OAuth 2.0 client authentication using JWT

book

Article ID: 209339

calendar_today

Updated On:

Products

CA API Gateway STARTER PACK-7 API SECURITY CA Mobile API Gateway CA Rapid App Security

Issue/Introduction

The client authentication (JWT) was introduced since OTK 4.3, to avoid using client secret to call the OTK endpoints.

The client_secret parameter can be replaced by 2 parameters,

client_assertion=<JWT>&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer 

 

Environment

Release : 10.0

Component : API GATEWAY

Resolution

Here is an example,

1. Register a new oauth client as per document,

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-4/registering-clients-with-the-oauth-manager.html

"Client Type" = confidential

"Authentication Method" = Client Secret (JWT)

"Scope" = oob

 

2. Publish a new web API, and import the attached policy, replace the client_id and client_secret as per step 1

The JWT credential will be created as per document,

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-4/installation-workflow/configure-authentication/client-authentication.html

 

3. Call the demo API, it will return sample json for the JWT credential, and the sample curl command line

Sample output (the new api path is /jwts here),

# curl http://localhost:8080/jwts
sample json to generate jwt:

 "sub": "58634101-8006-4823-a92d-25efc5ac5de7",
 "iss": "58634101-8006-4823-a92d-25efc5ac5de7",
 "exp": 1614310725,
 "jti": "ByMark2021",
 "aud": "https://apimgw10mark.sgn.broadcom.net:8443/auth/oauth/v2/token"
}

samele call:
curl -k -X POST -H "content-type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.ew0KICJzdWIiOiAiNTg2MzQxMDEtODAwNi00ODIzLWE5MmQtMjVlZmM1YWM1ZGU3IiwNCiAiaXNzIjogIjU4NjM0MTAxLTgwMDYtNDgyMy1hOTJkLTI1ZWZjNWFjNWRlNyIsDQogImV4cCI6IDE2MTQzMTA3MjUsDQogImp0aSI6ICJCeU1hcmsyMDIxIiwNCiAiYXVkIjogImh0dHBzOi8vYXBpbWd3MTBtYXJrLnNnbi5icm9hZGNvbS5uZXQ6ODQ0My9hdXRoL29hdXRoL3YyL3Rva2VuIg0KfQ.3zMcnZSUaTE7CmEfiZYZVLZSYPklCBaG9h0mjSALVf8&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_id=58634101-8006-4823-a92d-25efc5ac5de7&scope=oob' https://apimgw10mark.sgn.broadcom.net:8443/auth/oauth/v2/token

4. Copy and run the curl command, it will return the access token, in this curl command line, the client_secret is replaced by the jwt

Sample output:

# curl -k -X POST -H "content-type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.ew0KICJzdWIiOiAiNTg2MzQxMDEtODAwNi00ODIzLWE5MmQtMjVlZmM1YWM1ZGU3IiwNCiAiaXNzIjogIjU4NjM0MTAxLTgwMDYtNDgyMy1hOTJkLTI1ZWZjNWFjNWRlNyIsDQogImV4cCI6IDE2MTQzMTA3MjUsDQogImp0aSI6ICJCeU1hcmsyMDIxIiwNCiAiYXVkIjogImh0dHBzOi8vYXBpbWd3MTBtYXJrLnNnbi5icm9hZGNvbS5uZXQ6ODQ0My9hdXRoL29hdXRoL3YyL3Rva2VuIg0KfQ.3zMcnZSUaTE7CmEfiZYZVLZSYPklCBaG9h0mjSALVf8&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_id=58634101-8006-4823-a92d-25efc5ac5de7&scope=oob' https://apimgw10mark.sgn.broadcom.net:8443/auth/oauth/v2/token
{
  "access_token":"7a45c008-1a95-46b9-8ab5-046c679f6034",
  "token_type":"Bearer",
  "expires_in":3600,
  "scope":"oob"
}

 

 

Attachments

1614309248873__OTKclientAuthenticationJWT.xml get_app