The `oauth_jwt_bearer_grant` feature implements the JWT profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523).

It is meant to be used by systems where the OAuth Authorization Server is decoupled from the Identity Provider, and the Identity Provider emits JWT assertions.
```ruby
plugin :rodauth do
  enable :oauth_jwt_bearer_grant
end
```
The token endpoint supports receiving the following arguments:

- `grant_type`: can receive `urn:ietf:params:oauth:grant-type:jwt-bearer`;
- `assertion`: should receive the JWT bearer grant.

The `oauth_jwt_bearer_grant` feature can also be used for token endpoint client authentication. When paired with, for example, the authorization code grant, it supports these extra parameters:

- `client_assertion_type`: can receive `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`;
- `client_assertion`: should be the JWT bearer grant, sent along with, for example, `grant_type=authorization_code&code=eos234..234`.
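The two request shapes above, as an added example that is not part of the rodauth-oauth project (the feature builds and validates all of this for you; this stdlib-only code illustrates what travels over the wire and what the server must check). Client id, secret and token URL are constructed sample values; `build_assertion`, `verify_assertion` and the `*_params` helpers are names chosen here. It uses a symmetric HS256 signature over the client secret, which is why the server needs the raw secret available at verification time:

```ruby
require 'openssl'
require 'json'
require 'uri'

# Constructed sample values for this example (not from the page).
CLIENT_ID     = 'example-client-id'
CLIENT_SECRET = 'example-client-secret-with-enough-entropy-0123456789'
TOKEN_URL     = 'https://auth.example.com/token'

# JWTs use base64url without padding (RFC 7515).
def b64url_encode(bin)
  [bin].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  s += '=' * ((4 - s.length % 4) % 4)
  s.unpack1('m0')
end

# Constant-time byte comparison so the HMAC check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Client side: an HS256 JWT carrying the claims RFC 7523 requires
# (iss, sub, aud, exp); aud is the token endpoint that will consume it.
def build_assertion(secret, iss:, sub:, aud:, exp:, iat: Time.now.to_i)
  header  = b64url_encode(JSON.generate({ 'alg' => 'HS256', 'typ' => 'JWT' }))
  payload = b64url_encode(JSON.generate({ 'iss' => iss, 'sub' => sub, 'aud' => aud,
                                          'exp' => exp, 'iat' => iat }))
  input = "#{header}.#{payload}"
  "#{input}.#{b64url_encode(OpenSSL::HMAC.digest('SHA256', secret, input))}"
end

# Token request where the assertion *is* the grant.
def jwt_bearer_grant_params(assertion)
  { 'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    'assertion'  => assertion }
end

# Token request where the assertion only authenticates the client and the
# grant is an authorization code obtained earlier.
def client_assertion_params(assertion, code)
  { 'grant_type'            => 'authorization_code',
    'code'                  => code,
    'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    'client_assertion'      => assertion }
end

# Server side: recompute the HMAC with the stored client secret, then check the
# claims. Returns the claims hash on success, nil on any failure.
def verify_assertion(token, secret, expected_aud:, now: Time.now.to_i)
  parts = token.to_s.split('.')
  return nil unless parts.size == 3
  h64, p64, s64 = parts
  header = JSON.parse(b64url_decode(h64))
  # Pin the algorithm server-side; never let the token pick it.
  return nil unless header.is_a?(Hash) && header['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{h64}.#{p64}")
  return nil unless secure_equal?(expected, b64url_decode(s64))
  claims = JSON.parse(b64url_decode(p64))
  return nil unless claims.is_a?(Hash) && claims['aud'] == expected_aud
  return nil unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  claims
rescue JSON::ParserError, ArgumentError
  nil
end

if $PROGRAM_NAME == __FILE__
  assertion = build_assertion(CLIENT_SECRET, iss: CLIENT_ID, sub: CLIENT_ID,
                              aud: TOKEN_URL, exp: Time.now.to_i + 300)
  puts URI.encode_www_form(jwt_bearer_grant_params(assertion))
  puts URI.encode_www_form(client_assertion_params(assertion, 'eos234..234'))
  p verify_assertion(assertion, CLIENT_SECRET, expected_aud: TOKEN_URL)
end
```

The audience check matters as much as the signature: an assertion minted for one token endpoint must not be replayable against another, and pinning `alg` on the server side closes the usual algorithm-substitution class of bugs.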
It supports the following authentication methods:

- a JWT signed symmetrically with the client secret. NOTE: because the JWT is symmetrically signed with the client secret, the client application secret must be stored in plaintext in the database for this method to be usable.
- a JWT whose signature is verified against the client application's JWKs. The client application must set its JWKs via the `oauth_applications_jwks_column` or `oauth_applications_jwks_uri_column`, so that the signature of the assertion can be verified.
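The JWKs-based path, as an added example that is not rodauth-oauth code: the client registers only a public JWK Set (the kind of document the `oauth_applications_jwks_column` holds or the JWKS URI serves), signs its `client_assertion` with the matching private key, and the server selects the key by `kid` and verifies with it. Key pair, key id, claims and the function names (`public_jwk_set`, `sign_client_assertion`, `jwk_to_rsa`, `verify_with_jwks`) are all constructed here. Because nothing symmetric is involved, the server stores no client secret at all, which is the contrast with the plaintext-secret note above:

```ruby
require 'openssl'
require 'json'

def b64url_encode(bin)
  [bin].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  s += '=' * ((4 - s.length % 4) % 4)
  s.unpack1('m0')
end

# Constructed for this example: the client's RSA key pair and key id.
# Only the public half is ever registered with the authorization server.
CLIENT_KEY = OpenSSL::PKey::RSA.new(2048)
CLIENT_KID = 'example-client-key-1'

# The JWK Set the client registers (RFC 7517 RSA public key parameters).
def public_jwk_set(rsa, kid)
  { 'keys' => [{ 'kty' => 'RSA', 'use' => 'sig', 'alg' => 'RS256', 'kid' => kid,
                 'n' => b64url_encode(rsa.n.to_s(2)),
                 'e' => b64url_encode(rsa.e.to_s(2)) }] }
end

# Client side: RS256 client_assertion; the kid header tells the server which JWK to use.
def sign_client_assertion(rsa, kid, claims)
  header  = b64url_encode(JSON.generate({ 'alg' => 'RS256', 'typ' => 'JWT', 'kid' => kid }))
  payload = b64url_encode(JSON.generate(claims))
  input   = "#{header}.#{payload}"
  "#{input}.#{b64url_encode(rsa.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

# Rebuild an RSA public key from JWK parameters through PKCS#1 RSAPublicKey DER,
# which works on both OpenSSL 1.1 and 3.x (where PKey objects are immutable).
def jwk_to_rsa(jwk)
  n = OpenSSL::BN.new(b64url_decode(jwk['n']), 2)
  e = OpenSSL::BN.new(b64url_decode(jwk['e']), 2)
  der = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)]).to_der
  OpenSSL::PKey::RSA.new(der)
end

# Server side: select the JWK by kid, verify the signature with that public key,
# then check audience and expiry. Returns the claims hash or nil.
def verify_with_jwks(token, jwk_set, expected_aud:, now: Time.now.to_i)
  parts = token.to_s.split('.')
  return nil unless parts.size == 3
  h64, p64, s64 = parts
  header = JSON.parse(b64url_decode(h64))
  # Only the asymmetric algorithm we registered is acceptable here.
  return nil unless header.is_a?(Hash) && header['alg'] == 'RS256'
  jwk = jwk_set['keys'].find { |k| k['kty'] == 'RSA' && k['kid'] == header['kid'] }
  return nil unless jwk
  key = jwk_to_rsa(jwk)
  return nil unless key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(s64), "#{h64}.#{p64}")
  claims = JSON.parse(b64url_decode(p64))
  return nil unless claims.is_a?(Hash) && claims['aud'] == expected_aud
  return nil unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  claims
rescue JSON::ParserError, ArgumentError, OpenSSL::PKey::PKeyError
  nil
end

if $PROGRAM_NAME == __FILE__
  jwks = public_jwk_set(CLIENT_KEY, CLIENT_KID)
  claims = { 'iss' => 'example-client-id', 'sub' => 'example-client-id',
             'aud' => 'https://auth.example.com/token', 'exp' => Time.now.to_i + 300 }
  token = sign_client_assertion(CLIENT_KEY, CLIENT_KID, claims)
  puts JSON.pretty_generate(jwks)
  p verify_with_jwks(token, jwks, expected_aud: 'https://auth.example.com/token')
end
```

Rejecting an unknown `kid` rather than falling back to "any key in the set" keeps key rotation safe, and the `kty`/`alg` checks ensure a JWK of a different type can never be coerced into an RSA verification.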