Using Client assertion instead of Client Secret in OIDC flow
Hi Everyone,
I can see that the current OOTB OIDC "Authorization Code" grant flow uses Client ID and Secret. However, our IDP doesn't support Client Secret and we therefore have a requirement to use "Client Assertion" instead of Client Secret.
My question is does Pega support Client Assertion?
Thanks
SB
JP Morgan
US
- Client App <<--->> Generate JWT token
- Client App with JWT token <<--- calls auth provider --->> Auth provider
- Client App receives token from Auth provider to access resource <<------------------->> Resource
This should be achievable using Token profile.
I'm assuming you are on pega8.x. We do have a rule type called TokenProfile.
As you are using Client_Assertion you can specify the desired Claims you want in TokenProfile to send to the generate jwt token. Specify attributes you want in header.
Add any custom claims if you have any.
As you will be the owner of token you will need to have signing certificate and the private key. You can share the public key with the Auth provider. You can create keystore file and add your private key to it.
Next step you will have to share public key with auth provider. Ideally we share .cer file with them however with pega you can expose an ootb url : https://hostname:port/prweb/PRRestService/keys/v1/jwt/YourTestTokenProfile
To generate token you will need pxGenerateJWT activity which will use your above created token profile by incorporating claims mentioned.
The above generatedtoken can be used to call the Authprovider as client_credential/assertion grant type.
The auth provider will return you the token with expiry time.
- Client App <<--->> Generate JWT token
- Client App with JWT token <<--- calls auth provider --->> Auth provider
- Client App receives token from Auth provider to access resource <<------------------->> Resource
This should be achievable using Token profile.
I'm assuming you are on pega8.x. We do have a rule type called TokenProfile.
As you are using Client_Assertion you can specify the desired Claims you want in TokenProfile to send to the generate jwt token. Specify attributes you want in header.
Add any custom claims if you have any.
As you will be the owner of token you will need to have signing certificate and the private key. You can share the public key with the Auth provider. You can create keystore file and add your private key to it.
Next step you will have to share public key with auth provider. Ideally we share .cer file with them however with pega you can expose an ootb url : https://hostname:port/prweb/PRRestService/keys/v1/jwt/YourTestTokenProfile
To generate token you will need pxGenerateJWT activity which will use your above created token profile by incorporating claims mentioned.
The above generatedtoken can be used to call the Authprovider as client_credential/assertion grant type.
The auth provider will return you the token with expiry time.
Use the token to access the resource.
Feel free to drop me a note. I will be happy to help.
Updated: 15 Nov 2021 19:55 EST
Toyota Financial Services
AU
@abdulq95 Thanks for your reply.
Our requirement is to use the "Authorization Code" grant flow where Pega would be the "client app" requesting the access token from IDP. However, instead of using Client ID and secret we need to use Client Assertion. So how would we use "TokenProfile" in that scenario? or are you suggesting that we need to build this whole as a custom solution?
JP Morgan
US
That’s right using token profile you need to build your solution matching the auth provider requirements.
pega ootb doesn’t cater the author providers request needs. It would be one time but needs a custom solution for sure
Toyota Financial Services
AU
@SwaidB26 I just got the confirmation from Pega product team that "Client assertion" is not supported atm and will be in future.
Which essentially means that we need to custom build the whole "Auth code grant" OIDC flow.
Any idea what would be the good starting point ?