Add section for Private Key JWT client authentication in OIDC client docs #6689
Comments
Add section for Private Key JWT client authentication in OIDC client docs -1 #6689
Hi Adam,
The suggested changes have been made.
Draft Document links:
Please check and add the
Regards,
CC @dmuelle
The change to this sentence makes it clunky and now has an error. I prefer one of the following revisions:
Or a revision based on your change:
The formatting of the XML in this section is a bit off. We could add some newlines to make it more readable:
<openidConnectClient id="myOidcClientUsingPrivateKeyJwt"
                     tokenEndpointAuthMethod="private_key_jwt"
                     tokenEndpointAuthSigningAlgorithm="ES512"
                     keyAliasName="privatekeyaliasES512"
                     ...
/>
Need to change "supports" to "support" to agree with "clients", which is the subject of the sentence. Same XML formatting suggestion.
Add section for Private Key JWT client authentication in OIDC client docs -2 #6689
Hi Adam,
The suggested corrections have been made.
Draft Document links:
Please review the same and add the
Regards,
CC @dmuelle
Quick question:
Changes look good. The XML snippet in https://docs-draft-openlibertyio.mqj6zf7jocq.us-south.codeengine.appdomain.cloud/docs/latest/reference/feature/socialLogin-1.0.html#_use_private_key_jwt_for_client_authentication still needs to have its indentation fixed, though.
<oidcLogin id="myOidcClientUsingPrivateKeyJwt"
           tokenEndpointAuthMethod="private_key_jwt"
           tokenEndpointAuthSigningAlgorithm="ES512"
           keyAliasName="privatekeyaliasES512"
           ...
/>
(If you're already going back to fix the indentation, I'd suggest adding an
Add section for Private Key JWT client authentication in OIDC client docs -3 #6689
Hi Adam,
The suggested corrections have been made to the code block in both documents.
Draft Document links:
Please review the same and add the
Regards,
CC @dmuelle
LGTM 👍
Peer review
The tokenEndpointAuthSigningAlgorithm attribute specifies the signing algorithm to use to sign the JWT used for client authentication.
sslRef attribute in the OpenID Connect client configuration ---> sslRef attribute in the config:openidConnectClient[display=OpenID Connect client configuration].
Add section for Private Key JWT client authentication in OIDC client docs -4 #6689
Hi David
Made suggested corrections to the page.
Draft Document links:
Please review the same. Please let me know if I need to make more corrections.
Regards,
Looks good except the link to OpenID Connect Client 1.0 feature should point directly to the Use Private Key JWT for client authentication example on the OIDC page. I think you will have to construct a relative link instead of using the macro to get it to recognize the anchor.
JWT is already defined on the page so you can just use the abbreviation here.
missing space after period
Add section for Private Key JWT client authentication in OIDC client docs -5 #6689
Add section for Private Key JWT client authentication in OIDC client docs -6 #6689
Add section for Private Key JWT client authentication in OIDC client docs -7 #6689
Hi David
Made suggested corrections to the page.
Draft Document links:
Regards,
LGTM, thanks, adding peer review label
Hi David
Staging site links:
Regards,
content is on vNExt and will publish with 23.0.0.6
reopening issue as the epic fell out of 23.0.0.6 and is now expected for 23.0.0.8. Backporting changes to remove published docs from 23.0.0.6 and 7.
Hi David
Draft site links:
Regards,
LGTM, send to staging when you have a chance
Hi David
Staging site links:
Regards,
LGTM, thanks
Content is on vNext and will publish with 23.0.0.9. Closing as completed.
Epic: OpenLiberty/open-liberty#21826
Relevant docs page: https://openliberty.io/docs/latest/reference/feature/openidConnectClient-1.0.html
New section proposal
Title: Use Private Key JWT for client authentication
Location: After the Support Multiple OpenID Connect Providers section.
Content:
OpenID Connect clients in Open Liberty support the private_key_jwt client authentication method with OpenID Connect token endpoints. OpenID Connect clients are required to provide authentication data to the OpenID Connect provider when invoking the provider's token endpoint. Clients can authenticate using several different methods, but most of those methods require a client secret. The private_key_jwt authentication method allows clients to make use of asymmetric keys to create signed JSON Web Tokens (JWTs) to authenticate instead of client secrets. OpenID Connect clients in Open Liberty using this authentication method are no longer required to have a client secret.

Server administrators can enable this functionality using the private_key_jwt option for the tokenEndpointAuthMethod attribute, as well as the new tokenEndpointAuthSigningAlgorithm and keyAliasName attributes in the <openidConnectClient> element:

The tokenEndpointAuthSigningAlgorithm attribute specifies the signing algorithm to use to sign the JWT used for client authentication. The keyAliasName attribute points to the private key to use to sign the JWT. The private key must exist in the keystore that is referenced by the sslRef attribute in the OpenID Connect client configuration. OpenID Connect providers that support Private Key JWT client authentication typically provide an interface for administrators to upload their corresponding public key.

More information about private_key_jwt client authentication can be found in the OpenID Connect core specification and RFC 7523.

Other updates
Relevant docs page: https://openliberty.io/docs/latest/reference/feature/socialLogin-1.0.html
New section proposal
Title: Use Private Key JWT for client authentication
Location: After the Provide other social media logins as options to the user section.
Content:
OpenID Connect clients that are configured using the <oidcLogin> element in the Social Media Login feature support the private_key_jwt client authentication method with OpenID Connect token endpoints. The process for enabling this support is identical to the OpenID Connect Client 1.0 feature. An example is shown here.