I have a requirement to pass a client assertion in the client credentials grant type token request as specified in the spec - https://www.rfc-editor.org/rfc/rfc7521.html. According to the above spec, instead of client_id and client_secret, we need to specify client_assertion_type and client_assertion in the token request payload.
Below is something I tried.
Generated JWT:
import ballerina/jwt;
import ballerina/oauth2;

// Custom claims carried in the assertion (sub = the client identifier)
map<json> sub = {
    "sub": "abcd"
};
jwt:IssuerConfig issuerConfig = {
    customClaims: sub,
    issuer: "abcd",
    // aud must be the token endpoint of the authorization server
    audience: "https://abcd/oauth2/token",
    expTime: 3000,
    signatureConfig: {
        config: {
            keyFile: "./privatekey.pem"
        }
    }
};
// Sign the assertion with the private key
string jwt = check jwt:issue(issuerConfig);
Constructed optional params map passing the JWT:
map<string> jwtAssertion = {
    "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
    "client_assertion": jwt
};
Passed the optional params to the client credentials config record:
oauth2:ClientCredentialsGrantConfig epicConfig = {
    tokenUrl: "https://abcd/oauth2/token",
    clientId: "abcd",
    // Extra form parameters appended to the token request
    optionalParams: jwtAssertion,
    clientSecret: "random"
};
But the problem here is that since client_id and client_secret are mandatory, the backend I'm trying to connect to is returning a 400.
Is there any suggestion to handle this scenario where I need to send the assertion without the id and secret? Also, is there any future plan to add the support mentioned in the spec https://www.rfc-editor.org/rfc/rfc7521.html, to the oauth2 module?
Currently, this is not supported in the oauth2 module.
We can use a separate HTTP client and get the token by sending a post request to STS. Then, manually set the obtained assertion/token in the header of the resource request.
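The workaround described in the answer, written out as an added Ballerina example (this is not code from the question, the answer, or the Ballerina project; the STS host, client id, key file path and resource path are assumed placeholders):

```ballerina
import ballerina/http;
import ballerina/io;
import ballerina/jwt;
import ballerina/url;

// Assumed values: replace with the real STS host, client id and key file.
const string STS_URL = "https://abcd";
const string CLIENT_ID = "abcd";
const string ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

// Open record: only access_token is required, other fields (token_type, expires_in) are kept.
type TokenResponse record {
    string access_token;
};

// Sign the client assertion; iss and sub are the client id, aud is the token endpoint.
function buildClientAssertion() returns string|error {
    jwt:IssuerConfig issuerConfig = {
        issuer: CLIENT_ID,
        customClaims: {"sub": CLIENT_ID},
        audience: STS_URL + "/oauth2/token",
        expTime: 300, // keep assertions short-lived; they are single-purpose credentials
        signatureConfig: {config: {keyFile: "./privatekey.pem"}}
    };
    return jwt:issue(issuerConfig);
}

// POST the assertion to the STS instead of client_id/client_secret (RFC 7521 / RFC 7523).
function fetchAccessToken(string assertion) returns string|error {
    http:Client sts = check new (STS_URL);
    string body = "grant_type=client_credentials"
        + "&client_assertion_type=" + check url:encode(ASSERTION_TYPE, "UTF-8")
        + "&client_assertion=" + check url:encode(assertion, "UTF-8");
    http:Request req = new;
    req.setTextPayload(body, contentType = "application/x-www-form-urlencoded");
    TokenResponse tokenResponse = check sts->post("/oauth2/token", req);
    return tokenResponse.access_token;
}

public function main() returns error? {
    string assertion = check buildClientAssertion();
    string accessToken = check fetchAccessToken(assertion);
    // Manually set the obtained token on the resource request, as the answer suggests.
    http:Client api = check new ("https://abcd");
    json result = check api->get("/resource", {"Authorization": "Bearer " + accessToken});
    io:println(result);
}
```

The assertion is URL-encoded before being placed in the form body so that the dots and padding-free base64url segments of the JWT reach the STS unchanged.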