OE 11.7
https://difi.github.io/felleslosninger/oidc_protocol_jwtgrant.html
I am trying to find out how I can build the JWT to ask for a token. I have done kind of the same communication before, but never used JWT. After looking around I found jwt.io very useful, but it is still not crystal clear.
Header:
x5c | optional | The business certificate/eseal (virksomhetssertifikat) of the organization. Full certificate chain, see RFC7517 chapter 4.7.
I have got two .p12 files and one .cer, and as I understand it I am going to do something like this:
one of the .p12 files I should use for authorization and encryption, and the other .p12 is used for signing:
so p12auth.p12 and p12sign.p12
make Header (in json)
alg:RS256
x5c: <this part I am not sure about: is this where I place the .p12, or do I convert the .p12 to a .pem and place the result here? Or is it the .cer?>
Body:
aud: https://oidc-ver2.difi.no/idporten-oidc-provider/ <--- URL encoded (probably, since it contains ':')
iss: <my client id>
iat: set to timestamp of generation
exp: iat + 120 seconds
jti: not sure if needed, but just a unique code
then I do a
b64Header = base64url(header)                       // base64url, no padding (JWS compact serialization)
b64Body = base64url(body)
signingInput = b64Header + '.' + b64Body            // this string is signed as-is, not base64-encoded again
signature = base64url(RSASSA-PKCS1-v1_5-SHA256(signingInput, signingPrivateKey))
JWT = b64Header + '.' + b64Body + '.' + signature
Then I send it using:
POST /token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=< the JWT I made>
Have I forgotten something?
I just have to say that I find it very difficult to read this kind of documentation that the auth provider has given,
but that's me....
//Geir Otto
This is probably the correct posting for TOKEN:
POST /token
Content-Type: application/x-www-form-urlencoded
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=<JWT>
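Added example in Go, not code from the post or from the ID-porten documentation, putting the pieces above together: the x5c header carries the DER certificate as plain base64 (RFC 7515 section 4.1.6), the aud claim is the issuer URL unencoded, the signature is computed over the ASCII `b64url(header).b64url(body)` string, and the result goes into the form body of the last request above. It assumes the RSA private key and the certificate's DER bytes have already been extracted from the signing .p12 (Go's standard library has no PKCS#12 loader), and every client id and jti value is a placeholder.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"net/url"
	"time"
)

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion returns an RS256 JWT. key is the private key from the signing
// .p12; certDER is the DER bytes of its certificate (the .cer content). x5c is an
// array of plain base64 (not base64url) DER certificates, per RFC 7515 section 4.1.6.
// aud is the issuer URL as-is; it is only form-encoded later with the whole JWT.
func BuildAssertion(key *rsa.PrivateKey, certDER []byte, clientID, aud, jti string, now time.Time) (string, error) {
	header := map[string]interface{}{"alg": "RS256", "x5c": []string{base64.StdEncoding.EncodeToString(certDER)}}
	claims := map[string]interface{}{"aud": aud, "iss": clientID, "iat": now.Unix(), "exp": now.Unix() + 120, "jti": jti}
	hdr, err := json.Marshal(header)
	if err != nil {
		return "", err
	}
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	// The signature covers the ASCII string "b64url(header).b64url(body)" directly;
	// that string is not base64-encoded again before signing.
	signingInput := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// TokenRequestBody is the x-www-form-urlencoded body for POST /token with the
// jwt-bearer grant; url.Values percent-encodes the colons in the grant_type URN.
func TokenRequestBody(jwt string) string {
	return url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"}, "assertion": {jwt}}.Encode()
}
```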