How to generate JWT - info needed

Posted by goo on 30-Nov-2019 08:40

OE 11.7

https://difi.github.io/felleslosninger/oidc_protocol_jwtgrant.html

I am trying to find out how I can build the JWT to ask for a token. I have done kind of the same communication, but never used JWT. After looking around I found jwt.io very useful, but still not crystal clear.

Header:

x5c optional

The business certificate/eseal (virksomhetssertifikat) of the organization. Full certificate chain, see RFC7517 chapter 4.7.

I have got two .p12 files and one .cer and as I understand I am going to do something like this:

one of the .p12 I should use for authorization and encryption and the other .p12 is used for signing:

so p12auth.p12 and p12sign.p12

make Header (in json)

alg:RS256

x5c:<this part I am not sure about, is this where I place .p12 or convert .p12 to a .pem and place the result here?? or is it the .cert?>

Body:

aud:https://oidc-ver2.difi.no/idporten-oidc-provider/  <--- URL encoded (probably, since it contains ':')

iss:<my client id>

iat: set to timestamp of generation

exp: iat + 120 seconds

jti:not sure if needed, but just a unique code

then I do a

b64Header = base64url(header)            (base64url without padding, not plain base64)

b64Body = base64url(body)

signingInput = b64Header + '.' + b64Body  (signed as-is, not base64-encoded a second time)

RSASSAPKCS1v15Signature = base64url(RSASSA-PKCS1-v1_5(signingInput, givenSecret, SHA256))  (givenSecret = the private key from p12sign.p12)

JWT = b64Header + '.' + b64Body + '.' + RSASSAPKCS1v15Signature

Then I send it using:

POST /token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=< the JWT I made>

Have I forgotten something?

I just have to say that I find it very difficult to read this kind of documentation that the auth provider has given,
but that's me....

//Geir Otto


All Replies

Posted by goo on 30-Nov-2019 09:19

This is probably the correct posting for TOKEN:

POST /token

Content-type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=<JWT>
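As an added example (not code from this thread, and not ABL), the construction sketched in the first post together with the token-request body from the reply, written in Go using only the standard library. It assumes a hypothetical DemoAssertion that generates a throwaway key and self-signed certificate in place of p12sign.p12, the placeholder client id my-client-id, and the audience URL from the post; VerifyJWT shows the checks the provider's side performs on receipt.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Header and Claims carry the fields named in the post. x5c holds the signing
// certificate as ordinary base64 of its DER bytes (RFC 7515 4.1.6), not the .p12 file.
type Header struct {
	Alg string   `json:"alg"`
	X5c []string `json:"x5c"`
}

type Claims struct {
	Aud string `json:"aud"` // a plain JSON string: the audience URL is not URL-encoded
	Iss string `json:"iss"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"`
}

var b64 = base64.RawURLEncoding // JWS segment encoding: base64url without '=' padding

// BuildJWT signs b64url(header) + "." + b64url(claims) with RS256 (RSASSA-PKCS1-v1_5
// over SHA-256). That joined string is the signing input; it is not base64'd again.
func BuildJWT(key *rsa.PrivateKey, certDER []byte, clientID, aud string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	rand.Read(jti) // crypto/rand: a fresh unguessable id for each assertion
	hdr, _ := json.Marshal(Header{Alg: "RS256", X5c: []string{base64.StdEncoding.EncodeToString(certDER)}})
	body, _ := json.Marshal(Claims{Aud: aud, Iss: clientID, Iat: now.Unix(), Exp: now.Add(120 * time.Second).Unix(), Jti: b64.EncodeToString(jti)})
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyJWT mirrors the provider: alg pinned to RS256, public key read from the x5c certificate,
// signature checked over header.payload, then expiry. A real provider also chains that certificate to a trusted CA.
func VerifyJWT(token string, now time.Time) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("expected header.payload.signature")
	}
	hdrJSON, e1 := b64.DecodeString(parts[0])
	bodyJSON, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var h Header
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrJSON, &h) != nil || h.Alg != "RS256" || len(h.X5c) == 0 {
		return c, errors.New("need base64url segments and an RS256 header carrying x5c")
	}
	certDER, _ := base64.StdEncoding.DecodeString(h.X5c[0]) // bad base64 leaves bytes ParseCertificate rejects
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return c, errors.New("signature does not verify under the x5c certificate")
	}
	if err = json.Unmarshal(bodyJSON, &c); err != nil || !now.Before(time.Unix(c.Exp, 0)) {
		return c, errors.New("claims unreadable or assertion expired")
	}
	return c, nil
}

// DemoAssertion (hypothetical) stands in for loading p12sign.p12: it generates a throwaway key and
// self-signed certificate, constructed here for the example, and builds the assertion with them.
func DemoAssertion(clientID string, now time.Time) (string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return BuildJWT(key, der, clientID, "https://oidc-ver2.difi.no/idporten-oidc-provider/", now)
}

func main() {
	jwt, err := DemoAssertion("my-client-id", time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=" + jwt) // the reply's body
}
```

Two points the code settles that the post left open: x5c is the certificate (the .cer, or the certificate extracted from the signing .p12) as base64 of its DER bytes, never the .p12 itself; and the value signed is the two base64url segments joined by a dot, with no further base64 step. The JWT alphabet (base64url plus dots) needs no percent-encoding in the form body, which is why only the grant_type URN is escaped.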
