Client Secret JWT Authentication

The Client Secret JSON Web Token (JWT) Authentication feature in Reltio is based on an HMAC (Hash-based Message Authentication Code): each authentication request from a service account carries a JWT that is signed with the account's client secret, and the authorization server verifies that signature.

Reltio currently supports basic authentication of service accounts, where client_id and client_secret are sent as a static Base64-encoded string in the request header. Base64 is an encoding, not encryption: the same credential is sent on every request, so anyone who captures the header can reuse it as-is.

client_secret_jwt is a new method that has been added as an additional way to authenticate service accounts. The client signs a JWT with its client secret using the HS256 algorithm and sends only the signed token; the client secret itself never leaves the client. Because the token carries an expiration time and can carry a unique token identifier, the signature is specific to that request rather than a static credential, which makes the method more resilient to replay of a captured request. The authorization server authenticates the client by recomputing and verifying this signature.

JWT

A JWT is an open standard (RFC 7519) method that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret or a public/private key pair. A JWT is a string made up of the following three parts:

1. Header

The header typically consists of two parts: the type of token, which is JWT, and the signing algorithm that is used. Currently, we only support HMAC SHA-256 (HS256).

2. Payload

The second part of the token is the payload, which contains the claims. Claims are statements about an entity (here, the service account). Table 1, Payload claims, describes the claims:

Table 1. Payload claims

Parameter | Description | Type | Mandatory (Y/N)
sub | The subject of the token. For client_secret_jwt this is the client ID. | String | Yes
iss | The issuer of the token. For client_secret_jwt this is also the client ID, because the client issues the token itself. | String | Yes
aud | The URL of the resource that the JWT is intended for, i.e. the token endpoint that must authenticate it. For example, https://auth.reltio.com/oauth/token. | String | Yes
exp | The expiration time of the JWT, as seconds since the Unix epoch. A token is rejected once this time has passed, so keep the lifetime short. | Integer | Yes
jti | A unique identifier for the token, for example a UUID. It lets the server detect and reject a replayed token. | String | No
iat | The time the JWT was issued, as seconds since the Unix epoch. | Integer | No

An example of the claims is given below:

{
  "sub": "xHtahu",
  "iss": "xHtahu",
  "aud": "https://auth.reltio.com/oauth/token",
  "exp": 1631334680,
  "jti": "ca87ab0a-1a18-11ec-9621-0242ac130002",
  "iat": 1631334380
}

3. Signature

The signature is computed over the base64url-encoded header and the base64url-encoded payload, joined by a dot, using the client secret and the algorithm named in the header. For example,

HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

Sample JWT Token

The Header, Payload, and Signature make up the JWT token. Each part is base64url encoded (the URL-safe alphabet, with no "=" padding) and the parts are separated by a dot. A sample JWT token is given below:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaXNTb2NpYWwiOnRydWV9.4pcPyMD09olPSyXnrXCjTwXyr4BsezdI1AVTmud2fU4

The first part is the base64url encoded Header. In the above example, it is eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9, which decodes to {"alg":"HS256","typ":"JWT"}. The second part is the base64url encoded Payload. In the above example, it is eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaXNTb2NpYWwiOnRydWV9, which decodes to {"sub":"1234567890","name":"John Doe","isSocial":true}. The third part is the encoded Signature. In the above example, it is 4pcPyMD09olPSyXnrXCjTwXyr4BsezdI1AVTmud2fU4. Note that this sample is a generic JWT that illustrates the structure only; a token used for client_secret_jwt carries the claims listed in Table 1 (sub, iss, aud, exp and optionally jti and iat), and its signature can only be verified by a party that holds the same client secret.
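The following is an added example, not code from Reltio's documentation or SDK, that puts the three sections above together: it builds a client_secret_jwt assertion with the Table 1 claims, signs it with HS256 using only the Python standard library, and then performs the checks the authorization server side would perform (signature, algorithm, required claims, audience, expiry). The client ID, client secret and token URL are placeholder values; the verification logic is a generic HS256 verifier written for illustration, not a description of Reltio's server implementation.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional

# Placeholder values for illustration only; substitute the real client ID,
# client secret and token endpoint of the service account.
CLIENT_ID = "xHtahu"
CLIENT_SECRET = "replace-with-the-service-account-client-secret"
TOKEN_URL = "https://auth.reltio.com/oauth/token"


def b64url(data: bytes) -> str:
    """base64url encoding with the '=' padding stripped, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore the padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_assertion(client_id: str, secret: str, audience: str,
                           lifetime_s: int = 300,
                           now: Optional[int] = None) -> str:
    """Create an HS256-signed JWT carrying the claims from Table 1."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": client_id,
        "iss": client_id,               # the client issues its own assertion
        "aud": audience,                # the token endpoint that must accept it
        "exp": now + lifetime_s,        # short lifetime limits the replay window
        "jti": str(uuid.uuid4()),       # unique per token so replays can be rejected
        "iat": now,
    }
    # Compact JSON so the encoded parts contain no stray whitespace.
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "."
                     + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    # HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_client_assertion(token: str, secret: str, audience: str,
                            now: Optional[int] = None) -> dict:
    """Server-side checks: signature first, then the claims.
    Raises ValueError on any failure and returns the claims on success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own 'alg' choose the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    for required in ("sub", "iss", "aud", "exp"):
        if required not in claims:
            raise ValueError(f"missing claim {required}")
    if claims["aud"] != audience:
        raise ValueError("audience mismatch")
    if now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    token = build_client_assertion(CLIENT_ID, CLIENT_SECRET, TOKEN_URL)
    print(token)
    print(verify_client_assertion(token, CLIENT_SECRET, TOKEN_URL))
```

The verifier deliberately rejects any header whose alg is not HS256 and compares the HMAC with hmac.compare_digest; both are standard hardening for HMAC-signed JWTs. Persisting seen jti values until their exp passes is what turns the optional jti claim into an actual replay check, and is left to the server.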

Enabling the client_secret_jwt authentication method for a service account

To enable the client_secret_jwt authentication method for a service account, do the following: