Enable Client Secret JWT Authentication for Clients

To enable client secret JWT authentication, you must first have the client_secret_JWT authentication method activated for the specific client IDs that will use it.

Activating client_secret_jwt authentication for a service account

Contact Reltio Customer Support to enable this method for a service account.

Note: It is recommended that you request a new client ID with the client_secret_JWT feature, to minimize disruption to your existing code base.

After the client_secret_JWT method is activated, Reltio shares the client secret with the customer. If the method is activated for an existing client ID, the new client secret is shared with the customer. If the method is activated for a new client ID, both the client ID and the client secret are shared with the customer. The client secret is then used to sign the JWT.

The procedure for creating the JWT with the client secret is explained below.

Create JWT using client secret

For more information on creating JWT using client secret, see https://bitbucket.org/reltio-ondemand/building-jwt-sample.

A sample is given below:

Using JJWT Library:

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Date;
import java.util.UUID;

String clientId = "${clientId}";         // Provided by Reltio
String clientSecret = "${clientSecret}"; // Provided by Reltio

// Wrap the shared secret as an HMAC-SHA256 signing key
SecretKey sharedSecret = new SecretKeySpec(clientSecret.getBytes(StandardCharsets.UTF_8), SignatureAlgorithm.HS256.getJcaName());
Instant now = Instant.now();

// Issuer and subject are the client ID, audience is the token endpoint, valid for 5 minutes
String jwt = Jwts.builder()
        .setAudience("https://auth.reltio.com/oauth/token")
        .setIssuedAt(Date.from(now))
        .setExpiration(Date.from(now.plus(5L, ChronoUnit.MINUTES)))
        .setIssuer(clientId)
        .setSubject(clientId)
        .setId(UUID.randomUUID().toString())
        .signWith(sharedSecret)
        .compact();

Using NJWT library (Javascript):

const njwt = require('njwt');

const clientSecret = "${clientSecret}"; // This will be provided by Reltio
const clientId = "${clientId}";         // This will be provided by Reltio
const now = Math.floor(new Date().getTime() / 1000);    // seconds since epoch
const plus5Minutes = new Date((now + (5 * 60)) * 1000); // Date object, 5 minutes from now

const claims = {
  aud: "https://auth.reltio.com/oauth/token", // audience: the token endpoint
};

// njwt signs with HS256 by default; issuer and subject are both the client ID
const jwt = njwt.create(claims, clientSecret)
  .setIssuedAt(now)
  .setExpiration(plus5Minutes)
  .setIssuer(clientId)
  .setSubject(clientId)
  .compact();

For more information on the payload claims, see JWT.

Obtaining tokens for authorization

You must remove the Authorization header from the existing token request and add three new parameters to its body. The new parameters, and the token request for each grant type, are explained below.

Token Request for different Grant Types

The client_secret_JWT method is supported for the client_credentials, password, and refresh_token grant types.

You must add three new parameters to the body of the existing token request. Table 1: New parameters describes them.

Table 1. New parameters

Parameter              Description
client_id              The ID of the client that must be authenticated.
client_assertion_type  A fixed value: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertion       The compact JWT (header, payload and the HS256 HMAC signature created with the client secret), URL-encoded as a form value.

Sample token request for client_credentials grant type

POST /oauth/token HTTP/1.1
Host: auth.reltio.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&
client_id=xHyag1H&
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&
client_assertion=eYhskhfhj.........cfxz

Sample token request for password grant type

POST /oauth/token HTTP/1.1
Host: auth.reltio.com
Content-Type: application/x-www-form-urlencoded

grant_type=password&
client_id=xHyag1H&
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&
client_assertion=eYhskhfhj.........cfxz&
username=john124&
password=secret567

Sample token request for refresh_token grant type

POST /oauth/token HTTP/1.1
Host: auth.reltio.com
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&
client_id=xHyag1H&
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&
client_assertion=eYhskhfhj.........cfxz&
refresh_token=7771bbdb-14f7-4d51-9f69-fb23be555dc9