
Feature: Support JWT Profile for Client Authentication

Open robotdan opened this issue 5 years ago • 4 comments

Support JWT Profile for Client Authentication

Problem

RFC 7523 describes the JWT Profile for Client Authentication in order to provide an additional mechanism to authenticate a client. FusionAuth does not currently support this profile for client authentication.

Solution

Add support for this authentication scheme.

Alternatives/workarounds

A clear and concise description of any alternative solutions or workarounds you've considered.

Additional context

  • https://tools.ietf.org/html/rfc7521
  • https://tools.ietf.org/html/rfc7523#section-2.1
  • https://tools.ietf.org/html/rfc7523#section-2.2
  • https://datatracker.ietf.org/doc/draft-ietf-oauth-rfc7523bis/

We could look at adding both the JWT Client Authentication Profile as well as the Bearer JWT grant.

This came up in a sales conversation. Internal: https://inversoft.slack.com/archives/C068UM25PNJ/p1731586209203619

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

robotdan avatar Jan 07 '20 19:01 robotdan

I'm not sure I understand what you think about a JWT profile. Do you mean authenticating an app with a JWT is currently not possible with FusionAuth? 🤔

soullivaneuh avatar Jan 14 '20 10:01 soullivaneuh

> I'm not sure I understand what you think about a JWT profile. Do you mean authenticating an app with a JWT is currently not possible with FusionAuth? 🤔

Yes, you can already authenticate an app with a JWT.

You can review the linked RFCs for additional context and description of using a JWT in the Authorization Code grant, and as a method of Client Authentication.

robotdan avatar Jan 14 '20 17:01 robotdan

So if I understood correctly, JWT is supported but some additional features can be added to it? I was afraid I was taking the wrong direction. 😄

soullivaneuh avatar Jan 15 '20 10:01 soullivaneuh

Make sure to follow the latest and greatest OAuth 2.0 JSON Web Token (JWT) Client Authentication and Assertion-Based Authorization Grants doc (the draft mentioned above, though it might have been published since) because there were some security issues around the previous implementation.

From the draft:

When performing a security analysis of a pre-final version of the OpenID Federation specification [OpenID.Federation], University of Stuttgart security researchers Pedram Hosseyni, Dr. Ralf Küsters, and Tim Würtele discovered a vulnerability affecting multiple OpenID and OAuth specifications caused by ambiguities in the audience values of tokens sent to authorization servers. The vulnerability was disclosed to the OAuth working group in an interim meeting in January 2025 called for that purpose, including providing a description of the vulnerability [private_key_jwt.Disclosure]. A paper they published describing the attack is [Audience.Injection].

mooreds avatar Nov 03 '25 20:11 mooreds
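As an added illustration of the server-side checks RFC 7523 client authentication requires, and of the strict audience comparison the rfc7523bis work argues for, here is a small Python verifier. It is example code, not FusionAuth's implementation; it signs with an HMAC secret (HS256) purely so it runs stand-alone, whereas real deployments register an asymmetric key per client. The client id, secret and authorization server identifier are constructed values.

```python
import base64, hashlib, hmac, json

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_assertion(client_id, secret, audience, now, jti, ttl=60):
    """Client side: build an assertion with iss == sub == client_id.
    HS256 is an assumption of this example; RFC 7523 clients normally sign
    with a private key registered at the authorization server."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "iat": now, "exp": now + ttl, "jti": jti}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_client_assertion(token, secret, expected_aud, client_id, now, seen_jtis):
    """Server side: checks made before the assertion counts as client
    authentication. Returns the claims, or raises ValueError."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("malformed assertion")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust the token's alg
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        raise ValueError("iss and sub must both equal the authenticating client_id")
    aud = claims.get("aud")
    # Audience: one exact string, compared byte for byte. Accepting a list, a URL
    # prefix or any "close enough" value is the ambiguity behind audience injection.
    if not isinstance(aud, str) or aud != expected_aud:
        raise ValueError("aud does not exactly match this server's identifier")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("assertion expired or exp missing")
    jti = claims.get("jti")
    if not jti or jti in seen_jtis:
        raise ValueError("missing or replayed jti")
    seen_jtis.add(jti)                        # one-time use within the exp window
    return claims
```

The same assertion presented twice is rejected on the second use, and an assertion whose audience is a list or a different form of the server's URL is rejected outright.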