oauth2-server
Support assertions for client authentication
Instead of passing `client_id` and `client_secret` as client authentication, a client can make an assertion instead.
The following parameters will be passed in:
- `client_assertion_type` - e.g. `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`
- `client_assertion` - e.g. a JWT
A new method on the client repository will be required to generate a hash using HMAC
> A new method on the client repository will be required to generate a hash using HMAC

I guess this will all be handled by `lcobucci/jwt`, as HMAC is only needed when the algorithm defined in the sent JWT is HS256.
e.g. for our specific API use case we are using RS256 as the algorithm.
Any ideas when this will be possible?
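
A sketch of the exchange discussed in this thread, added as an illustration; it is not code from oauth2-server or lcobucci/jwt. It builds a `client_assertion` JWT and checks it on the server side using the RFC 7523 claims (`iss`, `sub`, `aud`, `exp`). The `CLIENTS` registry, `TOKEN_ENDPOINT` and both function names are assumptions, and only HS256 is covered (standard library only).

```python
import base64, hashlib, hmac, json, time

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
TOKEN_ENDPOINT = "https://as.example/token"   # assumed audience value
# Hypothetical client registry: the algorithm is pinned per client at registration.
CLIENTS = {"client-1": {"alg": "HS256", "secret": b"constructed-demo-secret"}}

def _b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_assertion(client_id, secret, alg="HS256", ttl=60, now=None):
    """Client side: build the JWT sent as client_assertion (constructed sample)."""
    now = int(time.time()) if now is None else now
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps({"iss": client_id, "sub": client_id,
                             "aud": TOKEN_ENDPOINT, "exp": now + ttl}).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def authenticate_client(params, now=None):
    """Server side: return the client_id, or None if the assertion is rejected."""
    now = int(time.time()) if now is None else now
    if params.get("client_assertion_type") != JWT_BEARER:
        return None
    try:
        head, body, sig = params.get("client_assertion", "").split(".")
        header, claims = json.loads(_b64d(head)), json.loads(_b64d(body))
        client = CLIENTS[claims["iss"]]
        # Use the registered algorithm; the JWT header only has to agree with it.
        if header.get("alg") != client["alg"] or client["alg"] != "HS256":
            return None   # an RS256 client would be verified against its public key
        good = hmac.new(client["secret"], f"{head}.{body}".encode(),
                        hashlib.sha256).digest()
        if not hmac.compare_digest(good, _b64d(sig)):
            return None
        if claims["sub"] != claims["iss"] or claims["aud"] != TOKEN_ENDPOINT:
            return None
        if claims["exp"] <= now:
            return None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    return claims["iss"]
```
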