oauth2-server

Support assertions for client authentication

Open alexbilbie opened this issue 8 years ago • 2 comments

Instead of passing client_id and client_secret as client authentication a client can make an assertion instead.

The following parameters will be passed in:

  • client_assertion_type - e.g. urn:ietf:params:oauth:client-assertion-type:jwt-bearer
  • client_assertion - e.g. a JWT

A new method on the client repository will be required to generate a hash using HMAC.

alexbilbie avatar Apr 23 '16 08:04 alexbilbie

> A new method on the client repository will be required to generate a hash using HMAC

I guess this will all be handled by lcobucci/jwt, as HMAC is only needed when the algorithm defined in the sent JWT is HS256.

e.g. for our specific API use case we are using RS256 as the algorithm.

Perni1984 avatar Apr 24 '16 11:04 Perni1984
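The check discussed in the two comments above, as an added example that is not from the issue's participants or from oauth2-server: a server-side verification of an HS256 `client_assertion` keyed by the client secret, written in plain PHP rather than with lcobucci/jwt. The function names, the `$secrets` map standing in for the client repository, and the sample client, secret and endpoint are all assumptions made for illustration.

```php
<?php
// Added example, not oauth2-server code. All function names are hypothetical.
const JWT_BEARER = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
function b64url_decode(string $s)
{
    $s .= str_repeat('=', (4 - strlen($s) % 4) % 4);
    return base64_decode(strtr($s, '-_', '+/'), true);
}
// Returns the authenticated client_id, or null. $secrets stands in for the
// client repository lookup (client_id => shared secret).
function authenticateClientAssertion(string $type, string $jwt, array $secrets,
                                     string $tokenEndpoint, int $now): ?string
{
    $parts = explode('.', $jwt);
    if ($type !== JWT_BEARER || count($parts) !== 3) return null;
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_decode($h) ?: '', true);
    $claims = json_decode(b64url_decode($p) ?: '', true);
    $sig = b64url_decode($s);
    if (!is_array($header) || !is_array($claims) || !is_string($sig)) return null;

    // Pin the expected algorithm server-side; never let the token's own
    // "alg" header choose how it is verified.
    if (($header['alg'] ?? null) !== 'HS256') return null;
    // RFC 7523: for client authentication, "sub" is the client_id.
    $sub = $claims['sub'] ?? null;
    if (!is_string($sub) || !isset($secrets[$sub])) return null;
    // HMAC over "<header>.<payload>" with the client secret, constant-time compare.
    $expected = hash_hmac('sha256', "$h.$p", $secrets[$sub], true);
    if (!hash_equals($expected, $sig)) return null;

    // Claims are trusted only after the signature check. Requiring iss == sub
    // is an assumption of this sketch; jti replay tracking is left out.
    $aud = (array) ($claims['aud'] ?? []);
    $exp = $claims['exp'] ?? null;
    $ok = ($claims['iss'] ?? null) === $sub && in_array($tokenEndpoint, $aud, true)
        && is_int($exp) && $exp > $now;
    return $ok ? $sub : null;
}

// Constructed sample input: made-up client, secret and token endpoint.
$secrets = ['demo-client' => 'constructed-secret-not-real'];
$enc = fn(string $b) => rtrim(strtr(base64_encode($b), '+/', '-_'), '=');
$h = $enc(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
$p = $enc(json_encode(['iss' => 'demo-client', 'sub' => 'demo-client',
    'aud' => 'https://as.example/token', 'exp' => 2000000000]));
$jwt = "$h.$p." . $enc(hash_hmac('sha256', "$h.$p", $secrets['demo-client'], true));
var_dump(authenticateClientAssertion(JWT_BEARER, $jwt, $secrets, 'https://as.example/token', 1900000000));
```

For RS256 assertions the same claim checks apply, but the signature would be verified against the client's registered public key instead of an HMAC over the shared secret.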

Any ideas when this will be possible?

JurRutten avatar Dec 22 '23 10:12 JurRutten