Initial private (JWT) key registration process

The private_key_jwt authentication is based on an asymmetric key pair: the private part is generated by and known only to the client, whereas the public part is communicated to and registered in the authorization server for that specific client.

(Diagram: private_key_jwt registration)


See also: ae.1.- Generation of (ES256) asymmetric keys



Private (JWT) key authentication process

The authentication flow of private_key_jwt is depicted in the diagram below.

(Diagram: private_key_jwt authentication)

The private_key_jwt authentication consists of creating a JSON structure (the JWT claims set) containing the following login attributes:

Attribute | Example | Description
iss | das-api-auth | Issuer: client id
sub | das-api-auth | Subject: client id
aud | https://logindev.wipo.int:443/am/oauth2/access_token | Audience: token endpoint of the authorization server
exp | 1622450728 | Expiration time: the expiration time of the data, current time + a small number of seconds (current epoch + 10 s is ok)

The ES256 signing algorithm, the attributes above and the signature over them must be served in JWT format (RFC 7519), as shown below:

JWT client assertion header

{
  "alg": "ES256",
  "typ": "JWT"
}

JWT client assertion payload

{
  "iss": "das-api-auth",
  "sub": "das-api-auth",
  "aud": "https://logindev.wipo.int:443/am/oauth2/access_token",
  "exp": 1622450728
}

JWT client assertion signature

# ES256 signature computed over the base64url-encoded header and payload joined by '.';
# the resulting signature bytes (r||s) are themselves base64url-encoded (RFC 7515).

All three parts are base64url-encoded and joined with '.' to make up the JWT, as follows:

private_key_jwt assertion

eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJkYXMtYXBpLWF1dGgiLCJzdWIiOiJkYXMtYXBpLWF1dGgiLCJhdWQiOiJodHRwczovL2xvZ2luZGV2LndpcG8uaW50OjQ0My9hbS9vYXV0aDIvYWNjZXNzX3Rva2VuIiwiZXhwIjoxNjIyNDUwNzI4fQ.BLA6k2kKKFVm6AG-DPDpRU_5JDFGRF1dHjKul7saWCv5OxXGg4EY-J9e1p8Dg0ngD2dZ2grkJ2su7jaHy67YEw

The JWT client assertion can now be submitted to the authorization server for authentication at the token endpoint (i.e. POST https://logindev.wipo.int:443/am/oauth2/access_token in the attached specification), including the following parameters for client_credentials:

POST parameter | Example | Description
grant_type | client_credentials | The OAuth2 client_credentials authentication flow is used for machine-to-machine communication
scope | das-api/das-access | Scopes (= roles), if any, separated by spaces, which are required to use the DAS API
client_assertion_type | urn:ietf:params:oauth:client-assertion-type:jwt-bearer | The client_assertion_type indicates to the authorization server the method used to authenticate; private_key_jwt requires jwt-bearer
client_assertion | eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJkYXMtYXBpLWF1dGgiLCJzdWIiOiJkYXMtYXBpLWF1dGgiLCJhdWQiOiJodHRwczovL2xvZ2luZGV2LndpcG8uaW50OjQ0My9hbS9vYXV0aDIvYWNjZXNzX3Rva2VuIiwiZXhwIjoxNjIyNDUwNzI4fQ.BLA6k2kKKFVm6AG-DPDpRU_5JDFGRF1dHjKul7saWCv5OxXGg4EY-J9e1p8Dg0ngD2dZ2grkJ2su7jaHy67YEw | The JWT generated in the paragraph above


Note: The above token endpoint is part of a third-party product that supports the OpenID Connect (OIDC) authentication protocol, which is built on the OAuth 2.0 family of specifications.


See also: ae.2.- Sample authentication script (using JWT private key)


Warning: Certificate to communicate to WIPO

After generating the ES256 key, you will obtain the following files (or similar):

es256_cert.pem | Certificate file that will be communicated to WIPO for the configuration of the private_key_jwt client authentication
es256_private.pem | Must never be communicated and must be kept secret; used by the client to sign the private_key_jwt authentication request
es256_public.pem | Used only at the generation step, kept for record
openssl.cnf | Used only at the generation step, kept for record

As per the process, in order to register the Office key on WIPO systems, be aware that the file that has to be sent to WIPO is the certificate (not the public key file).


