Client Authentication with Private Key JWT using WSO2 Identity Server

What is Private Key JWT Client Authentication?

The OAuth2 client shares its public key with the authorization server.
The OAuth2 client sends a JWT signed with its private key to the token endpoint to authenticate itself and obtain an access token.
The authorization server authenticates the client by validating the signature with the client's public key.

Configuring Client Authentication with Private Key JWT

keytool -genkey -alias <client_ID> -keyalg RSA -keystore TodayApp.jks
keytool -export -alias <client_ID> -file nwU59qy9AsDqftmwLcfmkvOhvuYa -keystore TodayApp.jks
keytool -importkeystore -srckeystore TodayApp.jks -destkeystore TodayApp.p12 -deststoretype PKCS12
openssl pkcs12 -in TodayApp.p12 -nokeys -out pubcert.pem
openssl pkcs12 -in TodayApp.p12 -nodes -nocerts -out privatekey.pem
iss: [REQUIRED] Issuer. This must contain the client_id of the OAuth Client.
sub: [REQUIRED] Subject. This must contain the client_id of the OAuth Client.
aud: [REQUIRED] Audience. A value that identifies the Authorization Server as an intended audience. The Authorization Server must verify that it is an intended audience for the token. The audience should be the URL of the Authorization Server's Token Endpoint.
jti: [REQUIRED] JWT ID. A unique identifier for the token, which can be used to prevent reuse of the token. These tokens must only be used once unless conditions for reuse were negotiated between the parties; any such negotiation is beyond the scope of this specification.
exp: [REQUIRED] Expiration time on or after which the JWT must not be accepted for processing.
iat: [OPTIONAL] Time at which the JWT was issued.
{
"typ": "JWT",
"alg": "RS256",
"kid": "piraveena"
}
{
"iss": "CAeFC1u5I0SZvh5FfYgYk2IMRNsa",
"sub": "CAeFC1u5I0SZvh5FfYgYk2IMRNsa",
"exp": 1581752233,
"iat": 1581748633,
"jti": "10003",
"aud": "https://localhost:9443/oauth2/token"
}
keytool -importcert -alias <client-id> -file pubcert.pem -keystore ${IS_HOME}/repository/resources/security/client-truststore.jks -storepass wso2carbon -noprompt
[[event_listener]]
id = "private_key_jwt_authenticator"
type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler"
name = "org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.PrivateKeyJWTClientAuthenticator"
order = "899"
[event_listener.properties]
PreventTokenReuse = true
EnableCacheForJTI = true
[oauth.grant_type.client_credentials]
allow_id_token = true # to get id_token for client_credential type
[[cache.manager]]
name = "PrivateKeyJWT"
timeout = "300"
capacity = "5000"
isDistributed = "false"
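The assertion claims listed above and the PreventTokenReuse / EnableCacheForJTI settings, worked through as an added Go example (not WSO2 code): BuildAssertion plays the client, signing the header and claims RS256 with the private key, and VerifyAssertion plays the authorization server, checking the signature against the registered public key and then iss, sub, aud, exp and one-time use of jti. The client_id, kid and token endpoint values are the ones shown on this page; the seenJTI map is an assumed stand-in for the server's JTI cache.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// BuildAssertion is the client side: iss and sub carry the client_id, aud names the token
// endpoint, and header.claims is signed RS256 with the client's private key (now: Unix seconds).
func BuildAssertion(priv *rsa.PrivateKey, clientID, tokenEndpoint, kid, jti string, now int64) (string, error) {
	header, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "RS256", "kid": kid})
	claims, _ := json.Marshal(map[string]interface{}{"iss": clientID, "sub": clientID,
		"aud": tokenEndpoint, "jti": jti, "exp": now + 300, "iat": now}) // 5-minute lifetime
	input := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input)) // JWT segments are base64url without padding
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), err // sig is nil on error
}

// VerifyAssertion is the authorization server side: verify the signature with the public key
// registered for the client, then iss/sub, aud, exp and single use of jti (seenJTI = JTI cache).
func VerifyAssertion(pub *rsa.PublicKey, token, clientID, tokenEndpoint string, now int64, seenJTI map[string]bool) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed assertion")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("signature does not verify against the client's public key")
	}
	var c map[string]interface{}
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return errors.New("undecodable claims")
	}
	jti, _ := c["jti"].(string)
	exp, _ := c["exp"].(float64)
	if c["iss"] != clientID || c["sub"] != clientID || c["aud"] != tokenEndpoint ||
		int64(exp) <= now || jti == "" || seenJTI[jti] {
		return errors.New("claims rejected: iss/sub/aud mismatch, expired, or jti reused")
	}
	seenJTI[jti] = true // remember the jti so a replayed assertion is refused
	return nil
}
```

A second presentation of the same assertion is rejected because its jti is already in the cache, which is exactly what PreventTokenReuse enforces on the server.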

Curl commands to get id_token with private-key JWT authentication

Software Engineer @WSO2, CSE Undergraduate @ University of Moratuwa, Former Software Engineering Intern @ WSO2