For Authlete 2.x documentation, see 2.x version.
Preface
This article provides an overview of the fundamental aspects of configuring client authentication in Authlete.
How Client Authentication Works in Authlete
Authlete performs client authentication while processing token requests (POST /auth/token), using both pre-configured information and information obtained at runtime.
Pre-configured Information
You will configure both an Authlete Service (an API instance acting as the backend of an authorization server) and a client in that service.
- Authlete service
- Client
Information obtained at runtime
On receiving a token request from a client, the authorization server passes the content of the request to Authlete's POST /auth/token API, which processes it. Authlete parses the content, detects the identity of the client, determines the pre-configured authentication method, and performs client authentication. Some client authentication methods require additional information, such as the value of the Authorization header in the HTTP request from the client to the authorization server, or the client certificate used in the mutual TLS connection between the parties. In such cases, the authorization server extracts that information from the HTTP request or the mutual TLS connection and sends it to Authlete along with the content of the token request.
Configuration example
This section shows an example of using the CLIENT_SECRET_BASIC method to authenticate a client (ID: 1257…) and fulfill a token request.
Service Settings
These settings are part of the pre-configuration. To enable the CLIENT_SECRET_BASIC method in your service:
- Log in to the Authlete Management Console.
- Click on your Organization name and choose your Service.
- Navigate to Service Settings > Endpoints > Token.
- Under the Supported Client Authentication Methods section, select the CLIENT_SECRET_BASIC checkbox.
- Click Save Changes to apply the updates.
Client Settings
To enable the CLIENT_SECRET_BASIC method for your client:
- Navigate to Client Settings > Endpoints > Token > General.
- Under the Client Authentication Method section, open the dropdown menu and select CLIENT_SECRET_BASIC.
- Click Save Changes to apply the updates.
Client ID and Client Secret in Client Basic Settings
CLIENT_SECRET_BASIC requires only a client ID and a client secret to authenticate the client. In Authlete, these values are generated automatically (“1257…” and “gTyu…” respectively in this example). The client administrator configures the client with these auto-generated values. To view your Client ID and Client Secret in the Authlete Management Console:
- Log in to the Authlete Management Console.
- Click on your Organization name and choose your Service.
- Navigate to Client Settings > Basic Settings > General.
Client Request Flow from Start to Finish
Here is the flow from a token request by the client to its fulfillment by Authlete.
Step 1
The client prepares a token request. The request is sent to the authorization server together with the information needed for client authentication. In this case, the client places its client ID (1257…) and secret (gTyu…) in the Authorization header of the HTTP request.
| Item | Value |
|---|---|
| Content of token request | grant_type=authorization_code&code=...&redirect_uri=... |
| Client ID | 1257... |
| Client secret | gTyu... |
Method Specific Configuration Tips
Both the client information to be pre-configured in an Authlete service and the tasks an authorization server must perform on receiving a token request differ for each client authentication method. This table describes configuration tips for some of the methods supported by Authlete.
| Authentication Method | Client Behavior | Authlete Settings | Authorization Server Settings |
|---|---|---|---|
| CLIENT_SECRET_BASIC | The client sets its ID and secret in the Authorization header when sending a token request. | No additional settings required; Authlete automatically generates and manages the client's ID and secret. | Extracts the client's ID and secret from the Authorization header and includes them as parameters in the POST /auth/token request. |
| CLIENT_SECRET_POST | The client includes its ID and secret as parameters in the token request. | No additional settings required, as with CLIENT_SECRET_BASIC. | No additional operations needed; the client's ID and secret are part of the token request content. |
| CLIENT_SECRET_JWT | The client generates a JWT assertion containing a MAC (message authentication code) computed with the client's secret and adds it as a parameter in the token request. For more details, see Client authentication using client_secret_jwt method. | Specify the “assertion signing algorithm” for the JWT assertion in Authlete. Authlete automatically generates and manages the client's secret. | No additional operations needed; the JWT assertion is part of the token request content. |
| PRIVATE_KEY_JWT | The client generates a digitally signed JWT assertion using public key cryptography and adds it as a parameter in the token request. For more details, see Client authentication using private_key_jwt method. | Specify the “assertion signing algorithm” of the JWT assertion and register the client's public key in Authlete. | No additional operations needed; the JWT assertion is part of the token request content. |
| TLS_CLIENT_AUTH | The client establishes a mutual TLS connection and is authenticated using the client certificate obtained from that connection. For more details, see Client authentication using tls_client_auth method. | Specify the “subject name” of the client's certificate in Authlete. | Extracts the client's certificate from the mutual TLS connection and includes it as a parameter in the POST /auth/token request. |
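The CLIENT_SECRET_BASIC row above (and Step 1 of the flow) is the one case where the authorization server has to do extraction work itself. The following Python is an added example, not code from Authlete or this page: it parses the HTTP Basic Authorization header the way RFC 6749 section 2.3.1 defines it (each field form-urlencoded, joined by a colon, then base64-encoded), rejects malformed headers, and assembles the `parameters`, `clientId` and `clientSecret` fields of the POST /auth/token payload. The sample client ID, secret and authorization code are constructed placeholders, since the page's own values are truncated; the code does not call Authlete and does not verify the secret, because that is Authlete's job.

```python
import base64
import binascii
from urllib.parse import quote, unquote


class MalformedBasicAuth(ValueError):
    """The Authorization header is present but not a usable HTTP Basic credential."""


def parse_basic_auth(header):
    """Return (client_id, client_secret) from an HTTP Basic header, or None if absent.

    RFC 6749 2.3.1: client_id and client_secret are each form-urlencoded, joined
    with ':' and base64-encoded. A secret may itself contain ':' only in encoded
    form, so splitting on the first colon is correct.
    """
    if header is None:
        return None  # no header: client may be using another method, e.g. CLIENT_SECRET_POST
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        raise MalformedBasicAuth("expected 'Basic <credentials>'")
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise MalformedBasicAuth("credentials are not valid base64") from exc
    client_id, sep, client_secret = decoded.partition(":")
    if not sep or not client_id:
        raise MalformedBasicAuth("credentials must be 'client_id:client_secret'")
    return unquote(client_id), unquote(client_secret)


def build_authlete_token_request(raw_body, authorization_header):
    """Assemble the payload an authorization server posts to Authlete's /auth/token.

    'parameters' carries the token request body verbatim; for CLIENT_SECRET_BASIC
    the server adds 'clientId' and 'clientSecret' taken from the header. Authlete
    then authenticates the client against the secret it stores for that client.
    """
    payload = {"parameters": raw_body}
    creds = parse_basic_auth(authorization_header)
    if creds is not None:
        payload["clientId"], payload["clientSecret"] = creds
    return payload


# Constructed sample values (placeholders, not real credentials). The secret
# contains a ':' to show that percent-encoding keeps the split unambiguous.
SAMPLE_CLIENT_ID = "1257000000"
SAMPLE_CLIENT_SECRET = "gTyu-placeholder:secret"
SAMPLE_HEADER = "Basic " + base64.b64encode(
    f"{quote(SAMPLE_CLIENT_ID, safe='')}:{quote(SAMPLE_CLIENT_SECRET, safe='')}".encode()
).decode()
SAMPLE_BODY = "grant_type=authorization_code&code=sample-code&redirect_uri=https%3A%2F%2Fclient.example%2Fcb"

if __name__ == "__main__":
    print(build_authlete_token_request(SAMPLE_BODY, SAMPLE_HEADER))
```

A MalformedBasicAuth should be answered with an invalid_client error rather than forwarded to Authlete, so the server never sends half-parsed credentials downstream.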