Signature validation on Request JWT in OAuth2.0 /authorize operation


#1

In https://developer.okta.com/docs/api/resources/oidc#parameter-details, it indicates that the Request JWT must be signed using the app’s client secret. Does that mean Okta only supports the client_secret_jwt mechanism for client authentication (http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication), and not the private_key_jwt mechanism? If private_key_jwt is not currently supported, what is the process to request that function be added to Okta?


#2

Signing the request vs. client authentication for the token endpoint is a little different.

If you are asking about an OpenID Connect signed request, the discovery document lists:

"request_object_signing_alg_values_supported": [
    "HS256",
    "HS384",
    "HS512"
]

i.e. signed with the client secret.

If you are asking about which token endpoint auth methods we support, it is:

"token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "client_secret_jwt",
    "none"
]

Okta already has a case logged internally to add private_key_jwt. If you want to track it or add your business case to it, you can send us an email at developers@okta.com.
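To make the distinction in the answer concrete, here is an added example (not Okta's code, standard library only) that builds both HS256 JWTs the answer describes: a signed request object for the /authorize `request` parameter, whose claims carry the authorization parameters, and a client_secret_jwt assertion for the token endpoint, whose claims are the RFC 7523 set (iss/sub = client_id, aud = token endpoint, jti, exp). Both are keyed with the client secret; a private_key_jwt assertion would carry the same claims but be signed with the client's private key (RS256/ES256) instead of an HMAC. The issuer URL, token endpoint, client id, secret and redirect URI are constructed placeholders.

```python
import base64, hashlib, hmac, json, time, uuid

# Constructed placeholders; substitute the real Okta org / authorization server values.
ISSUER = "https://example.okta.com/oauth2/default"
TOKEN_ENDPOINT = ISSUER + "/v1/token"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, client_secret: str) -> str:
    """Compact JWS over `claims`, HS256 keyed with the OAuth client secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    mac = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(mac)}"

def verify_hs256(token: str, client_secret: str) -> dict:
    """Server-side check: pin alg to HS256 (never trust the header's choice) and compare MACs in constant time."""
    head_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    mac = hmac.new(client_secret.encode(), f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(mac), sig_b64):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))

def request_object(client_id: str, client_secret: str, redirect_uri: str, state: str) -> str:
    """JWT for the /authorize `request` parameter: the authorization parameters ride inside the claims.
    Using the OP issuer as `aud` is an assumption taken from OIDC Core, not from the Okta docs."""
    claims = {"iss": client_id, "aud": ISSUER, "response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid", "state": state}
    return sign_hs256(claims, client_secret)

def client_secret_jwt_assertion(client_id: str, client_secret: str, lifetime: int = 60) -> str:
    """client_assertion for the token endpoint (client_secret_jwt): short-lived, single-use via jti."""
    now = int(time.time())
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + lifetime}
    return sign_hs256(claims, client_secret)
```

The token request then sends the assertion as `client_assertion` with `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer`, while the request object goes in the `request` query parameter of /authorize.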