Signature validation on Request JWT in OAuth2.0 /authorize operation

In OpenID Connect & OAuth 2.0 API | Okta Developer, it indicates that the Request JWT must be signed using the app’s client secret. Does that mean Okta only supports the client_secret_jwt mechanism for client authentication (Final: OpenID Connect Core 1.0 incorporating errata set 1), and not the private_key_jwt mechanism? If private_key_jwt is not currently supported, what is the process to request that function be added to Okta?

Signing the request vs. client authentication for the token endpoint is a little different.

If you are asking about an OpenID Connect signed request (signed with the client secret), the discovery document lists:

"request_object_signing_alg_values_supported": [
    "HS256",
    "HS384",
    "HS512"
]

If you are asking about which token endpoint auth methods we support, they are:

"token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "client_secret_jwt",
    "none"
]

Okta already has a case logged internally to add private_key_jwt; if you want to track it or add your business case to it, you can send us an email at developers@okta.com.
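An added example (not Okta's code, standard library only) of the two different uses of the client secret that the reply distinguishes: signing the /authorize request object with one of the advertised HS* algorithms, and minting a client_secret_jwt assertion for the token endpoint, plus the server-side verification that pins the alg to the advertised list. The issuer URL, client id and secret are constructed placeholders.

```python
import base64, hashlib, hmac, json, time, uuid

ISSUER = "https://example.okta.com/oauth2/default"  # constructed placeholder org
TOKEN_ENDPOINT = ISSUER + "/v1/token"
_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs_sign(claims: dict, secret: str, alg: str = "HS256") -> str:
    # Compact JWS keyed with the shared client secret; only advertised algs are allowed.
    if alg not in _DIGESTS:
        raise ValueError(f"unsupported alg: {alg}")
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), _DIGESTS[alg]).digest()
    return f"{header}.{payload}.{_b64url(mac)}"

def hs_verify(token: str, secret: str) -> dict:
    # Server side: pin alg to the allow-list before any crypto runs (so "none" or an
    # RS* header is refused outright), compare MACs in constant time, then enforce exp.
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg not in _DIGESTS:
        raise ValueError(f"alg not allowed: {alg}")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), _DIGESTS[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", float("inf")) < time.time():
        raise ValueError("expired")
    return claims

def build_request_object(client_id, redirect_uri, scope, state, secret, alg="HS256"):
    # The `request` parameter for /authorize: the authorization parameters travel inside
    # the signed JWT instead of the query string (OIDC Core 6.1).
    claims = {"iss": client_id, "aud": ISSUER, "response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return hs_sign(claims, secret, alg)

def build_client_assertion(client_id, secret, now=None):
    # client_secret_jwt for the token endpoint (OIDC Core 9): iss == sub == client_id,
    # aud is the token endpoint, short lifetime, unique jti for replay detection.
    now = int(time.time() if now is None else now)
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
              "iat": now, "exp": now + 60, "jti": str(uuid.uuid4())}
    return hs_sign(claims, secret)

def is_valid(token: str, secret: str) -> bool:
    try:
        return bool(hs_verify(token, secret))
    except (ValueError, KeyError, TypeError, AttributeError):
        return False
```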
