F5 oAuth Federation with client assertion type = jwt-bearer

awan_m · ‎21-Mar-2023

Hi -

i am trying to setup user authentication with oAuth and F5 is the Client + Resour provider - that needs to authenticate the user -

Question - the options available are to send clientid and secret to get information

is it possible to use

client_assertion_type	urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertion	A JWT that the client has signed

thanks

Leslie_Hubertus · ‎27-Mar-2023

Hi @awan_m - have you been able to figure this one out yet? I see nobody in the community had an answer, so I'm trying to find a colleague who can help. Hopefully someone can reply in the mean time!

awan_m · ‎27-Mar-2023

Thanks for following it up - No i have not succeeded in implementing this solution

i need to generate a JWT and send it to my IDP - thats where i am failing

Matt_Dierick · ‎28-Mar-2023

Hi,

If I understand correctly, APM is set as Client and RS. It means APM will redirect the user to your AS in order to authenticate and get a token (Client role). Which grant is set in your AS ? Authorization code grant ?

Then APM will validate the JWT token (RS role).

By default, APM uses JWT-BEARER as insertion type, and JWT signed (not encrypted by default)

awan_m · ‎28-Mar-2023

Thanks for the response

for openidconnect - i have setup flow type as Hybrid - and Hybrid response type as code-idtoken-token

my identity provider is forgerock asn the attached image shows teh flow

DevCentral

F5 oAuth Federation with client assertion type = jwt-bearer

MFA required on DevCentral