The information you provide here will be included in the Open Liberty beta blog post (example), which will be published on openliberty.io/blog/, and potentially elsewhere, to promote this beta feature/function of Open Liberty. For this post to be included in the beta issue please make sure that this is completed by the end of Friday following the GM (Tuesday). The beta and release blogs are created using automation and rely on you following the template's structure. DO NOT REMOVE/ALTER THE <GHA> TAGS THROUGHOUT THIS TEMPLATE.
Please provide the following information:
Which Liberty feature(s) does your update relate to?
Human-readable name (eg WebSockets feature): OpenID Connect Client 1.0, Social Media Login 1.0
Short feature name (eg websockets-1.0): openidConnectClient-1.0, socialLogin-1.0
Who is the target persona? Who do you expect to use the update? eg application developer, operations.
Server admins.
Provide a summary of the update, including the following points:
A sentence or two that introduces the update to someone new to the general technology/concept.
What was the problem before and how does your update make their life better? (Why should they care?)
Briefly explain how to make your update work. Include screenshots, diagrams, and/or code snippets, and provide a server.xml snippet.
Where can they find out more about this specific update (eg Open Liberty docs, Javadoc) and/or the wider technology?
OpenID Connect clients in Open Liberty now support the private_key_jwt client authentication method with OpenID Connect token endpoints. OpenID Connect clients are required to provide authentication data to the OpenID Connect provider when invoking the provider's token endpoint. Clients can authenticate using several different methods, but most of those methods require a client secret. The new private_key_jwt authentication method allows clients to use asymmetric keys to create signed JSON Web Tokens (JWTs) to authenticate instead of client secrets: the client signs the JWT with its private key, and the provider verifies it with the corresponding public key, so no shared secret needs to be held by the client and the provider. OpenID Connect clients in Open Liberty that use this authentication method are no longer required to have a client secret.
Server administrators can enable this functionality using the new private_key_jwt option for the tokenEndpointAuthMethod attribute, together with the new tokenEndpointAuthSigningAlgorithm and keyAliasName attributes, in either the <openidConnectClient> element (openidConnectClient-1.0) or the <oidcLogin> element (socialLogin-1.0).
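The server.xml snippet below is an added example, not configuration from the original post or from the Open Liberty project. Only tokenEndpointAuthMethod, tokenEndpointAuthSigningAlgorithm, keyAliasName and the two feature names come from this post; the client ID, provider URL, keystore path, password and alias are constructed values, RS256 is assumed to be an accepted signing algorithm value, and locating the signing key through the keystore of the referenced ssl configuration (sslRef) is an assumption about how keyAliasName is resolved.

```xml
<server description="Constructed example: OIDC client authenticating with private_key_jwt">
    <featureManager>
        <feature>openidConnectClient-1.0</feature>
        <feature>socialLogin-1.0</feature>
    </featureManager>

    <!-- Keystore that holds the client's private key under the alias "oidcClientKey".
         Path, password and alias are constructed values; in a real server the
         password should be stored in encoded form rather than as plain text. -->
    <keyStore id="oidcClientKeyStore"
              location="${server.config.dir}/resources/security/oidcClient.p12"
              password="changeit" />

    <!-- SSL configuration whose keystore is assumed to supply the signing key
         referenced by keyAliasName. -->
    <ssl id="oidcClientSSL"
         keyStoreRef="oidcClientKeyStore"
         trustStoreRef="oidcClientKeyStore" />

    <!-- openidConnectClient-1.0: no clientSecret attribute is needed because the
         client authenticates to the token endpoint with a signed JWT. -->
    <openidConnectClient id="rp"
        clientId="example-rp-client"
        discoveryEndpointUrl="https://op.example.com/.well-known/openid-configuration"
        tokenEndpointAuthMethod="private_key_jwt"
        tokenEndpointAuthSigningAlgorithm="RS256"
        keyAliasName="oidcClientKey"
        sslRef="oidcClientSSL" />

    <!-- socialLogin-1.0 equivalent using the oidcLogin element. -->
    <oidcLogin id="rpLogin"
        clientId="example-rp-client"
        discoveryEndpoint="https://op.example.com/.well-known/openid-configuration"
        tokenEndpointAuthMethod="private_key_jwt"
        tokenEndpointAuthSigningAlgorithm="RS256"
        keyAliasName="oidcClientKey"
        sslRef="oidcClientSSL" />
</server>
```

The provider must already know the public half of the key pair (for example through the client's registered JWK set) before it can verify the client assertion; only the private key stays on the Liberty server, which is the property that removes the need for a shared client secret.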
The tokenEndpointAuthSigningAlgorithm attribute specifies the signing algorithm used to sign the JWT that the client presents for authentication. The keyAliasName attribute identifies the private key that signs the JWT.
More information about the Liberty configuration options can be found in the docs for the openidConnectClient element and the oidcLogin element. More information about private_key_jwt client authentication can be found in the OpenID Connect core specification and RFC 7523.
What happens next?
Add the label for the beta you're targeting: target:YY00X-beta.
Make sure this blog post is linked back to the Epic for this feature/function.
Your paragraph will be included in the beta blog post. It might be edited for style and consistency.
You will be asked to review a draft before publication.
Once you've approved the code review, close this issue.
If you would also like to write a standalone blog post about your update (highly recommended), raise an issue on the Open Liberty blogs repo. State in the issue that the blog post relates to a specific release so that we can ensure it is published on an appropriate date (it won't be the same day as the beta blog post).