trifork / klg-docs

Public documentation for Gateway

Using JWTs in token exchange instead of SAML assertion #58

Closed kitohe closed 4 months ago

kitohe commented 4 months ago

I was wondering whether it is possible to use JWTs instead of SAML assertions to get the gateway access token?

I believe that using SAML assertions could be an issue for companies using software which doesn't directly support working with SAML, such as .NET Core. Examples on the Kombit website are using .NET Framework 4.8.2 with WCF, support for which does not exist in .NET Core.

Kombit with Serviceplatformen added support for fetching Bearer tokens in 2023 - Section - Adgangsstyring for webservices - Ny version af Security Token Service (https://digitaliseringskataloget.dk/l%C3%B8sninger/adgangsstyring-systemer). Would it be possible to add support to use those tokens in token exchange?

I believe the request would look similar to this:

```
POST: https://saml.test001.ehealth.sundhed.dk/auth/realms/ehealth/protocol/openid-connect/token
Headers:
    Content-Type=application/x-www-form-urlencoded
Body:
    client_id=eoj
    client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
    client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCIgOiAicn...
    grant_type=urn:ietf:params:oauth:grant-type:token-exchange
    subject_issuer=kombit-sts
    subject_token_type=urn:ietf:params:oauth:token-type:access_token
    subject_token=eyJhbGciOiJSUzI1NiIsImtpZCIgOiAicn... // token from Kombit STS
```

Is this approach with JWTs something that would be considered?
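As an added example (not code from the issue or from the klg-docs project), the following builds the token-exchange body sketched above with JWT client authentication, and performs the pre-flight checks a client would want before sending it: the Kombit subject token is not already expired, and the client assertion's iss/sub match the client_id as RFC 7523 requires. Token payloads are only decoded here, never verified; signature verification is the token endpoint's job. The client_id "solteq-test" and all token contents are constructed for the test.

```python
import base64
import json
import time
from urllib.parse import urlencode

# URNs are the ones quoted in the issue; everything else here is constructed.
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def peek_claims(jwt: str) -> dict:
    """Read the payload of a compact JWS without verifying its signature.
    Pre-flight sanity check only; the STS is what verifies the signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def build_exchange_body(client_id, client_assertion, subject_token,
                        subject_issuer="kombit-sts", now=None) -> str:
    """Build the x-www-form-urlencoded body, refusing inputs the token endpoint
    would reject anyway: an expired subject token, or a client assertion whose
    iss/sub is not this client_id (RFC 7523 section 3)."""
    now = time.time() if now is None else now
    if peek_claims(subject_token).get("exp", 0) <= now:
        raise ValueError("subject_token is expired")
    assertion = peek_claims(client_assertion)
    if assertion.get("iss") != client_id or assertion.get("sub") != client_id:
        raise ValueError("client_assertion iss/sub must equal client_id")
    return urlencode({
        "client_id": client_id,
        "client_assertion_type": JWT_BEARER,
        "client_assertion": client_assertion,
        "grant_type": TOKEN_EXCHANGE,
        "subject_issuer": subject_issuer,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "subject_token": subject_token,
    })

def fake_jws(claims: dict) -> str:
    """Constructed test token: real header/payload encoding, placeholder signature."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "test"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-sig"
```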

Kirstinerosenbeck commented 4 months ago

I am no expert, but your client_id seems to be the generic one from the documentation. Did you obtain a specific solteq client_id, as described here: https://ehealth-dk.atlassian.net/wiki/spaces/EDTW/pages/2187362305/SAML+Assertion+to+JWT+Exchange#JWT-Client-Authentication

Other than that, Trifork / @jkiddo, would you take a look at this?

kitohe commented 4 months ago

Hi Kirstine, thanks for your reply.

Yeah, the client_id in my example is from the documentation, as this is just a generic idea that I was wondering whether is supported on Trifork.

Regarding fetching our client_id, I cannot find in the documentation you provided how to obtain a client_id. It just says: "The system has a client in Keycloak with a client_id", and I don't know how I can access Keycloak (unless I am looking in the wrong place). Would you be able to provide us with our client_id?

Kirstinerosenbeck commented 4 months ago

Hi again

I have talked to KL. We are not doing further development on the Gateway before the end of this project, so Bearer tokens will not be supported at this point. I also talked to Trifork on Friday. They promised to look at your other question as soon as possible.

ohetrifork commented 4 months ago

Hi @kitohe. Your client_id on the TEST001 environment is currently named "solteq-test".

kitohe commented 4 months ago

Thank you all. I was able to get the access token so I am closing this issue.