
OIDC Clients gain PKCE and Private Key JWT authentication support in Open Liberty 23.0.0.6-beta

Michal Broz on Jun 13, 2023

Open Liberty 23.0.0.6-beta includes support for Private Key JWT authentication and Proof Key for Code Exchange (PKCE) for OpenID Connect clients.

This release also includes the latest updates to our ongoing InstantOn functionality, which provides incredibly fast startup times, as well as the latest Jakarta Data preview.

If you’d like to know what else the team is currently considering or actively working on, refer to the Open Liberty Roadmap and the in-progress work items.

The Open Liberty 23.0.0.6-beta includes the following beta features (along with all GA features):

You can also check out our previous Open Liberty beta blog posts.

Private Key JWT authentication support for OpenID Connect clients

OpenID Connect clients in Liberty now support the private_key_jwt client authentication method with OpenID Connect token endpoints.

OpenID Connect clients are required to provide authentication data to the OpenID Connect provider when they invoke the provider’s token endpoint. Clients can authenticate using several different methods, but most of those methods require a client secret. The new private_key_jwt authentication method enables a client to authenticate with a signed JSON Web Token (JWT) that it creates with its own asymmetric private key, instead of presenting a client secret. OpenID Connect clients using this authentication method are no longer required to have a client secret.

Server administrators can enable this functionality using the new private_key_jwt option for the tokenEndpointAuthMethod attribute, as well as the new tokenEndpointAuthSigningAlgorithm and keyAliasName attributes in either the openidConnectClient or oidcLogin elements in their server.xml file.

For example, when you use the OpenID Connect Client feature, include configuration similar to the following example:

    <featureManager>
        <feature>openidConnectClient-1.0</feature>
    </featureManager>
    ...
    <openidConnectClient tokenEndpointAuthMethod="private_key_jwt" keyAliasName="privatekeyaliasRS512" ... />

If you are using the Social Media Login feature, include configuration similar to the following example:

    <featureManager>
        <feature>socialLogin-1.0</feature>
    </featureManager>
    ...
    <oidcLogin tokenEndpointAuthMethod="private_key_jwt" tokenEndpointAuthSigningAlgorithm="ES512" keyAliasName="privatekeyaliasES512" ... />

The tokenEndpointAuthSigningAlgorithm attribute specifies the algorithm used to sign the JWT that authenticates the client. The keyAliasName attribute names the key that is used to sign that JWT.

For more information about the configuration options, refer to the docs for the openidConnectClient element and the oidcLogin element.

For more information about private_key_jwt client authentication, refer to the OpenID Connect core specification and RFC 7523.
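To show what the configuration above actually makes the client do at the token endpoint, here is an added example, written for this post and not Open Liberty's own code: it builds an RFC 7523 client assertion, the form body that carries it (with no client_secret), and the checks a token endpoint applies when it receives one. It uses only the Python standard library, so RS256 is implemented from RFC 8017 and the key comes from a toy Miller-Rabin generator; CLIENT_ID, TOKEN_ENDPOINT, the kid and the authorization code are constructed placeholders, and a deployed client would instead load the key that keyAliasName refers to.

```python
"""private_key_jwt client authentication (RFC 7523 / OIDC Core section 9). Added example, not
Open Liberty's code; standard library only, with RS256 built from RFC 8017 and a toy Miller-Rabin
key generator so it runs offline. CLIENT_ID, TOKEN_ENDPOINT and the kid are constructed."""
import base64, hashlib, json, secrets, time

CLIENT_ID = "rp-client"                                 # constructed
TOKEN_ENDPOINT = "https://op.example.com/oidc/token"    # constructed
SMALL_PRIMES = [p for p in range(3, 2000, 2) if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2, note 1

def b64url(data: bytes) -> str: return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes: return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; adequate for a demo key, not a vetted implementation."""
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    r = ((n - 1) & (1 - n)).bit_length() - 1            # n - 1 == d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def gen_rsa_key(bits: int = 2048):
    """Return (n, e, d). A deployed client loads the key named by keyAliasName from its keystore."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1      # full length and odd
            if is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def emsa_pkcs1_v15(msg: bytes, k: int) -> int:              # RFC 8017 section 9.2 with SHA-256
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(emsa_pkcs1_v15(msg, k), d, n).to_bytes(k, "big")

def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == emsa_pkcs1_v15(msg, k)

def build_client_assertion(n: int, d: int, kid: str = "demo-key-1", lifetime: int = 60) -> str:
    """The JWT the client sends as client_assertion; claims per RFC 7523 section 3."""
    now = int(time.time())
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}     # kid lets the OP pick the registered key
    claims = {"iss": CLIENT_ID, "sub": CLIENT_ID,           # the client vouches for itself
              "aud": TOKEN_ENDPOINT,                        # pins the assertion to this token endpoint
              "jti": secrets.token_urlsafe(16),             # unique id so the OP can reject replays
              "iat": now, "exp": now + lifetime}            # short lifetime shrinks the replay window
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(rs256_sign(signing_input.encode(), n, d))

def token_request_body(code: str, redirect_uri: str, assertion: str) -> dict:
    """Form fields POSTed to the token endpoint; note that no client_secret is sent."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": CLIENT_ID, "client_assertion": assertion,
            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"}

def verify_client_assertion(assertion: str, client_id: str, n: int, e: int, seen_jti: set) -> bool:
    """Token-endpoint side: signature with the client's registered public key, then the claims."""
    try:
        h, p, s = assertion.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
        if header["alg"] != "RS256" or not rs256_verify(f"{h}.{p}".encode(), b64url_decode(s), n, e):
            return False                                    # pin the algorithm; never honour "none"
        ok = (claims["iss"] == client_id == claims["sub"] and claims["aud"] == TOKEN_ENDPOINT
              and claims["exp"] > int(time.time()) and claims["jti"] not in seen_jti)
    except (ValueError, KeyError, TypeError):
        return False
    if ok:
        seen_jti.add(claims["jti"])                         # a real OP persists this until exp
    return ok

def demo(bits: int = 2048) -> dict:
    n, e, d = gen_rsa_key(bits)                             # happy path, jti replay, edited payload
    seen, assertion = set(), build_client_assertion(n, d)
    first = verify_client_assertion(assertion, CLIENT_ID, n, e, seen)
    replay = verify_client_assertion(assertion, CLIENT_ID, n, e, seen)
    h, p, s = assertion.split(".")
    forged = b64url(json.dumps({**json.loads(b64url_decode(p)), "sub": "other-client"}).encode())
    return {"first": first, "replay": replay,
            "tampered": verify_client_assertion(f"{h}.{forged}.{s}", CLIENT_ID, n, e, seen),
            "request": token_request_body("constructed-code", "https://rp.example.com/cb", assertion)}
```

Running demo() returns first=True, replay=False and tampered=False: the same assertion is accepted once, rejected when its jti is seen again, and rejected when the signed claims are edited. The aud check is what stops an assertion issued for one provider from being presented to another, which is why the claim carries the token endpoint URL rather than a generic name.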

PKCE support for OpenID Connect clients

OpenID Connect clients in Open Liberty now support Proof Key for Code Exchange (PKCE) (RFC 7636). PKCE is an extension of the OAuth 2.0 specification that provides protection from authorization code interception attacks for OAuth 2.0 public clients. In very specific scenarios, a malicious application can intercept an authorization code intended for a legitimate OAuth 2.0 public client and use the authorization code to obtain access and ID tokens on behalf of the client. PKCE introduces additional steps and request parameters to prevent such interception attacks.

Server administrators can enable this functionality using the pkceCodeChallengeMethod attribute in either the <openidConnectClient> or <oidcLogin> elements in their server.xml.

For example, when you use the OpenID Connect Client feature, include configuration similar to the following example:

    <featureManager>
        <feature>openidConnectClient-1.0</feature>
    </featureManager>
    ...
    <openidConnectClient pkceCodeChallengeMethod="S256" ... />

If you are using the Social Media Login feature, include configuration similar to the following example:

    <featureManager>
        <feature>socialLogin-1.0</feature>
    </featureManager>
    ...
    <oidcLogin pkceCodeChallengeMethod="S256" ... />

For more information about the configuration options, refer to the docs for the openidConnectClient element and the oidcLogin element. For more information about PKCE, refer to RFC 7636.
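To make concrete what pkceCodeChallengeMethod="S256" changes on the wire, here is an added example, written for this post and not Open Liberty's own code, that implements both halves of RFC 7636: the client derives a code_challenge from a random code_verifier and sends only the challenge on the front channel, and a minimal provider binds that challenge to the issued code and checks the verifier when the code is redeemed. The client id, redirect URI and issued codes are constructed placeholders, and only the PKCE-relevant request parameters are shown.

```python
"""PKCE (RFC 7636) on both sides of the authorization-code flow. Added example, not Open
Liberty's code; client_id, redirect URI and the issued codes are constructed placeholders and
only the PKCE-relevant request parameters are shown."""
import base64, hashlib, re, secrets

VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")   # unreserved chars, 43..128 long (section 4.1)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def new_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 unreserved characters."""
    return b64url(secrets.token_bytes(nbytes))

def code_challenge(verifier: str, method: str = "S256") -> str:
    """S256 (what pkceCodeChallengeMethod="S256" selects) hides the verifier; 'plain' sends it as-is."""
    if not VERIFIER_RE.match(verifier):
        raise ValueError("code_verifier does not meet RFC 7636 section 4.1")
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method")

def authorize_params(client_id: str, redirect_uri: str, challenge: str) -> dict:
    """Front channel (browser redirect): carries the challenge only, never the verifier."""
    return {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
            "scope": "openid", "state": secrets.token_urlsafe(16),
            "code_challenge": challenge, "code_challenge_method": "S256"}

def token_params(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Back channel (direct TLS POST): the verifier is revealed only here, alongside the code."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "code_verifier": verifier}

class AuthorizationServer:
    """Provider side: bind the challenge to the code at issue time, check it at redemption."""
    def __init__(self):
        self.pending = {}                                  # code -> (challenge, method)

    def issue_code(self, params: dict) -> str:
        method = params.get("code_challenge_method", "plain")
        if method != "S256":                               # plain is legal per RFC 7636 but protects nothing
            raise ValueError("S256 required")
        code = secrets.token_urlsafe(24)
        self.pending[code] = (params["code_challenge"], method)
        return code

    def redeem(self, params: dict) -> bool:
        entry = self.pending.pop(params.get("code"), None)  # codes are single use; a mismatch also burns it
        if entry is None:
            return False
        challenge, method = entry
        try:
            expected = code_challenge(params.get("code_verifier", ""), method)
        except ValueError:
            return False
        return secrets.compare_digest(expected, challenge)

def demo() -> dict:
    srv, client_id, redirect = AuthorizationServer(), "rp-client", "https://rp.example.com/cb"
    verifier = new_code_verifier()
    code = srv.issue_code(authorize_params(client_id, redirect, code_challenge(verifier)))
    legit = srv.redeem(token_params(client_id, redirect, code, verifier))
    replay = srv.redeem(token_params(client_id, redirect, code, verifier))
    # second flow: whoever only observed the code on the redirect never saw the verifier
    code2 = srv.issue_code(authorize_params(client_id, redirect, code_challenge(new_code_verifier())))
    intercepted = srv.redeem(token_params(client_id, redirect, code2, new_code_verifier()))
    return {"legit": legit, "replay": replay, "intercepted": intercepted}
```

demo() returns legit=True, replay=False and intercepted=False. The verifier is compared through its S256 digest, so the challenge that travels through the browser cannot be turned back into the verifier; code_challenge() also reproduces the RFC 7636 Appendix B test vector, which is a convenient way to confirm that the base64url encoding drops its padding as the RFC requires.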

Try it now

To try out these features, update your build tools to pull the Open Liberty All Beta Features package instead of the main release. The beta works with Java SE 20, Java SE 17, Java SE 11, and Java SE 8.

If you’re using Maven, you can install the All Beta Features package using:

<plugin>
    <groupId>io.openliberty.tools</groupId>
    <artifactId>liberty-maven-plugin</artifactId>
    <version>RELEASE</version>
    <configuration>
        <runtimeArtifact>
          <groupId>io.openliberty.beta</groupId>
          <artifactId>openliberty-runtime</artifactId>
          <version>23.0.0.6-beta</version>
          <type>zip</type>
        </runtimeArtifact>
    </configuration>
</plugin>

You must also add dependencies to your pom.xml file for the beta version of the APIs that are associated with the beta features that you want to try. For example, for Jakarta Data beta 2, you would include:

<dependency>
  <groupId>jakarta.data</groupId>
  <artifactId>jakarta-data-api</artifactId>
  <version>1.0.0-b2</version>
</dependency>

Or for Gradle:

dependencies {
    libertyRuntime group: 'io.openliberty.beta', name: 'openliberty-runtime', version: '[23.0.0.6-beta,)'
}

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty:beta

Or take a look at our Downloads page.

For more information on using a beta release, refer to the Installing Open Liberty beta releases documentation.

We welcome your feedback

Let us know what you think on our mailing list. If you hit a problem, post a question on StackOverflow. If you hit a bug, please raise an issue.