Update for EA Additional Signing Algo for Private Key JWT Okta and OIDC#993
Conversation
Summary (Mintlify preview check)
Errors in main/docs/get-started/applications/configure-private-key-jwt.mdx
Redirects in main/docs/get-started/applications/configure-private-key-jwt.mdx
Redirects in main/docs/get-started/authentication-and-authorization-flow/authenticate-with-private-key-jwt.mdx
| * Set **Communication Channel** to **Back Channel**. | ||
| * Set **Authentication Method** to **Private Key JWT**. | ||
| 5. Select **Save** at the bottom of the screen. | ||
| 6. On the confirmation popup, select **Change** to implement your modifications. |
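Review bot: step 6 depends on a confirmation popup that may no longer be part of the dashboard flow, so verify it against the current Authentication Method screen before merging. If the Okta/OIDC dashboard now exposes a signing-algorithm selector for Private Key JWT (the feature this PR documents), the step that sets it belongs in this list before `Save`; as written, a reader following these steps never sees where the algorithm is chosen.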
This confirmation popup was brought back; should it remain?
| | `token_endpoint_auth_method` | Set this property to `private_key_jwt`.<br/><br/>**Notes:**<ul><li> By default, this property is set to `client_secret_post`. </li><li>Errors may occur if this property is set to a value other than `private_key_jwt` or `client_secret_post`.</li></ul> | | ||
| | `token_endpoint_auth_signing_alg` | Set this property to `RS256`.<br/><br/>**Notes:** <ul><li>This feature does not currently support additional algorithms.</li><li>Omitting this property will default its value to `RS256`.</li></ul> | | ||
| | `token_endpoint_auth_method` | Authentication method used at the identity provider's token endpoint. Set to `private_key_jwt` to use a signed JWT assertion for enhanced security, or `client_secret_post` to send credentials in the request body. Defaults to `client_secret_post`. Applicable to `oidc` and `okta` strategies only. | | ||
| | `token_endpoint_auth_signing_alg` | Optional. Algorithm used to sign client assertions. Accepted values: `RS256`, `RS384`, `RS512`, `PS256`, `PS384`, `ES256`, `ES384`. Defaults to `RS256` if not set. Switching between RSA/PS (`RS*`, `PS*`) and EC (`ES*`) algorithm families requires generating a new signing key pair. Applicable to `oidc` and `okta` strategies only. | |
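Review bot: the rewritten `token_endpoint_auth_method` row drops the caveat from the old row that values other than `private_key_jwt` or `client_secret_post` produce errors; keep it, since that note is the only thing telling an API caller which values are rejected. The `token_endpoint_auth_signing_alg` row should also say what happens when the identity provider does not accept the chosen algorithm (for example `ES256` against a provider that only accepts RSA), because that failure surfaces at the token endpoint rather than when the connection is saved.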
Switching between RSA/PS (`RS*`, `PS*`) and EC (`ES*`) algorithm families requires generating a new signing key pair.
Key generation happens automatically on our end and the customer need not take any action - this sentence can be removed.
| | `token_endpoint_auth_method` | Authentication method used at the identity provider's token endpoint. Set to `private_key_jwt` to use a signed JWT assertion for enhanced security, or `client_secret_post` to send credentials in the request body. Defaults to `client_secret_post`. Applicable to `oidc` and `okta` strategies only. | | ||
| | `token_endpoint_auth_signing_alg` | Optional. Algorithm used to sign client assertions. Accepted values: `RS256`, `RS384`, `RS512`, `PS256`, `PS384`, `ES256`, `ES384`. Defaults to `RS256` if not set. Switching between RSA/PS (`RS*`, `PS*`) and EC (`ES*`) algorithm families requires generating a new signing key pair. Applicable to `oidc` and `okta` strategies only. | | ||
| | `id_token_signed_response_algs` | Optional. List of algorithms allowed to verify ID tokens issued by the identity provider. When set, Auth0 rejects ID tokens signed with any algorithm not in this list. Accepted values: `RS256`, `RS384`, `RS512`, `PS256`, `PS384`, `ES256`, `ES384`. If not set, Auth0 accepts ID tokens signed with any supported algorithm. Applicable to `oidc` and `okta` strategies only. | | ||
| | `token_endpoint_jwtca_aud_format` | Optional. Specifies the format of the `aud` (audience) claim in the JWT used for client authentication at the token endpoint. Set to `issuer` to use the OIDC issuer URL, or `token_endpoint` to use the token endpoint URL. | |
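Review bot: `token_endpoint_jwtca_aud_format` lists two values but no default, and `id_token_signed_response_algs` says that when unset Auth0 accepts ID tokens signed with any supported algorithm; both rows need a recommendation. State the default for the `aud` format, and for `id_token_signed_response_algs` recommend setting it to exactly the algorithm the identity provider signs with, since leaving it unset means the verifier accepts any of the seven listed algorithms.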
`token_endpoint` is the default behavior.
| | `type` | Set this property to `back_channel`. | | ||
| | `token_endpoint_auth_method` | Set this property to `private_key_jwt`.<br/><br/>**Notes:** <ul><li> Errors may occur if this property is set to a value other than `private_key_jwt` or `client_secret_post`. </li></ul> | | ||
| | `token_endpoint_auth_method` | Authentication method used at the identity provider's token endpoint. Set to `private_key_jwt` to use a signed JWT assertion for enhanced security, or `client_secret_post` to send credentials in the request body. Defaults to `client_secret_post`. Applicable to `oidc` and `okta` strategies only. | | ||
| | `token_endpoint_auth_signing_alg` | Optional. Algorithm used to sign client assertions. Accepted values: `RS256`, `RS384`, `RS512`, `PS256`, `PS384`, `ES256`, `ES384`. Defaults to `RS256` if not set. Switching between RSA/PS (`RS*`, `PS*`) and EC (`ES*`) algorithm families requires generating a new signing key pair. Applicable to `oidc` and `okta` strategies only. | |
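Review bot: as in the application-level table, the rewritten `token_endpoint_auth_method` row loses the note that values other than `private_key_jwt` or `client_secret_post` produce errors; restore it. Since the `type` row above fixes the value to `back_channel`, say explicitly whether `private_key_jwt` is valid for any other connection type, so the reader does not have to infer the dependency from the dashboard steps.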
Switching between RSA/PS (`RS*`, `PS*`) and EC (`ES*`) algorithm families requires generating a new signing key pair.
Same comment as above applies about not needing this sentence.
| | `type` | Set this property to `back_channel`. | | ||
| | `token_endpoint_auth_method` | Set this property to `private_key_jwt`.<br/><br/>**Notes:**<ul><li> By default, this property is set to `client_secret_post`. </li><li>Errors may occur if this property is set to a value other than `private_key_jwt` or `client_secret_post`.</li></ul> | | ||
| | `token_endpoint_auth_signing_alg` | Set this property to `RS256`.<br/><br/>**Notes:** <ul><li>This feature does not currently support additional algorithms.</li><li>Omitting this property will default its value to `RS256`.</li></ul> | | ||
| | `token_endpoint_auth_signing_alg` | Set this property to `RS256`, `RS512`, `PS256`, `PS384`, `ES256`, or `ES384`.<br/><br/>Omitting this property will default its value to `RS256`.| |
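Review bot: the new `token_endpoint_auth_signing_alg` row lists `RS256`, `RS512`, `PS256`, `PS384`, `ES256`, `ES384` and omits `RS384`, while the connection-properties tables in this same PR list `RS256`, `RS384`, `RS512`, `PS256`, `PS384`, `ES256`, `ES384`; the two lists must match, and the mismatch should be resolved against the values the API actually accepts rather than by editing one page. The row also still opens with "Set this property to ..." as if a value were required; say that it is optional with an `RS256` default, which the sentence about omitting it already implies.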
Is it worthwhile to mention token_endpoint_jwtca_aud_format here too?
| * With RS256, if the private key is compromised, you can implement key rotation without having to re-deploy your application or API with the new secret (which you would have to do if using HS256). | ||
|
|
||
| <Callout icon="file-lines" color="#0EA5E9" iconType="regular"> | ||
| If you are configuring Private Key JWT Authentication with an Okta or OpenID Connection (OIDC) enterprise connection, you may have to choose an [additional signing algorithms](/docs/authenticate/enterprise-connections/private-key-jwt-client-auth#configure-private-key-jwt-client-authentication). |
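Review bot: the callout says "OpenID Connection (OIDC)"; the protocol is OpenID Connect. "Choose an additional signing algorithms" mixes singular and plural (suggestion: "you can choose from additional signing algorithms"), and "may have to choose" overstates it: the property tables in this PR make the algorithm optional with an `RS256` default, so the callout should say the selection is available, not required.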
| If you are configuring Private Key JWT Authentication with an Okta or OpenID Connection (OIDC) enterprise connection, you may have to choose an [additional signing algorithms](/docs/authenticate/enterprise-connections/private-key-jwt-client-auth#configure-private-key-jwt-client-authentication). | |
| If you are configuring Private Key JWT Authentication with an Okta or OpenID Connection (OIDC) enterprise connection, you may have to choose [additional signing algorithms](/docs/authenticate/enterprise-connections/private-key-jwt-client-auth#configure-private-key-jwt-client-authentication). |

Description
Private Key JWT for Okta and OIDC connections release