Building Backend OAuth 2.0 App for JWT Assertions

Syed Hassaan Ahmed
Published in OneByte
Sep 12, 2022

OAuth 2.0 lets a backend service authenticate to an authorization server with a JWT assertion (the JWT profile for client authentication defined in RFC 7523). The service sends a JWT that it has signed itself to the server's token endpoint and receives an access token (often itself a JWT) that it presents to resource servers on subsequent requests. This kind of flow is typically used by backend services that serve more sensitive data, such as health records or financial data.

For this implementation, we usually follow the steps below:

Registering your backend app on Auth server and getting the client ID

When you register your app on the Auth server, you are assigned a client ID. You put that ID in your assertion token (as iss and sub) whenever you request an access token.

Generate public/private key pairs for signing your JWT

You can generate the key pair with this command, which writes the private key to rsa_private.pem and a self-signed certificate carrying the public key to rsa_cert.pem:

openssl req -x509 -nodes -newkey rsa:2048 -keyout rsa_private.pem -out rsa_cert.pem -subj "/CN=unused"

Note that -nodes leaves the private key unencrypted on disk, so keep rsa_private.pem on the signing service only, with restrictive file permissions or in a secret store. rsa_cert.pem (the public half) is what you hand to the Auth server.

Build JWT

The code sample (a C# snippet that is not reproduced here) shows how the JWT is built and signed with the private key generated in the previous step.

JWT Breakdown

While building the JWT, keep a few things in mind:

1. The JWT should be short-lived: its expiry (exp) should be no more than 4 minutes after the issue time.

2. It should carry a unique jti claim, so the server can reject a replayed assertion.

Header

Your header contains the algorithm your Auth server expects (alg) and a key ID (kid) that identifies which of your public keys the server should use to verify the JWT signature. A well-behaved server checks that alg matches what it has configured for your client rather than trusting whatever the token says.

Payload

This is your payload. iss and sub are both the client ID your app was assigned on the Auth server. nbf (not before) is the earliest time the token may be used; set it to the issue time, or at most a few seconds earlier to absorb clock skew (the author sets it 30 milliseconds before issue, which rounds to the same whole-second timestamp). exp is the expiry, which should be no more than 4 minutes after issue. aud is the exact URL of the token endpoint you send the assertion to.

Signature

You sign the JWT with the private key you generated earlier, using an algorithm your server supports. Some servers use RS256 (RSA with SHA-256); in this case we use RS384 (RSA with SHA-384), and the alg value in the header has to say so.

Providing access to your public key

Now that you have built your JWT and want to send it to the Auth server for an access token, the server has to verify the signature, and for that it needs your public key. Never share the private key with the server (or anyone else): whoever holds it can sign new assertions in your name, whereas the public key can only verify signatures and cannot produce a new JWT.

There are two ways to give the public key to the server.

1. The simplest is to upload your public key (the certificate or PEM public key, never the private key) to the server.

2. Expose your public key as a JSON Web Key (JWK) at a URL you control.

The JWK (the example is not reproduced here) is a JSON object that carries your key together with its kid. You give this URL to the Auth server; whenever it needs to verify your JWT it fetches the URL, picks the key whose kid matches the one in your JWT header, and verifies the signature. For an RSA key the verification uses two properties of that object: n (the modulus) and e (the public exponent, AQAB for the usual 65537).

Both are the base64url encoding, without padding, of the value's big-endian bytes, not of its decimal string. In C#, with rsa being the RSA public key loaded from rsa_cert.pem and Base64UrlEncoder from Microsoft.IdentityModel.Tokens, n is:

Base64UrlEncoder.Encode(rsa.ExportParameters(false).Modulus)

The same call on .Exponent gives e.
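The whole exchange end to end, as an added example that is not the article's C# code: the client side builds and RS384-signs the assertion and publishes its public key as a JWK, and a model of the Auth server side looks the key up by kid, verifies the signature and then checks iss, sub, aud, the nbf/exp window, the 4-minute lifetime and jti replay. It is written in Go with only the standard library so it runs offline; the client ID, token URL and kid are assumed placeholders, the key pair is generated in memory instead of being loaded from rsa_private.pem, and the server half stands in for whatever your real Auth server does.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Assumed placeholders; the real values come from registering the app with the Auth server.
const clientID = "example-client-id"                     // used as iss and sub
const tokenURL = "https://auth.example.com/oauth2/token" // the token endpoint, used as aud
const keyID = "key-2022-09"                              // kid shared by the JWT header and the JWK

var b64 = base64.RawURLEncoding // JWT parts and JWK n/e are base64url without padding

type claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Nbf int64  `json:"nbf"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"`
}

type jwk struct { // the public half of the key as a JSON Web Key (RFC 7517)
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// BuildAssertion is the client side: an RS384-signed JWT with a fresh jti and a short lifetime.
func BuildAssertion(priv *rsa.PrivateKey, kid string, now time.Time, lifetime time.Duration) (string, error) {
	nonce := make([]byte, 16) // a random jti lets the server reject a replayed assertion
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	h, _ := json.Marshal(map[string]string{"alg": "RS384", "kid": kid})
	c, _ := json.Marshal(claims{Iss: clientID, Sub: clientID, Aud: tokenURL, Nbf: now.Unix(),
		Exp: now.Add(lifetime).Unix(), Jti: b64.EncodeToString(nonce)})
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	digest := sha512.Sum384([]byte(signingInput)) // RS384 is RSASSA-PKCS1-v1_5 over SHA-384
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA384, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// PublicJWK is what you publish: n and e are base64url of the big-endian magnitude bytes, not of a decimal string.
func PublicJWK(pub *rsa.PublicKey, kid string) jwk {
	return jwk{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

// VerifyAssertion models the Auth server: key by kid, signature, then the claims the article lists.
// keys is the JWKS indexed by kid; seenJTI is the replay cache (a map here, a store with a TTL in production).
func VerifyAssertion(token string, keys map[string]jwk, now time.Time, maxLifetime time.Duration, seenJTI map[string]bool) (*claims, error) {
	parts := strings.Split(token, ".")
	var h map[string]string
	if hb, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(hb, &h) != nil {
		return nil, errors.New("malformed token or header")
	}
	key, ok := keys[h["kid"]]
	if h["alg"] != "RS384" || !ok { // the server fixes the algorithm; the token never gets to choose it
		return nil, errors.New("unexpected alg or unknown kid")
	}
	nb, errN := b64.DecodeString(key.N)
	eb, errE := b64.DecodeString(key.E)
	sig, errS := b64.DecodeString(parts[2])
	if errN != nil || errE != nil || errS != nil {
		return nil, errors.New("bad base64url in key or signature")
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
	digest := sha512.Sum384([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA384, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c claims // the claims are only worth reading once the signature holds
	if cb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(cb, &c) != nil {
		return nil, errors.New("bad payload")
	}
	switch t := now.Unix(); {
	case c.Iss != clientID || c.Sub != clientID || c.Aud != tokenURL:
		return nil, errors.New("wrong iss, sub or aud")
	case t < c.Nbf || t >= c.Exp || c.Exp-t > int64(maxLifetime.Seconds()):
		return nil, errors.New("outside nbf/exp window or lifetime over the limit")
	case c.Jti == "" || seenJTI[c.Jti]:
		return nil, errors.New("jti missing or already used")
	}
	seenJTI[c.Jti] = true
	return &c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := BuildAssertion(priv, keyID, time.Now(), 4*time.Minute)
	jwks := map[string]jwk{keyID: PublicJWK(&priv.PublicKey, keyID)}
	seen := map[string]bool{}
	_, first := VerifyAssertion(tok, jwks, time.Now(), 4*time.Minute, seen)
	_, replay := VerifyAssertion(tok, jwks, time.Now(), 4*time.Minute, seen)
	fmt.Println("first use:", first, "| replay:", replay)
}
```

In a real deployment you load the key from rsa_private.pem instead of generating it, serve the output of PublicJWK at your JWKS URL, and treat VerifyAssertion as a checklist of what the Auth server will do to your token rather than as its implementation. Note that the server measures the lifetime against its own clock (exp minus now), since it cannot trust a client-supplied issue time.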

When everything is ready, you can send your request to Auth server for an access grant.

I hope you liked the read. Let me know about your feedback and if you run into any issues, you can always reach out to me.

The most likely errors are a wrong JWT expiry time or a missing or reused jti claim.
