Mutual TLS with client id and secret using OIDC

Hasanthi Purnima Dissanayake
Mar 17, 2019

How to use Mutual TLS with client id and client secret in WSO2 IS 5.5.0

This authenticator has the same architecture as the mutual authenticator, https://docs.wso2.com/display/IS550/Mutual+TLS+for+OAuth+Clients.

The only difference is that we need to pass the client secret as a query param in the token request. To consume the request, follow the steps below.

1. Verify that org.wso2.carbon.identity.oauth2.token.handler.clientauth.tlswithidsecret-1.0.7.jar exists in <IS_Home>/repository/components/dropins.

2. To enable this feature, add the following configuration to identity.xml, which is located in <IS_HOME>/repository/conf/identity.

<EventListener type="org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" name="org.wso2.carbon.identity.oauth2.token.handler.clientauth.tlswithidsecret.MutualTLSWithIdSecretAuthenticator" orderId="200" enable="true" />

3. For authentication to succeed, the certificate imported into client-truststore.jks, the certificate presented in the token request, and the service provider certificate must all be the same. If we need to skip the validation of the service provider certificate, we need to disable the MandateMutualSSL property as below.

<EventListener type="org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" name="org.wso2.carbon.identity.oauth2.token.handler.clientauth.tlswithidsecret.MutualTLSWithIdSecretAuthenticator" orderId="200" enable="false">
    <Property name="MandateMutualSSL">true</Property>
</EventListener>

4. Create a service provider and generate a client id and client secret.

5. Generate a certificate and import it into client-truststore.jks, which is located in <IS_Home>/repository/resources/security.

6. Use the following commands to generate the certificate and get the private key in PEM format.

Generate a private RSA key

openssl genrsa -out cert.key 2048

Create an X509 certificate

openssl req -x509 -new -nodes -key cert.key -sha256 -days 1024 -out cert.pem

Create a PKCS12 keystore from the private key and public certificate

openssl pkcs12 -export -name server-cert -in cert.pem -inkey cert.key -out serverkeystore.p12

Export the private key as a PEM file

openssl pkcs12 -in serverkeystore.p12 -out key.pem
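The certificate-equality requirement in step 3 can be checked locally before sending the token request. The script below is an added example, not part of the original post or of WSO2's code; the function names are made up for illustration, the third argument is a hypothetical PEM file holding the certificate configured in the service provider, and the key file is assumed to be readable by openssl without a passphrase.

```shell
#!/usr/bin/env bash
# Added example: local pre-flight checks for the mutual TLS token request.
# cert.pem and key.pem follow the article's file names; the third argument is a
# hypothetical file holding the certificate configured in the service provider.

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only when both PEM files hold the same certificate.
same_cert() (
    a=$(cert_fingerprint "$1") || exit 2
    b=$(cert_fingerprint "$2") || exit 2
    [ -n "$a" ] && [ "$a" = "$b" ]
)

# Succeeds only when the private key ($2) belongs to the certificate ($1):
# the public key derived from each must be byte-for-byte identical.
key_matches_cert() (
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || exit 2
    key_pub=$(openssl pkey -in "$2" -pubout) || exit 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# Usage: preflight <client cert> <client key> <service provider cert>
# Reports each failed check and returns non-zero if any check fails.
preflight() {
    preflight_rc=0
    key_matches_cert "$1" "$2" || {
        echo "FAIL: $2 is not the private key for $1" >&2
        preflight_rc=1
    }
    same_cert "$1" "$3" || {
        echo "FAIL: $1 differs from the service provider certificate $3" >&2
        preflight_rc=1
    }
    if [ "$preflight_rc" -eq 0 ]; then
        echo "OK, SHA-256 fingerprint: $(cert_fingerprint "$1")"
    fi
    return "$preflight_rc"
}

# Run the checks when the script is called with the three file arguments.
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

The fingerprint printed on success can be compared with the SHA256 fingerprint that keytool -list -v shows for the alias imported into client-truststore.jks.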

Sample Request :

curl -k -d "grant_type=password&username=admin&password=admin&client_id=2fjjjsCfTlLqptsj_goJcplgTyka&client_secret=dSw8sxIFG83N8gmLDqz5HPwrKT4a" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:9443/oauth2/token -i  --cert cert.pem --key key.pem

Sample Response :

{"access_token":"ad25a42e-1a54-35a4-bc8b-4da5c9122ecc","refresh_token":"3b7cf936-4143-3539-b0fb-e11856ea5b46","token_type":"Bearer","expires_in":188}

Originally published at hasanthipurnima.blogspot.com.
