Skip to content

Mutual TLS with client id and secret using OIDC

This authenticator has the same architecture as Mutual TLS for OAuth Clients except for the fact that we need to pass the client secret as a query parameter in the token request.

In order to consume the request, follow the steps given below.

  1. Verify that the org.wso2.carbon.identity.oauth2.token.handler.clientauth.mutualtls-x.x.x.jar file exists in <IS_HOME>/repository/components/dropins.

  2. For this feature two configuration steps needs to be satisfied

    1. Enabling this feature.

    2. For the authentication to be successful, the certificate which is imported to the client-truststore.jks in <IS_Home>/repository/resources/security should be the same as the certificate which is available in the token request and the service provider. This validation needs to be skipped.

    For achieving both above requirements add the following configuration to the <IS-HOME>/repository/conf/deployment.toml

     id = "mutual_ssl"
     type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler"
     name = "org.wso2.carbon.identity.oauth2.token.handler.clientauth.tlswithidsecret.MutualTLSWithIdSecretAuthenticator"
     order = 200
     "MandateMutualSSL" = true
  3. Create a service provider and generate a client id and client secret. For further details on how to do this, click here.

  4. Generate a certificate and import it to the client-truststore.jks in <IS_HOME>/repository/resources/security .Use the following commands to generate the certificate and get the private key in the pem format.

    Generate a private RSA key

    openssl genrsa -out cert.key 2048
    Create an X509 certificate
    openssl req -x509 -new -nodes -key cert.key -sha256 -days 1024 -out cert.pem
    Create a PKCS12 key store from the private key and the public certificate
    openssl pkcs12 -export -name server-cert -in cert.pem -inkey cert.key -out serverkeystore.p12
    Export the private key as a PEM file
    openssl pkcs12 -in serverkeystore.p12 -out key.pem

    Following is a sample request and response for configuring Mutual TLS with client id and secret using OIDC.

    Sample Request

    curl -k -d "grant_type=password&username=admin&password=admin&client_id=2fjjjsCfTlLqptsj_goJcplgTyka
    &client_secret=dSw8sxIFG83N8gmLDqz5HPwrKT4a" -H "Content-Type: application/x-www-form-urlencoded" -i --cert cert.pem --key key.pem https://localhost:9443/oauth2/token 
    Sample Response