
Custom Client Authentication/Signature Validation Logic #2230

Closed
1 task done
dewijones92 opened this issue Nov 22, 2024 · 2 comments

Comments

@dewijones92

Confirm you've already contributed to this project or that you sponsor it

  • I confirm I'm a sponsor or a contributor

Version

5.8.0

Question

Hi, first off, thanks for this AMAZING library 😊 😄

I'm working on implementing an LTI Advantage platform using OpenIddict, and I'm running into a scenario where I need more control over the client authentication and signature validation process.

Currently, I'm seeing the following error when a client attempts to authenticate using a JWT client assertion:

trce: OpenIddict.Server.OpenIddictServerDispatcher[0]
      An error occurred while validating the token 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiIxOGI1OTM2ZGEyZWQwZjhiIiwic3ViIjoiMThiNTkzNmRhMmVkMGY4YiIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9jb25uZWN0L3Rva2VuIiwiaWF0IjoiMTczMjI3Mjg1NSIsIm5iZiI6IjE3MzIyNzI4NTAiLCJleHAiOiIxNzMyMjczMTU1IiwianRpIjoiOVUyRTd4ODJzWC9MK3g0Slc3V0c4MngvejBwNENKbEdaN3Mxb1RmdTA3az0ifQ.niupy0DaQA7n2zpodV-UveGbPU9ySiw08iy2NhgXldYecJ1aqPt_08SzIsJWVl2hFwWU4SKy_Jk3pNXvNcfbD5_a0tkq_jLA24O20J7tVXsD3cRpwkfUofIvF5EN8UMLCurcrO6cKOVF-oVuhcWkSzfknznX2IOpb7PeL4QBHxgtqdTF4gEFO-70JmT9gI_Txcyd2zf4VSwLq8aBczkrgs1C9py8EoX2AyzLoXVNj0LxwXA8ep32ysXfuGebjoub3IksiE6u1dMGdK5WC-TM36nAKR6-DsvfAKVOHw6iGKgJEJ26BORVHMHPSpvtLMvjJYGzhW1H4xL9hMkZDTXccQ'.
      Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10500: Signature validation failed. No security keys were provided to validate the signature.
         at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignature(JsonWebToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
        ...
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The response was successfully returned as a JSON document: {
        "error": "invalid_client",
        "error_description": "The signing key associated to the specified token was not found.",
        "error_uri": "https://documentation.openiddict.com/errors/ID2090"
      }.

This is expected, as I haven't configured any signing keys yet. However, my requirements are a bit more complex than just providing a static set of keys:

  1. Selective Signature Validation: For certain clients (identified by their client_id), I want to completely bypass signature validation. These clients are trusted and don't require this level of security.
  2. Dynamic Key Retrieval: For other clients, I need to dynamically retrieve their public keys from a well-known URL (e.g., a JWKS endpoint provided by the client) and then validate the JWT signature against the retrieved key. The specific URL might vary per client.

Here's a snippet of the token request being made:

REQUEST BODY: scope=https%3A%2F%2Fpurl.imsglobal.org%2Fspec%2Flti-ags%2Fscope%2Flineitem+https%3A%2F%2Fpurl.imsglobal.org%2Fspec%2Flti-ags%2Fscope%2Fresult.readonly+https%3A%2F%2Fpurl.imsglobal.org%2Fspec%2Flti-nrps%2Fscope%2Fcontextmembership.readonly&grant_type=client_credentials&client_id=18b5936da2ed0f8b&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=[redacted]

My Question:

What is the recommended approach to implement this custom client authentication and signature validation logic in OpenIddict? Specifically:

  • How can I conditionally skip signature validation based on the client_id?
  • How can I dynamically retrieve and use public keys from a client-specific URL for signature validation when required?

Any guidance or examples on how to achieve this would be greatly appreciated.

Thanks!

@kevinchalet
Member

Hey,

Many people have tried to abuse the sponsorship model used here, but you're actually the first one trying to abuse it using a one-time $1 sponsorship: congratulations for this new record! 🤣

I'm really impressed by your audacity, but of course, I'll have to close this ticket... 🤣

@kevinchalet closed this as not planned (won't fix, can't repro, duplicate, stale) on Nov 22, 2024
@dewijones92
Author

@kevinchalet hey, what is the minimum amount required?
