Client Assertions support

[omon77]

I went through documentation and code base, but couldn't get the in-depth answers...
Could you please provide more information on the scope of built-in support for client assertions (RFC 7523)?
What options are built-in and what do we need to implement?

1. Is the per-client mtls support built-in? If it is, where is the trust configuration persisted? Is this the doc? https://docs.duendesoftware.com/identityserver/tokens/client-authentication/#mutual-tls-client-certificates
2. Client assertion with keys provided by remote party:
   • via x509 certificate
   • via jwks (key persisted or provided via discovery url/ or jwks url)
   • JAR uri JWT

If you prefer me emailing priority support, please let me know.
Thank you!

[wcabus]

Yes, per-client mutual TLS support is built-in. You can specify the certificate name or thumbprint on a per-client basis in the ClientSecrets property, and this information is persisted in the configuration database. The documentation link you mention is indeed the correct one.

Regarding client assertion support, IdentityServer currently supports private key JWT using an X.509 certificate or a JWK formatted RSA key, both of which would be provided by the client. You need to add the public key material as a client secret on the client configuration, ensuring to set the appropriate secret type:

• IdentityServerConstants.SecretTypes.X509CertificateBase64 for a base64-encoded X.509 certificate
• IdentityServerConstants.SecretTypes.JsonWebKey for a JWK formatted RSA key

IdentityServer currently does not support loading or discovering client key material using a trust relationship, such as using a discovery document from the client to retrieve the public key material. You can of course extend your IdentityServer by implementing your own client assertion key discovery service.

[omon77]

Thank you @wcabus !