Setup Client Assertion
A Client Assertion is a JWT directly produced by a client application using a cryptographic key and is presented as proof of the client's identity. Client Assertions provide a strong method of authenticating clients before returning an access_token for them to access the data.
Relying Party (RP) is required to present an assertion JWT in the request body when calling the token endpoint. Singpass will then verify this JWT against a JWK provided by the RP in the Application configuration.
RP is required to generate an assertion JWT that has the following header and claims, and is signed with the JWK indicated in the Application configuration.
Step 1: Define Client Assertion
The JWK Header should have the following attributes:
Example of JWT Header
The JWK Claims should have the following attributes:
sub
aud
iss
iat
exp
code
(Optional) This should be the auth code
which is used to exchange for an ID token. It should be identical to the code
form param sent outside the client_assertion
. This enables increased security by signing the code
so that the client_assertion
can only be used once for a specific request.
Example of JWT Claims
The JWK Signature
The JWT assertion signature is a crucial component. RP to ensure the JWT assertion is signed with the JWK private key to the public keys provided by the RP in the Application configuration.
Example of JWT Client Assertion
Step 2: Add the Client Assertion function to the Application
Here is a sample code that can be referenced as a function to generate client assertion.
Create a new function file in your application called generateClientAssertion.js.
Install the JOSE (JSON Object Signing and Encryption) package which will be used to generate and sign the client assertion. Open the terminal, use
npm install jose
to install the package.
Copy the following code into the generateClientAssertion.js file. Update the signature keys, JWT claims value, and the key ID as explained above.
Run the function. Below is the sample client assertion output of the console.log.
If you passed the verification, your client assertion is ready to be used for the later steps.
Next steps
Proceed to call the Token Endpoint to receive the ID Token.
Was this helpful?