Configuring the JWT Bearer Flow
To use JWT Bearer as a grant type in Liferay, you must create an OAuth 2 client with the Client Authentication Method set to Client Secret Basic or Client Secret Post. The client sends its client ID and secret together with an assertion and the grant type, and receives a Liferay access token in exchange.
To validate the assertion, you must configure an incoming assertion issuer in Liferay. This establishes a trust relationship between Liferay (the Relying Party) and the issuer (the Token Service). See Assertion as Authorization Grant.
1. Open the Global Menu and navigate to Control Panel → Instance Settings.
2. In the OAuth 2 Incoming Assertion Configuration, click Add.
3. Enter the name of the issuer, a JSON web key set, and the user authentication type.
4. Click Save.
The issuer value should be equal to the iss value in the issuer's JWT assertion. The user authentication type value must match the sub value in the JWT assertion. You may need additional configuration in your token service to map these values.
The JSON web key set is usually available at the JWKS URI of your token service. For instance, if you're using Keycloak, the JWKS URI is available at http://{hostname}/realms/{realm_name}/protocol/openid-connect/certs.
Enabling the JWT Bearer Flow
After configuring the incoming assertion issuer, ensure you’ve enabled the JWT Bearer flow for your client.
1. Open the Global Menu and navigate to Control Panel → OAuth 2 Administration.
2. Select your OAuth 2 client and scroll down to Allowed Authorization Types.
3. Check the JWT_BEARER checkbox.
4. Click Save.
Getting an Access Token from Liferay
Once you've configured an incoming assertion issuer and enabled the JWT_BEARER flow for your client, you can start getting access tokens from Liferay.
If you're using a confidential client, you must initiate a POST request to Liferay's token URL https://{hostname}/o/oauth2/token with the following parameters in the body (encoded as application/x-www-form-urlencoded):
Below is a sample token request made to Liferay using a JWT assertion from Keycloak. Keycloak is configured as an incoming assertion issuer in Liferay.
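The following Python script is an added example and is not the Keycloak sample from this page, nor code from Liferay or Keycloak. It assumes the standard RFC 7523 request parameters (grant_type set to urn:ietf:params:oauth:grant-type:jwt-bearer, plus assertion), with client_id and client_secret sent either in a Basic Authorization header (Client Secret Basic) or in the form body (Client Secret Post). The hostname liferay.example, the issuer name https://keycloak.example/realms/demo, the user jane.doe and the client credentials are constructed placeholders, and the sample assertion it builds is unsigned, so a real Liferay instance would reject it; the point is to show the request shape and the iss/sub/exp pre-flight checks that mirror the incoming assertion configuration described above.

```python
import base64
import json
import time
import urllib.parse

# Grant type URN defined by RFC 7523 for the JWT Bearer grant (assumed here;
# the page itself does not list the request parameters).
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(assertion):
    """Return the JWT payload as a dict WITHOUT verifying the signature.
    Liferay verifies the signature against the issuer's JSON web key set;
    this helper only lets a client inspect claims before sending."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("assertion is not a compact JWS (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_assertion(assertion, configured_issuer, now=None):
    """Pre-flight check mirroring the incoming assertion configuration:
    iss must equal the configured issuer name, sub must be present so it can be
    mapped to a Liferay user, and the assertion must not already be expired."""
    claims = decode_claims(assertion)
    now = time.time() if now is None else now
    if claims.get("iss") != configured_issuer:
        raise ValueError("iss %r does not match configured issuer %r"
                         % (claims.get("iss"), configured_issuer))
    if not claims.get("sub"):
        raise ValueError("assertion has no sub claim to map to a user")
    if "exp" in claims and claims["exp"] <= now:
        raise ValueError("assertion is expired")
    return claims


def build_token_request(hostname, client_id, client_secret, assertion, auth_method="basic"):
    """Assemble the POST to https://{hostname}/o/oauth2/token as (url, headers, body).
    auth_method "basic" puts the credentials in an Authorization header
    (Client Secret Basic); "post" puts them in the form body (Client Secret Post)."""
    url = "https://%s/o/oauth2/token" % hostname
    form = {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "basic":
        # RFC 6749 section 2.3.1: form-encode id and secret before base64-encoding them.
        pair = (urllib.parse.quote(client_id, safe="") + ":"
                + urllib.parse.quote(client_secret, safe=""))
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    elif auth_method == "post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError("auth_method must be 'basic' or 'post'")
    return url, headers, urllib.parse.urlencode(form)


def make_sample_assertion(issuer, sub, exp):
    """Constructed, UNSIGNED sample assertion for offline demonstration only.
    The signature segment is a placeholder; a real token service signs with the
    private key whose public half is published in its JWKS, and Liferay would
    reject this one."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"iss": issuer, "sub": sub, "exp": exp}).encode())
    return header + "." + payload + ".placeholder-signature"


if __name__ == "__main__":
    # Constructed values: the issuer name as configured in Liferay and a demo user.
    issuer = "https://keycloak.example/realms/demo"
    assertion = make_sample_assertion(issuer, "jane.doe", int(time.time()) + 300)
    claims = check_assertion(assertion, issuer)
    url, headers, body = build_token_request("liferay.example", "my-client", "s3cret", assertion)
    print(url, headers, body, claims, sep="\n")
```

The client-side check is deliberately limited to the claims Liferay matches against its configuration (iss against the issuer name, sub against the user authentication type mapping) and expiry; signature verification against the JWKS is Liferay's job, and a client that fails the pre-flight check simply saves a round trip that would end in an invalid_grant error.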