OAuth 2.0 Client Authentication
⚠️ UNDER DEVELOPMENT: This feature is under development and not ready for production use. Please use only for testing.
Register the Application
The application must be pre-registered in Momentum Fastighet to obtain its client_id and, if it is a confidential client, the credentials it will authenticate with.
Client Authentication
Requests that require client identification or authentication must include the additional parameters described below.
Public Clients
A public client is typically a single-page app (SPA) or a native app running on a phone or computer. Public clients MUST NOT include a client_secret or client_assertion, since such clients cannot keep a secret private.
Name | Description |
---|---|
client_id | Required Client id issued to application on installation |
Confidential Clients
A confidential client runs on a server, never on a device such as an end user's phone or computer. Because it can keep a secret on the server or in a key vault, it should authenticate with a signed JWT as described in RFC 7523, section 2.2:
Name | Description |
---|---|
client_assertion_type | Required Use urn:ietf:params:oauth:client-assertion-type:jwt-bearer |
client_assertion | Required JWT signed with the private key issued to the client at installation. |
The client_assertion is a JWT that the application creates and signs with its private key. See RFC 7523, section 3 for the full list of requirements; at minimum the token must include the following claims:
Name | Description |
---|---|
iss | Required The issuer of the token: the client_id issued to your application, e.g. EAP-123-000-1. |
sub | Required The subject of the token: the client_id issued to your application, e.g. EAP-123-000-1. |
aud | Required The audience of the token: the base address of the Momentum Login service. The federation member GUID of the installation can also be used. |
exp | Required Token expiration time, at most 20 minutes in the future. Use a shorter lifetime, such as 15 minutes, to allow for clock skew between your server and the login service. |
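As an added example (not Momentum's own code or documentation), the Go program below builds a client_assertion for a confidential client and then applies the checks a token endpoint would make before accepting it. The client_id EAP-123-000-1 follows the page's example format; the audience URL, the client_credentials grant type, the RS256 signing algorithm, and the in-memory key generation standing in for the key issued at installation are all assumptions. The jti claim is optional in RFC 7523 and is included so a server can refuse a replayed assertion.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Placeholders: a client_id in the page's format and an assumed, fictitious login base address.
const (
	assumedClientID = "EAP-123-000-1"
	assumedAudience = "https://login.example.invalid/"
	assertionType   = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
	assertionTTL    = 15 * time.Minute // under the 20-minute maximum, leaving room for clock skew
)

// Claims carried by the client_assertion JWT (RFC 7523, section 3); jti is optional there.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Iat int64  `json:"iat"`
	Jti string `json:"jti"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// GenerateClientKey stands in for loading the key issued at installation from a key vault.
func GenerateClientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// BuildAssertion returns the RS256-signed compact JWT sent as client_assertion.
func BuildAssertion(key *rsa.PrivateKey, clientID, aud string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	payload, _ := json.Marshal(Claims{Iss: clientID, Sub: clientID, Aud: aud, // plain struct: cannot fail
		Iat: now.Unix(), Exp: now.Add(assertionTTL).Unix(), Jti: b64(jti)})
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// TokenRequestBody is the form body for the token endpoint; the grant type is assumed.
func TokenRequestBody(assertion string) string {
	return url.Values{"grant_type": {"client_credentials"},
		"client_assertion_type": {assertionType}, "client_assertion": {assertion}}.Encode()
}

// VerifyAssertion applies the checks a token endpoint makes: alg pinned to RS256, signature
// valid, iss and sub equal to the registered client_id, expected aud, and exp in the future
// but at most 20 minutes ahead of the server clock.
func VerifyAssertion(pub *rsa.PublicKey, token, clientID, aud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWT")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header must declare alg RS256")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("unreadable payload")
	}
	if c.Iss != clientID || c.Sub != clientID || c.Aud != aud {
		return nil, errors.New("iss/sub must be the client_id and aud the login service")
	}
	if ahead := c.Exp - now.Unix(); ahead <= 0 || ahead > 20*60 {
		return nil, errors.New("exp must lie within the next 20 minutes")
	}
	return &c, nil
}

func main() {
	key, _ := GenerateClientKey()
	tok, _ := BuildAssertion(key, assumedClientID, assumedAudience, time.Now())
	fmt.Println("POST body:", TokenRequestBody(tok))
	_, err := VerifyAssertion(&key.PublicKey, tok, assumedClientID, assumedAudience, time.Now())
	fmt.Println("server-side check error:", err)
}
```

The signature is checked before any claim is read, and the alg header is pinned rather than trusted, so a token that claims "none" or an HMAC algorithm is rejected up front. The same VerifyAssertion function also shows why a 15-minute lifetime is a sensible default: an assertion whose exp is more than 20 minutes ahead is refused outright, so a client whose clock runs a few minutes fast would fail with the maximum lifetime.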
Confidential Clients for Testing Only
IMPORTANT: Client authentication with a client_secret should be avoided. It is disabled in production and may be deprecated in the future; use it only for development and testing:
Name | Description |
---|---|
client_id | Required Client id issued to application on installation |
client_secret | Required Client secret issued to application on installation |
Momentum Login also supports the HTTP Authorization header with the Basic scheme for client authentication. If used, send the client_id as the username and the client_secret as the password, and do not also send client_secret in the request body: RFC 6749 section 2.3.1 requires both values to be form-urlencoded before they are Base64-encoded, and allows only one client authentication method per request.