
How does an OAuth 2.0 server know which secret to use to parse the JWT during client authentication? (client_secret_jwt)


My task is to add support for client authentication using JWT (a.k.a. client_secret_jwt) to my Identity Provider (https://datatracker.ietf.org/doc/html/rfc7523#section-2.2).

I've stumbled on JWT parsing.

I see the client authentication flow (client_secret_jwt) like this:

A client registers with the IDP and gets a client_id and client_secret. Then it tries to authenticate its user and sends a request to the "oauth2/token" endpoint with a payload that contains two key-value pairs: client_assertion_type (a constant) and client_assertion. client_assertion is a JWT that contains information about the client. The client uses its client_secret to generate the JWT.

So the client sends the request and the IDP server must handle it: it retrieves the JWT from the request and now it must parse it using the secret, but which client_secret should it use? At this moment it does not know anything about the client (because the request doesn't contain the client_id), so it cannot go to its database and get the specific secret for this client.

Could you give me some information on the following questions:

  1. The spec really doesn't contain any information about this issue, does it?
  2. Does it mean I should solve this issue on my own if the OAuth spec says nothing about it?
  3. If I have to solve this issue on my own, what do you think about the solution of iterating over all client secrets in the IDP looking for the one that fits?

Thank you in advance.


Solution

  • The answer to your question is in https://datatracker.ietf.org/doc/html/rfc7523#section-3 of the spec you referred to: when a client is using a JWT for client authentication, it must provide its client_id in the sub claim of the JWT assertion.

    B. For client authentication, the subject MUST be the "client_id" of the OAuth client.
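The lookup the answer describes, as an added example that is not part of the original question or answer: the token endpoint decodes the assertion's payload without trusting it, reads the `sub` claim (the client_id, RFC 7523 section 3), fetches that client's secret, and only then verifies the HMAC signature and the remaining claims. The client registry, client IDs, secrets and the token-endpoint URL are constructed sample data; the `iss == client_id` check follows the OpenID Connect definition of client_secret_jwt rather than RFC 7523 itself. Only the Python standard library is used.

```python
"""
Added example (not from the original post): resolving the client secret for a
client_secret_jwt assertion. Order matters: read `sub` from the unverified
payload purely to look up the client, then verify the signature with that
client's secret, then check aud/exp. Nothing is trusted before the signature
check succeeds. Client IDs, secrets and the audience are constructed data.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample client registry: client_id -> client_secret (assumed data).
CLIENT_SECRETS = {
    "client-a": "s3cr3t-for-client-a",
    "client-b": "another-secret-for-b",
}
TOKEN_ENDPOINT = "https://idp.example.com/oauth2/token"  # assumed audience value
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_client_assertion(client_id, secret, aud=TOKEN_ENDPOINT, now=None):
    """Client side: build an HS256 client_assertion for client_secret_jwt."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": aud,
              "iat": now, "exp": now + 300, "jti": f"{client_id}-{now}"}
    dumps = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url_encode(dumps(header)) + "." + _b64url_encode(dumps(claims))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def authenticate_client(assertion, aud=TOKEN_ENDPOINT, now=None):
    """Server side: return the authenticated client_id, or raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = assertion.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:  # covers bad split, bad base64, bad JSON/UTF-8
        raise ValueError("malformed client_assertion") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed client_assertion")

    # Pin the algorithm: the unverified header must not choose how we verify.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")

    # Step 1: `sub` MUST be the client_id (RFC 7523 s.3). Use it ONLY to find
    # the candidate secret; no other claim is trusted yet.
    client_id = claims.get("sub")
    if not isinstance(client_id, str) or client_id not in CLIENT_SECRETS:
        raise ValueError("unknown client")
    if claims.get("iss") != client_id:  # OIDC client_secret_jwt: iss == client_id
        raise ValueError("iss must equal client_id")

    # Step 2: verify the HMAC with that one client's secret, constant-time.
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(CLIENT_SECRETS[client_id].encode(), signing_input,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    # Step 3: the assertion must be meant for this token endpoint and unexpired.
    aud_claim = claims.get("aud")
    if not (aud_claim == aud or (isinstance(aud_claim, list) and aud in aud_claim)):
        raise ValueError("bad audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("assertion expired")
    return client_id


def authenticate_token_request(form, aud=TOKEN_ENDPOINT, now=None):
    """Entry point for the /oauth2/token handler: `form` is the parsed body."""
    if form.get("client_assertion_type") != CLIENT_ASSERTION_TYPE:
        raise ValueError("unsupported client_assertion_type")
    if "client_assertion" not in form:
        raise ValueError("missing client_assertion")
    return authenticate_client(form["client_assertion"], aud=aud, now=now)
```

With the client_id taken from `sub`, the server fetches exactly one secret and never iterates over the whole registry. The `jti` claim is emitted here but not tracked; a production endpoint should also reject a `jti` it has already seen within the assertion's lifetime to block replay.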