OAuth2 implementation in free5gc

Hi all,

Hi everyone,

I have been working with Free5GC and noticed that the framework uses the client credentials grant type for obtaining access tokens to access services. Typically, in this grant type, the client_id and client_secret are used to authorize client requests. However, in Free5GC, these parameters are not utilized in the client credentials grant type.

While exploring the Oauth.go code, I came across a function for generating client credentials assertions. From my understanding, this approach involves using JWT tokens for client authorization. However, I am unsure how these tokens are passed to the NRF or the authorization server during a request to acquire an access token.

Could someone please guide me through the process of token sharing in the OAuth implementation within Free5GC? Your insights would be greatly appreciated.

Thank you

Hi:
free5GC uses OAuth2, and client_id and client_secret aren't directly used because these are encapsulated securely in a signed token. This follows TS 29.510 and TS 33.501.

The detailed JWT-based client assertion is as below:

  1. Token request
  2. Processing in NRF (Authorization Server)
    The NRF invokes the function called AccessTokenProcedure. Here's what happens inside:
    a. Validation: The NRF checks that the request conforms to the expected format.
    b. JWT Generation: Instead of using a client_id/client_secret pair directly, the NRF builds an AccessTokenClaims object in the code below.

    c. Signing the Token:
    The NRF signs the JWT using its private key (configured in its certificate files, for example in cert/nrf.key). The signing algorithm is typically RS512.
    d. Response:
    The token is then returned to the NF Service Consumer.
  3. Using the Access Token
    When the NF Service Producer receives the token, it uses the NRF's public key to verify the JWT's signature and checks the claims. If everything is valid, the request is processed accordingly.

There are some references below. If you have any further questions, feel free to ask again!
https://free5gc.org/blog/20230802/20230802/#nnrf_accesstoken-service
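
The sign-and-verify flow described in the answer above, as an added example that is not part of the thread and is not free5GC's own code. It assumes a reduced claim set and a throwaway key; the names `Claims`, `Sign`, `Verify`, `header` and `demoKey` are hypothetical, and the verifier accepts only the exact RS512 header it expects.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

type Claims struct { // reduced stand-in (assumption) for the AccessTokenClaims in the answer
	Sub   string `json:"sub"`   // NF Service Consumer
	Aud   string `json:"aud"`   // NF Service Producer
	Scope string `json:"scope"` // space-separated service names
	Exp   int64  `json:"exp"`   // expiry, Unix seconds
}
var header = base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS512","typ":"JWT"}`))
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // throwaway NRF key, constructed for the demo

// Sign plays the NRF: an RS512 signature over header.claims with its private key.
func Sign(key *rsa.PrivateKey, c Claims) (string, error) {
	body, _ := json.Marshal(c)
	msg := header + "." + base64.RawURLEncoding.EncodeToString(body)
	d := sha512.Sum512([]byte(msg))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA512, d[:])
	return msg + "." + base64.RawURLEncoding.EncodeToString(sig), err
}

// Verify plays the NF Service Producer, which holds only the NRF public key.
func Verify(pub *rsa.PublicKey, tok, aud, scope string, now int64) (*Claims, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 || p[0] != header { // pin RS512: the token never chooses the algorithm
		return nil, errors.New("malformed token or unexpected header")
	}
	sig, _ := base64.RawURLEncoding.DecodeString(p[2])
	d := sha512.Sum512([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA512, d[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims // claims are parsed only after the signature has been checked
	cb, _ := base64.RawURLEncoding.DecodeString(p[1])
	if json.Unmarshal(cb, &c) != nil || c.Aud != aud || now >= c.Exp ||
		!strings.Contains(" "+c.Scope+" ", " "+scope+" ") {
		return nil, errors.New("claims rejected")
	}
	return &c, nil
}
```
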