When making a request to the /oauth2/access_token endpoint using the JWT profile client authentication method, which parameter is used to provide the JWT value?
PingAM 8.0.2 supports advanced client authentication methods defined in the OpenID Connect and OAuth 2.0 specifications, including private_key_jwt and client_secret_jwt. These methods allow a client to authenticate without sending a static password/secret in the request. Instead, the client generates and signs a JSON Web Token (JWT).
According to the 'OAuth 2.0 Client Authentication' and 'JWT Profile for Client Authentication' (RFC 7523) documentation, when a client sends this JWT to the /oauth2/access_token endpoint, it must use the client_assertion parameter.
The request must also include the client_assertion_type parameter, which must be set to the constant value: urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
Option A (client_credentials) is a grant type, not a parameter for providing a JWT.
Option B (client_token_value) is not a standard OAuth2 parameter name.
Option C (client_id) is often included in the request, but it is the identifier of the client, not the container for the cryptographic assertion itself.
When PingAM receives a request carrying a client_assertion, it extracts the JWT, verifies the signature using the client's registered key (the public key stored in the client's profile or retrieved via a JWKS URI for private_key_jwt, or the shared secret for client_secret_jwt), and validates the standard claims (iss, sub, aud, exp). This method is significantly more secure than sending a static secret because it proves the client possesses the signing key without transmitting it, and the token's expiration claim limits the window in which a captured assertion could be replayed.
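To make the request shape concrete, the following is an added example (not PingAM code or documentation) showing both sides of the exchange: a client minting a client_secret_jwt assertion with the standard library's HMAC (chosen so it runs with no extra packages), placing it in the client_assertion parameter of the form body together with the client_assertion_type constant, and a token-endpoint check that performs the validations described above (signature, iss/sub, aud, exp) plus a jti replay cache. The endpoint URL, client id and secret are constructed placeholders, and the verifier is a teaching model, not PingAM's own implementation.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Assumed placeholder values; not real PingAM deployment settings.
TOKEN_ENDPOINT = "https://am.example.com/am/oauth2/access_token"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_assertion(client_id, client_secret, audience, now=None, lifetime=60):
    """Client side: mint a short-lived client_secret_jwt assertion (HS256)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": client_id,               # the client is both issuer and subject
        "sub": client_id,
        "aud": audience,                # the token endpoint this assertion is for
        "iat": now,
        "exp": now + lifetime,          # short lifetime bounds the replay window
        "jti": secrets.token_hex(16),   # unique id so the server can reject reuse
    }
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def build_token_request(client_id, client_secret, audience, scope="openid", now=None):
    """Client side: form body for POST /oauth2/access_token. Note: no client_secret field."""
    return urlencode({
        "grant_type": "client_credentials",
        "scope": scope,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": build_client_assertion(client_id, client_secret, audience, now),
    })


def verify_client_assertion(body, secret_for_client, expected_audience, now=None, seen_jti=None):
    """Server side: return the authenticated client_id, or raise ValueError."""
    now = int(time.time()) if now is None else now
    params = parse_qs(body, strict_parsing=True)
    if params.get("client_assertion_type") != [ASSERTION_TYPE]:
        raise ValueError("unsupported or missing client_assertion_type")
    assertion = params.get("client_assertion", [""])[0]
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("client_assertion is not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":    # reject alg=none and any unexpected algorithm
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(parts[1]))
    client_id = claims.get("iss")
    if not client_id or claims.get("sub") != client_id:
        raise ValueError("iss and sub must both equal the client_id")
    secret = secret_for_client(client_id)   # lookup in the client's registered profile
    if secret is None:
        raise ValueError("unknown client")
    expected = hmac.new(secret.encode(), f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("signature verification failed")
    aud = claims.get("aud")
    if expected_audience not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("aud does not name this token endpoint")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("assertion expired or has no exp")
    if seen_jti is not None:            # optional replay cache keyed on jti
        if claims.get("jti") in seen_jti:
            raise ValueError("assertion replayed")
        seen_jti.add(claims.get("jti"))
    return client_id
```

For private_key_jwt the only difference is the signature step: the client signs with its private key (RS256 or ES256) and the server verifies with the public key from the client profile or JWKS URI; the request parameters and the claim checks are identical.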