Using JWT Client Assertion to Generate the OAuth Access Token
Authentication and Session Management > Using JSON Web Token (JWT) Grant Type > Generating the OAuth Access Token
IDCS supports the use of signed client assertions, in the form of JWT, to identify the client when generating an access token.
- Signed client assertions take advantage of the public/private key cryptography, allowing IDCS to use the uploaded public certificate when validating the JWT client assertion signature (in the same manner JWT user assertions are validated).
- Signed client assertions can be used in lieu of the base64 encoded clientId:clientSecret Authorization header when generating the access token.
To enable and use signed client assertions:
- Generate a base64-encoded JWT client assertion.
- Generate the access token using the JWT client assertion in lieu of an Authorization Header.
Generating the Client Assertion
The JWT client assertion can be encoded and signed in the same manner you generate the JWT user assertion.
The JWT client assertion must contain the following claims:
The header, that must include the following attributes:
Name | Value |
|---|---|
kid | Key identifier. Used to identify the trusted third-party certificate to validate the assertion signature. Must match the certificateAlias of the uploaded public certificate. Either the x5t or kid claim must be present in the JWT assertion header. |
x5t | Base64 URL encoded X.509 certificate sha1 thumbprint. Used to identify the trusted third-party certificate to validate the assertion signature. Either the x5t or kid claim must be present in the JWT assertion header. |
type | Type. Identifies the type of assertion, which is always "JWT". |
alg | Algorithm. Identifies the specific type of JWT signing algorithm, which is always "RS256". |
The body, that must include the following claims:
Name | Value |
|---|---|
sub | Subject. The Client ID value of your confidential application. |
iss | Issuer. The Client ID value of your confidential application. |
aud | Audience. Identifies the recipients for which the JWT is intended, which is always |
exp | Expiration. The time (UNIX epoch time) when the JWT assertion expires. |
iat | Issued at. The date (UNIX epoch time) when the assertion was issued. |
Generating the Access Token in lieu of an Authorization Header
Here is an example of the endpoint with required headers and body:
POST https://<IDCSTenantURL>/oauth2/v1/token
Headers:
Content-Type: application/x-www-form-urlencoded
Body (newlines for clarity):
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&scope=<SCOPE>
&assertion=<BASE64ENCODED_JWT_USER_ASSERTION>
&client_id=<IDCS_CONFIDENTIALAPPLICATION_CLIENTID>
&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
&client_assertion=<BASE64ENCODED_JWT_CLIENT_ASSERTION>
Related Topics
Generating the OAuth Access Token
Using Client ID and Secret to Generate the OAuth Access Token
Last Published Friday, November 29, 2024