1. Get StartedP6 EPPM Rest API
  2. Security
  3. OAuth Token Generation
  4. Using JSON Web Token (JWT) Grant Type
  5. Generating the OAuth Access Token
  6. Using JWT Client Assertion to Generate the OAuth Access Token

Using JWT Client Assertion to Generate the OAuth Access Token

IDCS supports the use of signed client assertions, in the form of JWT, to identify the client when generating an access token.

  • Signed client assertions take advantage of the public/private key cryptography, allowing IDCS to use the uploaded public certificate when validating the JWT client assertion signature (in the same manner JWT user assertions are validated).
  • Signed client assertions can be used in lieu of the base64 encoded clientId:clientSecret Authorization header when generating the access token.

To enable and use signed client assertions:

  1. Generate a base64-encoded JWT client assertion.
  2. Generate the access token using the JWT client assertion in lieu of an Authorization Header.

Generating the Client Assertion

The JWT client assertion can be encoded and signed in the same manner you generate the JWT user assertion.

The JWT client assertion must contain the following claims:

The header, that must include the following attributes:

Name Value
kid Key identifier. Used to identify the trusted third-party certificate to validate the assertion signature.  Must match the certificateAlias of the uploaded public certificate.  Either the x5t or kid claim must be present in the JWT assertion header.
x5t Base64 URL encoded X.509 certificate sha1 thumbprint. Used to identify the trusted third-party certificate to validate the assertion signature.  Either the x5t or kid claim must be present in the JWT assertion header.
type Type. Identifies the type of assertion, which is always "JWT".
alg Algorithm. Identifies the specific type of JWT signing algorithm, which is always "RS256".

The body, that must include the following claims:

Name Value
sub Subject. The Client ID value of your confidential application.
iss Issuer. The Client ID value of your confidential application.
aud Audience. Identifies the recipients for which the JWT is intended, which is always https://identity.oraclecloud.com.
exp Expiration. The time (UNIX epoch time) when the JWT assertion expires.
iat Issued at. The date (UNIX epoch time) when the assertion was issued.

Generating the Access Token in lieu of an Authorization Header

Here is an example of the endpoint with required headers and body:

POST https://<IDCSTenantURL>/oauth2/v1/token 
       
      Headers: 
        Content-Type: application/x-www-form-urlencoded 
       
      Body (newlines for clarity): 
        grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer 
        &scope=<SCOPE> 
        &assertion=<BASE64ENCODED_JWT_USER_ASSERTION> 
        &client_id=<IDCS_CONFIDENTIALAPPLICATION_CLIENTID> 
        &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer 
        &client_assertion=<BASE64ENCODED_JWT_CLIENT_ASSERTION>