Using JWT Client Assertion

IDCS supports signed JWT client assertions for generating the access token. You must generate a signed, encoded JWT client assertion using the private key that corresponds to the public certificate uploaded to the confidential application.

As with the user assertion, to enable and use signed client assertions you must:

  1. Generate a JWT client assertion.
  2. Use the user assertion and client assertion to generate the access token.

A client assertion must contain a header and body.

The header comprises the following attributes:

kid
  The key identifier identifies the trusted, third-party certificate for validating the assertion signature. The kid must match the certificateAlias of the public certificate.
  Choose either kid or x5t. You do not need to use both.

x5t
  Base64 URL encoded SHA-1 thumbprint of the X.509 certificate. Used to identify the trusted, third-party certificate for validating the assertion signature.
  Choose either x5t or kid. You do not need to use both.

type
  The type identifies the type of assertion. For this process, use JWT.

alg
  The algorithm identifies the JWT signing algorithm being used. For this process, use RS256.

The body must include the following claims:

sub
  The client ID value of your confidential application.
  See: Prerequisite Setup

iss
  The issuer is the client ID of the confidential application.
  See: Prerequisite Setup

aud
  The audience defines the recipients for which the JWT is intended. For this process, use https://identity.oraclecloud.com.

exp
  The expiration time of the JWT assertion, specified in UNIX epoch time.

iat
  The time the assertion was issued, in UNIX epoch time.

Generating the Access Token in lieu of an Authorization Header

Here is an example of the endpoint with required headers and body:

POST https://<IDCSTenantURL>/oauth2/v1/token

Headers:
Content-Type: application/x-www-form-urlencoded

Body (newlines for clarity):
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&scope=<SCOPE>
&assertion=<BASE64ENCODED_JWT_USER_ASSERTION>
&client_id=<IDCS_CONFIDENTIALAPPLICATION_CLIENTID>
&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
&client_assertion=<BASE64ENCODED_JWT_CLIENT_ASSERTION>

Related Topics

Generating the OAuth Access Token

Using Client ID and Secret

Last Published Tuesday, April 1, 2025