Using JWT Client Assertion

IDCS supports signed JWT client assertions for generating the access token. You must generate a signed, encoded JWT client assertion using the private key that corresponds to the public certificate uploaded to the confidential application.

As with the user assertion, to enable and use signed client assertions you must:

  1. Generate a JWT client assertion.
  2. Use the user assertion and client assertion to generate the access token.

A client assertion must contain a header and body.

The header comprises the following attributes:

kid
    The key identifier identifies the trusted, third-party certificate used to validate the assertion signature. The KID must match the certificateAlias of the public certificate.
    Use either kid or x5t; you do not need both.

x5t
    The base64url-encoded SHA-1 thumbprint of the X.509 certificate, used to identify the trusted, third-party certificate that validates the assertion signature.
    Use either x5t or kid; you do not need both.

type
    The type of assertion. For this process, use JWT.

alg
    The JWT signing algorithm being used. For this process, use RS256.

The body must include the following claims:

sub
    The client ID value of your confidential application.
    See: Prerequisite Setup

iss
    The issuer, which is the client ID of the confidential application.
    See: Prerequisite Setup

aud
    The audience defines the recipients for which the JWT is intended. For this process, use https://identity.oraclecloud.com.

exp
    The expiration time of the JWT assertion, in UNIX epoch time.

iat
    The time at which the assertion was issued, in UNIX epoch time.
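As an added example (not Oracle's code), the following Go program assembles and RS256-signs a client assertion from the header and claims tabulated above, then performs the relying party's checks on it. The certificate alias my-cert-alias, the <CLIENT_ID> placeholder, the epoch timestamps and the freshly generated key are constructed stand-ins, and the header uses the RFC 7519 spelling typ for the type attribute.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// BuildClientAssertion signs the header and claims tabulated above with RS256, each segment in unpadded
// base64url. kid must equal the certificateAlias of the uploaded certificate; clientID fills sub and iss.
func BuildClientAssertion(key *rsa.PrivateKey, kid, clientID string, iat, exp int64) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"kid": kid, "typ": "JWT", "alg": "RS256"}) // RFC 7519 name is "typ"
	body, _ := json.Marshal(map[string]interface{}{"sub": clientID, "iss": clientID,
		"aud": "https://identity.oraclecloud.com", "iat": iat, "exp": exp})
	signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]) // sig is nil (and err set) on failure
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), err
}

// VerifyClientAssertion is the relying party's check: the signature must verify under the registered
// public key and exp must still lie in the future, so a tampered or replayed-after-expiry assertion fails.
func VerifyClientAssertion(pub *rsa.PublicKey, token string, now int64) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return fmt.Errorf("signature does not verify")
	}
	var claims struct{ Exp int64 `json:"exp"` }
	raw, _ := base64.RawURLEncoding.DecodeString(parts[1])
	if json.Unmarshal(raw, &claims) != nil || claims.Exp <= now {
		return fmt.Errorf("assertion expired or unreadable")
	}
	return nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the key behind the uploaded certificate
	tok, _ := BuildClientAssertion(key, "my-cert-alias", "<CLIENT_ID>", 1700000000, 1700000300)
	fmt.Println(tok, "\nverify:", VerifyClientAssertion(&key.PublicKey, tok, 1700000100))
}
```

Keep exp a few minutes past iat: the assertion is a bearer credential for the token endpoint, so a short lifetime bounds how long a leaked copy stays usable.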

Generating the Access Token

Send the client assertion in the request body instead of an Authorization header.

Here is an example of the endpoint with required headers and body:

POST https://<IDCSTenantURL>/oauth2/v1/token

    Headers:
      Content-Type: application/x-www-form-urlencoded

    Body (newlines for clarity):
      grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
      &scope=<SCOPE>
      &assertion=<BASE64ENCODED_JWT_USER_ASSERTION>
      &client_id=<IDCS_CONFIDENTIALAPPLICATION_CLIENTID>
      &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
      &client_assertion=<BASE64ENCODED_JWT_CLIENT_ASSERTION>