Using JWT Client Assertion
Primavera Data Service supports signed JWT client assertions to generate access tokens. You must generate a signed, encoded JWT client assertion using the private key which corresponds to the public certificate uploaded to the confidential application.
As with the user assertion, to enable and use signed client assertions you must:
- Generate a JWT client assertion.
- Use the user assertion and client assertion to generate the access token.
A client assertion must contain a header and body.
The header comprises the following attributes:
Name | Value |
kid | The key identifier identifies the trusted, third-party certificate used to validate the assertion signature. The KID must match the certificateAlias of the public certificate in your Oracle IAM confidential application. Choose either KID or x5t; you do not need to use both. |
x5t | Base64 URL encoded SHA-1 thumbprint of the X.509 certificate. Used to identify the trusted third-party certificate used to validate the assertion signature. Choose either x5t or KID; you do not need to use both. |
type | The type identifies the type of assertion. For Primavera Data Service, use JWT. |
alg | The algorithm identifies the JWT signing algorithm being used. For Primavera Data Service, use RS256. |
The body must include the following claims:
Name | Value |
sub | The Client ID value of your confidential application. See: Prerequisite Setup |
iss | The issuer is the client ID of the confidential application. See: Prerequisite Setup |
aud | The audience defines the recipients for which the JWT is intended. For Primavera Data Service, use https://identity.oraclecloud.com. |
exp | The expiration time of the JWT assertion, specified in UNIX epoch time. |
iat | The date the assertion was issued, in UNIX epoch time. |
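The following Go program is an added example, not Oracle's code: it builds and signs a client assertion with exactly the header and claims tabled above, and then re-checks it the way the token endpoint would against the uploaded public certificate. It assumes an RSA private key is already loaded (kid form, not x5t), uses the standard RFC 7519 header name typ for the type attribute, and takes iat/exp as UNIX epoch seconds; the kid and client ID values are placeholders you replace with your own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// JWS segments use unpadded Base64 URL encoding (RFC 7515), not plain Base64.
var enc, dec = base64.RawURLEncoding.EncodeToString, base64.RawURLEncoding.DecodeString

// BuildClientAssertion signs an RS256 assertion with the header and claims listed above (kid = certificateAlias; now/ttl in epoch seconds).
func BuildClientAssertion(key *rsa.PrivateKey, kid, clientID string, now, ttl int64) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"kid": kid, "typ": "JWT", "alg": "RS256"})
	body, _ := json.Marshal(map[string]interface{}{
		"sub": clientID, "iss": clientID, "aud": "https://identity.oraclecloud.com", "iat": now, "exp": now + ttl,
	})
	input := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(input)) // RS256 = RSASSA-PKCS1-v1_5 over SHA-256
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc(sig), nil
}

// VerifyClientAssertion mirrors the token endpoint's checks: three segments, alg pinned to RS256, valid signature, exp not passed.
func VerifyClientAssertion(token string, pub *rsa.PublicKey, now int64) (map[string]interface{}, error) {
	h64, rest, ok1 := strings.Cut(token, ".")
	c64, s64, ok2 := strings.Cut(rest, ".")
	h, e1 := dec(h64)
	c, e2 := dec(c64)
	sig, e3 := dec(s64)
	var hdr, claims map[string]interface{}
	if !ok1 || !ok2 || e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(h, &hdr) != nil || json.Unmarshal(c, &claims) != nil {
		return nil, errors.New("malformed JWT")
	}
	digest := sha256.Sum256([]byte(h64 + "." + c64)) // the verifier, not the token, picks the algorithm
	if hdr["alg"] != "RS256" || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad algorithm or signature")
	}
	if exp, ok := claims["exp"].(float64); !ok || now >= int64(exp) {
		return nil, errors.New("assertion expired")
	}
	return claims, nil
}
```

Keep the assertion lifetime short (a few minutes): it is a bearer credential for the confidential application until exp passes.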
Generating the Access Token
Use the client assertion in lieu of an authorization header.
The variables in this example must be replaced with the following information:
- <identity_domain_url>: The URL of your OCI identity domain.
- <scope>: The scope of your identity provider.
- <base64_encoded_JWT_user_assertion>: The user assertion generated by your identity provider.
- <IdP_confidential_application_clientID>: The client ID of your identity provider's confidential application.
- <base64_encoded_JWT_client_assertion>: The Base64 encoded client assertion generated by your identity provider.
Here is an example of the endpoint with required headers and body:
POST https://<identity_domain_url>/oauth2/v1/token
Headers:
Content-Type: application/x-www-form-urlencoded
Body (newlines for clarity):
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&scope=<scope>
&assertion=<base64_encoded_JWT_user_assertion>
&client_id=<IdP_confidential_application_clientID>
&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
&client_assertion=<base64_encoded_JWT_client_assertion>