Obtaining an Access Token by Using a Self-Signed User Assertion and a Client Assertion
The OAuth client can request an access token by providing the user assertion and the client assertion.
This workflow has an access token request that uses a user assertion and a JSON Web Token (JWT) client assertion generated by a third party. It is more secure than the resource owner password credentials grant, in which the user's credentials (user name and password) are exposed to the client.
The user assertion grant workflow allows you to obtain an access token by using a user assertion and a client assertion. See User Assertion Workflow for the claims that must be part of the user assertion, and Step-by-Step Workflow of the Client Credentials Grant for the claims that must be part of the client assertion.
- X-USER-IDENTITY-DOMAIN-NAME: The name of the identity domain, sent as a request header.
- Content-Type: The type of content sent in the request. It is application/x-www-form-urlencoded.
- Request: The type of request sent. In the example that follows, a POST request is used to obtain an access token. This is followed by the URL of the authorization server's token endpoint, which issues tokens.
- grant_type: The grant type used to obtain the token. In the example that follows, the grant type is a user assertion, so the value is urn:ietf:params:oauth:grant-type:jwt-bearer.
- scope: Limits the access token to a particular scope.
- client_assertion_type: The type of client assertion passed. In Oracle Cloud, it is urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
- client_assertion: The client assertion (the client JWT) that was obtained.
- assertion: The self-signed user assertion (the user JWT) that was obtained.
The client credentials are supplied as a third-party generated client assertion, which is sent along with a self-signed user assertion to obtain an access token.
To obtain an access token by using a self-signed user assertion and a client assertion, use the following cURL command (the two assertions are long base64url strings and must be sent without line breaks or spaces):
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -H 'X-USER-IDENTITY-DOMAIN-NAME: OAuthTestTenant125' --request POST https://<idm-domain>.identity.<data-center>.oraclecloud.com/oauth/tokens -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&assertion=eyJraWQiOiJPQXV0aFRlc3RUZW5hbnQxNTAuaml0aGVuLWNsaWVudDEwLmNlcnQiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzUxMiJ9.eyJpc3MiOiJJX0FNX0dPT0QiLCJvcmFjbGUub2ljLnRva2VuLnR5cGUiOiJVU0VSVE9LRU4iLCJleHAiOjQ1Nzk2MTcwMzQ2MTksInBybiI6InRlbmFudEFkbWluVXNlciIsImlhdCI6MTQyNjAxNzAzNDYxOSwib3JhY2xlLm9pYy50b2tlbi51c2VyX2RuIjoidWlkPXRlbmFudEFkbWluVXNlciwgY249dGVzdGVyIHRlc3Rlciwgb3U9dGVzdCwgbz1vcmFjbGUsIHN0PWNhbGlmb3JuaWEsIGM9dXMifQ.elcNdSL6rl7RjmBPnS0UVN8m7bJP7M7LUGLm6I4LXY3-mPSv1IP-Mn8r4GfMx7qCSgcCV16Lm3kBeXl9j-YUYg1j2O8Z1AmxzQx_P3OvmRokUOv1SlCvW8Z560vrX3o1bhdfniFOJYef5pJrgTvri9WhNSTVjcYjJFRAxr7Ysfw&client_assertion=eyJ4NXQiOiJyb2NFQ2NaVDlheG5FdWpQMVVPQVo3ZGNyTmMiLCJraWQiOiJJX0FNX0dPT0QiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzUxMiJ9.eyJzdWIiOiJhNWQ1MzllYy05MDZmLTQzZDYtOGQ3Ny1hODYzYjhkMzdjZTQiLCJpc3MiOiJJX0FNX0dPT0QiLCJvcmFjbGUub2ljLnRva2VuLnR5cGUiOiJDTElFTlRUT0tFTiIsImV4cCI6NDU3OTUzOTA4MiwicHJuIjoiYTVkNTM5ZWMtOTA2Zi00M2Q2LThkNzctYTg2M2I4ZDM3Y2U0IiwiaWF0IjoxNDI1OTM5MDgyLCJvcmFjbGUub2ljLnRva2VuLnVzZXJfZG4iOiJ1aWQ9YTVkNTM5ZWMtOTA2Zi00M2Q2LThkNzctYTg2M2I4ZDM3Y2U0LCBjbj10ZXN0ZXIgdGVzdGVyLCBvdT10ZXN0LCBvPW9yYWNsZSwgc3Q9Y2FsaWZvcm5pYSwgYz11cyJ9.VnFBDNzxyL8pPAjUe2ogCYeqRFIWk3_JVTBREiJnOdY79tSEf78rYDefM2znABSBW_EVow2fIglSF_aNrvSslL9Ne4eammR9EELNDk5MvLlJOZQ5mt1ZODh2L8fYbt1nlujxYOE6qrrRNzkrase3wLv2Oe8lTsfgL89Fzbm5p9A&scope=http://www.example.com'
The response to the preceding cURL command is:
{
  "expires_in": 3600,
  "token_type": "Bearer",
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6ImtoNlhyVE42V2p6dmhIOExrNnNLaWVpUDVodyIsImtpZCI6Ik9BdXRoVGVzdFRlbmFudDE1MC5jZXJ0In0.eyJzdWIiOiJ0ZW5hbnRBZG1pblVzZXIiLCJvcmFjbGUub2F1dGgudXNlcl9vcmlnaW5faWQiOiJ0ZW5hbnRBZG1pblVzZXIiLCJpc3MiOiJPQXV0aFRlc3RUZW5hbnQxNTAiLCJvcmFjbGUub2F1dGguc3ZjX3BfbiI6Ik9BdXRoVGVzdFRlbmFudDE1MFNlcnZpY2VQcm9maWxlIiwiaWF0IjoxNDI2MDIxNjY1MDAwLCJleHAiOjE0MjYwMjUyNjUwMDAsIm9yYWNsZS5vYXV0aC50a19jb250ZXh0IjoicmVzb3VyY2VfYWNjZXNzX3RrIiwiYXVkIjpbImh0dHA6Ly93d3cuZXhhbXBsZS5jb20iXSwicHJuIjoidGVuYW50QWRtaW5Vc2VyIiwianRpIjoiZjMzMDQwNmUtZmYzNy00MTUwLTg0N2EtY2Q4MzdjYzM3MDI1Iiwib3JhY2xlLm9hdXRoLmNsaWVudF9vcmlnaW5faWQiOiJhNWQ1MzllYy05MDZmLTQzZDYtOGQ3Ny1hODYzYjhkMzdjZTQiLCJvcmFjbGUub2F1dGguc2NvcGUiOiJodHRwOi8vd3d3LmV4YW1wbGUuY29tIiwidXNlci50ZW5hbnQubmFtZSI6Ik9BdXRoVGVzdFRlbmFudDE1MCIsIm9yYWNsZS5vYXV0aC5pZF9kX2lkIjoiMzAxNjc0NTU5NTM0NDcwODEifQ.ZMsXIfjE3PuE_jA-jJXaSjQtXqQZUQ-nINQ1SW9T9VK8Yhx9ARptk4oYhZ6cQp_Wgq9Lw_hxEiOnlJY9blJBPO3f3r_SHUvNhKwPyHsQ9WyqAgOzJkjeUMrD2Z90N3mdRJqFKP7N1rphJbU6rrD0Ko_nKenwBReX0-mPjV_-qC4JxvdVsnLHiLFQW0MlFKUTmG2NafA-t14RO63hCxKa09gjIxgWCHnBdD--YDvLsr3n6lZnKhIZg5IkKHAt2IR7wnIINOanAsvFIRN36_pAVnGSfV7xAnrybVkyRPK13ltOfdUcvhKSvwqJaTtML8vVOfIO9qUUFjFfb_FkJFoIdA"
}
The access token is itself a JWT and can be decoded to view its claims. The decoded example that follows comes from a separate run (its iss, jti and timestamps differ from the token in the response above), but it has the same claim set:
{
  alg: "RS256",
  typ: "JWT",
  x5t: "Wwrepu2dasaIpGR-AlVpHkUB6Jg",
  kid: "OAuthTestTenant125.cert"
}.
{
  sub: "tenantAdminUser",
  oracle.oauth.user_origin_id_type: "LDAP_UID",
  oracle.oauth.user_origin_id: "tenantAdminUser",
  iss: "OAuthTestTenant125",
  oracle.oauth.svc_p_n: "OAuthTestTenant125ServiceProfile",
  iat: 1425424318000,
  oracle.oauth.prn.id_type: "LDAP_UID",
  oracle.oauth.tk_context: "resource_access_tk",
  exp: 1425427918000,
  aud: [ "http://www.example.com" ],
  prn: "tenantAdminUser",
  jti: "d385cc71-8f18-46a5-9ae4-6ab6f085badb",
  oracle.oauth.client_origin_id: "303a2492-d64f-4e04-b78f-b4330047312b",
  oracle.oauth.scope: "http://www.example.com",
  user.tenant.name: "OAuthTestTenant125",
  oracle.oauth.id_d_id: "13463675138302566"
}.
[signature]
Note that iat and exp in these tokens are expressed in milliseconds (exp minus iat is 3600000, matching the expires_in of 3600 seconds in the response), not in the seconds-since-epoch format most JWT libraries expect.
Note:
In the regular flow, the access token's expiry is taken from the server configuration, and the access token is valid for 1 hour by default. In this flow, the OAuth server reads the exp claim of the user assertion to determine the expiry of the resulting access token. Only when you use the self-signed user assertion and client credentials flow can the access token lifetime be extended this way, to a value of up to 90 days. A leaked bearer token remains usable until it expires, so request the shortest lifetime the client's use case allows rather than the maximum.
Audience and scope claims in the output:
The audience (aud) claim in an access token contains the API path of the resource, and the oracle.oauth.scope claim contains the validated API path with the scope. In the prior example, the incoming request has a scope of http://www.example.com, and the client's audience configuration has a value of http://www.example.com::*. The OAuth token service validates the requested scope against the value in the client's audience configuration; a requested scope that does not match that configuration fails this validation. Because this request is valid, the OAuth token service returns a valid access token in which the audience claim has the value http://www.example.com and the scope has the value http://www.example.com.
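The request parameters listed above, the expiry rule in the Note, and the audience and scope check all come together in a small amount of client code. The following Python is an added example, not Oracle's code or an Oracle SDK: it builds the two assertions with the claim names shown on this page, forms the URL-encoded token request body that the cURL command sends, caps the user assertion lifetime at the 90-day maximum from the Note, and checks the claims of an issued token the way a client should before caching it. The signer is pluggable: the real flow signs with RS512 using the private key behind the certificate named by kid (rs512_signer shows this with the cryptography package, which is assumed to be installed only if you call it); an HMAC-SHA512 stand-in signs the constructed demo so the example runs offline. The issuer name I_AM_GOOD, the kid values, the user DN, the demo secret and the sample access token claims are taken from or modelled on this page's samples and are not real tenant data; iat and exp are written in milliseconds because the page's sample tokens use milliseconds, which is an assumption about what the server expects.

```python
# Added example (not Oracle's code): build the two jwt-bearer assertions, form the
# token request body, and sanity-check the returned access token's claims.
# Signing is pluggable. The real flow signs with the RS512 private key matching the
# certificate named by "kid"; hs512_signer is an offline stand-in so this runs without a key.
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
MAX_USER_ASSERTION_LIFETIME_S = 90 * 24 * 3600   # ceiling stated in the Note above
SCOPE = "http://www.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_jwt(header: dict, claims: dict, signer) -> str:
    """Compact JWS: b64url(header).b64url(claims).b64url(signature over the first two)."""
    dump = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = dump(header) + "." + dump(claims)
    return signing_input + "." + b64url(signer(signing_input.encode("ascii")))


def hs512_signer(secret: bytes):
    """HMAC-SHA512 stand-in used only so the example runs offline (header alg must say HS512)."""
    return lambda data: hmac.new(secret, data, hashlib.sha512).digest()


def rs512_signer(private_key_pem: bytes):
    """RSASSA-PKCS1-v1_5 + SHA-512, as the page's RS512 assertions use (needs `cryptography`)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA512())


def user_assertion_claims(issuer, prn, user_dn, lifetime_s, now_s=None) -> dict:
    """Claims of the self-signed user assertion, mirroring the sample decoded on this page.
    The sample tokens carry iat/exp in milliseconds, so this does too (assumed server format).
    The lifetime is capped at the 90-day maximum the Note allows; keep it far shorter in practice."""
    if not 0 < lifetime_s <= MAX_USER_ASSERTION_LIFETIME_S:
        raise ValueError("user assertion lifetime must be between 1 s and 90 days")
    now_s = int(time.time()) if now_s is None else now_s
    return {"iss": issuer, "oracle.oic.token.type": "USERTOKEN", "prn": prn,
            "iat": now_s * 1000, "exp": (now_s + lifetime_s) * 1000,
            "oracle.oic.token.user_dn": user_dn}


def token_request_body(user_assertion: str, client_assertion: str, scope: str) -> str:
    """application/x-www-form-urlencoded body, the same five fields the cURL example sends."""
    return urlencode({"grant_type": GRANT_TYPE, "client_assertion_type": CLIENT_ASSERTION_TYPE,
                      "client_assertion": client_assertion, "assertion": user_assertion,
                      "scope": scope})


def decode_jwt_unverified(token: str):
    """Header and claims of a compact JWS, signature NOT checked: fine for inspecting a token
    the server just returned over TLS, never for trusting a token presented by a caller."""
    header_b64, claims_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(claims_b64))


def check_access_token(claims: dict, requested_scope: str, expires_in: int) -> list:
    """Consistency checks on the issued token; returns the problems found ([] if none)."""
    problems = []
    if requested_scope not in claims.get("aud", []):
        problems.append("aud does not contain the requested scope")
    if claims.get("oracle.oauth.scope") != requested_scope:
        problems.append("oracle.oauth.scope differs from the requested scope")
    if claims.get("exp", 0) - claims.get("iat", 0) != expires_in * 1000:
        problems.append("exp - iat (milliseconds) does not match expires_in")
    if not claims.get("prn"):
        problems.append("prn (the user the token acts for) is missing")
    return problems


def example_request_body(secret: bytes = b"constructed-demo-secret", now_s: int = 1425424318) -> str:
    """Constructed end-to-end run: both assertions signed with the HS512 stand-in."""
    user_jwt = build_jwt({"kid": "OAuthTestTenant125.client1.cert", "typ": "JWT", "alg": "HS512"},
                         user_assertion_claims("I_AM_GOOD", "tenantAdminUser",
                                               "uid=tenantAdminUser, o=oracle", 3600, now_s),
                         hs512_signer(secret))
    client_jwt = build_jwt({"kid": "I_AM_GOOD", "typ": "JWT", "alg": "HS512"},
                           {"iss": "I_AM_GOOD", "oracle.oic.token.type": "CLIENTTOKEN",
                            "prn": "a5d539ec-906f-43d6-8d77-a863b8d37ce4",
                            "iat": now_s * 1000, "exp": (now_s + 3600) * 1000},
                           hs512_signer(secret))
    return token_request_body(user_jwt, client_jwt, SCOPE)


# Constructed claims modelled on the decoded access token shown above.
SAMPLE_ACCESS_CLAIMS = {"sub": "tenantAdminUser", "prn": "tenantAdminUser",
                        "iss": "OAuthTestTenant125", "iat": 1425424318000, "exp": 1425427918000,
                        "aud": [SCOPE], "oracle.oauth.scope": SCOPE}

if __name__ == "__main__":
    print(example_request_body()[:120] + "...")
    print(check_access_token(SAMPLE_ACCESS_CLAIMS, SCOPE, 3600))   # []
```

To send the request, POST the string returned by token_request_body to the /oauth/tokens URL with the Content-Type and X-USER-IDENTITY-DOMAIN-NAME headers from the cURL example, then run check_access_token over the decoded access_token with the scope you asked for and the expires_in from the response; a non-empty problem list means the token does not match what was requested and should not be cached or used.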