Obtaining an Access Token by Using a Self-Signed User Assertion and a Client Assertion

The OAuth client can request an access token by providing the user assertion and the client assertion.

This workflow has an access token request that uses a user assertion and a JSON web token (JWT) client assertion that is generated by a third party. This is a more secure workflow than when the resource owner’s credentials (user name and password) are exposed.

The user assertion grant workflow allows you to obtain an access token by using a user assertion and a client assertion. See User Assertion Workflow to identify the claims that need to be part of the user assertion. See Step-by-Step Workflow of the Client Credentials Grant to identify the claims that need to be part of the client assertion.

Parameters used in the access token request:
  • X-USER-IDENTITY-DOMAIN-NAME: The name of the identity domain.

  • Content-Type: The type of content that’s sent in the request. Here it is the URL-encoded form type, application/x-www-form-urlencoded.

  • Request: The type of request that’s sent. In the example that follows, a POST request is used to obtain an access token. This is followed by the URL of the authorization server, which provides tokens.

  • grant_type: The grant type used to obtain the token. In the example that follows, the grant type is a user assertion. The value of jwt-bearer is given for this grant type.

  • scope: The limit of a particular scope for an access token.

  • client_assertion_type: The type of client assertion that’s passed. In Oracle Cloud, it’s jwt-bearer (the full value is urn:ietf:params:oauth:client-assertion-type:jwt-bearer, URL-encoded in the request).

  • client_assertion: The value of the client token obtained.

  • assertion: The value of the user token obtained.

The client credentials are available in the form of a third-party generated client assertion. This is sent along with a self-signed user assertion to obtain an access token.

To obtain an access token by using a self-signed user assertion and a client assertion, use the following cURL command:

curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
     -H 'X-USER-IDENTITY-DOMAIN-NAME: OAuthTestTenant125' \
     --request POST https://<idm-domain>.identity.<data-center>.oraclecloud.com/oauth/tokens \
     -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer' \
     -d 'client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer' \
     -d 'assertion=eyJraWQiOiJPQXV0aFRlc3RUZW5hbnQxNTAuaml0aGVuLWNsaWVudDEwLmNlcnQiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzUxMiJ9.eyJpc3MiOiJJX0FNX0dPT0QiLCJvcmFjbGUub2ljLnRva2VuLnR5cGUiOiJVU0VSVE9LRU4iLCJleHAiOjQ1Nzk2MTcwMzQ2MTksInBybiI6InRlbmFudEFkbWluVXNlciIsImlhdCI6MTQyNjAxNzAzNDYxOSwib3JhY2xlLm9pYy50b2tlbi51c2VyX2RuIjoidWlkPXRlbmFudEFkbWluVXNlciwgY249dGVzdGVyIHRlc3Rlciwgb3U9dGVzdCwgbz1vcmFjbGUsIHN0PWNhbGlmb3JuaWEsIGM9dXMifQ.elcNdSL6rl7RjmBPnS0UVN8m7bJP7M7LUGLm6I4LXY3-mPSv1IP-Mn8r4GfMx7qCSgcCV16Lm3kBeXl9j-YUYg1j2O8Z1AmxzQx_P3OvmRokUOv1SlCvW8Z560vrX3o1bhdfniFOJYef5pJrgTvri9WhNSTVjcYjJFRAxr7Ysfw' \
     -d 'client_assertion=eyJ4NXQiOiJyb2NFQ2NaVDlheG5FdWpQMVVPQVo3ZGNyTmMiLCJraWQiOiJJX0FNX0dPT0QiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzUxMiJ9.eyJzdWIiOiJhNWQ1MzllYy05MDZmLTQzZDYtOGQ3Ny1hODYzYjhkMzdjZTQiLCJpc3MiOiJJX0FNX0dPT0QiLCJvcmFjbGUub2ljLnRva2VuLnR5cGUiOiJDTElFTlRUT0tFTiIsImV4cCI6NDU3OTUzOTA4MiwicHJuIjoiYTVkNTM5ZWMtOTA2Zi00M2Q2LThkNzctYTg2M2I4ZDM3Y2U0IiwiaWF0IjoxNDI1OTM5MDgyLCJvcmFjbGUub2ljLnRva2VuLnVzZXJfZG4iOiJ1aWQ9YTVkNTM5ZWMtOTA2Zi00M2Q2LThkNzctYTg2M2I4ZDM3Y2U0LCBjbj10ZXN0ZXIgdGVzdGVyLCBvdT10ZXN0LCBvPW9yYWNsZSwgc3Q9Y2FsaWZvcm5pYSwgYz11cyJ9.VnFBDNzxyL8pPAjUe2ogCYeqRFIWk3_JVTBREiJnOdY79tSEf78rYDefM2znABSBW_EVow2fIglSF_aNrvSslL9Ne4eammR9EELNDk5MvLlJOZQ5mt1ZODh2L8fYbt1nlujxYOE6qrrRNzkrase3wLv2Oe8lTsfgL89Fzbm5p9A' \
     -d 'scope=http://www.example.com'

The output of the cURL command is:
{
  "expires_in": 3600,
  "token_type": "Bearer",
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6ImtoNlhyVE42V2p6dmhIOExrNnNLaWVpUDVodyIsImtpZCI6Ik9BdXRoVGVzdFRlbmFudDE1MC5jZXJ0In0.eyJzdWIiOiJ0ZW5hbnRBZG1pblVzZXIiLCJvcmFjbGUub2F1dGgudXNlcl9vcmlnaW5faWQiOiJ0ZW5hbnRBZG1pblVzZXIiLCJpc3MiOiJPQXV0aFRlc3RUZW5hbnQxNTAiLCJvcmFjbGUub2F1dGguc3ZjX3BfbiI6Ik9BdXRoVGVzdFRlbmFudDE1MFNlcnZpY2VQcm9maWxlIiwiaWF0IjoxNDI2MDIxNjY1MDAwLCJleHAiOjE0MjYwMjUyNjUwMDAsIm9yYWNsZS5vYXV0aC50a19jb250ZXh0IjoicmVzb3VyY2VfYWNjZXNzX3RrIiwiYXVkIjpbImh0dHA6Ly93d3cuZXhhbXBsZS5jb20iXSwicHJuIjoidGVuYW50QWRtaW5Vc2VyIiwianRpIjoiZjMzMDQwNmUtZmYzNy00MTUwLTg0N2EtY2Q4MzdjYzM3MDI1Iiwib3JhY2xlLm9hdXRoLmNsaWVudF9vcmlnaW5faWQiOiJhNWQ1MzllYy05MDZmLTQzZDYtOGQ3Ny1hODYzYjhkMzdjZTQiLCJvcmFjbGUub2F1dGguc2NvcGUiOiJodHRwOi8vd3d3LmV4YW1wbGUuY29tIiwidXNlci50ZW5hbnQubmFtZSI6Ik9BdXRoVGVzdFRlbmFudDE1MCIsIm9yYWNsZS5vYXV0aC5pZF9kX2lkIjoiMzAxNjc0NTU5NTM0NDcwODEifQ.ZMsXIfjE3PuE_jA-jJXaSjQtXqQZUQ-nINQ1SW9T9VK8Yhx9ARptk4oYhZ6cQp_Wgq9Lw_hxEiOnlJY9blJBPO3f3r_SHUvNhKwPyHsQ9WyqAgOzJkjeUMrD2Z90N3mdRJqFKP7N1rphJbU6rrD0Ko_nKenwBReX0-mPjV_-qC4JxvdVsnLHiLFQW0MlFKUTmG2NafA-t14RO63hCxKa09gjIxgWCHnBdD--YDvLsr3n6lZnKhIZg5IkKHAt2IR7wnIINOanAsvFIRN36_pAVnGSfV7xAnrybVkyRPK13ltOfdUcvhKSvwqJaTtML8vVOfIO9qUUFjFfb_FkJFoIdA"
}

The JWT obtained can be decoded, and the claims in the access token can be viewed as follows:

Access token:
{
 alg: "RS256",
 typ: "JWT",
 x5t: "Wwrepu2dasaIpGR-AlVpHkUB6Jg",
 kid: "OAuthTestTenant125.cert"
}.
{
 sub: "tenantAdminUser",
 oracle.oauth.user_origin_id_type: "LDAP_UID",
 oracle.oauth.user_origin_id: "tenantAdminUser",
 iss: "OAuthTestTenant125",
 oracle.oauth.svc_p_n: "OAuthTestTenant125ServiceProfile",
 iat: 1425424318000,
 oracle.oauth.prn.id_type: "LDAP_UID",
 oracle.oauth.tk_context: "resource_access_tk",
 exp: 1425427918000,
 aud: [
  "http://www.example.com"
 ],
 prn: "tenantAdminUser",
 jti: "d385cc71-8f18-46a5-9ae4-6ab6f085badb",
 oracle.oauth.client_origin_id: "303a2492-d64f-4e04-b78f-b4330047312b",
 oracle.oauth.scope: "http://www.example.com",
 user.tenant.name: "OAuthTestTenant125",
 oracle.oauth.id_d_id: "13463675138302566"
}.
[signature]

Note:

In the regular flow, the access token's expiry claim is taken from the configuration, and the access token expires after 1 hour by default. The OAuth server looks for the exp claim in the user assertion to determine the expiry claim of the resulting access token. However, only when you are using the self-signed user assertion and client credentials flow can the expiry time of the access token be extended, to a value of up to 90 days.

Audience and scope claims in the output:

The audience claim in an access token contains the API path of the resource. The oracle.oauth.scope claim contains the valid API path together with the scope in the response. In the prior example, the incoming request has a scope of http://www.example.com, and the client audience configuration has a value of http://www.example.com::*. The OAuth token service validates the scope of the incoming request against the value found in the client audience configuration. Because this is a valid request, the OAuth token service returns a valid access token in the response. In this case, the audience claim has a value of http://www.example.com and the scope has a value of http://www.example.com.
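The following Python is an added example, not code from the Oracle documentation: it builds the form body that the cURL command sends, decodes a compact JWT the way the access token is decoded above, and applies the audience, scope and lifetime checks described in this section. The sample token, its placeholder third segment (no real RS256 signature) and the clock value are constructed here; the 90-day cap and the millisecond iat/exp values follow the note and the decoded token above.

```python
import base64
import json
from urllib.parse import urlencode

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
MAX_LIFETIME_MS = 90 * 24 * 3600 * 1000  # 90-day cap mentioned in the note above

def build_token_request_body(assertion: str, client_assertion: str, scope: str) -> str:
    """Form-encode the POST body the way the cURL example sends it (URNs become %3A-escaped)."""
    return urlencode({"grant_type": GRANT_TYPE, "client_assertion_type": CLIENT_ASSERTION_TYPE,
                      "assertion": assertion, "client_assertion": client_assertion, "scope": scope})

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_unverified(token: str) -> tuple:
    """Return (header, payload) of a compact JWT; the signature is NOT verified here."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))

def check_access_token(payload: dict, requested_scope: str, expires_in: int, now_ms: int) -> list:
    """Claim checks to apply after decoding; Oracle's iat/exp here are milliseconds, not seconds."""
    problems = []
    if requested_scope not in payload.get("aud", []):
        problems.append("aud does not contain the requested scope")
    if payload.get("oracle.oauth.scope") != requested_scope:
        problems.append("oracle.oauth.scope differs from the requested scope")
    lifetime_ms = payload["exp"] - payload["iat"]
    if lifetime_ms != expires_in * 1000:
        problems.append("exp - iat does not match expires_in")
    if lifetime_ms > MAX_LIFETIME_MS:
        problems.append("lifetime exceeds the 90-day cap")
    if payload["exp"] <= now_ms:
        problems.append("token has expired")
    return problems

def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token: header and claims modelled on the decoded token above,
# with a placeholder third segment instead of a real RS256 signature.
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "typ": "JWT", "kid": "OAuthTestTenant125.cert"}),
    _b64url_encode({"sub": "tenantAdminUser", "iss": "OAuthTestTenant125", "iat": 1425424318000,
                    "exp": 1425427918000, "aud": ["http://www.example.com"],
                    "oracle.oauth.scope": "http://www.example.com", "prn": "tenantAdminUser"}),
    "c2lnbmF0dXJl",
])
```

Signature verification against the tenant's certificate (the kid in the header) is still required before any of these claims are trusted; the decoder here only exposes them for inspection.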