Obtaining an Access Token by Using a Self-Signed User Assertion and the Client Credentials

The OAuth client can request an access token by providing the user assertion and client credentials.

This workflow describes an access token request that uses the self-signed user assertion together with a basic client authorization header. It is more secure than a workflow in which the resource owner's credentials (user name and password) are exposed to the client, because the client never handles the password.

The user assertion grant workflow allows you to obtain an access token by using a user assertion and the client credentials that are supplied in the form of a basic authorization header. See User Assertion Workflow to identify the claims that need to be part of the user assertion.

The client application makes a request to the authorization server that includes the HTTP basic authorization header. The basic authorization header is base64encoded(client_id:client_password).

Parameters used in the access token request:
  • X-USER-IDENTITY-DOMAIN-NAME: The name of the identity domain.

  • Content-Type: The type of content that's sent in the request. The value is application/x-www-form-urlencoded, as in the example that follows.

  • Authorization: Basic: The basic authorization header. The client id and client secret of the client application are base64-encoded and sent in the header. For example, the authorization header has a value of base64encoded(client_id:client_password).

  • Request: The type of request that's sent. In the example that follows, a POST request is sent to the authorization server's token endpoint URL to obtain an access token.

  • grant_type: The grant type used to obtain the token. In the example that follows, the grant type is the user assertion grant, whose value is urn:ietf:params:oauth:grant-type:jwt-bearer (sent URL-encoded).

  • scope: The scope requested for the access token, which limits what the token can be used for.

  • assertion: The self-signed user assertion (a JWT) obtained earlier.

The client identifier and password are encoded and sent in the basic authorization header. This is sent along with the self-signed user assertion to obtain an access token.

To obtain an access token by using the user assertion and the client credentials, use the following cURL command:
curl -i -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
  -H 'X-USER-IDENTITY-DOMAIN-NAME: OAuthTestTenant125' \
  -H 'Authorization: Basic YTVkNTM5ZWMtOTA2Zi00M2Q2LThkNzctYTg2M2I4ZDM3Y2U0OlZkT0dVSGZIVHpFUFFNcHhVbHkx' \
  --request POST https://<idm-domain>.identity.<data-center>.oraclecloud.com/oauth/tokens \
  -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer' \
  -d 'client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer' \
  -d 'assertion=eyJraWQiOiJPQXV0aFRlc3RUZW5hbnQxNTAuaml0aGVuLWNsaWVudDEwLmNlcnQiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzUxMiJ9.eyJpc3MiOiJJX0FNX0dPT0QiLCJvcmFjbGUub2ljLnRva2VuLnR5cGUiOiJVU0VSVE9LRU4iLCJleHAiOjQ1Nzk2MTcwMzQ2MTksInBybiI6InRlbmFudEFkbWluVXNlciIsImlhdCI6MTQyNjAxNzAzNDYxOSwib3JhY2xlLm9pYy50b2tlbi51c2VyX2RuIjoidWlkPXRlbmFudEFkbWluVXNlciwgY249dGVzdGVyIHRlc3Rlciwgb3U9dGVzdCwgbz1vcmFjbGUsIHN0PWNhbGlmb3JuaWEsIGM9dXMifQ.elcNdSL6rl7RjmBPnS0UVN8m7bJP7M7LUGLm6I4LXY3-mPSv1IP-Mn8r4GfMx7qCSgcCV16Lm3kBeXl9j-YUYg1j2O8Z1AmxzQx_P3OvmRokUOv1SlCvW8Z560vrX3o1bhdfniFOJYef5pJrgTvri9WhNSTVjcYjJFRAxr7Ysfw' \
  -d 'scope=http://www.example.com'

The output of the cURL command is:
{
  "expires_in": 3600,
  "token_type": "Bearer",
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6Ild3cmVwdTJkYXNhSXBHUi1BbFZwSGtVQjZKZyIsImtpZCI6Ik9BdXRoVGVzdFRlbmFudDEyNS5jZXJ0In0.eyJzdWIiOiJ0ZW5hbnRBZG1pblVzZXIiLCJvcmFjbGUub2F1dGgudXNlcl9vcmlnaW5faWRfdHlwZSI6IkxEQVBfVUlEIiwib3JhY2xlLm9hdXRoLnVzZXJfb3JpZ2luX2lkIjoidGVuYW50QWRtaW5Vc2VyIiwiaXNzIjoiT0F1dGhUZXN0VGVuYW50MTI1Iiwib3JhY2xlLm9hdXRoLnN2Y19wX24iOiJPQXV0aFRlc3RUZW5hbnQxMjVTZXJ2aWNlUHJvZmlsZSIsImlhdCI6MTQyNTQyNDMxODAwMCwib3JhY2xlLm9hdXRoLnBybi5pZF90eXBlIjoiTERBUF9VSUQiLCJvcmFjbGUub2F1dGgudGtfY29udGV4dCI6InJlc291cmNlX2FjY2Vzc190ayIsImV4cCI6MTQyNTQyNzkxODAwMCwiYXVkIjpbImh0dHA6Ly93d3cuZXhhbXBsZS5jb20iXSwicHJuIjoidGVuYW50QWRtaW5Vc2VyIiwianRpIjoiZDM4NWNjNzEtOGYxOC00NmE1LTlhZTQtNmFiNmYwODViYWRiIiwib3JhY2xlLm9hdXRoLmNsaWVudF9vcmlnaW5faWQiOiIzMDNhMjQ5Mi1kNjRmLTRlMDQtYjc4Zi1iNDMzMDA0NzMxMmIiLCJvcmFjbGUub2F1dGguc2NvcGUiOiJodHRwOi8vd3d3LmV4YW1wbGUuY29tIiwidXNlci50ZW5hbnQubmFtZSI6Ik9BdXRoVGVzdFRlbmFudDEyNSIsIm9yYWNsZS5vYXV0aC5pZF9kX2lkIjoiMTM0NjM2NzUxMzgzMDI1NjYifQ.DC2OrybsETGdXJriaVQBhMxobxu6qGL-r51X6wCUerep9WQgAsCjQrdtFPrFjqDRJEfhgZqPDH5GcCZqIJ9ckFk1WlDVBRsYudRWfgmVKPYwazU1VUbwtfNkSDWnRJg_pE4ndMo_Ioi_D2LeP4PROgOCRHUUihtgyuKAKZk8f4VxIto4iVuUTxEy-0LU5v54WncltK24LaUwVkqTBa2MgqrMJSdpJ291S2-qeyY0cy9VcaxPyqZAbMRS5OhWyA_y45iqPPoUqAuRcZ9Mu9nhzmY_fewwf2nsJqoLTan4ruB0lLx7DuLs7ZfP77UCULckkxrfcY8Ahmx_HjO3LGpuzQ"
}

The JSON web token (JWT) obtained can be decoded, and the claims in the access token can be viewed as follows:

Access Token:
{
 alg: "RS256",
 typ: "JWT",
 x5t: "Wwrepu2dasaIpGR-AlVpHkUB6Jg",
 kid: "OAuthTestTenant125.cert"
}.
{
 sub: "tenantAdminUser",
 oracle.oauth.user_origin_id_type: "LDAP_UID",
 oracle.oauth.user_origin_id: "tenantAdminUser",
 iss: "OAuthTestTenant125",
 oracle.oauth.svc_p_n: "OAuthTestTenant125ServiceProfile",
 iat: 1425424318000,
 oracle.oauth.prn.id_type: "LDAP_UID",
 oracle.oauth.tk_context: "resource_access_tk",
 exp: 1425427918000,
 aud: [
  "http://www.example.com"
 ],
 prn: "tenantAdminUser",
 jti: "d385cc71-8f18-46a5-9ae4-6ab6f085badb",
 oracle.oauth.client_origin_id: "303a2492-d64f-4e04-b78f-b4330047312b",
 oracle.oauth.scope: "http://www.example.com",
 user.tenant.name: "OAuthTestTenant125",
 oracle.oauth.id_d_id: "13463675138302566"
}.
[signature]

Note:

In the regular flow, the access token's expiry claim is taken from the configuration, and the access token expires after 1 hour by default. However, for this use case, the expiry time of the access token can be extended to a value of up to 90 days: the OAuth Server reads the exp claim in the user assertion to determine the exp claim of the resulting access token. See User Assertion Workflow to determine the claims a self-signed user assertion should have.

Audience and scope claims in the output:

The audience claim in an access token contains the API path of the resource. The oracle.oauth.scope claim contains the valid API path with the scope in the response. In the prior example, the incoming request has a scope of http://www.example.com. The client audience configuration has a value of http://www.example.com::*. The OAuth token service validates the incoming request scope with the value found in the client audience configuration. Because this is a valid request, the OAuth token service sends a valid access token in the response. In this case, the audience claim has a value of http://www.example.com, and the scope has a value of http://www.example.com.
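The request construction, the claim inspection and the two checks described above (assertion expiry cap, scope versus audience), as an added Python example that is not part of the Oracle documentation: it builds the Basic header and form body the cURL command sends, decodes a returned JWT into header and claims without verifying the signature, and checks the token lifetime against expires_in. The token is a constructed, unsigned sample that reuses the page's claim names; treating exp and iat as milliseconds is an assumption drawn from their 13-digit values.

```python
import base64
import json
from urllib.parse import urlencode

# Grant-type URNs exactly as the page's cURL command sends them (shown here URL-decoded).
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
JWT_BEARER_CLIENT_ASSERTION = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
MAX_ASSERTION_LIFETIME_MS = 90 * 24 * 3600 * 1000  # 90-day ceiling stated in the Note

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization header value: 'Basic ' + base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def token_request_body(assertion: str, scope: str) -> str:
    """application/x-www-form-urlencoded body for the user assertion grant."""
    return urlencode({"grant_type": JWT_BEARER_GRANT,
                      "client_assertion_type": JWT_BEARER_CLIENT_ASSERTION,
                      "assertion": assertion, "scope": scope})

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")

def decode_jwt(token: str) -> tuple:
    """Header and claims of a compact JWT, for inspection only: the signature is NOT verified."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))

def lifetime_seconds(claims: dict) -> int:
    """exp - iat in seconds; assumes the 13-digit values seen on the page are milliseconds."""
    return (claims["exp"] - claims["iat"]) // 1000

def assertion_exp_within_cap(assertion_claims: dict) -> bool:
    """The server takes the access token expiry from the user assertion's exp, capped at 90 days."""
    return assertion_claims["exp"] - assertion_claims["iat"] <= MAX_ASSERTION_LIFETIME_MS

def scope_matches(claims: dict, requested_scope: str) -> bool:
    """A valid response echoes the requested scope as the audience and in oracle.oauth.scope."""
    return requested_scope in claims["aud"] and claims["oracle.oauth.scope"] == requested_scope

# Constructed, unsigned sample token using the claim names from the page's decoded access token.
SAMPLE_CLAIMS = {"sub": "tenantAdminUser", "iss": "OAuthTestTenant125",
                 "iat": 1425424318000, "exp": 1425427918000,
                 "aud": ["http://www.example.com"], "oracle.oauth.scope": "http://www.example.com"}
SAMPLE_TOKEN = ".".join([_b64url_encode(b'{"alg":"RS256","typ":"JWT","kid":"OAuthTestTenant125.cert"}'),
                         _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()), "signature-placeholder"])
```

In production, decode_jwt is only for looking at claims; validate the signature against the server's published key before trusting any of them.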