Obtaining an Access Token by Using a Self-Signed User Assertion and the Client Credentials
The OAuth client can request an access token by providing the user assertion and client credentials.
This workflow describes an access token request that uses the self-signed user assertion and a basic client authorization header. This is a more secure workflow than when the resource owner’s credentials (user name and password) are exposed.
The user assertion grant workflow allows you to obtain an access token by using a user assertion and the client credentials that are supplied in the form of a basic authorization header. See User Assertion Workflow to identify the claims that need to be part of the user assertion.
The client application makes a request to the authorization server that includes the HTTP basic authorization header. The basic authorization header is base64encoded(client_id:client_password).
- X-USER-IDENTITY-DOMAIN-NAME: The name of the identity domain.
- Content-Type: The type of content that's sent in the request. It's application/x-www-form-urlencoded.
- Authorization: Basic: The basic authorization header. The client id and client secret of the client application are base64-encoded and sent in the header. For example, the authorization header has a value of base64encoded(client_id:client_password).
- Request: The type of request that's sent. In the example that follows, a POST request is used to obtain an access token. This is followed by the authorization server URL which provides tokens.
- grant_type: The grant type used to obtain the token. In the example that follows, the grant type is user assertion grant. The value of jwt-bearer (urn:ietf:params:oauth:grant-type:jwt-bearer) is given for this grant type.
- scope: The limit of a particular scope for an access token.
- assertion: The value of the user token obtained.
The client identifier and password are encoded and sent in the basic authorization header. This is sent along with the self-signed user assertion to obtain an access token.
cURL command:

curl -i \
  -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
  -H 'X-USER-IDENTITY-DOMAIN-NAME: OAuthTestTenant125' \
  -H 'Authorization: Basic YTVkNTM5ZWMtOTA2Zi00M2Q2LThkNzctYTg2M2I4ZDM3Y2U0OlZkT0dVSGZIVHpFUFFNcHhVbHkx' \
  --request POST https://<idm-domain>.identity.<data-center>.oraclecloud.com/oauth/tokens \
  -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&assertion=eyJraWQiOiJPQXV0aFRlc3RUZW5hbnQxNTAuaml0aGVuLWNsaWVudDEwLmNlcnQiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzUxMiJ9.eyJpc3MiOiJJX0FNX0dPT0QiLCJvcmFjbGUub2ljLnRva2VuLnR5cGUiOiJVU0VSVE9LRU4iLCJleHAiOjQ1Nzk2MTcwMzQ2MTksInBybiI6InRlbmFudEFkbWluVXNlciIsImlhdCI6MTQyNjAxNzAzNDYxOSwib3JhY2xlLm9pYy50b2tlbi51c2VyX2RuIjoidWlkPXRlbmFudEFkbWluVXNlciwgY249dGVzdGVyIHRlc3Rlciwgb3U9dGVzdCwgbz1vcmFjbGUsIHN0PWNhbGlmb3JuaWEsIGM9dXMifQ.elcNdSL6rl7RjmBPnS0UVN8m7bJP7M7LUGLm6I4LXY3-mPSv1IP-Mn8r4GfMx7qCSgcCV16Lm3kBeXl9j-YUYg1j2O8Z1AmxzQx_P3OvmRokUOv1SlCvW8Z560vrX3o1bhdfniFOJYef5pJrgTvri9WhNSTVjcYjJFRAxr7Ysfw&scope=http://www.example.com'
The response to the cURL command is:

{
  "expires_in": 3600,
  "token_type": "Bearer",
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6Ild3cmVwdTJkYXNhSXBHUi1BbFZwSGtVQjZKZyIsImtpZCI6Ik9BdXRoVGVzdFRlbmFudDEyNS5jZXJ0In0.eyJzdWIiOiJ0ZW5hbnRBZG1pblVzZXIiLCJvcmFjbGUub2F1dGgudXNlcl9vcmlnaW5faWRfdHlwZSI6IkxEQVBfVUlEIiwib3JhY2xlLm9hdXRoLnVzZXJfb3JpZ2luX2lkIjoidGVuYW50QWRtaW5Vc2VyIiwiaXNzIjoiT0F1dGhUZXN0VGVuYW50MTI1Iiwib3JhY2xlLm9hdXRoLnN2Y19wX24iOiJPQXV0aFRlc3RUZW5hbnQxMjVTZXJ2aWNlUHJvZmlsZSIsImlhdCI6MTQyNTQyNDMxODAwMCwib3JhY2xlLm9hdXRoLnBybi5pZF90eXBlIjoiTERBUF9VSUQiLCJvcmFjbGUub2F1dGgudGtfY29udGV4dCI6InJlc291cmNlX2FjY2Vzc190ayIsImV4cCI6MTQyNTQyNzkxODAwMCwiYXVkIjpbImh0dHA6Ly93d3cuZXhhbXBsZS5jb20iXSwicHJuIjoidGVuYW50QWRtaW5Vc2VyIiwianRpIjoiZDM4NWNjNzEtOGYxOC00NmE1LTlhZTQtNmFiNmYwODViYWRiIiwib3JhY2xlLm9hdXRoLmNsaWVudF9vcmlnaW5faWQiOiIzMDNhMjQ5Mi1kNjRmLTRlMDQtYjc4Zi1iNDMzMDA0NzMxMmIiLCJvcmFjbGUub2F1dGguc2NvcGUiOiJodHRwOi8vd3d3LmV4YW1wbGUuY29tIiwidXNlci50ZW5hbnQubmFtZSI6Ik9BdXRoVGVzdFRlbmFudDEyNSIsIm9yYWNsZS5vYXV0aC5pZF9kX2lkIjoiMTM0NjM2NzUxMzgzMDI1NjYifQ.DC2OrybsETGdXJriaVQBhMxobxu6qGL-r51X6wCUerep9WQgAsCjQrdtFPrFjqDRJEfhgZqPDH5GcCZqIJ9ckFk1WlDVBRsYudRWfgmVKPYwazU1VUbwtfNkSDWnRJg_pE4ndMo_Ioi_D2LeP4PROgOCRHUUihtgyuKAKZk8f4VxIto4iVuUTxEy-0LU5v54WncltK24LaUwVkqTBa2MgqrMJSdpJ291S2-qeyY0cy9VcaxPyqZAbMRS5OhWyA_y45iqPPoUqAuRcZ9Mu9nhzmY_fewwf2nsJqoLTan4ruB0lLx7DuLs7ZfP77UCULckkxrfcY8Ahmx_HjO3LGpuzQ"
}
The JSON web token (JWT) obtained can be decoded, and the claims in the access token can be viewed as follows:

Header:
{
  "alg": "RS256",
  "typ": "JWT",
  "x5t": "Wwrepu2dasaIpGR-AlVpHkUB6Jg",
  "kid": "OAuthTestTenant125.cert"
}

Payload:
{
  "sub": "tenantAdminUser",
  "oracle.oauth.user_origin_id_type": "LDAP_UID",
  "oracle.oauth.user_origin_id": "tenantAdminUser",
  "iss": "OAuthTestTenant125",
  "oracle.oauth.svc_p_n": "OAuthTestTenant125ServiceProfile",
  "iat": 1425424318000,
  "oracle.oauth.prn.id_type": "LDAP_UID",
  "oracle.oauth.tk_context": "resource_access_tk",
  "exp": 1425427918000,
  "aud": [ "http://www.example.com" ],
  "prn": "tenantAdminUser",
  "jti": "d385cc71-8f18-46a5-9ae4-6ab6f085badb",
  "oracle.oauth.client_origin_id": "303a2492-d64f-4e04-b78f-b4330047312b",
  "oracle.oauth.scope": "http://www.example.com",
  "user.tenant.name": "OAuthTestTenant125",
  "oracle.oauth.id_d_id": "13463675138302566"
}

[signature]
Note:
In the regular flow, the access token's expiry claim is obtained from the configuration, and the expiry time of the access token is 1 hour by default. However, for this use case the expiry time of the access token can be modified to a value of up to 90 days. The OAuth Server looks for the exp claim in the user assertion to determine the expiry claim of the resulting access token. See User Assertion Workflow to determine the claims a self-signed user assertion should have.
Audience and scope claims in the output:
The audience claim in an access token contains the API path of the resource. The oracle.oauth.scope claim contains the valid API path with the scope in the response. In the prior example, the incoming request has a scope of http://www.example.com. The client audience configuration has a value of http://www.example.com::*. The OAuth token service validates the incoming request scope against the value found in the client audience configuration. Because this is a valid request, the OAuth token service sends a valid access token in the response. In this case, the audience claim has a value of http://www.example.com, and the scope has a value of http://www.example.com.
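As an added example (not from the Oracle documentation), the following Python builds the headers and form body of the jwt-bearer request described above, then decodes a constructed access token to check its lifetime and that the requested scope appears in the audience claim. The client id, client secret and the sample token are constructed values, and the signature is deliberately not verified here; a resource server must still verify it against the tenant's certificate before trusting any claim.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed sample values; the page's own secret and tokens are not reused here.
SAMPLE_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "OAuthTestTenant125.cert"}
SAMPLE_CLAIMS = {"sub": "tenantAdminUser", "iss": "OAuthTestTenant125",
                 "iat": 1425424318000, "exp": 1425427918000,
                 "aud": ["http://www.example.com"],
                 "oracle.oauth.scope": "http://www.example.com"}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

SAMPLE_TOKEN = ".".join([b64url_encode(json.dumps(SAMPLE_HEADER).encode()),
                         b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
                         "c2lnbmF0dXJl"])  # placeholder signature, decode only

def build_token_request(client_id, client_secret, domain, assertion, scope):
    """Headers and form body for the jwt-bearer grant with Basic client auth."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
        "X-USER-IDENTITY-DOMAIN-NAME": domain,
        "Authorization": f"Basic {basic}",
    }
    body = urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": assertion,
        "scope": scope,
    })
    return headers, body

def inspect_access_token(token, requested_scope):
    """Decode header and claims (signature NOT verified) and check lifetime/audience."""
    header_b64, claims_b64, _signature = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(claims_b64))
    # The sample token carries iat/exp in milliseconds, so convert to seconds.
    lifetime_seconds = (claims["exp"] - claims["iat"]) // 1000
    return {
        "alg": header["alg"],
        "lifetime_seconds": lifetime_seconds,
        "scope_in_audience": requested_scope in claims["aud"],
        "scope_claim_matches": claims.get("oracle.oauth.scope") == requested_scope,
    }
```

Sending the request with an HTTP client of your choice is left out so the block runs offline; the lifetime check reproduces the 1 hour default mentioned in the note above.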