Obtaining an Access Token by Using the User Credentials and a JWT Client Assertion

The OAuth client can request an access token by providing the user’s credentials (that is, the user name and password) and a JSON web token (JWT) client assertion.

This workflow has a resource owner request that uses the user identifier and password of the resource owner, and a JWT client assertion generated by a third party. When using the resource owner password credentials grant workflow, you can obtain an access token by providing the user’s credentials and a client assertion. See Step-by-Step Workflow of the Client Credentials Grant to identify the claims that need to be part of the client assertion.

Parameters used in the access token request:
  • X-USER-IDENTITY-DOMAIN-NAME: The name of the identity domain.

  • Content-Type: The type of content that’s sent in the request. It’s application/x-www-form-urlencoded (a URL-encoded form body).

  • Request: The type of request that’s sent. The example uses a POST request to obtain an access token. This is followed by the authorization server URL, which provides tokens.

  • grant_type: The grant type used to obtain the token. In the example that follows, the grant type is resource owner password credentials grant. The value of password is given for this grant type.

  • username: The name of the user.

  • password: The password of the user.

  • client_assertion_type: The type of client assertion. In Oracle Cloud, it is the JWT bearer type, urn:ietf:params:oauth:client-assertion-type:jwt-bearer (URL-encoded in the example that follows).

  • client_assertion: The already-generated JWT client assertion (the client token that was obtained).

  • scope: The scope that is requested for the access token.

The client credentials are available in the form of an already-generated JWT client assertion. This is sent along with the user’s credentials to obtain an access token.

To obtain an access token, use the following cURL command:

curl -i -H 'X-USER-IDENTITY-DOMAIN-NAME: OAuthTestTenant125' \
-H 'Authorization: Basic MzAzYTI0OTItZDY0Zi00ZTA0LWI3OGYtYjQzMzAwNDczMTJiOll5Sk5NSkdFc0ZqUkxWZVZsdVMz' \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST 'https://<idm-domain>.identity.<data-center>.oraclecloud.com/oauth/tokens' \
-d 'grant_type=password' \
-d 'username=tenantAdminUser' \
-d 'password=Fusionapps1' \
-d 'client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer' \
-d 'client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6Ild3cmVwdTJkYXNhSXBHUi1BbFZwSGtVQjZKZyIsImtpZCI6Ik9BdXRoVGVzdFRlbmFudDEyNS5jZXJ0In0.eyJvcmFjbGUub2F1dGgudGtfY29udGV4dCI6ImNsaWVudF9hc3NlcnRpb24iLCJleHAiOjE0MjYwMzI4MzgwMDAsInN1YiI6IjMwM2EyNDkyLWQ2NGYtNGUwNC1iNzhmLWI0MzMwMDQ3MzEyYiIsImlzcyI6Ik9BdXRoVGVzdFRlbmFudDEyNSIsInBybiI6IjMwM2EyNDkyLWQ2NGYtNGUwNC1iNzhmLWI0MzMwMDQ3MzEyYiIsImp0aSI6IjYyNzZhYTI0LTUxNjQtNGEwZC1iYzQxLTlmMzVjMGU1ZjgxZiIsIm9yYWNsZS5vYXV0aC5zdmNfcF9uIjoiT0F1dGhUZXN0VGVuYW50MTI1U2VydmljZVByb2ZpbGUiLCJpYXQiOjE0MjU0MjgwMzgwMDAsIm9yYWNsZS5vYXV0aC5pZF9kX2lkIjoiMTM0NjM2NzUxMzgzMDI1NjYiLCJ1c2VyLnRlbmFudC5uYW1lIjoiT0F1dGhUZXN0VGVuYW50MTI1Iiwib3JhY2xlLm9hdXRoLnBybi5pZF90eXBlIjoiQ2xpZW50SUQifQ.OCHS9FhKJEXpIg3IvE6qWdTz3tRY449LZoBAcc3yDoaMbjS4CZxDDuKx6MUBpHmkmVoHRZSmkrILOzel51sT_kjEHfNtzwMCIs2re_JcSfGkvnzv0aCV1r_V5dvmmZulhGaOUTu9nkEFzCq-JNa23eO_dEq8jfP7-Y7H2KGMvuC5lHGGQViw1ega-4mFuZBJlSvzEqDcYIPde0m8gSUF--IFuiovgGTKCe97-0MF34za6SZ0HJv9p3WesvCS8YV1bcWVwTGEXCZ3qA1mA-IOKvaMZNOxM_D9tT5KVCub-i-H6r0uHpkovOCzunffcuL4cOg5ptrFv-abn-JP47eNag' \
-d 'scope=http://www.example.com'

Each -d argument is a separate form field; cURL joins them with & into one URL-encoded body. The <idm-domain> and <data-center> placeholders must be replaced with the values for your tenancy.

The output of the cURL command is:
{
  "expires_in":3600,
  "token_type":"Bearer",
  "access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6Ild3cmVwdTJkYXNhSXBHUi1BbFZwSGtVQjZKZyIsImtpZCI6Ik9BdXRoVGVzdFRlbmFudDEyNS5jZXJ0In0.eyJzdWIiOiJ0ZW5hbnRBZG1pblVzZXIiLCJvcmFjbGUub2F1dGgudXNlcl9vcmlnaW5faWRfdHlwZSI6IkxEQVBfVUlEIiwib3JhY2xlLm9hdXRoLnVzZXJfb3JpZ2luX2lkIjoidGVuYW50QWRtaW5Vc2VyIiwiaXNzIjoiT0F1dGhUZXN0VGVuYW50MTI1Iiwib3JhY2xlLm9hdXRoLnN2Y19wX24iOiJPQXV0aFRlc3RUZW5hbnQxMjVTZXJ2aWNlUHJvZmlsZSIsImlhdCI6MTQyNTQyODA2ODAwMCwib3JhY2xlLm9hdXRoLnBybi5pZF90eXBlIjoiTERBUF9VSUQiLCJvcmFjbGUub2F1dGgudGtfY29udGV4dCI6InJlc291cmNlX2FjY2Vzc190ayIsImV4cCI6MTQyNTQzMTY2ODAwMCwiYXVkIjpbImh0dHA6Ly93d3cuZXhhbXBsZS5jb20iXSwicHJuIjoidGVuYW50QWRtaW5Vc2VyIiwianRpIjoiMGZmNTM4NzQtZTJhYS00OTYwLTg0NTUtZWUzZjQ2N2ZjNDEzIiwib3JhY2xlLm9hdXRoLmNsaWVudF9vcmlnaW5faWQiOiIzMDNhMjQ5Mi1kNjRmLTRlMDQtYjc4Zi1iNDMzMDA0NzMxMmIiLCJvcmFjbGUub2F1dGguc2NvcGUiOiJodHRwOi8vd3d3LmV4YW1wbGUuY29tIiwidXNlci50ZW5hbnQubmFtZSI6Ik9BdXRoVGVzdFRlbmFudDEyNSIsIm9yYWNsZS5vYXV0aC5pZF9kX2lkIjoiMTM0NjM2NzUxMzgzMDI1NjYifQ.q9yLvZ9RTX1dfJ-B8bcR6sQHKylSuXol02tOTbCmuRKgb9Ej5QxjPea35_Y0bMlOiRaUPk-elE0tpx7m4b7tLsCHDYo2YtRWkOrKbSPWyVulPsXArTvtiy3qz5UX4mLhXXbWRwxUfNuUmUTen7hhqigJzxk_V3_BO85OT57aQBCp4QYBJ7HOmCeVjR4McyufTZEsRL8v_D9CP85IxF9GMrxZzLD8-VTprmcirgAOlwdDUlWRMUtBwAmui5jfMJK0K0tkC8ABaUqPA58Af_HjUCT8wn0qY_b1mJH0tq0Is5i_n9tJ3fDjxcQB5yoAGMBp2CQgb4b1Hh7BWo5TY8HneA"
}

The JSON web token (JWT) obtained can be decoded and the claims in the access token can be viewed as follows:

Access token:
{
 alg: "RS256",
 typ: "JWT",
 x5t: "Wwrepu2dasaIpGR-AlVpHkUB6Jg",
 kid: "OAuthTestTenant125.cert"
}.
{
 sub: "tenantAdminUser",
 oracle.oauth.user_origin_id_type: "LDAP_UID",
 oracle.oauth.user_origin_id: "tenantAdminUser",
 iss: "OAuthTestTenant125",
 oracle.oauth.svc_p_n: "OAuthTestTenant125ServiceProfile",
 iat: 1425423619000,
 oracle.oauth.prn.id_type: "LDAP_UID",
 oracle.oauth.tk_context: "resource_access_tk",
 exp: 1425427219000,
 aud: [
  "http://www.example.com"
 ],
 prn: "tenantAdminUser",
 jti: "fa46cc79-91ab-4553-96d4-a4aef1c8ffc7",
 oracle.oauth.client_origin_id: "303a2492-d64f-4e04-b78f-b4330047312b",
 oracle.oauth.scope: "http://www.example.com",
 user.tenant.name: "OAuthTestTenant125",
 oracle.oauth.id_d_id: "13463675138302566"
}.
[signature]

Audience and scope claims in the output:

The audience (aud) claim in an access token contains the API path of the resource, and the oracle.oauth.scope claim contains the valid API path with the scope granted in the response. In the prior example, the incoming request has a scope of http://www.example.com, and the client audience configuration has a value of http://www.example.com::*. The OAuth token service validates the incoming request scope against the values in the client audience configuration. Because this request is valid, the OAuth token service returns a valid access token, in which the audience claim has a value of http://www.example.com and the scope has a value of http://www.example.com.
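As an added example (not part of this page or Oracle's own tooling), the Python below decodes the access token returned by the cURL command above and applies the issuer, audience and lifetime checks a resource server would make once the RS256 signature has been verified; the helper names and the expected_iss/expected_aud parameters are assumptions, and the token is the one printed on this page.

```python
import base64
import json

# The access token returned by the cURL command above, copied verbatim from this page
# (compact JWT: header.claims.signature, each base64url-encoded without padding).
ACCESS_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6Ild3cmVwdTJkYXNhSXBHUi1BbFZwSGtVQjZKZyIs"
    "ImtpZCI6Ik9BdXRoVGVzdFRlbmFudDEyNS5jZXJ0In0.eyJzdWIiOiJ0ZW5hbnRBZG1pblVzZXIiLCJvcmFjbGUub2F1dGgudXNl"
    "cl9vcmlnaW5faWRfdHlwZSI6IkxEQVBfVUlEIiwib3JhY2xlLm9hdXRoLnVzZXJfb3JpZ2luX2lkIjoidGVuYW50QWRtaW5Vc2Vy"
    "IiwiaXNzIjoiT0F1dGhUZXN0VGVuYW50MTI1Iiwib3JhY2xlLm9hdXRoLnN2Y19wX24iOiJPQXV0aFRlc3RUZW5hbnQxMjVTZXJ2"
    "aWNlUHJvZmlsZSIsImlhdCI6MTQyNTQyODA2ODAwMCwib3JhY2xlLm9hdXRoLnBybi5pZF90eXBlIjoiTERBUF9VSUQiLCJvcmFj"
    "bGUub2F1dGgudGtfY29udGV4dCI6InJlc291cmNlX2FjY2Vzc190ayIsImV4cCI6MTQyNTQzMTY2ODAwMCwiYXVkIjpbImh0dHA6"
    "Ly93d3cuZXhhbXBsZS5jb20iXSwicHJuIjoidGVuYW50QWRtaW5Vc2VyIiwianRpIjoiMGZmNTM4NzQtZTJhYS00OTYwLTg0NTU"
    "tZWUzZjQ2N2ZjNDEzIiwib3JhY2xlLm9hdXRoLmNsaWVudF9vcmlnaW5faWQiOiIzMDNhMjQ5Mi1kNjRmLTRlMDQtYjc4Zi1iNDM"
    "zMDA0NzMxMmIiLCJvcmFjbGUub2F1dGguc2NvcGUiOiJodHRwOi8vd3d3LmV4YW1wbGUuY29tIiwidXNlci50ZW5hbnQubmFtZSI"
    "6Ik9BdXRoVGVzdFRlbmFudDEyNSIsIm9yYWNsZS5vYXV0aC5pZF9kX2lkIjoiMTM0NjM2NzUxMzgzMDI1NjYifQ.q9yLvZ9RTX1d"
    "fJ-B8bcR6sQHKylSuXol02tOTbCmuRKgb9Ej5QxjPea35_Y0bMlOiRaUPk-elE0tpx7m4b7tLsCHDYo2YtRWkOrKbSPWyVulPsXA"
    "rTvtiy3qz5UX4mLhXXbWRwxUfNuUmUTen7hhqigJzxk_V3_BO85OT57aQBCp4QYBJ7HOmCeVjR4McyufTZEsRL8v_D9CP85IxF9G"
    "MrxZzLD8-VTprmcirgAOlwdDUlWRMUtBwAmui5jfMJK0K0tkC8ABaUqPA58Af_HjUCT8wn0qY_b1mJH0tq0Is5i_n9tJ3fDjxcQB"
    "5yoAGMBp2CQgb4b1Hh7BWo5TY8HneA"
)

def b64url_decode(segment):
    """JWT segments omit base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt(token):
    """Split a compact JWT into (header, claims, signature_bytes). This only decodes;
    the RS256 signature is not verified here, so the claims are untrusted until it is."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(claims_b64)),
            b64url_decode(sig_b64))

def check_claims(claims, expected_iss, expected_aud, now_ms):
    """Checks a resource server applies after verifying the signature (assumed helper).
    Caveat: iat/exp in this token are milliseconds (exp - iat == 3600000, the
    3600-second expires_in), not the seconds RFC 7519 specifies for NumericDate,
    so a standard JWT library would read exp 1425431668000 as far in the future."""
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append("issuer mismatch")
    if expected_aud not in claims.get("aud", []):
        problems.append("audience mismatch")
    if not claims.get("iat", 0) <= now_ms < claims.get("exp", 0):
        problems.append("token expired or not yet valid")
    return problems
```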