Obtaining an Access Token by Using the User Credentials and a JWT Client Assertion
The OAuth client can request an access token by providing the user’s credentials (that is, the user name and password) and a JSON web token (JWT) client assertion.
In this workflow, the resource owner request carries the user identifier and password of the resource owner together with a JWT client assertion generated by a third party. When using the resource owner password credentials grant workflow, you can obtain an access token by providing the user's credentials and a client assertion. See Step-by-Step Workflow of the Client Credentials Grant to identify the claims that need to be part of the client assertion.
- X-USER-IDENTITY-DOMAIN-NAME: The name of the identity domain.
- Content-Type: The type of content that's sent in the request. In the example it is application/x-www-form-urlencoded.
- Request: The type of request that's sent. The example uses a POST request to obtain an access token. This is followed by the authorization server URL, which provides tokens.
- grant_type: The grant type used to obtain the token. In the example that follows, the grant type is the resource owner password credentials grant, for which the value is password.
- username: The name of the user.
- password: The password of the user.
- client_assertion_type: The type of client assertion. In Oracle Cloud, it is jwt_bearer, sent in the request as the URN urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
- client_assertion: The value of the client token obtained.
- scope: The scope requested for the access token.
The client credentials are available in the form of an already-generated JWT client assertion. This is sent along with the user’s credentials to obtain an access token.
To obtain an access token, use the following cURL command (the long JWT client assertion is shown unbroken; curl joins the separate -d values with & into one form body):

curl -i \
  -H 'X-USER-IDENTITY-DOMAIN-NAME: OAuthTestTenant125' \
  -H 'Authorization: Basic MzAzYTI0OTItZDY0Zi00ZTA0LWI3OGYtYjQzMzAwNDczMTJiOll5Sk5NSkdFc0ZqUkxWZVZsdVMz' \
  -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
  --request POST https://<idm-domain>.identity.<data-center>.oraclecloud.com/oauth/tokens \
  -d 'grant_type=password' \
  -d 'username=tenantAdminUser' \
  -d 'password=Fusionapps1' \
  -d 'client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer' \
  -d 'client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6Ild3cmVwdTJkYXNhSXBHUi1BbFZwSGtVQjZKZyIsImtpZCI6Ik9BdXRoVGVzdFRlbmFudDEyNS5jZXJ0In0.eyJvcmFjbGUub2F1dGgudGtfY29udGV4dCI6ImNsaWVudF9hc3NlcnRpb24iLCJleHAiOjE0MjYwMzI4MzgwMDAsInN1YiI6IjMwM2EyNDkyLWQ2NGYtNGUwNC1iNzhmLWI0MzMwMDQ3MzEyYiIsImlzcyI6Ik9BdXRoVGVzdFRlbmFudDEyNSIsInBybiI6IjMwM2EyNDkyLWQ2NGYtNGUwNC1iNzhmLWI0MzMwMDQ3MzEyYiIsImp0aSI6IjYyNzZhYTI0LTUxNjQtNGEwZC1iYzQxLTlmMzVjMGU1ZjgxZiIsIm9yYWNsZS5vYXV0aC5zdmNfcF9uIjoiT0F1dGhUZXN0VGVuYW50MTI1U2VydmljZVByb2ZpbGUiLCJpYXQiOjE0MjU0MjgwMzgwMDAsIm9yYWNsZS5vYXV0aC5pZF9kX2lkIjoiMTM0NjM2NzUxMzgzMDI1NjYiLCJ1c2VyLnRlbmFudC5uYW1lIjoiT0F1dGhUZXN0VGVuYW50MTI1Iiwib3JhY2xlLm9hdXRoLnBybi5pZF90eXBlIjoiQ2xpZW50SUQifQ.OCHS9FhKJEXpIg3IvE6qWdTz3tRY449LZoBAcc3yDoaMbjS4CZxDDuKx6MUBpHmkmVoHRZSmkrILOzel51sT_kjEHfNtzwMCIs2re_JcSfGkvnzv0aCV1r_V5dvmmZulhGaOUTu9nkEFzCq-JNa23eO_dEq8jfP7-Y7H2KGMvuC5lHGGQViw1ega-4mFuZBJlSvzEqDcYIPde0m8gSUF--IFuiovgGTKCe97-0MF34za6SZ0HJv9p3WesvCS8YV1bcWVwTGEXCZ3qA1mA-IOKvaMZNOxM_D9tT5KVCub-i-H6r0uHpkovOCzunffcuL4cOg5ptrFv-abn-JP47eNag' \
  -d 'scope=http://www.example.com'
The response to the cURL command is:

{
  "expires_in": 3600,
  "token_type": "Bearer",
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6Ild3cmVwdTJkYXNhSXBHUi1BbFZwSGtVQjZKZyIsImtpZCI6Ik9BdXRoVGVzdFRlbmFudDEyNS5jZXJ0In0.eyJzdWIiOiJ0ZW5hbnRBZG1pblVzZXIiLCJvcmFjbGUub2F1dGgudXNlcl9vcmlnaW5faWRfdHlwZSI6IkxEQVBfVUlEIiwib3JhY2xlLm9hdXRoLnVzZXJfb3JpZ2luX2lkIjoidGVuYW50QWRtaW5Vc2VyIiwiaXNzIjoiT0F1dGhUZXN0VGVuYW50MTI1Iiwib3JhY2xlLm9hdXRoLnN2Y19wX24iOiJPQXV0aFRlc3RUZW5hbnQxMjVTZXJ2aWNlUHJvZmlsZSIsImlhdCI6MTQyNTQyODA2ODAwMCwib3JhY2xlLm9hdXRoLnBybi5pZF90eXBlIjoiTERBUF9VSUQiLCJvcmFjbGUub2F1dGgudGtfY29udGV4dCI6InJlc291cmNlX2FjY2Vzc190ayIsImV4cCI6MTQyNTQzMTY2ODAwMCwiYXVkIjpbImh0dHA6Ly93d3cuZXhhbXBsZS5jb20iXSwicHJuIjoidGVuYW50QWRtaW5Vc2VyIiwianRpIjoiMGZmNTM4NzQtZTJhYS00OTYwLTg0NTUtZWUzZjQ2N2ZjNDEzIiwib3JhY2xlLm9hdXRoLmNsaWVudF9vcmlnaW5faWQiOiIzMDNhMjQ5Mi1kNjRmLTRlMDQtYjc4Zi1iNDMzMDA0NzMxMmIiLCJvcmFjbGUub2F1dGguc2NvcGUiOiJodHRwOi8vd3d3LmV4YW1wbGUuY29tIiwidXNlci50ZW5hbnQubmFtZSI6Ik9BdXRoVGVzdFRlbmFudDEyNSIsIm9yYWNsZS5vYXV0aC5pZF9kX2lkIjoiMTM0NjM2NzUxMzgzMDI1NjYifQ.q9yLvZ9RTX1dfJ-B8bcR6sQHKylSuXol02tOTbCmuRKgb9Ej5QxjPea35_Y0bMlOiRaUPk-elE0tpx7m4b7tLsCHDYo2YtRWkOrKbSPWyVulPsXArTvtiy3qz5UX4mLhXXbWRwxUfNuUmUTen7hhqigJzxk_V3_BO85OT57aQBCp4QYBJ7HOmCeVjR4McyufTZEsRL8v_D9CP85IxF9GMrxZzLD8-VTprmcirgAOlwdDUlWRMUtBwAmui5jfMJK0K0tkC8ABaUqPA58Af_HjUCT8wn0qY_b1mJH0tq0Is5i_n9tJ3fDjxcQB5yoAGMBp2CQgb4b1Hh7BWo5TY8HneA"
}
The JSON web token (JWT) obtained can be decoded and the claims in the access token can be viewed as follows. Decoding the base64url segments only reveals the claims; it does not verify the RS256 signature, which must be checked against the certificate identified by the kid and x5t header values before the claims are trusted.

Header:
{
  "alg": "RS256",
  "typ": "JWT",
  "x5t": "Wwrepu2dasaIpGR-AlVpHkUB6Jg",
  "kid": "OAuthTestTenant125.cert"
}

Payload:
{
  "sub": "tenantAdminUser",
  "oracle.oauth.user_origin_id_type": "LDAP_UID",
  "oracle.oauth.user_origin_id": "tenantAdminUser",
  "iss": "OAuthTestTenant125",
  "oracle.oauth.svc_p_n": "OAuthTestTenant125ServiceProfile",
  "iat": 1425423619000,
  "oracle.oauth.prn.id_type": "LDAP_UID",
  "oracle.oauth.tk_context": "resource_access_tk",
  "exp": 1425427219000,
  "aud": [ "http://www.example.com" ],
  "prn": "tenantAdminUser",
  "jti": "fa46cc79-91ab-4553-96d4-a4aef1c8ffc7",
  "oracle.oauth.client_origin_id": "303a2492-d64f-4e04-b78f-b4330047312b",
  "oracle.oauth.scope": "http://www.example.com",
  "user.tenant.name": "OAuthTestTenant125",
  "oracle.oauth.id_d_id": "13463675138302566"
}

Signature:
[signature]
Audience and scope claims in the output:

The audience claim in an access token contains the API path of the resource. The oracle.oauth.scope claim contains the valid API path with the scope in the response. In the prior example, the incoming request has a scope of http://www.example.com. The client audience configuration also has a value of http://www.example.com::*. The OAuth token service validates the incoming request scope against the values in the client audience configuration. Because this is a valid request, the OAuth token service sends a valid access token in the response. In this case, the audience claim has a value of http://www.example.com and the scope has a value of http://www.example.com.
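The following Python example is added here and is not part of the Oracle documentation. It shows the client side of the flow described above: building the application/x-www-form-urlencoded body for the password grant with a JWT client assertion, decoding the returned JWT into its header and claims without trusting it, and checking that the aud and oracle.oauth.scope claims match the requested scope and that the token is a current resource access token. The sample token is constructed from the decoded claims shown on this page with a placeholder signature, and the reading of the "::*" suffix in the client audience configuration (resource before "::", scope pattern after it) is an assumption, not a documented rule.

```python
import base64
import json
from urllib.parse import urlencode

CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def build_token_request_body(username, password, client_assertion, scope):
    """Form body for the resource owner password grant with a JWT client assertion.
    urlencode() percent-encodes the ':' characters of the assertion type and the
    '://' of the scope, as application/x-www-form-urlencoded requires."""
    return urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": client_assertion,
        "scope": scope,
    })


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token):
    """Split a compact JWT into (header, claims, signature_bytes).
    This only decodes. It does NOT verify the RS256 signature, so the claims must
    not be trusted until the signature is checked against the issuer certificate
    named by the 'kid' / 'x5t' header values."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)),
            _b64url_decode(sig_b64))


def scope_allowed_by_audience_config(requested_scope, audience_config):
    """Assumed reading of a client audience entry such as 'http://www.example.com::*':
    the text before '::' is the resource audience and the text after it is the
    permitted scope suffix, where '*' allows any scope under that audience."""
    resource, _, pattern = audience_config.partition("::")
    if not requested_scope.startswith(resource):
        return False
    remainder = requested_scope[len(resource):]
    return pattern == "*" or remainder == pattern


def check_access_token_claims(token, requested_scope, now_ms):
    """Return a list of problems with the claims, empty when the token is acceptable:
    aud and oracle.oauth.scope must carry the requested scope, the token must be a
    resource access token, and iat <= now < exp (timestamps in milliseconds)."""
    _, claims, _ = decode_jwt_unverified(token)
    problems = []
    if requested_scope not in claims.get("aud", []):
        problems.append("aud does not contain requested scope")
    if claims.get("oracle.oauth.scope") != requested_scope:
        problems.append("oracle.oauth.scope differs from requested scope")
    if claims.get("oracle.oauth.tk_context") != "resource_access_tk":
        problems.append("not a resource access token")
    if not claims.get("iat", 0) <= now_ms < claims.get("exp", 0):
        problems.append("token expired or not yet valid")
    return problems


# Constructed sample token: header and claims copied from the decoded example on
# the page, signed with a placeholder instead of a real RS256 signature.
SAMPLE_HEADER = {"alg": "RS256", "typ": "JWT",
                 "x5t": "Wwrepu2dasaIpGR-AlVpHkUB6Jg", "kid": "OAuthTestTenant125.cert"}
SAMPLE_CLAIMS = {
    "sub": "tenantAdminUser",
    "iss": "OAuthTestTenant125",
    "iat": 1425423619000,
    "exp": 1425427219000,
    "aud": ["http://www.example.com"],
    "prn": "tenantAdminUser",
    "jti": "fa46cc79-91ab-4553-96d4-a4aef1c8ffc7",
    "oracle.oauth.tk_context": "resource_access_tk",
    "oracle.oauth.scope": "http://www.example.com",
    "oracle.oauth.client_origin_id": "303a2492-d64f-4e04-b78f-b4330047312b",
    "user.tenant.name": "OAuthTestTenant125",
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps(SAMPLE_HEADER, separators=(",", ":")).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS, separators=(",", ":")).encode()),
    _b64url_encode(b"placeholder-signature"),
])

if __name__ == "__main__":
    # "<client-assertion-jwt>" stands in for the separately generated client assertion.
    body = build_token_request_body("tenantAdminUser", "<password>",
                                    "<client-assertion-jwt>", "http://www.example.com")
    print(body)
    header, claims, _ = decode_jwt_unverified(SAMPLE_TOKEN)
    print(json.dumps(header), json.dumps(claims, indent=2))
    print(scope_allowed_by_audience_config("http://www.example.com", "http://www.example.com::*"))
    print(check_access_token_claims(SAMPLE_TOKEN, "http://www.example.com", now_ms=1425425000000))
```

The scope check and the claim check are deliberately separate: the first models what the token service does before issuing a token, the second what a resource server does with the token it receives, and neither replaces signature verification.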