Successful Authorization
During an authorization request, the authorization server performs the following validations before it issues an access token:
- Validation of the client assertion, which also establishes that the client is authorized to make the request. The assertion is checked with the client certificate that was imported when the client was registered with the authorization server.
- Validation of the user, which also establishes that the user is authorized to make the request. Either the user's credentials or the user assertion is validated.
- Validation of the scope in the incoming access token request against the audience claim in the client profile held by the OAuth service (information stored when the client was registered).
Access Token in the Response
If the validations pass successfully, the authorization server sends a response with an access token.
{
  "expires_in": 3600,
  "token_type": "Bearer",
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6Ild3cmVwdTJkYXNhSXBHUi1BbFZwSGtVQjZKZyIsImtpZCI6Ik9BdXRoVGVzdFRlbmFudDEyNS5jZXJ0In0.eyJzdWIiOiJ0ZW5hbnRBZG1pblVzZXIiLCJvcmFjbGUub2F1dGgudXNlcl9vcmlnaW5faWRfdHlwZSI6IkxEQVBfVUlEIiwib3JhY2xlLm9hdXRoLnVzZXJfb3JpZ2luX2lkIjoidGVuYW50QWRtaW5Vc2VyIiwiaXNzIjoiT0F1dGhUZXN0VGVuYW50MTI1Iiwib3JhY2xlLm9hdXRoLnN2Y19wX24iOiJPQXV0aFRlc3RUZW5hbnQxMjVTZXJ2aWNlUHJvZmlsZSIsImlhdCI6MTQyNTQyNzc1NjAwMCwib3JhY2xlLm9hdXRoLnBybi5pZF90eXBlIjoiTERBUF9VSUQiLCJvcmFjbGUub2F1dGgudGtfY29udGV4dCI6InJlc291cmNlX2FjY2Vzc190ayIsImV4cCI6MTQyNTQzMTM1NjAwMCwiYXVkIjpbImh0dHA6Ly93d3cuZXhhbXBsZS5jb20iXSwicHJuIjoidGVuYW50QWRtaW5Vc2VyIiwianRpIjoiZWM3ZWRhOWUtMTMyMS00MWI0LTg1MTYtMDQzNDRhMDY4MjE4Iiwib3JhY2xlLm9hdXRoLmNsaWVudF9vcmlnaW5faWQiOiIzMDNhMjQ5Mi1kNjRmLTRlMDQtYjc4Zi1iNDMzMDA0NzMxMmIiLCJvcmFjbGUub2F1dGguc2NvcGUiOiJodHRwOi8vd3d3LmV4YW1wbGUuY29tIiwidXNlci50ZW5hbnQubmFtZSI6Ik9BdXRoVGVzdFRlbmFudDEyNSIsIm9yYWNsZS5vYXV0aC5pZF9kX2lkIjoiMTM0NjM2NzUxMzgzMDI1NjYifQ.maEhtSbOWqKZPj_Wb6vezEcusm8SHLLBrdqKRjh3aKyga4_vY8cYiug59gF7t9xeVY_wps2mOI6uaAm8J0Fw0jZo2_NZpS5nXq-PiUNCTHWiUQkb8GFv8Gd6qGc2M7Y3cBLG5w-VVRCtRVBUtpTkaTg_VWzS_iygsSIBJjp6KsIqKRtE_DjGtp_E3AaBnfmB19r754NJl3_R8BQ1WpbjEL-8zFZzBa-4bTC0DQ58w4ssOOLT3aZWv9UhJ0Ok_pT-ZDcFxFLUGoMnTD-pms9h4m58mGDtrRi5WBPC8n3RuOrmZBJjzOWAjCC0Tb-ZdR65q7ewaxX_V6PccCHeIoFPmg"
}
The fields in the response are:
- expires_in: An optional but recommended parameter that specifies the lifetime of the access token in seconds. In the prior example, the access token is valid for 1 hour (3600 seconds).
- token_type: A mandatory parameter that specifies the type of token returned in the response. In the prior example, the token_type is Bearer: whoever presents the token gets the access it grants, so the client must store and transmit it accordingly.
- access_token: A mandatory parameter whose value is the access token itself, in JSON web token (JWT) format, which the client application may store and use later. The token is base64url-encoded, not encrypted, so it can be decoded to inspect its claims. Decoding is not verification: a resource server must check the RS256 signature against the authorization server's certificate, identified by the kid and x5t header parameters, before it trusts any claim.
An example of a decoded JWT (header, then payload, then the signature):
{
  "alg": "RS256",
  "typ": "JWT",
  "x5t": "Wwrepu2dasaIpGR-AlVpHkUB6Jg",
  "kid": "OAuthTestTenant125.cert"
}
.
{
  "sub": "tenantAdminUser",
  "oracle.oauth.user_origin_id_type": "LDAP_UID",
  "oracle.oauth.user_origin_id": "tenantAdminUser",
  "iss": "OAuthTestTenant125",
  "oracle.oauth.svc_p_n": "OAuthTestTenant125ServiceProfile",
  "iat": 1425424318000,
  "oracle.oauth.prn.id_type": "LDAP_UID",
  "oracle.oauth.tk_context": "resource_access_tk",
  "exp": 1425427918000,
  "aud": [ "http://www.example.com" ],
  "prn": "tenantAdminUser",
  "jti": "d385cc71-8f18-46a5-9ae4-6ab6f085badb",
  "oracle.oauth.client_origin_id": "303a2492-d64f-4e04-b78f-b4330047312b",
  "oracle.oauth.scope": "http://www.example.com",
  "user.tenant.name": "OAuthTestTenant125",
  "oracle.oauth.id_d_id": "13463675138302566"
}
.
[signature]
Claims in the Access Token
An access token has a header, and standard and custom claims.
Claim Name | Type | Description | Sample |
alg | Header | The algorithm used to sign the token. | RS256 |
typ | Header | The classification type of the token. The default value is JWT, which indicates that this is a JSON web token. | JWT |
x5t | Header | The X.509 certificate thumbprint (x5t) header parameter is the base64url-encoded SHA-1 thumbprint (digest) of the DER encoding of the X.509 certificate, used to select the matching certificate. The SHA-256 variant is a separate header parameter, x5t#S256; the sample here decodes to 20 bytes, the SHA-1 length. | _hVX9pXq7pUxkk5ry-8vK8qb8L8 |
kid | Header | The key ID (kid) header parameter is a hint indicating which specific key owned by the signer should be used to validate the signature. This allows signers to signal a change of key to recipients explicitly. Omitting this parameter is equivalent to setting it to an empty string. The interpretation of the contents of the kid parameter is unspecified. | oauth_psrtenantx3.cert |
sub | Standard Claim | The subject (sub) claim identifies the principal that is the subject of the JWT. | MyAdmin@oracle1.com |
prn | Standard Claim | The principal (prn) claim also identifies the principal that is the subject of the JWT (prn was the name used for sub in early JWT drafts); it carries the same value as sub. | MyAdmin@oracle1.com |
iss | Standard Claim | The issuer (iss) claim identifies the principal that issued the JWT. | oauth_psrtenantx3 |
iat | Standard Claim | The issued at (iat) claim identifies the time at which the JWT was issued. This server emits it in milliseconds since the Unix epoch (RFC 7519 defines NumericDate in seconds), so compare it in milliseconds. | 1429128747000 |
exp | Standard Claim | The expiration time (exp) claim identifies the time on or after which the JWT must not be accepted for processing. Same millisecond unit as iat. | 1429128747000 |
aud | Standard Claim | The audience (aud) claim identifies the recipients for which the JWT is intended. | (a list of audiences) |
jti | Standard Claim | The JWT ID (jti) claim provides a unique identifier for the JWT. | 0565e04e-3823-404f-b950-e970ea17f41f |
oracle.oauth.svc_p_n | Custom Claim | IDM OAuth service profile name. | oauth_psrtenantx3ServiceProfile |
oracle.oauth.prn.id_type | Custom Claim | Principal ID type. For a user assertion, the value is always LDAP_UID. | LDAP_UID |
oracle.oauth.sub.id_type | Custom Claim | Subject ID type. For a user assertion, the value is always LDAP_UID. | LDAP_UID |
oracle.oauth.id_d_id | Custom Claim | IDM OAuth server domain ID. | 20625897169639935 |
oracle.oauth.client_origin_id | Custom Claim | Subject ID of the client used when the user assertion is generated. | 4457b326-fe88-4851-baad-b9488895e808 |
user.tenant.name | Custom Claim | User tenancy for the OAuth token generated by the IDM OAuth server. | oauth_psrtenantx3 |
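The token response and the claim table above, worked through in code. This is an added example and not Oracle's code: it parses the response body shown on this page (copied here with the extraction whitespace inside the token removed), splits the compact JWS, base64url-decodes header and claims, and applies the checks a resource server makes before trusting the token: issuer, audience, expiry and issued-at in the server's millisecond unit, and the presence of jti. Assumptions: EXPECTED_AUDIENCE is taken from the token's own aud value; the to_millis heuristic (values below 1e11 are seconds) is this example's choice, not part of the page; the DER bytes passed to x5t_thumbprint in the usage are constructed, not a real certificate. Signature verification needs the authorization server's certificate, selected by kid or x5t, and is only pointed at here.

```python
"""Added example, not Oracle's code: parse the token response shown on the
page, decode the JWT it carries, and run the claim checks a resource server
makes before trusting it. Stdlib only; signature verification needs the
issuer's certificate (selected by kid/x5t) and is only pointed at here."""
import base64
import hashlib
import json

# The response body from the page, with extraction whitespace inside the token removed.
TOKEN_RESPONSE = (
    '{"expires_in":3600, "token_type":"Bearer", "access_token":"'
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6Ild3cmVwdTJkYXNhSXBHUi1BbFZwSGtVQjZKZyIsImtpZCI6I"
    "k9BdXRoVGVzdFRlbmFudDEyNS5jZXJ0In0.eyJzdWIiOiJ0ZW5hbnRBZG1pblVzZXIiLCJvcmFjbGUub2F1dGgudXNlcl9vcmlnaW5faWRfdH"
    "lwZSI6IkxEQVBfVUlEIiwib3JhY2xlLm9hdXRoLnVzZXJfb3JpZ2luX2lkIjoidGVuYW50QWRtaW5Vc2VyIiwiaXNzIjoiT0F1dGhUZXN0VGV"
    "uYW50MTI1Iiwib3JhY2xlLm9hdXRoLnN2Y19wX24iOiJPQXV0aFRlc3RUZW5hbnQxMjVTZXJ2aWNlUHJvZmlsZSIsImlhdCI6MTQyNTQyNzc1"
    "NjAwMCwib3JhY2xlLm9hdXRoLnBybi5pZF90eXBlIjoiTERBUF9VSUQiLCJvcmFjbGUub2F1dGgudGtfY29udGV4dCI6InJlc291cmNlX2FjY"
    "2Vzc190ayIsImV4cCI6MTQyNTQzMTM1NjAwMCwiYXVkIjpbImh0dHA6Ly93d3cuZXhhbXBsZS5jb20iXSwicHJuIjoidGVuYW50QWRtaW5Vc2"
    "VyIiwianRpIjoiZWM3ZWRhOWUtMTMyMS00MWI0LTg1MTYtMDQzNDRhMDY4MjE4Iiwib3JhY2xlLm9hdXRoLmNsaWVudF9vcmlnaW5faWQiOiI"
    "zMDNhMjQ5Mi1kNjRmLTRlMDQtYjc4Zi1iNDMzMDA0NzMxMmIiLCJvcmFjbGUub2F1dGguc2NvcGUiOiJodHRwOi8vd3d3LmV4YW1wbGUuY29t"
    "IiwidXNlci50ZW5hbnQubmFtZSI6Ik9BdXRoVGVzdFRlbmFudDEyNSIsIm9yYWNsZS5vYXV0aC5pZF9kX2lkIjoiMTM0NjM2NzUxMzgzMDI1N"
    "jYifQ.maEhtSbOWqKZPj_Wb6vezEcusm8SHLLBrdqKRjh3aKyga4_vY8cYiug59gF7t9xeVY_wps2mOI6uaAm8J0Fw0jZo2_NZpS5nXq-PiUN"
    "CTHWiUQkb8GFv8Gd6qGc2M7Y3cBLG5w-VVRCtRVBUtpTkaTg_VWzS_iygsSIBJjp6KsIqKRtE_DjGtp_E3AaBnfmB19r754NJl3_R8BQ1Wpbj"
    "EL-8zFZzBa-4bTC0DQ58w4ssOOLT3aZWv9UhJ0Ok_pT-ZDcFxFLUGoMnTD-pms9h4m58mGDtrRi5WBPC8n3RuOrmZBJjzOWAjCC0Tb-ZdR65q"
    '7ewaxX_V6PccCHeIoFPmg"}'
)
EXPECTED_ISSUER = "OAuthTestTenant125"        # iss in the page's token
EXPECTED_AUDIENCE = "http://www.example.com"  # the aud this resource server expects (assumed)


def b64url_decode(segment: str) -> bytes:
    """base64url without padding (RFC 7515 section 2): restore '=' and decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_token_response(body: str) -> dict:
    """Check the mandatory response fields before touching the token itself."""
    resp = json.loads(body)
    for field in ("access_token", "token_type"):
        if field not in resp:
            raise ValueError(f"token response lacks mandatory field {field!r}")
    if resp["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {resp['token_type']!r}")
    return resp


def decode_jwt(token: str):
    """Split a compact JWS into (header, claims, signing_input, signature).
    Decoding is NOT verification: nothing here proves who produced the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")  # the bytes RS256 signs
    return header, claims, signing_input, b64url_decode(parts[2])


def x5t_thumbprint(cert_der: bytes) -> str:
    """RFC 7515 x5t: base64url(SHA-1(DER cert)) without padding. The SHA-256
    variant is the separate x5t#S256 header. Match it against the candidate certs."""
    return base64.urlsafe_b64encode(hashlib.sha1(cert_der).digest()).rstrip(b"=").decode()


def to_millis(value: int) -> int:
    """This server emits iat/exp in milliseconds (exp - iat == 3600000 for a 3600 s
    token), RFC 7519 NumericDate is seconds. Heuristic (this example's assumption):
    anything below 1e11 is seconds, since epoch seconds stay below that until 5138."""
    return value if value >= 10**11 else value * 1000


def validate_claims(claims: dict, issuer: str, audience: str, now_ms: int, leeway_ms: int = 0) -> list:
    """Return the reasons to reject the token; an empty list means accept."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss is not the expected issuer")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list
    if audience not in aud:
        problems.append("aud does not include this resource server")
    if "exp" not in claims:
        problems.append("exp missing")
    elif now_ms >= to_millis(claims["exp"]) + leeway_ms:
        problems.append("token expired")
    if "iat" in claims and to_millis(claims["iat"]) > now_ms + leeway_ms:
        problems.append("iat is in the future")
    if not claims.get("jti"):
        problems.append("jti missing, so replay cannot be detected")
    return problems


def inspect_response(body: str, now_ms: int) -> dict:
    """End to end: parse, decode, and check; returns facts a caller can assert on."""
    resp = parse_token_response(body)
    header, claims, _signing_input, signature = decode_jwt(resp["access_token"])
    return {
        "alg": header["alg"],
        "kid": header["kid"],
        "x5t_digest_bytes": len(b64url_decode(header["x5t"])),  # 20 -> SHA-1, as x5t requires
        "signature_bytes": len(signature),                       # 256 -> 2048-bit RSA modulus
        "lifetime_consistent": to_millis(claims["exp"]) - to_millis(claims["iat"])
        == resp["expires_in"] * 1000,
        "problems": validate_claims(claims, EXPECTED_ISSUER, EXPECTED_AUDIENCE, now_ms),
        "claims": claims,
    }
```

Run inspect_response(TOKEN_RESPONSE, now_ms) with a clock one second after the token's iat (1425427757000) and the problem list is empty; with the real clock the only problem is "token expired", because the page's token was issued in March 2015. Passing the current time in seconds instead of milliseconds would make the millisecond exp look decades away, which is the unit mismatch to_millis guards against. Note that signing_input is what a real verifier would hand to an RSA-PKCS1-v1_5/SHA-256 check together with the certificate whose thumbprint equals the header's x5t.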