Client Assertion

A client assertion contains information that validates the client.

It provides an alternative client authentication mechanism, one that does not send the client secret to the service. When you register your OAuth client, the OAuth service issues client credentials in the form of a client identifier and a client secret. The client secret authenticates the client to the service API whenever the client requests access; a signed client assertion lets the client prove its identity without transmitting that secret.

Signing the Client Assertion

Client assertions received by the OAuth service must be signed. The signing algorithm must be RS256 (RSASSA-PKCS1-v1_5 using SHA-256); use this algorithm when building client assertions to send to the OAuth service.

The OAuth token service already holds the certificate of the OAuth client, which is stored in the client profile at client registration. The service uses this certificate to verify the signature on the client assertion, so the assertion is trusted only because it validates against the registered client certificate.

Format of a Client Assertion

The format of the client assertion includes the following:
  • For trusted clients, the client assertion is signed using the client certificate's private key. The header carries the algorithm used (RS256), the type of token (JWT), the thumbprint of the client public key (the result of a hash function applied to the certificate itself), and the alias of the certificate.

  • iss: This identifies the principal that supplied the token. This is the client ID of the OAuth client application.

  • jti: This is the unique ID of the request.

  • prn: This identifies the principal that is the subject of the token. This is the client ID of the OAuth client application.

  • exp: This is the expiration time of the client token.

  • iat: This is the issue time of the client token.

  • user.tenant.name: This is the name of the identity domain.

  • aud: This is the audience claim. An identity management OAuth-generated client assertion has an audience claim and its audience value is oauth.idm.oracle.com. This means that the self-signed client assertion can only be used by the OAuth server.

Claims in a Client Assertion

A client assertion has a header, standard claims, and custom claims, as described in the following table:

Claim Name | Type | Description | Sample
--- | --- | --- | ---
alg | Header | The algorithm used to sign the token. | RS256
typ | Header | The classification type of the token. The default value is JWT, indicating a JSON web token (JWT). | JWT
x5t | Header | The X.509 certificate thumbprint (x5t) header parameter provides a base64url-encoded SHA-256 thumbprint of the Distinguished Encoding Rules (DER) encoding of an X.509 certificate, which can be used to match a certificate. | _hVX9pXq7pUxkk5ry-8vK8qb8L8
kid | Header | The key ID (kid) header parameter is a hint indicating which specific key owned by the signer should be used to validate the signature. This allows signers to signal a change of key to recipients explicitly. Omitting this parameter is equivalent to setting it to an empty string. The interpretation of the contents of the kid parameter is unspecified. | oauth_psrtenantx3.cert
sub | Standard Claim | The subject (sub) claim identifies the principal that is the subject of the JSON web token. | 4457b326-fe88-4851-baad-b9488895e808
prn | Standard Claim | The principal (prn) claim identifies the principal that is the subject of the JSON web token. | 4457b326-fe88-4851-baad-b9488895e808
iss | Standard Claim | The issuer (iss) claim identifies the principal that issued the JSON web token. | 987e4dbe19c94be0aa47ff3ca8c62385
iat | Standard Claim | The issued at (iat) claim identifies the time at which the JSON web token was issued. | 1429128747000
exp | Standard Claim | The expiration time (exp) claim identifies the expiration time on or after which the JSON web token must not be accepted for processing. | 1429128747000
aud | Standard Claim | The audience (aud) claim identifies the recipients for which the JSON web token is intended. | (a list of audiences)
jti | Standard Claim | The JSON web token ID (jti) claim provides a unique identifier for the JSON web token. | 0565e04e-3823-404f-b950-e970ea17f41f
oracle.oauth.svc_p_n | Custom Claim | IDM OAuth service profile name. | oauth_psrtenantx3ServiceProfile
oracle.oauth.prn.id_type | Custom Claim | Principal ID type. For a client assertion, the value is always ClientID. | ClientID
oracle.oauth.sub.id_type | Custom Claim | Subject ID type. For a client assertion, the value is always ClientID. | ClientID
oracle.oauth.id_d_id | Custom Claim | IDM OAuth server domain ID. | 20625897169639935
user.tenant.name | Custom Claim | User tenancy for the OAuth token generated by the IDM OAuth server. | oauth_psrtenantx3