User Assertion

A user assertion is a user token that contains identity and security information about the user. Use the user assertion to authenticate the user instead of providing a user name and a password.

Signing the User Assertion

User assertions received by the OAuth service must be signed by a signing algorithm. The signing algorithm must be RS256:RSASSA-PKCS-v1_5 using the SHA-256 algorithm. Use this algorithm when building assertions to send to the OAuth service.

The certificate of the OAuth client is already registered with the authorization server. This certificate is used to sign the user assertion. The clients sign the user assertion, using their own private keys. The OAuth service uses the registered clients’ public key to validate the client and user assertions.

Format of a User Assertion

The format of the user assertion includes the following:
  • For trusted clients, the OAuth client application signs the user assertion.

  • iss: This identifies the principal that provided the token. This is the client ID of the OAuth client application.

  • jti: This is the unique ID of the request.

  • prn: This is the user name of the resource owner.

  • exp: This is the expiration time of the user token.

  • iat: This is the issue time of the user token.

  • This is the name of the identity domain.

  • aud: This is the audience claim. The IDM OAuth-generated user assertion has an audience claim and the audience values is This means that the self-signed user assertion is meant only to be used by the OAuth server.

Claims in the User Assertion

A user assertion has a header, and standard and custom claims. These items are covered in the following table:

Claim Name Type Description Sample
alg Header The algorithm used to sign the token. RS256
typ Header The classification type of the token. The default value is JWT. This indicates that this is a JSON web token (JWT). JWT
x5t Header The X.509 certificate thumbprint (x5t) header parameter provides a base64url-encoded SHA-256 thumbprint of the DER encoding of an X.509 certificate that can be used to match a certificate. _hVX9pXq7pUxkk5ry-8vK8qb8L8
kid Header The key ID (kid) header parameter is a hint indicating which specific key owned by the signer should be used to validate the signature. This allows signers to signal a change of the key to recipients explicitly. Omitting this parameter is equivalent to setting it to an empty string. The interpretation of the contents of the kid parameter is unspecified. oauth_psrtenantx3.cert
sub Standard Claim The subject (sub) claim identifies the principal that’s the subject of the JWT.
prn Standard Claim The principal (prn) claim identifies the principal that is the subject of the JWT.
iss Standard Claim The issuer (iss) claim identifies the principal that supplied the JWT. oauth_psrtenantx3
iat Standard Claim The issued at (iat) claim identifies the time at which the JWT was supplied. 1429128747000
exp Standard Claim The expiration time (exp) claim identifies the expiration time on or after which the JWT must notbe accepted for processing. 1429128747000
aud Standard Claim The audience (aud) claim identifies the recipients for which the JWT is intended. (a list of audiences)
jti Standard Claim The JWT ID (jti) claim provides a unique identifier for the JWT. 0565e04e-3823-404f-b950-e970ea17f41f
oracle.oauth.svc_p_n Custom Claim IDM OAuth service profile name. oauth_psrtenantx3ServiceProfile
oracle.oauth.prn.id_type Custom Claim Principal ID type. For user assertion, the value is always LDAP_UID. LDAP_UID
oracle.oauth.sub.id_type Custom Claim Subject ID type. For user assertion, the value is always LDAP_UID. LDAP_UID
oracle.oauth.id_d_id Custom Claim IDM OAuth server domain ID. 20625897169639935
oracle.oauth.client_origin_id Custom Claim Subject ID for client used when user assertion is generated. 4457b326-fe88-4851-baad-b9488895e808 Custom Claim User tenancy for the OAuth token generated by IDM OAuth server. oauth_psrtenantx3