Use this grant type when you want to rely on an existing trust relationship, expressed as an assertion, without a direct user approval step at the OAuth Authorization Server.
The following diagram displays the Assertion Grant Type flow.
In this OAuth flow:
1. A user attempts to access a client application, sending a generated user assertion.
   Note: The process of how the assertion is acquired is out of scope for this explanation.
2. The client application requests an access token, and often a refresh token, by providing a user assertion or a third-party user assertion and client credentials.
3. Oracle Identity Cloud Service Authorization Server returns the access token to the client application.
4. The client application uses the access token in an API call to obtain protected data, such as a list of users.
|Requires client authentication||No|
|Requires client to have knowledge of user credentials||No|
|Browser-based end user interaction. Note: The process to generate the assertion may involve user interaction.|| |
|Can use an external Identity Provider for authentication||Yes|
|Refresh token is allowed||Yes|
|Access token is in the context of the end user. Note: An access token will be in the context of the subject of the assertion, which may be an end user, a service, or the client itself.|| |
See an example Assertion Grant Type authorization flow.
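The token request from the flow above (the step where the client application presents the user assertion and client credentials), as an added example that is not Oracle's code. It assumes the assertion is a JWT sent with the RFC 7523 `jwt-bearer` grant type; the token URL, client ID, secret and scope are constructed placeholders, and `preflight`, `build_token_request` and `sample_assertion` are hypothetical helper names.

```python
import base64, json, time
from urllib.parse import urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # grant type URN, RFC 7523
REQUIRED = ("iss", "sub", "aud", "exp")  # claims RFC 7523 requires in the assertion

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def assertion_claims(assertion: str) -> dict:
    """Decode the JWT payload WITHOUT verifying it; verification is the server's job."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("assertion is not a three-part compact JWT")
    payload = parts[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def preflight(assertion: str, now: float, max_lifetime: int = 3600) -> list:
    """Client-side sanity check before the assertion leaves the application."""
    claims = assertion_claims(assertion)
    problems = [f"missing claim: {c}" for c in REQUIRED if c not in claims]
    exp = claims.get("exp")
    if isinstance(exp, (int, float)):
        if exp <= now:
            problems.append("assertion already expired")
        elif exp - now > max_lifetime:  # max_lifetime is an assumed local policy
            problems.append("assertion lifetime exceeds local policy")
    return problems

def build_token_request(token_url, client_id, client_secret, assertion, scope):
    """User assertion goes in the form body, client credentials as HTTP Basic."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": JWT_BEARER, "assertion": assertion, "scope": scope})
    return token_url, headers, body

def sample_assertion(claims: dict) -> str:
    """Constructed sample with a dummy signature so the example runs offline."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.{b64url(b'constructed-signature')}"

if __name__ == "__main__":
    now = time.time()
    good = sample_assertion({"iss": "example-client", "sub": "jdoe@example.com",
                             "aud": "https://idp.example.com/", "exp": int(now) + 300})
    print("preflight problems:", preflight(good, now))
    url, headers, body = build_token_request("https://idp.example.com/token",
                                             "example-client", "example-secret",
                                             good, "example.scope")
    print("POST", url, "\n", headers["Content-Type"], "\n", body[:80] + "...")
```

The request is only built, never sent; the sample assertion carries a dummy signature and would be rejected by a real authorization server.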