Assertion Grant Type

Use this grant type when you want to use an existing trust relationship expressed as an assertion and without a direct user approval step at the OAuth Authorization Server.

The following diagram displays the Assertion Grant Type flow.

A diagram that illustrates the Assertion Grant Type flow.

In this OAuth flow:

  1. A user attempts to access a client application, sending a generated user assertion.


    The process of how the assertion is acquired is out of scope for this explanation
  2. The client application requests an access token, and often a refresh token, by providing a user assertion or a third-party user assertion and client credentials.

  3. Oracle Identity Cloud Service Authorization Server returns the access token to the client application.

  4. The client application uses the access token in an API call to obtain protected data, such as a list of users.

Function Available
Requires client authentication Yes
Requires client to have knowledge of user credentials No
Browser-based end user interaction


The process to generate the assertion may involve user interaction.
Can use an external Identity Provider for authentication Yes
Refresh token is allowed Yes
Access token is in the context of the end user


An access token will be in the context of the subject of the assertion, which may be an end user, a service, or the client itself.

See an example Assertion Grant Type authorization flow.