Assertion Grant Type
Use this grant type when you want to rely on an existing trust relationship, expressed as an assertion, without a direct user approval step at the OAuth Authorization Server.
The following diagram displays the Assertion Grant Type flow.

In this OAuth flow:
- A user attempts to access a client application, sending a generated user assertion.
  Note: The process of how the assertion is acquired is out of scope for this explanation.
- The client application requests an access token, and often a refresh token, by providing a user assertion or a third-party user assertion and client credentials.
- Oracle Identity Cloud Service Authorization Server returns the access token to the client application.
- The client application uses the access token in an API call to obtain protected data, such as a list of users.
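The token request in the second step, sketched as an added example that is not Oracle's code: the client sanity-checks the assertion, authenticates itself, and builds the form body. Assumptions: the assertion is a JWT and the parameter names follow RFC 7523; the client ID, secret, scope, issuer, audience and subject are constructed sample values.

```python
import base64
import json
import time
from urllib.parse import urlencode

# RFC 7523 grant type URI for JWT assertions (assumed; the page names no format).
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_assertion(sub: str, exp: int) -> str:
    """Constructed JWT with a fake signature; a real one is signed by a trusted issuer."""
    claims = {"iss": "trusted-issuer", "sub": sub, "aud": "https://idcs.example.invalid/", "exp": exp}
    parts = (json.dumps({"alg": "RS256"}).encode(), json.dumps(claims).encode(), b"constructed-signature")
    return ".".join(b64url(p) for p in parts)


def peek_claims(assertion: str) -> dict:
    """Decode the payload without verifying it: a client-side sanity check only."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("assertion is not a three-part compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def build_token_request(assertion, client_id, client_secret, scope, now=None):
    """Return (headers, form body, subject) for the token request."""
    claims = peek_claims(assertion)
    missing = [c for c in ("iss", "sub", "aud", "exp") if c not in claims]
    if missing:
        raise ValueError(f"assertion lacks required claims: {missing}")
    if claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("assertion has expired; obtain a fresh one")
    # This grant requires client authentication; HTTP Basic is used here.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": JWT_BEARER, "assertion": assertion, "scope": scope})
    # The access token will be in the context of this subject (user, service or client).
    return headers, body, claims["sub"]


if __name__ == "__main__":
    jwt = make_sample_assertion("jdoe@example.com", int(time.time()) + 300)
    print(build_token_request(jwt, "demo-client", "demo-secret", "example_scope")[1:])
```

The client-side claim check only avoids sending an assertion that is certain to be rejected; signature and trust validation remain the Authorization Server's job.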
Function | Available |
---|---|
Requires client authentication | Yes |
Requires client to have knowledge of user credentials | No |
Browser-based end user interaction. Note: The process to generate the assertion may involve user interaction. | No |
Can use an external Identity Provider for authentication | Yes |
Refresh token is allowed | Yes |
Access token is in the context of the end user. Note: An access token will be in the context of the subject of the assertion, which may be an end user, a service, or the client itself. | Maybe |
See an example Assertion Grant Type authorization flow.