This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] is defined in [RFC 7523] and describes using [JSON Web Token] ([JWT]) [OAuth 2.0 Profiles] for [OAuth 2.0] [Client|OAuth Client] [Authentication] and [Authorization Grants]
[{$pagename}] follows the [Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants].
!! From the Introduction of [RFC 7523]
[{$pagename}] defines how a [JWT] [Bearer Token] can be used to request an [Access Token] when a [client|OAuth Client] wishes to utilize an existing [trust] relationship, expressed through the semantics of the [JWT], without a direct user-approval step at the [Authorization Server]. [RFC 7523] also defines how a [JWT] can be used as a [client|OAuth Client] [Authentication Mechanism|Authentication Method].
The use of a security token for [client|OAuth Client] [authentication] is orthogonal to and separable from using a security token as an [Authorization Grant]. They can be used either in combination or separately. [Client|OAuth Client] authentication using a [JWT] is nothing more than an alternative way for a [client|OAuth Client] to [authenticate] to the [token endpoint|token_endpoint] and must be used in conjunction with some [Grant Type] to form a complete and meaningful [protocol] request. [JWT] [authorization Grants] may be used with or without [client|OAuth Client] [authentication] or [identification]. Whether or not [client|OAuth Client] authentication is needed in conjunction with a [JWT] [Authorization Grant], as well as the supported types of [client|OAuth Client] authentication, are policy decisions at the discretion of the [Authorization Server].
The process by which the client obtains the [JWT], prior to exchanging it with the [Authorization Server] or using it for [client|OAuth Client] authentication, is out of scope of [RFC 7523].
!! Submitting [JWT] [Authorization Request]
It is a best practice to use the [HTTPS] [protocol] instead of HTTP to submit a [JWT] request. The [Token_endpoint] of the [OpenID Connect Provider] handles [HTTPS] JWT requests. To determine the [Token_endpoint] of the OpenID Connect Provider, use [OpenID Connect Discovery].
The request must contain the following parameters:
* [grant_type] - The value of this parameter [MUST] be "urn:ietf:params:oauth:grant-type:jwt-bearer"
* assertion - The value of this parameter must contain a single signed ([JWS]) [JSON Web Token|JSON Web Tokens].
* [scope|OAuth Scopes] - This parameter is optional. If scope is omitted, the [Access_token] that is returned does not contain any scopes.
* [client_id] - The value of this parameter must match the name attribute in the client configuration of the OpenID Connect Provider.
* [Client Secret] - The value of this parameter must match the secret attribute in the client configuration of the OpenID Connect Provider.
An [example] [HTTPS] request:
{{{
POST /token.oauth2 HTTP/1.1
Host: oidc.ibm.com
Content-Type: application/x-www-form-urlencoded
client_id=client01
&client_secret=secret
&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
&assertion=eyJhbGcxxxkIn0.eyJpcxxxA4fQ.MB6ZFlCsHg5MJ-weIHZYz6xgF1jdSZn7ErchHs8-8Rk
&scope=profile%20email
}}}
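The following is an added example, not code from this page or from IBM, showing both ends of the exchange above: the client builds the signed assertion and the form-encoded token request, and the [Authorization Server] applies the checks [RFC 7523] requires before accepting it (signature, iss/sub/aud/exp present, aud equal to its own token endpoint, not expired). It assumes an HS256 shared key and a string-valued aud; the key, client name and timestamps are constructed sample values.

```python
import base64, hashlib, hmac, json, uuid
from urllib.parse import urlencode

# Constructed sample values; the endpoint is the one shown in the request above.
TOKEN_ENDPOINT = "https://oidc.ibm.com/token.oauth2"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_assertion(key: bytes, iss: str, sub: str, aud: str, now: int, ttl: int = 300) -> str:
    """Client side: HS256-signed JWT with the RFC 7523 claims iss, sub, aud, exp plus iat and jti."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": iss, "sub": sub, "aud": aud, "iat": now, "exp": now + ttl, "jti": uuid.uuid4().hex}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_assertion(key: bytes, token: str, expected_aud: str, now: int) -> dict:
    """Authorization-server side: reject anything that fails the RFC 7523 section 3 checks."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the unverified header choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    for c in ("iss", "sub", "aud", "exp"):
        if c not in claims:
            raise ValueError(f"missing claim {c}")
    if claims["aud"] != expected_aud:  # assertion must be addressed to this token endpoint
        raise ValueError("aud mismatch")
    if now >= claims["exp"]:
        raise ValueError("assertion expired")
    return claims

def build_token_request(client_id: str, client_secret: str, assertion: str, scope: str = None) -> str:
    """Form-encoded body for the POST to the token endpoint; scope is optional as stated above."""
    params = {"client_id": client_id, "client_secret": client_secret,
              "grant_type": GRANT_TYPE, "assertion": assertion}
    if scope:
        params["scope"] = scope  # urlencode turns the space in "profile email" into '+'
    return urlencode(params)
```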
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
* [#2] - [Submitting JSON Web Token requests|https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/cwlp_jwttoken.html|target='_blank'] - based on information obtained 2020-02-17