JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants

Overview#

JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants is defined in RFC 7523 and describes how a JSON Web Token (JWT) is used for OAuth 2.0 Client Authentication and as an OAuth 2.0 Authorization Grant.

JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants follows the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants.

From the Introduction of RFC 7523#

JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants defines how a JWT Bearer Token can be used to request an Access Token when a client wishes to utilize an existing trust relationship, expressed through the semantics of the JWT, without a direct user-approval step at the Authorization Server. RFC 7523 also defines how a JWT can be used as a client Authentication Mechanism.

The use of a security token for client authentication is orthogonal to and separable from using a security token as an Authorization Grant. They can be used either in combination or separately. Client authentication using a JWT is nothing more than an alternative way for a client to authenticate to the token endpoint and must be used in conjunction with some Grant Type to form a complete and meaningful protocol request. JWT authorization Grants may be used with or without client authentication or identification. Whether or not client authentication is needed in conjunction with a JWT Authorization Grant, as well as the supported types of client authentication, are policy decisions at the discretion of the Authorization Server.

The process by which the client obtains the JWT, prior to exchanging it with the Authorization Server or using it for client authentication, is out of scope of RFC 7523.

Submitting a JWT Authorization Request#

It is a best practice to use the HTTPS protocol instead of HTTP to submit a JWT request. The Token_endpoint of the OpenID Connect Provider is used for handling HTTPS JWT requests. To determine the Token_endpoint of the OpenID Connect Provider, use OpenID Connect Discovery.

The request must contain the following parameters:

  • grant_type - The value of this parameter MUST be "urn:ietf:params:oauth:grant-type:jwt-bearer".
  • assertion - The value of this parameter must contain a single signed (JWS) JSON Web Token.
  • scope - This parameter is optional. If scope is omitted, the Access_token that is returned does not contain any scopes.
  • client_id - The value of this parameter must match the name attribute in the client configuration of the OpenID Connect Provider.
  • client_secret - The value of this parameter must match the secret attribute in the client configuration of the OpenID Connect Provider.
An example HTTPS request (the space in the scope value is form-encoded as %20):

    POST /token.oauth2 HTTP/1.1
    Host: oidc.ibm.com
    Content-Type: application/x-www-form-urlencoded

    client_id=client01
    &client_secret=secret
    &grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
    &assertion=eyJhbGcxxxkIn0.eyJpcxxxA4fQ.MB6ZFlCsHg5MJ-weIHZYz6xgF1jdSZn7ErchHs8-8Rk
    &scope=profile%20email
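The following is an added example, not code from this page or from any OpenID Connect Provider, showing both halves of the exchange described in the Introduction and in the request above: the client builds a signed JWT assertion and the form-encoded token request, and the Authorization Server validates the assertion against the RFC 7523 section 3 requirements (verified signature, required iss/sub/aud/exp claims, expected issuer and audience, not expired). The client id, secret, HMAC key and token endpoint URL are constructed placeholders; HS256 with a pre-shared key is used only so the example runs with the Python standard library, a real deployment would normally register an asymmetric (RS256/ES256) key for the client.

```python
import base64
import hashlib
import hmac
import json
import urllib.parse

JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Constructed demo values (not from any real deployment).
CLIENT_ID = "client01"
CLIENT_SECRET = "secret"
SIGNING_KEY = b"constructed-demo-hmac-key"          # key registered for the client at the AS
TOKEN_ENDPOINT = "https://oidc.example.com/token.oauth2"  # used as the JWT audience


def b64url(data: bytes) -> str:
    """Unpadded base64url, as required for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(key: bytes, issuer: str, subject: str, audience: str,
                   now: int, lifetime: int = 300) -> str:
    """Client side: build a compact JWS carrying the RFC 7523 claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime, "jti": f"{issuer}-{now}"}
    encode = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = encode(header) + "." + encode(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def build_token_request(assertion: str, scope: str = "") -> str:
    """Client side: the application/x-www-form-urlencoded body for the token endpoint."""
    params = {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
              "grant_type": JWT_BEARER_GRANT, "assertion": assertion}
    if scope:
        params["scope"] = scope
    return urllib.parse.urlencode(params)  # percent-encodes ':' and encodes spaces


def validate_assertion(assertion: str, key: bytes, expected_issuer: str,
                       expected_audience: str, now: int) -> dict:
    """Authorization Server side: RFC 7523 section 3 checks; raises ValueError on failure."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("assertion is not a compact JWS")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm to what was registered; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    for required in ("iss", "sub", "aud", "exp"):
        if required not in claims:
            raise ValueError(f"missing required claim {required}")
    if claims["iss"] != expected_issuer:
        raise ValueError("unknown issuer")
    aud = claims["aud"]
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("assertion not intended for this server")
    if now >= claims["exp"]:  # add a small skew allowance in production if needed
        raise ValueError("assertion expired")
    return claims


def is_valid_assertion(assertion: str, key: bytes, expected_issuer: str,
                       expected_audience: str, now: int) -> bool:
    try:
        validate_assertion(assertion, key, expected_issuer, expected_audience, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    now = 1_700_000_000
    jwt = make_assertion(SIGNING_KEY, CLIENT_ID, CLIENT_ID, TOKEN_ENDPOINT, now)
    print(build_token_request(jwt, "profile email"))
    print(validate_assertion(jwt, SIGNING_KEY, CLIENT_ID, TOKEN_ENDPOINT, now + 10))
```

The `jti` claim is included so the server can reject replayed assertions; the example does not keep the replay cache, which a production token endpoint would need in addition to the checks shown.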
