!!! Overview
[{$pagename}] is defined in [RFC 7523] and is one of the [OAuth 2.0 Profiles]: it specifies how a [JSON Web Token] ([JWT]) is used for [OAuth 2.0] [Client|OAuth Client] [Authentication] and as one of the [Authorization Grants].
[{$pagename}] follows the [Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants].
!! From the Introduction of [RFC 7523]
[{$pagename}] defines how a [JWT] [Bearer Token] can be used to request an [Access Token] when a [client|OAuth Client] wishes to utilize an existing [trust] relationship, expressed through the semantics of the [JWT], without a direct user-approval step at the [Authorization Server]. [RFC 7523] also defines how a [JWT] can be used as a [client|OAuth Client] [Authentication Mechanism|Authentication Method].
The use of a security token for [client|OAuth Client] [authentication] is orthogonal to and separable from using a security token as an [Authorization Grant]. They can be used either in combination or separately. [Client|OAuth Client] authentication using a [JWT] is nothing more than an alternative way for a [client|OAuth Client] to [authenticate] to the [token endpoint|token_endpoint] and must be used in conjunction with some [Grant Type] to form a complete and meaningful [protocol] request. [JWT] [authorization Grants] may be used with or without [client|OAuth Client] [authentication] or [identification]. Whether or not [client|OAuth Client] authentication is needed in conjunction with a [JWT] [Authorization Grant], as well as the supported types of [client|OAuth Client] authentication, are policy decisions at the discretion of the [Authorization Server].
The process by which the client obtains the [JWT], prior to exchanging it with the [Authorization Server] or using it for [client|OAuth Client] authentication, is out of scope of [RFC 7523].
!! Submitting a [JWT] [Authorization Grant] request
The request is a [token request] sent to the [Token_endpoint], and [RFC 6749] requires that endpoint to be served over [HTTPS] (TLS), not plain HTTP: the assertion is a [Bearer Token], so anyone who can read the request on the wire can replay it until it expires. For an [OpenID Connect Provider], the [Token_endpoint] is the token_endpoint value published through [OpenID Connect Discovery].
The request body is application/x-www-form-urlencoded and carries the following parameters:
* [grant_type] - The value of this parameter [MUST] be "urn:ietf:params:oauth:grant-type:jwt-bearer"
* assertion - A single [JWT] signed as a [JWS], in compact serialization (base64url header, payload and signature joined by dots). [RFC 7523] requires the [JWT] to carry at least the iss, sub, aud and exp claims, with aud identifying the [Authorization Server] (typically its [Token_endpoint] URL); a jti claim is optional but lets the server detect a replayed assertion.
* [scope|OAuth Scopes] - This parameter is optional. In the IBM Liberty provider referenced below, omitting scope yields an [Access_token] with no scopes; [RFC 6749] lets other servers apply a default scope instead or reject the request.
* [client_id] - Required only when the [Authorization Server] policy demands [client|OAuth Client] authentication alongside the grant (see the Introduction above). In the IBM Liberty provider the value must match the name attribute in the client configuration of the OpenID Connect Provider.
* [Client Secret] - Sent as client_secret with the same condition; in the IBM Liberty provider the value must match the secret attribute in the client configuration of the OpenID Connect Provider. A client may instead authenticate with HTTP Basic credentials, or with a second [JWT] passed as client_assertion with client_assertion_type "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" ([RFC 7523] section 2.2).
An [example] [HTTPS] request (the headers and the form body are separated by a blank line, and the space in the scope value is percent-encoded):
{{{
POST /token.oauth2 HTTP/1.1
Host: oidc.ibm.com
Content-Type: application/x-www-form-urlencoded

client_id=client01
&client_secret=secret
&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
&assertion=eyJhbGcxxxkIn0.eyJpcxxxA4fQ.MB6ZFlCsHg5MJ-weIHZYz6xgF1jdSZn7ErchHs8-8Rk
&scope=profile%20email
}}}
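The following is an added example, not code from this page, from [RFC 7523] or from the IBM Liberty documentation cited below. It shows both halves of the exchange described above: the client building the signed assertion and the form-encoded token request, and the [Authorization Server] applying the checks [RFC 7523] section 3 requires before honouring it (signature, iss, sub, aud, exp, nbf and jti replay). It assumes an HS256 shared secret so that it runs with the standard library alone; a real deployment normally signs with an asymmetric key whose public half is registered with the server. The issuer, subject, audience and key values are constructed for illustration and match nothing real.

```python
"""JWT bearer grant (RFC 7523): build the assertion and the token request,
and apply the checks an Authorization Server makes before honouring it.
Added example; not code from this page, RFC 7523 or IBM Liberty.
HS256 (HMAC) is used so it runs with the standard library only; production
deployments normally sign with an asymmetric key (RS256/ES256) whose public
half is registered with the Authorization Server.
"""
import base64
import hashlib
import hmac
import json
import time
import urllib.parse
from typing import Optional, Set

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    """base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(key: bytes, issuer: str, subject: str, audience: str,
                   lifetime: int = 300, jti: str = "jti-1",
                   now: Optional[int] = None) -> str:
    """Client side: the signed JWT sent as the 'assertion' parameter.
    iss, sub, aud and exp are the claims RFC 7523 section 3 requires; jti
    lets the server detect replay; a short lifetime limits exposure."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime, "jti": jti}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def build_token_request(assertion: str, scope: Optional[str] = None,
                        client_id: Optional[str] = None,
                        client_secret: Optional[str] = None) -> str:
    """Form-encoded body for the POST to the token endpoint. client_id and
    client_secret are added only when the server's policy requires client
    authentication alongside the grant."""
    params = {"grant_type": JWT_BEARER, "assertion": assertion}
    if scope:
        params["scope"] = scope
    if client_id:
        params["client_id"] = client_id
    if client_secret:
        params["client_secret"] = client_secret
    return urllib.parse.urlencode(params)   # spaces and ':' get encoded here


def validate_assertion(token: str, key: bytes, expected_audience: str,
                       trusted_issuers: Set[str], seen_jti: Set[str],
                       now: Optional[int] = None, skew: int = 60) -> dict:
    """Authorization Server side: the checks from RFC 7523 section 3.
    Raises ValueError naming the first failed check; returns the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":        # pin the algorithm; never accept 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")    # verified before any claim is trusted
    claims = json.loads(_b64url_decode(p))
    for required in ("iss", "sub", "aud", "exp"):
        if required not in claims:
            raise ValueError(f"missing {required}")
    if claims["iss"] not in trusted_issuers:
        raise ValueError("untrusted issuer")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if expected_audience not in aud:         # a token minted for another server is rejected
        raise ValueError("audience mismatch")
    if now > claims["exp"] + skew:
        raise ValueError("expired")
    if "nbf" in claims and now + skew < claims["nbf"]:
        raise ValueError("not yet valid")
    jti = claims.get("jti")
    if jti is not None:
        if jti in seen_jti:
            raise ValueError("replayed jti")
        seen_jti.add(jti)                     # remember it until the token expires
    return claims


if __name__ == "__main__":
    # Constructed sample values, not real credentials or endpoints.
    secret, endpoint = b"shared-secret", "https://oidc.ibm.com/token.oauth2"
    assertion = make_assertion(secret, "client01", "client01", endpoint)
    print(build_token_request(assertion, "profile email", "client01", "secret"))
    print(validate_assertion(assertion, secret, endpoint, {"client01"}, set()))
```

The server-side function checks the signature before it reads a single claim, pins the expected algorithm rather than trusting the alg header, and keeps the set of jti values it has already accepted; in a deployment with more than one server instance that set has to live in shared storage, otherwise the same assertion can be replayed against each instance once.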
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
* [#2] - [Submitting JSON Web Token requests|https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/cwlp_jwttoken.html|target='_blank'] - based on information obtained 2020-02-17