
OAuth 2.0 JWT Grant

This grant is defined by the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants specification (RFC 7523).

The JWT Grant is identified by grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer at the Token Endpoint.

The AS requires client authentication whenever the JWT Grant is used.

Assertion validation

1. The client's jwks or jwks_uri is used to obtain the keys for validating the assertion signature.
2. The aud claim of the assertion must contain the AS issuer; otherwise, some aud claim value must start with the AS issuer (for example, when the Token Endpoint address is used as the aud value).
3. iss must not be blank. If the AS trustedSsaIssuers configuration property is set, the AS validates the iss value against the trustedSsaIssuers configuration property.
4. The AS validates exp and rejects expired assertions.
5. The AS validates nbf if it is present.
6. The sub value must be present, not empty and not blank.

Sample of decoded assertion payload

{
  "iss":"https://jwt-idp.example.com",
  "sub":"mailto:mike@example.com",
  "aud":"https://jwt-as.example.net",
  "nbf":1300815780,
  "exp":1300819380,
  "http://claims.example.com/member":true
}
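As an added example (not part of this documentation and not jans-auth's own code), the six validation rules above applied to an assertion like the sample payload: a small Python validator that rejects the assertion with a message naming the first rule that fails. It assumes a symmetric "oct" JWK in the client's jwks (HS256) so it runs with the standard library alone; a production AS would select the client's RSA/EC key from jwks or jwks_uri and verify with that algorithm. The kid, key bytes and jwks below are constructed.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_assertion(payload: dict, key: bytes, kid: str) -> str:
    # Build a compact JWS (HS256) the way a client would, so the validator has input to run on
    parts = [_b64url_encode(json.dumps(x, separators=(",", ":")).encode())
             for x in ({"alg": "HS256", "kid": kid, "typ": "JWT"}, payload)]
    sig = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(sig)])

def validate_assertion(assertion: str, client_jwks: dict, as_issuer: str,
                       trusted_ssa_issuers=None, now=None) -> dict:
    # Apply rules 1-6 in order; return the payload, or raise ValueError naming the failed rule
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, sig_b64 = assertion.split(".")
        header, payload = (json.loads(_b64url_decode(x)) for x in (h_b64, p_b64))
    except ValueError:
        raise ValueError("assertion is not a compact JWS")
    # 1. the verification key is taken from the client's jwks by kid (a constructed symmetric
    #    'oct' JWK here; a production AS would use the client's RSA/EC JWK and its algorithm)
    key = next((k for k in client_jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "oct" or header.get("alg") != "HS256":
        raise ValueError("no usable key for this kid/alg")
    expected = hmac.new(_b64url_decode(key["k"]), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature invalid")
    # 2. aud must contain the AS issuer, or some aud value must start with it (e.g. Token Endpoint URL)
    aud = payload.get("aud")
    if not any(isinstance(a, str) and a.startswith(as_issuer) for a in (aud if isinstance(aud, list) else [aud])):
        raise ValueError("aud does not match AS issuer")
    # 3. iss must not be blank; when trustedSsaIssuers is configured, iss must be one of them
    if not isinstance(payload.get("iss"), str) or not payload["iss"].strip():
        raise ValueError("iss is blank")
    if trusted_ssa_issuers and payload["iss"] not in trusted_ssa_issuers:
        raise ValueError("iss is not a trusted SSA issuer")
    # 4. exp must be present and in the future; 5. nbf, when present, must not be in the future
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise ValueError("assertion expired")
    if "nbf" in payload and payload["nbf"] > now:
        raise ValueError("assertion not yet valid")
    # 6. sub must be present and not blank
    if not isinstance(payload.get("sub"), str) or not payload["sub"].strip():
        raise ValueError("sub is blank")
    return payload
```

Passing `now` explicitly makes the exp/nbf checks reproducible against the sample payload's 2011 timestamps; omit it to validate against the current clock.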

User identification in JWT Grant

By default there is no user in the assertion and therefore no user associated with the JWT Grant. This means the User Info Endpoint cannot be called with an access token obtained through the JWT Grant.

However, it is possible to associate a user with the JWT Grant. Two things have to be done:

1. Explicitly allow it by setting the jwtGrantAllowUserByUidInAssertion AS configuration property to true.
2. Add a uid claim to the assertion payload.

If jwtGrantAllowUserByUidInAssertion is true and the uid claim value points to a valid user, the AS will associate the JWT Grant with that user.

Sample request to the Token Endpoint

POST /token HTTP/1.1
Host: authz.example.net
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
&assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.
eyJpc3Mi[...omitted for brevity...].J9l-ZhwP[...omitted for brevity...]

Full sample request and response to the Token Endpoint

POST /jans-auth/restv1/token HTTP/1.1
Host: authz.example.net
Content-Type: application/x-www-form-urlencoded
Authorization: Basic MmExY2UzZjMtOTM0ZS00ZGJkLThkNDEtNzdjOTU5N2IxOTM5OjNmYzI1ZGFjLTRjMjgtNDAzZS04MTA0LWY4ZGQwYmZkMDFlYg==

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&redirect_uri=https%3A%2F%2Fauthz.example.net%2Fjans-auth-rp%2Fhome.htm&scope=openid+profile+address+email+phone+user_name&assertion=eyJraWQiOiI4Mzk0ODg0ZS02ZGMwLTQxYWUtOWU3YS0yOWY1NDEzMGY2NTRfc2lnX3JzMjU2IiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIyYTFjZTNmMy05MzRlLTRkYmQtOGQ0MS03N2M5NTk3YjE5MzkiLCJhdWQiOiJodHRwczovL3l1cml5ei1sZWdpYmxlLWJ1bm55LmdsdXUuaW5mbyIsImlzcyI6IjJhMWNlM2YzLTkzNGUtNGRiZC04ZDQxLTc3Yzk1OTdiMTkzOSIsImV4cCI6MTc1NzU5MzEwMCwiaWF0IjoxNzU3NTkyODAwLCJqdGkiOiIyZmYxY2M1YS1mYWRjLTQ1MDgtOTkxMi1hZmE1Y2MyNjY1ODEifQ.t0bQW6olusFFcV3WVM08pTdqSH-tk_BuTSx6XROfSn72nboCAGcPxv0ow1FWYcwX05polAbFzcGLFRdSaZvunJ-OiQrHENlJxZUJNuou58bbg4mj08o9UnVMrXaEnIW19QQJC17G3b5R-y-_nKtC3P-hV1AJPxAChr0YQErAXZDoapmANKos6IbmoSQ03J2AmvzFvnpm8vFUKhpnyGyXbMPWViqojWfqMRaDgDDRyVQl1qzK4sBSTGj0CbTHN-xptNHgOBkl3fnBGYZMixw4kz50mjGHnP2r0MOfxrLvEwpuwy1FNxTSxxHjV_8d_h_HLLnqGyO4U7QaFVyC6j_2Bg


HTTP/1.1 200
Cache-Control: no-store
Connection: Keep-Alive
Content-Length: 179
Content-Type: application/json
Pragma: no-cache

{"access_token":"f7da6d49-08b4-4027-97c9-182a4ce6d6a5","issued_token_type":"urn:ietf:params:oauth:token-type:access_token","scope":"openid","token_type":"Bearer","expires_in":300}