4.2 Security Token Self-Issued by Client
In this example, the client tries to access a resource on the server. The server responds with an HTTP 401 challenge that indicates the security token issuers it trusts in the trusted_issuers field. An example of such a challenge is as follows.
-
HTTP/1.1 401 Unauthorized Server: Fabrikam/7.5 request-id: 443ce338-377a-4c16-b6bc-c169a75f7b00 X-FEServer: DUXYI01CA101 WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0001-0000-c000-000000000000@*" WWW-Authenticate: Basic Realm="" X-Powered-By: ASP.NET Date: Thu, 19 Apr 2012 17:04:16 GMT Content-Length: 0
The client is one of the token issuers trusted by the server, so it creates an actor token and signs it with its credentials.
The client uses the actor token to access the resource it requested on the server.
The following is an example of an actor token that is self-issued by a client. For more information about the claim values contained in this security token, see section 2.2.
-
actor: { "typ":"JWT", "alg":"RS256", "x5t":"mH-TTlt-HAXC9-vjKVFtX6bAsR0" }.{ "aud":"00000003-0000-0ff1-ce00-000000000000/contoso.com@EXHB-88371dom.extest.contoso.com", "iss":"00000002-0000-0ff1-ce00-000000000000@EXHB-88371dom.extest.contoso.com", "nbf":"1323380605", "exp":"1323409405", "nameid":"00000002-0000-0ff1-ce00-000000000000@EXHB-88371dom.extest.contoso.com", "trustedfordelegation":"true" }