4.7.5 OAuth on-behalf-of Request

In this example sequence of requests and responses, the first resource, "https://resource_server1", having received the original access token shown in section 4.7.4, acts as a client and presents that access token to the AD FS server in order to request an access token for a new resource, "https://resource_server2".

Note that the grant_type is "urn:ietf:params:oauth:grant-type:jwt-bearer", the requested_token_use is "on_behalf_of", the assertion is the access token returned in section 4.7.3, the client_id is the same as the resource given in the initial request in section 4.7.1 (this is a confidential client, so a client_secret is sent as well), and the resource parameter names the new resource, "https://resource_server2".

 POST /token HTTP/1.1
 Host: server.example.com
 Content-Type: application/x-www-form-urlencoded

 grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&requested_token_use=on_behalf_of&assertion=2YotnFZFEjr1zCsicMWpAA&client_id=https%3A%2F%2Fresource_server1&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw&resource=https%3A%2F%2Fresource_server2
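As an added illustration that is not part of the specification text, the following Python builds the form body shown above from its individual parameters and, on the receiving side, checks a submitted body for the fields this section calls out. The function names are my own, and the rule that resource must differ from client_id is my reading of "new resource" rather than a stated requirement.

```python
from urllib.parse import urlencode, parse_qs

# Values fixed by this section for an AD FS on-behalf-of request.
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
ON_BEHALF_OF = "on_behalf_of"


def build_obo_request(assertion, client_id, client_secret, resource):
    """Encode the form body the first resource sends to /token when it acts as a client.
    urlencode percent-encodes ':' and '/' exactly as the example in the text shows."""
    return urlencode({
        "grant_type": JWT_BEARER,
        "requested_token_use": ON_BEHALF_OF,
        "assertion": assertion,          # the access token previously issued to the caller
        "client_id": client_id,          # the caller's own resource identifier
        "client_secret": client_secret,  # present because the caller is a confidential client
        "resource": resource,            # the new resource being requested
    })


def check_obo_request(body):
    """Return a list of problems found in a form-encoded on-behalf-of request body.
    An empty list means every field this section requires is present and consistent."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    problems = []
    if form.get("grant_type") != JWT_BEARER:
        problems.append("grant_type must be the jwt-bearer URN")
    if form.get("requested_token_use") != ON_BEHALF_OF:
        problems.append("requested_token_use must be on_behalf_of")
    if not form.get("assertion"):
        problems.append("assertion (the original access token) is missing")
    if not form.get("client_id"):
        problems.append("client_id is missing")
    if not form.get("client_secret"):
        problems.append("client_secret is missing; the caller must be a confidential client")
    if not form.get("resource"):
        problems.append("resource is missing")
    elif form["resource"] == form.get("client_id"):
        # Assumption: a request for the caller's own resource is not an on-behalf-of exchange.
        problems.append("resource must name a new resource, not the caller itself")
    return problems
```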