4.7.5 OAuth on-behalf-of Request

In this example sequence of requests and responses, the first resource, "https://resource_server1", having received the original access token shown in section 4.7.4, acts as a client and presents that access token to the AD FS server in order to request an access token for a new resource, "https://resource_server2".

Note that the grant_type is "urn:ietf:params:oauth:grant-type:jwt-bearer", the requested_token_use is "on_behalf_of", the assertion is the access token returned in section 4.7.3, and the client_id is the same as the resource given in the initial request in section 4.7.1. Note also that this is a confidential client and that the resource parameter identifies the new resource, "https://resource_server2".
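
The parameter constraints listed above can be checked mechanically when an on-behalf-of request is received or logged. The following Python code is an added example, not part of this specification or of AD FS. Assumptions: the function names and the sample token are constructed for illustration, the first resource's identifier is carried in the assertion as a string "aud" claim, and signature validation of the assertion happens separately.

```python
import base64, json
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
REQUIRED = ("grant_type", "requested_token_use", "assertion", "client_id", "resource")

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_obo_request(body):
    """Return a list of problems in a form-encoded on-behalf-of token request body."""
    form = parse_qs(body, keep_blank_values=True)
    problems = [f"{n}: must appear exactly once and be non-empty"
                for n in REQUIRED if len(form.get(n, [])) != 1 or not form[n][0]]
    if problems:
        return problems
    p = {n: form[n][0] for n in REQUIRED}
    if p["grant_type"] != JWT_BEARER:
        problems.append("grant_type is not the jwt-bearer URN")
    if p["requested_token_use"] != "on_behalf_of":
        problems.append("requested_token_use is not on_behalf_of")
    try:
        aud = jwt_claims(p["assertion"]).get("aud")
    except (IndexError, ValueError, AttributeError):
        return problems + ["assertion is not a decodable JWT"]
    # Assumption: the first resource's identifier is carried as a string "aud" claim.
    if aud != p["client_id"]:
        problems.append("assertion audience does not match client_id")
    return problems

def sample_jwt(aud):
    """Constructed, unsigned sample token (placeholder signature) for this demo."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc({"aud": aud}), "placeholder-signature"])

def sample_body(aud):
    """Constructed request body using the resource names from this section."""
    return urlencode({"grant_type": JWT_BEARER, "requested_token_use": "on_behalf_of",
                      "assertion": sample_jwt(aud), "client_id": "https://resource_server1",
                      "resource": "https://resource_server2"})

if __name__ == "__main__":
    print(check_obo_request(sample_body("https://resource_server1")))
    print(check_obo_request(sample_body("https://unrelated_resource")))
```

A request whose assertion was issued for a different audience than the presenting client_id is the case worth flagging, since it means a token is being exchanged by a party it was not issued to.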

 POST /token HTTP/1.1
 Host: server.example.com
 Content-Type: application/x-www-form-urlencoded