3.1.5.2.1.1 Request Body

The format of the request is defined in [RFC6749] sections 4.1.3 (Access Token Request) and 6 (Refreshing an Access Token), and in [RFC8628] section 3.4 (Device Access Token Request).

The client can also provide the additional request parameters listed in section 3.2.5.2.1.1.

If making an OAuth on-behalf-of request, the client sends a request with the following: the grant_type parameter set to "urn:ietf:params:oauth:grant-type:jwt-bearer", the requested_token_use parameter set to "on_behalf_of", the assertion parameter set to an access token that the client previously received from the AD FS server (the token MUST have been issued to a resource having the same identifier as the client), and the resource parameter set to the identifier of the new resource that an access token is being requested for. An OAuth on-behalf-of request is supported only for confidential clients, and the access token presented MUST have been originally issued with the scope "user_impersonation".

If making an OAuth logon certificate request, the client sends a request with the following: the grant_type parameter set to "urn:ietf:params:oauth:grant-type:jwt-bearer", the requested_token_use parameter set to "logon_cert", the assertion parameter set to an access token that the client previously received from the AD FS server (the token MUST have been issued to a resource having the same identifier as the client), the csr_type parameter set to "http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10", and the csr parameter set to a base64-encoded PKCS#10 certificate request ([MS-WCCE] section 2.2.2.6.1). An OAuth logon certificate request is supported only for confidential clients, and the access token presented MUST have been originally issued with the scope "logon_cert".
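The following is an added example, not part of this specification or of AD FS: it parses the form-encoded request body and applies, on the server side, the checks the two paragraphs above require for on-behalf-of and logon certificate requests (grant type, requested_token_use, required parameters, confidential client, assertion audience matching the client, and the originally issued scope). The claim names "aud" and "scp", the sample body and the sample claims are constructed assumptions for illustration.

```python
from urllib.parse import parse_qs

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
PKCS10_CSR_TYPE = "http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10"

# Per requested_token_use: the scope the presented access token must have been
# issued with, and the extra request parameters that MUST be present.
REQUIRED_SCOPE = {"on_behalf_of": "user_impersonation", "logon_cert": "logon_cert"}
REQUIRED_PARAMS = {"on_behalf_of": ("resource",), "logon_cert": ("csr_type", "csr")}

# Constructed sample on-behalf-of body (assertion value is a placeholder).
SAMPLE_OBO_BODY = (
    "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer"
    "&requested_token_use=on_behalf_of"
    "&assertion=eyJ.placeholder.token"
    "&resource=https%3A%2F%2Fapi.example.test"
)


def parse_body(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def check_jwt_bearer_request(form, assertion_claims, client_id, client_is_confidential):
    """Return (accepted, reason). `assertion_claims` are the already verified
    claims of the token passed in `assertion`; 'aud' (audience) and 'scp'
    (space-separated scopes) are assumed claim names for this example."""
    if form.get("grant_type") != JWT_BEARER:
        return False, "unsupported_grant_type"
    use = form.get("requested_token_use")
    if use not in REQUIRED_SCOPE:
        return False, "invalid_request: unknown requested_token_use"
    if not client_is_confidential:
        return False, "unauthorized_client: confidential clients only"
    missing = [p for p in ("assertion",) + REQUIRED_PARAMS[use] if not form.get(p)]
    if missing:
        return False, "invalid_request: missing " + ", ".join(missing)
    # The assertion MUST have been issued to a resource with the client's identifier.
    if assertion_claims.get("aud") != client_id:
        return False, "invalid_grant: assertion not issued to this client"
    if REQUIRED_SCOPE[use] not in assertion_claims.get("scp", "").split():
        return False, "invalid_grant: assertion lacks scope " + REQUIRED_SCOPE[use]
    if use == "logon_cert" and form["csr_type"] != PKCS10_CSR_TYPE:
        return False, "invalid_request: unsupported csr_type"
    return True, "ok"
```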