2.2.2.1 krctx

 POST /token HTTP/1.1
 Host: server.example.com
 Content-Type: application/x-www-form-urlencoded

 grant_type={grant_type}&client_id={client_id}&redirect_uri={redirect_uri}&requested_token_use={requested_token_use}&assertion={assertion}&csr={csr}&csr_type={csr_type}&krctx={krctx}

Note: For details about the requested_token_use and assertion parameters, see [MS-OAPX] section 2.2.3.

OPTIONAL

The krctx parameter is optional and can be specified by the client role of the OAuth 2.0 Protocol Extensions for Broker Clients in the POST body when making a request to the token endpoint (section 3.1.5.1). The client provides a base64-encoded JSON value in the krctx parameter when making an OAuth logon certificate request.

The AD FS server ignores this parameter unless its AD FS behavior level is AD_FS_BEHAVIOR_LEVEL_3 or higher ([MS-OAPX] section 3.2.1.1) and the AD FS server is capable of processing the parameter, as indicated by the value "winhello_cert_kr" being included in the capabilities field of the OpenID Provider Metadata ([MS-OIDCE] section 2.2.3.2).<1>

The format for the krctx parameter is as follows:

 String = *(%x20-7E)
 krctx = String

where the value of krctx has the following structure:

 {
   "Data": {
     "type": "string"
   },
   "Format": {
     "type": "integer"
   },
   "Version": {
     "type": "integer"
   }
 }

 Property   Value
 Data       A base64-encoded JSON Web Token (JWT). This property is used to authorize the OAuth logon certificate request (section 3.1.5.1.4.1).
 Format     MUST be set to "1".
 Version    MUST be set to "1".
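As an added example (not part of the specification or of AD FS), the following Python builds a krctx value the way a broker client would and checks one the way a token endpoint would before looking at the embedded JWT. It assumes standard (non-URL-safe) base64 for both the outer value and the Data property; the JWT, the grant_type value and the form body are constructed placeholders.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def build_krctx(jwt_compact: str, fmt: int = 1, version: int = 1) -> str:
    # Client side: krctx = base64( JSON {Data: base64(JWT), Format, Version} ).
    obj = {"Data": _b64(jwt_compact.encode("ascii")), "Format": fmt, "Version": version}
    return _b64(json.dumps(obj, separators=(",", ":")).encode("ascii"))

def build_token_request_body(krctx: str) -> str:
    # Form-encode the POST body: base64 '+', '/' and '=' must be percent-encoded.
    return urlencode({"grant_type": "urn:constructed:example", "krctx": krctx})

def parse_krctx(krctx: str) -> str:
    # Server side: enforce the documented structure and return the embedded JWT;
    # raise ValueError on any deviation. Signature/claims of the JWT are checked later.
    if not all(0x20 <= ord(c) <= 0x7E for c in krctx):  # ABNF: krctx = *(%x20-7E)
        raise ValueError("krctx contains non-printable characters")
    try:  # binascii.Error, JSONDecodeError and UnicodeDecodeError all subclass ValueError
        obj = json.loads(base64.b64decode(krctx, validate=True))
        if set(obj) != {"Data", "Format", "Version"}:
            raise ValueError("JSON must carry exactly Data, Format and Version")
        for key in ("Format", "Version"):  # MUST be 1; bool True == 1 too, so check type
            if type(obj[key]) is not int or obj[key] != 1:
                raise ValueError(f"{key} MUST be 1")
        jwt = base64.b64decode(obj["Data"], validate=True).decode("ascii")
    except (ValueError, TypeError) as exc:
        raise ValueError(f"malformed krctx: {exc}") from exc
    if jwt.count(".") != 2 or not all(jwt.split(".")):
        raise ValueError("Data does not decode to a three-segment compact JWT")
    return jwt

def is_valid_krctx(krctx: str) -> bool:
    try:
        return parse_krctx(krctx) != ""
    except ValueError:
        return False

def krctx_from_form(body: str) -> str:
    # Extract and validate krctx from a token-endpoint POST body.
    return parse_krctx(parse_qs(body, strict_parsing=True)["krctx"][0])

# Constructed placeholder JWT: header {"alg":"RS256"}, empty claims "{}", fake signature.
SAMPLE_JWT = "eyJhbGciOiJSUzI1NiJ9.e30.placeholder-signature"
```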