2.2.2.1 krctx
    POST /token HTTP/1.1
    Host: server.example.com
    Content-Type: application/x-www-form-urlencoded

    grant_type={grant_type}&client_id={client_id}&redirect_uri={redirect_uri}&requested_token_use={requested_token_use}&assertion={assertion}&csr={csr}&csr_type={csr_type}&krctx={krctx}
Note: For details about the requested_token_use and assertion parameters, see [MS-OAPX] section 2.2.3.
OPTIONAL
The krctx parameter is optional and can be specified by the client role of the OAuth 2.0 Protocol Extensions for Broker Clients in the POST body when making a request to the token endpoint (section 3.1.5.1). The client provides a base64-encoded JSON value in the krctx parameter when making an OAuth logon certificate request.
The AD FS server ignores this parameter unless its AD FS behavior level is AD_FS_BEHAVIOR_LEVEL_3 or higher ([MS-OAPX] section 3.2.1.1) and the AD FS server is capable of processing the parameter, as indicated by the value "winhello_cert_kr" being included in the capabilities field of the OpenID Provider Metadata ([MS-OIDCE] section 2.2.3.2).<1>
The format for the krctx parameter is as follows:

    String = *(%x20-7E)
    krctx  = String

where the value of krctx is the base64 encoding of a JSON object with the following structure:

    {
      "Data":    { "type": "string" },
      "Format":  { "type": "integer" },
      "Version": { "type": "integer" }
    }
| Property | Value |
|---|---|
| Data | A base64-encoded JSON Web Token (JWT). This property is used to authorize the OAuth logon certificate request (section 3.1.5.1.4.1). |
| Format | MUST be set to "1". |
| Version | MUST be set to "1". |
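As an added example that is not part of [MS-OAPXBC] or of any Microsoft implementation, the following Python builds a krctx value from a JWT, form-encodes it into the token request body, and validates a received krctx the way a server-side consumer should: printable ASCII only (the ABNF above), base64-encoded JSON, Format and Version present as integers equal to 1, and Data a base64-encoded three-segment JWT whose header is a JSON object. The sample JWT, client_id and redirect_uri are constructed placeholders; the code does not verify the JWT signature, which belongs to the authorization step in section 3.1.5.1.4.1, and the values of the other request parameters are defined elsewhere in the specification.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

PRINTABLE_ASCII = set(range(0x20, 0x7F))  # ABNF: String = *(%x20-7E)


def _b64url(data: bytes) -> str:
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed placeholder JWT with three segments. Header, claims and the
# signature bytes are dummies; a real logon certificate request carries a
# signed token (section 3.1.5.1.4.1), which this example does not produce.
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"iss": "constructed-example"}).encode()),
    _b64url(b"dummy-signature"),
])


def encode_krctx_object(obj: dict) -> str:
    """base64 of the compact JSON serialization (no validation; used by tests too)."""
    raw = json.dumps(obj, separators=(",", ":")).encode("ascii")
    return base64.b64encode(raw).decode("ascii")


def build_krctx(jwt: str) -> str:
    """krctx = base64( {"Data": base64(jwt), "Format": 1, "Version": 1} )."""
    return encode_krctx_object({
        "Data": base64.b64encode(jwt.encode("ascii")).decode("ascii"),
        "Format": 1,
        "Version": 1,
    })


def parse_krctx(krctx: str) -> str:
    """Validate a krctx value and return the embedded JWT string.
    Raises ValueError on any violation of the format described above."""
    if not krctx or any(ord(c) not in PRINTABLE_ASCII for c in krctx):
        raise ValueError("krctx must be non-empty printable ASCII")
    try:
        obj = json.loads(base64.b64decode(krctx, validate=True))
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError are ValueErrors
        raise ValueError(f"krctx is not base64-encoded JSON: {exc}") from exc
    if not isinstance(obj, dict) or not {"Data", "Format", "Version"} <= set(obj):
        raise ValueError("krctx JSON must contain Data, Format and Version")
    # Format and Version are integers and MUST be 1. `type(...) is int` rejects
    # JSON true/false, which Python would otherwise compare equal to 1/0.
    for key in ("Format", "Version"):
        if type(obj[key]) is not int or obj[key] != 1:
            raise ValueError(f"{key} MUST be 1, got {obj[key]!r}")
    if not isinstance(obj["Data"], str):
        raise ValueError("Data must be a string")
    try:
        jwt = base64.b64decode(obj["Data"], validate=True).decode("ascii")
    except ValueError as exc:
        raise ValueError(f"Data is not a base64-encoded JWT: {exc}") from exc
    segments = jwt.split(".")
    if len(segments) != 3 or not all(segments):
        raise ValueError("Data must decode to a three-segment JWT")
    try:
        header = json.loads(_b64url_decode(segments[0]))
    except ValueError as exc:
        raise ValueError(f"JWT header is not base64url JSON: {exc}") from exc
    if not isinstance(header, dict) or "alg" not in header:
        raise ValueError("JWT header must be a JSON object with an alg member")
    return jwt


def is_valid_krctx(krctx: str) -> bool:
    try:
        parse_krctx(krctx)
        return True
    except ValueError:
        return False


def build_token_request_body(krctx: str, **params: str) -> str:
    """Form-encode the token request body; urlencode escapes the '+', '/' and '='
    of base64 so krctx survives application/x-www-form-urlencoded intact."""
    return urlencode({**params, "krctx": krctx})


def krctx_from_body(body: str) -> str:
    """Recover and validate krctx from a received form body."""
    fields = parse_qs(body, strict_parsing=True, keep_blank_values=True)
    if len(fields.get("krctx", [])) != 1:
        raise ValueError("krctx must appear exactly once")
    return parse_krctx(fields["krctx"][0])


if __name__ == "__main__":
    body = build_token_request_body(build_krctx(SAMPLE_JWT),
                                    client_id="constructed-client-id",
                                    redirect_uri="https://client.example/cb")
    print(body)
    print(krctx_from_body(body) == SAMPLE_JWT)
```

The validator deliberately rejects JSON booleans for Format and Version and requires exactly one krctx field in the body; a lenient parser that accepted `true` as 1 or took the last of several duplicated parameters would let a client smuggle a value past checks that only looked at the first one.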