3.2.5.1.4.1 Request Body

A signed request is passed as a JSON Web Token (JWT), as specified in [OIDCCore] section 6.1, and the JWT is signed with a session key.

The format of the signed request is as follows:

 POST /token HTTP/1.1
 Content-Type: application/x-www-form-urlencoded

 grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&request=<signed JWT>

The signed JWT format is defined in [RFC7519].

The JWT fields MUST be given the following values:

client_id (REQUIRED): The client identifier for the client ([RFC6749] section 1.1) to which an access token is to be issued. If the request is made through a broker client, then this is the client identifier of the client that the broker is acting on behalf of.

scope (REQUIRED): The scope that the client requests for the access token, as defined in [RFC6749] section 3.3. The client MUST include the scope "winhello_cert" in the request. If the scope "aza" is included in the request, the server includes a new primary refresh token in the response.

resource (REQUIRED): "urn:microsoft:winhello:cert:prov:server"

cert_token_use (REQUIRED): "winhello_cert"

csr_type (REQUIRED): "http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10"

csr (REQUIRED): A base64-encoded PKCS #10 certificate request, which has been constructed as defined in section 3.1.5.1.4.3.

pctx (OPTIONAL): A value with data-store information, which has been constructed as defined in section 3.1.5.1.4.3.

krctx (OPTIONAL): A value with JWT information, which has been constructed as defined in section 2.2.2.1.

iat (REQUIRED): See [OIDCCore] section 2.

exp (REQUIRED): See [OIDCCore] section 2.

grant_type (REQUIRED): "refresh_token"

refresh_token (REQUIRED): A primary refresh token that was previously received from the server. See section 3.1.5.1.2.

The JWT header fields MUST be given the following values:

alg (REQUIRED): The supported value is "HS256", which indicates the algorithm used for the signature. See [RFC7515] section 4.

ctx (REQUIRED): The base64-encoded bytes used for signature key derivation. Refer to section 3.1.5.1.4.3 for details.

kdf_ver (OPTIONAL): If ctx was created using KDFv2, the client MUST include the kdf_ver field in the JWT header with the value 2.
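As an added illustration that is not part of the specification, the following Python builds a request JWT with the header and claim values this section requires and then validates it the way a token endpoint would (HS256 only, signature check before any claim is trusted, required and fixed claims, the "winhello_cert" scope, and the iat/exp window). The derivation of the signing key from the session key and ctx is a labelled stand-in, since the real derivation (section 3.1.5.1.4.3) and the KDFv2 rules are not reproduced on this page; the session key, ctx and claim values are constructed samples.

```python
import base64, hashlib, hmac, json

FIXED = {  # claim values that this section pins to constants
    "resource": "urn:microsoft:winhello:cert:prov:server",
    "cert_token_use": "winhello_cert",
    "csr_type": "http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10",
    "grant_type": "refresh_token",
}
REQUIRED = set(FIXED) | {"client_id", "scope", "csr", "iat", "exp", "refresh_token"}
SESSION_KEY = b"\x11" * 32  # constructed sample session key
CTX = b"constructed ctx bytes"  # constructed sample ctx
SAMPLE_CLAIMS = dict(FIXED, client_id="constructed-client-id", scope="winhello_cert aza",
                     csr="<base64 PKCS #10 placeholder>", refresh_token="<PRT placeholder>",
                     iat=1700000000, exp=1700000600)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def derive_signing_key(session_key: bytes, ctx: bytes) -> bytes:
    # STAND-IN (assumption): one HMAC-SHA256 of ctx under the session key; the real KDF is in 3.1.5.1.4.3
    return hmac.new(session_key, ctx, hashlib.sha256).digest()

def build_request_jwt(session_key: bytes, ctx: bytes, claims: dict) -> str:
    header = {"alg": "HS256", "ctx": base64.b64encode(ctx).decode(), "kdf_ver": 2}  # kdf_ver=2 assumed
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(derive_signing_key(session_key, ctx), signing_input.encode(), hashlib.sha256)
    return signing_input + "." + b64url(sig.digest())

def validate_request_jwt(token: str, session_key: bytes, now: int) -> dict:
    h_b64, c_b64, s_b64 = token.split(".")  # ValueError if not exactly three segments
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # never accept "none" or any other algorithm
        raise ValueError("unsupported alg")
    ctx = base64.b64decode(header["ctx"])
    expected = hmac.new(derive_signing_key(session_key, ctx), f"{h_b64}.{c_b64}".encode(), hashlib.sha256)
    if not hmac.compare_digest(expected.digest(), b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c_b64))  # parsed only after the signature is verified
    missing = REQUIRED - set(claims)
    if missing:
        raise ValueError("missing claims: " + ", ".join(sorted(missing)))
    if any(claims[k] != v for k, v in FIXED.items()) or "winhello_cert" not in claims["scope"].split():
        raise ValueError("fixed claim or scope mismatch")
    if not claims["iat"] <= now < claims["exp"]:
        raise ValueError("outside iat/exp window")
    return claims
```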