3.2.5.1.4.1 Request Body
A signed request is passed as a JSON Web Token (JWT), as specified in [OIDCCore] section 6.1, and the JWT is signed with a session key.
The format of the signed request is as follows:
POST /token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&request=<signed JWT>
The signed JWT format is defined in [RFC7519].
The JWT fields MUST be given the following values:
client_id (REQUIRED): The client identifier for the client ([RFC6749] section 1.1) to which an access token is to be issued. If the request is made through a broker client, then this is the client identifier of the client that the broker is acting on behalf of.
scope (REQUIRED): The scope that the client requests for the access token, as defined in [RFC6749] section 3.3. The client MUST include the scope "winhello_cert" in the request. If the scope "aza" is included in the request, the server includes a new primary refresh token in the response.
resource (REQUIRED): "urn:microsoft:winhello:cert:prov:server"
cert_token_use (REQUIRED): "winhello_cert"
csr_type (REQUIRED): "http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10"
csr (REQUIRED): A base64-encoded PKCS #10 certificate request, which has been constructed as defined in section 3.1.5.1.4.3.
pctx (OPTIONAL): A value with data-store information, which has been constructed as defined in section 3.1.5.1.4.3.
krctx (OPTIONAL): A value with JWT information, which has been constructed as defined in section 2.2.2.1.
iat (REQUIRED): See [OIDCCore] section 2.
exp (REQUIRED): See [OIDCCore] section 2.
grant_type (REQUIRED): "refresh_token"
refresh_token (REQUIRED): A primary refresh token that was previously received from the server. See section 3.1.5.1.2.
The JWT header fields MUST be given the following values:
alg (REQUIRED): The supported value is "HS256", which indicates the algorithm used for the signature. See [RFC7515] section 4.
ctx (REQUIRED): The base64-encoded bytes used for signature key derivation. Refer to section 3.1.5.1.4.3 for details.
kdf_ver (OPTIONAL): If ctx was created using KDFv2, the client MUST include the JWT header with the kdf_ver field set to 2.
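The request assembled from the rules above, as an added example that is not part of the specification: the session key is taken as an input, because its derivation from ctx (section 3.1.5.1.4.3) lies outside this section, and every field value used in the test is a constructed placeholder. The checking function shows the header and claim rules a server would enforce before acting on such a request.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlencode

# Fixed claim values and required claim names, taken from the field list above.
FIXED_CLAIMS = {
    "resource": "urn:microsoft:winhello:cert:prov:server",
    "cert_token_use": "winhello_cert",
    "csr_type": "http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10",
    "grant_type": "refresh_token",
}
REQUIRED_CLAIMS = ("client_id", "scope", "csr", "iat", "exp", "refresh_token") + tuple(FIXED_CLAIMS)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_signed_request(session_key: bytes, ctx: bytes, claims: dict, kdf_ver: int = 2) -> str:
    # Compact JWS signed with HS256; ctx travels in the header as standard base64 ([RFC7515]).
    header = {"alg": "HS256", "ctx": base64.b64encode(ctx).decode("ascii")}
    if kdf_ver == 2:  # kdf_ver is present only when ctx was created with KDFv2
        header["kdf_ver"] = 2
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    sig = hmac.new(session_key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def token_request_body(signed_jwt: str) -> str:
    # The application/x-www-form-urlencoded body of the POST /token request.
    return urlencode({"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
                      "request": signed_jwt})

def check_signed_request(session_key: bytes, signed_jwt: str) -> dict:
    # Server-side view: pin the algorithm, verify the HMAC in constant time, then apply the field rules.
    head, body, sig = signed_jwt.split(".")
    header = json.loads(b64url_decode(head))
    if header.get("alg") != "HS256" or "ctx" not in header:
        raise ValueError("unexpected JWT header")
    expected = hmac.new(session_key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if any(name not in claims for name in REQUIRED_CLAIMS):
        raise ValueError("missing required claim")
    for name, value in FIXED_CLAIMS.items():
        if claims[name] != value:
            raise ValueError(f"unexpected value for {name}")
    if "winhello_cert" not in claims["scope"].split():
        raise ValueError("scope must include winhello_cert")
    return claims
```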