3.2.5.1.3.1 Request Body

A signed request is passed as a JSON Web Token (JWT), as specified in [OIDCCore] section 6.1. The JWTs are signed either with a device key or session keys.

The format of the signed request is as follows:

 POST /token HTTP/1.1
 Content-Type: application/x-www-form-urlencoded
 grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&request=<signed JWT>

The signed JWT format is defined in [RFC7519].

The JWT fields MUST be given the following values:

client_id (REQUIRED): The client identifier for the client ([RFC6749] section 1.1) to which an access token is to be issued. If the request is made through a broker client, then this is the client identifier of the client that the broker is acting on behalf of.

scope (REQUIRED): The scope that the client requests for the access token, as defined in [RFC6749] section 3.3. The client MUST include the scope "openid" in the request. If the scope "aza" is included in the request, the server includes a new primary refresh token in the response.

resource (OPTIONAL): The resource for which the access token is requested, as defined in [MS-OAPX] section 2.2.3.

iat (REQUIRED): See [OIDCCore] section 2.

exp (REQUIRED): See [OIDCCore] section 2.

grant_type (REQUIRED): "refresh_token"

refresh_token (REQUIRED): A primary refresh token that was previously received from the server. See section 3.1.5.1.2.

The JWT header fields MUST be given the following values. See [RFC7515] section 4 for field descriptions.

alg (REQUIRED): The supported value is "HS256", which indicates the algorithm used for the signature.

ctx (REQUIRED): The base64-encoded bytes used for signature key derivation.
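The following is an added worked example, not code from this specification or from any implementation of it: a client-side builder for the signed request body described above, and a server-side check that enforces the grant_type, alg, signature, required-claim and iat/exp rules. It assumes a placeholder key derivation from ctx (the real derivation is not given on this page) and uses constructed placeholder values for client_id and refresh_token.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
REQUIRED_CLAIMS = ("client_id", "scope", "iat", "exp", "grant_type", "refresh_token")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def derive_key(session_key: bytes, ctx: bytes) -> bytes:
    # ASSUMPTION: the real derivation is not given here; HMAC(session_key, ctx) stands in.
    return hmac.new(session_key, ctx, hashlib.sha256).digest()

def build_signed_request(session_key, ctx, client_id, refresh_token, now,
                         scope="openid aza", resource=None, ttl=300):
    # Client side: header carries alg and the base64 ctx; claims are those this section requires.
    header = {"alg": "HS256", "ctx": base64.b64encode(ctx).decode("ascii")}
    claims = {"client_id": client_id, "scope": scope, "iat": now, "exp": now + ttl,
              "grant_type": "refresh_token", "refresh_token": refresh_token,
              **({"resource": resource} if resource is not None else {})}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(derive_key(session_key, ctx), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def build_token_request_body(signed_jwt: str) -> str:
    return urlencode({"grant_type": JWT_BEARER, "request": signed_jwt})

def verify_request_body(body: str, session_key: bytes, now: int) -> dict:
    # Server side: grant_type, alg, signature, required claims and lifetime are all checked.
    params = parse_qs(body, strict_parsing=True)
    if params.get("grant_type") != [JWT_BEARER]:
        raise ValueError("unexpected grant_type")
    h, c, s = params["request"][0].split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # only HS256 is supported; refuse any substituted alg
        raise ValueError("unsupported alg")
    key = derive_key(session_key, base64.b64decode(header["ctx"]))
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    if any(f not in claims for f in REQUIRED_CLAIMS) or claims["grant_type"] != "refresh_token":
        raise ValueError("missing required claim or grant_type is not refresh_token")
    if "openid" not in claims["scope"].split() or not claims["iat"] <= now < claims["exp"]:
        raise ValueError("scope lacks openid, or JWT outside its iat/exp window")
    return claims
```

A server that accepts whatever alg the header names, or that skips the exp check, would take a forged or replayed request; the verifier above fails closed on both.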