220.127.116.11.3.1 Request Body
The format of the signed request is as follows:
POST /token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&request=<signed JWT>
The signed JWT format is defined in [RFC7519].
The JWT fields MUST be given the following values:
client_id (REQUIRED): The client identifier for the client ([RFC6749] section 1.1) to which an access token is to be issued. If the request is made through a broker client, then this is the client identifier of the client that the broker is acting on behalf of.
scope (REQUIRED): The scope that the client requests for the access token, as defined in [RFC6749] section 3.3. The client MUST include the scope "openid" in the request. If the scope "aza" is included in the request, the server includes a new primary refresh token in the response.
resource (OPTIONAL): The resource for which the access token is requested, as defined in [MS-OAPX] section 2.2.3.
iat (REQUIRED): See [OIDCCore] section 2.
exp (REQUIRED): See [OIDCCore] section 2.
grant_type (REQUIRED): "refresh_token"
refresh_token (REQUIRED): A primary refresh token that was previously received from the server. See section 18.104.22.168.2.
The JWT header fields MUST be given the following values. See [RFC7515] section 4 for field descriptions.
alg (REQUIRED): The supported value is "HS256", which indicates the algorithm used for the signature.
ctx (REQUIRED): The base64-encoded bytes used for signature key derivation.
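A server-side check of the request described in this section, as an added example that is not part of the specification: it pins alg to "HS256", requires ctx, verifies the HMAC over the JWT and then enforces the field rules listed above. The names validate_request, derive_key and sample_body are hypothetical; key derivation from ctx is not defined in this section, so it is passed in by the caller, and rejecting an expired exp is ordinary JWT handling rather than a rule stated here.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlencode

GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
REQUIRED = ("client_id", "scope", "iat", "exp", "grant_type", "refresh_token")

def b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def validate_request(body, derive_key, now=None):
    """Return the claims of a well-formed signed request, else raise ValueError.
    derive_key(ctx_bytes) -> key is a caller-supplied stand-in (assumption);
    this section does not define the derivation."""
    form = parse_qs(body, strict_parsing=True)
    if form.get("grant_type") != [GRANT] or len(form.get("request", [])) != 1:
        raise ValueError("bad grant_type or request parameter")
    try:
        h64, p64, s64 = form["request"][0].split(".")
        header, claims = json.loads(b64u_dec(h64)), json.loads(b64u_dec(p64))
        ctx = base64.b64decode(header["ctx"], validate=True)
        sig = b64u_dec(s64)
        claims.keys()  # AttributeError if the payload is not a JSON object
    except (ValueError, KeyError, TypeError, AttributeError) as e:
        raise ValueError("malformed JWT") from e
    if header.get("alg") != "HS256":  # pin the algorithm before verifying
        raise ValueError("unsupported alg")
    mac = hmac.new(derive_key(ctx), f"{h64}.{p64}".encode(), hashlib.sha256)
    if not hmac.compare_digest(sig, mac.digest()):
        raise ValueError("bad signature")
    missing = [k for k in REQUIRED if k not in claims]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if claims["grant_type"] != "refresh_token":
        raise ValueError("JWT grant_type must be refresh_token")
    if "openid" not in str(claims["scope"]).split():
        raise ValueError("scope must include openid")
    exp = claims["exp"]
    if not isinstance(exp, (int, float)) or (time.time() if now is None else now) >= exp:
        raise ValueError("expired or non-numeric exp")
    return claims

def sample_body(key, claims, alg="HS256", ctx=b"constructed-ctx"):
    """Constructed test input: a form body carrying a JWT signed with key."""
    hdr = {"alg": alg, "ctx": base64.b64encode(ctx).decode()}
    h64, p64 = (b64u_enc(json.dumps(x).encode()) for x in (hdr, claims))
    sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return urlencode({"grant_type": GRANT, "request": f"{h64}.{p64}.{b64u_enc(sig)}"})
```

The alg check runs before any signature work, so a header that names another algorithm is rejected regardless of what the signature bytes contain.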