3.2.5.1.2.1.4 User Certificate Authentication

If authenticating the user by using a signed JWT, the client includes the following fields in the JWT described in section 3.2.5.1.2.1:

grant_type (REQUIRED): "urn:ietf:params:oauth:grant-type:jwt-bearer"

assertion (REQUIRED): A signed JWT used to authenticate the user based upon a certificate that identifies the user.

The JWT fields for the JWT that is provided in the assertion field MUST be given the following values:

iss (REQUIRED): The username of the user for which the primary refresh token is requested.

iat (REQUIRED): See [OIDCCore] section 2.

exp (REQUIRED): See [OIDCCore] section 2.

aud (REQUIRED): The Issuer Identifier ([OIDCCore] section 1.2) of the server that the client is sending the request to.

The signature header fields of the assertion field MUST be given the following values:

typ (REQUIRED): "JWT"

alg (REQUIRED): "RS256"

x5c (REQUIRED): The certificate used to sign the request, following the format described in [RFC7515] section 4.1.6.
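The server-side checks these requirements imply, as an added example that is not part of the specification: every REQUIRED header and claim value above is enforced before the signature is consulted, so a client-chosen alg is rejected rather than honoured. The certificate chain, signature, username and audience are constructed placeholders, and demo_verify stands in for RS256 verification with the x5c leaf certificate's public key, which a real server does with an X.509/RSA library.

```python
import base64
import json

# Constructed placeholder chain and signature; a real client signs with the RSA key
# of the user certificate carried in x5c, and the server verifies against that key.
DEMO_X5C = ["MIIB...placeholder-user-certificate..."]
DEMO_SIG = b"placeholder-rs256-signature"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_assertion(header: dict, claims: dict, signature: bytes) -> str:
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    c = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h}.{c}.{_b64url_encode(signature)}"

def demo_verify(signing_input: bytes, signature: bytes, x5c: list) -> bool:
    """Stand-in for RS256 verification with the x5c leaf certificate's public key."""
    return x5c == DEMO_X5C and signature == DEMO_SIG
def check_user_cert_assertion(assertion, expected_aud, now, verify_signature=demo_verify):
    """Enforce this section's REQUIRED header and claim values; returns (ok, detail).
    Header rules run before any signature work, so a client-chosen alg such as
    "none" or an HMAC variant is rejected rather than honoured."""
    parts = assertion.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return False, "undecodable header or claims"
    if header.get("typ") != "JWT" or header.get("alg") != "RS256":
        return False, "typ must be JWT and alg must be RS256"
    x5c = header.get("x5c")
    if not isinstance(x5c, list) or not x5c or not all(isinstance(c, str) for c in x5c):
        return False, "x5c must be a non-empty list of base64 certificates"
    missing = [k for k in ("iss", "iat", "exp", "aud") if k not in claims]
    if missing or not claims.get("iss"):
        return False, f"missing or empty claims: {missing or ['iss']}"
    if not all(isinstance(claims[k], int) for k in ("iat", "exp")):
        return False, "iat and exp must be NumericDate integers"
    if claims["iat"] > now or claims["exp"] <= now:
        return False, "assertion not yet valid or already expired"
    if claims["aud"] != expected_aud:  # must name this server's Issuer Identifier
        return False, "aud does not name this server"
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    if not verify_signature(signing_input, _b64url_decode(parts[2]), x5c):
        return False, "signature does not verify against the x5c certificate"
    return True, claims["iss"]  # the username to issue the primary refresh token for
```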