3.2.5.1.2.1.4 User Certificate Authentication
If authenticating the user by using a signed JWT, the client includes the following fields in the JWT described in section 3.2.5.1.2.1:
- grant_type (REQUIRED): "urn:ietf:params:oauth:grant-type:jwt-bearer"
- assertion (REQUIRED): A signed JWT used to authenticate the user based upon a certificate that identifies the user.

The JWT fields for the JWT that is provided in the assertion field MUST be given the following values:
- iss (REQUIRED): The username of the user for which the primary refresh token is requested.
- iat (REQUIRED): See [OIDCCore] section 2.
- exp (REQUIRED): See [OIDCCore] section 2.
- aud (REQUIRED): The Issuer Identifier ([OIDCCore] section 1.2) of the server that the client is sending the request to.

The signature header fields of the assertion field MUST be given the following values:
- typ (REQUIRED): "JWT"
- alg (REQUIRED): "RS256"
- x5c (REQUIRED): The certificate used to sign the request, following the format described in [RFC7515] section 4.1.6.
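The following is an added example, not part of the specification: a structural conformance check that a receiving server or a test harness could run over the assertion layout described above. The function names, the sample builder, the strict string comparison for aud, and the absence of a clock-skew allowance are assumptions; RS256 signature verification and x5c chain validation are not shown and are still required before iss can be trusted.

```python
import base64
import json
import time

def _decode(segment):
    """Decode one unpadded base64url JWS segment into a JSON object."""
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def check_assertion(assertion, expected_aud, now=None):
    """Return layout problems in a user-certificate assertion ([] means conformant).
    Structural only: the RS256 signature and x5c chain must still be verified."""
    now = time.time() if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWS"]
    try:
        header, claims = _decode(parts[0]), _decode(parts[1])
    except ValueError:  # bad base64url, bad UTF-8, bad JSON, or not an object
        return ["header or payload is not a base64url-encoded JSON object"]
    problems = []
    for name, want in (("typ", "JWT"), ("alg", "RS256")):
        if header.get(name) != want:
            problems.append(f"{name} must be {want}")
    x5c = header.get("x5c")
    if not (isinstance(x5c, list) and x5c and all(isinstance(c, str) for c in x5c)):
        problems.append("x5c must be a non-empty array of strings")
    else:
        try:  # RFC 7515 section 4.1.6: standard base64 DER, not base64url
            for cert in x5c:
                base64.b64decode(cert, validate=True)
        except ValueError:
            problems.append("x5c entry is not standard base64")
    problems += [f"missing claim {c}" for c in ("iss", "iat", "exp", "aud") if c not in claims]
    if claims.get("aud", expected_aud) != expected_aud:
        problems.append("aud is not this server's Issuer Identifier")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not all(isinstance(v, (int, float)) for v in (iat, exp)):
        problems.append("iat and exp must be numeric")
    elif not iat <= now < exp:  # assumption: no clock-skew allowance
        problems.append("assertion is outside its iat..exp window")
    return problems

def build_sample(header, claims):
    """Constructed, unsigned sample token with a placeholder signature segment."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc(header), enc(claims), "c2ln"])
```

Rejecting any alg other than "RS256" before signature verification keeps the header from selecting a different algorithm than the one this section mandates.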