Authentication flows that require client credentials, Resource Owner and Client Credentials, now accept client assertions.
This avoids sending the raw client secret on the wire.
Instead, the client application sends a JWT signed with its private key, and we verify the signature with the public key stored on the ResourceManager. The required claims on the JWT are exp, iat, nbf, iss, aud, jti, sub and typ.
The request payload should include the following new params:
client_assertions (JWT signed with the client's private key and containing the required claims);
client_assertion_type (must be urn:ietf:params:oauth:client-assertion-type:jwt-bearer).
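The exchange described above, as an added example that is not part of the original change: the client builds and signs the assertion with its private key, and the server verifies it with the public key registered for the client named by iss, checks each of the required claims and rejects a jti it has already accepted. The client id app-1, the audience https://auth.example/token, the jti values and the fixed Unix timestamp are constructed for the example; the JWS uses ES256 (ECDSA P-256) with Go's standard library, and the claim checks are what a verifier should do, not the project's own code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Claims holds the claims the page lists as required on a client assertion.
type Claims struct {
	Iss string `json:"iss"` // client id: the client issues its own assertion
	Sub string `json:"sub"` // client id again
	Aud string `json:"aud"` // the token endpoint the assertion is meant for
	Jti string `json:"jti"` // unique per assertion, so the server can reject replays
	Iat int64  `json:"iat"`
	Nbf int64  `json:"nbf"`
	Exp int64  `json:"exp"`
	Typ string `json:"typ"`
}

var enc = base64.RawURLEncoding

// SignAssertion is the client side: a compact ES256 JWS over the claims, signed with the private key.
func SignAssertion(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r || s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

// Verify is the server side. keys maps client id to its registered public key, aud is this token
// endpoint, seen records accepted jti values (keyed to exp so they can be pruned) and now is Unix time.
func Verify(keys map[string]*ecdsa.PublicKey, aud string, seen map[string]int64, token string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var hdr struct{ Alg string `json:"alg"` }
	hb, err := enc.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("alg must be ES256") // never honour none or an HMAC alg here
	}
	var c Claims // untrusted until the signature below checks out
	if pb, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("bad payload")
	}
	pub, ok := keys[c.Iss] // iss names the client; only its registered key is tried
	if !ok {
		return nil, errors.New("unknown client")
	}
	sig, err := enc.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid")
	}
	switch {
	case c.Sub == "" || c.Jti == "" || c.Typ == "" || c.Iat == 0 || c.Nbf == 0 || c.Exp == 0:
		return nil, errors.New("missing required claim")
	case c.Aud != aud:
		return nil, errors.New("aud mismatch")
	case c.Nbf > now || c.Exp <= now:
		return nil, errors.New("assertion outside its validity window")
	}
	if _, dup := seen[c.Jti]; dup {
		return nil, errors.New("jti replayed")
	}
	seen[c.Jti] = c.Exp
	return &c, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the client's registered keypair
	now := int64(1700000000)                                   // constructed clock so the run is deterministic
	tok, _ := SignAssertion(priv, Claims{Iss: "app-1", Sub: "app-1", Aud: "https://auth.example/token",
		Jti: "c0ffee", Iat: now, Nbf: now, Exp: now + 60, Typ: "JWT"})
	keys, seen := map[string]*ecdsa.PublicKey{"app-1": &priv.PublicKey}, map[string]int64{}
	_, first := Verify(keys, "https://auth.example/token", seen, tok, now)
	_, replay := Verify(keys, "https://auth.example/token", seen, tok, now)
	fmt.Println("first:", first, "replay:", replay) // first: <nil> replay: jti replayed
}
```

The string SignAssertion returns is what goes in client_assertions, with client_assertion_type set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer. Two choices on the verifying side matter most: the public key is selected from the client registry by iss and never taken from the token (no jwk or jku header is honoured), and alg is pinned so a token claiming none or an HMAC algorithm is rejected before any signature work; the jti map is what turns the required jti claim into actual replay protection.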