OAuth Grant Type JWT Bearer Flow
We are working on a use-case where we need to do authorization using the OAuth Grant Type JWT Bearer Flow.
At a high level, what we know is that the grant type (grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer) should be passed along with the JWT assertion for obtaining the access token.
Questions:
1. What kind of use-case fits this kind of grant type?
2. Who would create a JWT assertion? Is it something custom that should be implemented based on the successful authentication of a user?
3. What validations should be done on JWT assertions and access tokens?
- Can anyone explain the whole flow with a sample?
oauth-2.0
asked Nov 19 '18 at 8:58 by TechiePro
1 Answer
This grant type flow can be used for the following cases:

1. The JWT is issued by the client itself: the claims iss (issuer) and sub (subject) refer to the client ID. As the subject is the client, it can be compared to the Client Credentials grant type flow. This is very useful for clients that don't want to expose their credentials.
2. The JWT is issued by a trusted third party (trusted by the authorization server): in this case the subject could be the client itself, another client or an end user.

Section 3 of RFC 7523 is quite clear regarding the claims to check:

- iss: the issuer of the token (client or trusted 3rd party)
- aud: should contain at least the authorization server. For case 2., should also contain the client ID
- sub: the subject corresponds to the resource owner
- exp: expiration time
- If present, other claims such as iat, nbf, jti or custom claims should be checked and understood.
- The signature of the JWT, depending on the issuer.
answered Nov 21 '18 at 22:14 by Florent Morselli
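An added end-to-end example of case 1 from the answer above (the client signs its own assertion), written for this page and not part of the original answer or of any library. It implements both sides of the exchange in standard-library Python: the client builds the assertion and the form body it POSTs to the token endpoint, and the authorization server performs the RFC 7523 section 3 checks listed in the answer (iss, aud, sub, exp, nbf and iat when present, jti replay detection, and the signature) before minting an access token. The client ID, the authorization server identifier used as the aud value, and the shared HMAC key are constructed fixtures. HS256 is used only so the example runs without a crypto library; a deployment would normally register an asymmetric client key so the authorization server never holds a secret that could itself forge assertions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
import urllib.parse

# Constructed fixtures for the example (assumed values, not real credentials).
AS_TOKEN_ENDPOINT = "https://as.example.com/token"  # assumed AS identifier, used as aud
CLIENT_ID = "client-123"                            # hypothetical registered client
CLIENT_KEYS = {CLIENT_ID: b"constructed-shared-hmac-key-for-demo-only"}
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
CLOCK_SKEW = 60  # seconds of tolerance when comparing time claims


class InvalidGrant(Exception):
    """Raised by the AS for any assertion that fails validation."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_assertion(client_id, key, now=None, lifetime=300):
    """Client side: the client issues the JWT itself, so iss == sub == client ID
    and aud names the authorization server (case 1 in the answer)."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": AS_TOKEN_ENDPOINT,
              "iat": now, "nbf": now, "exp": now + lifetime,
              "jti": secrets.token_urlsafe(16)}  # unique ID so the AS can reject replays
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def build_token_request(assertion):
    """Form body the client POSTs to the token endpoint."""
    return urllib.parse.urlencode({"grant_type": JWT_BEARER, "assertion": assertion})


def validate_assertion(assertion, now=None, seen_jti=None):
    """AS side: the RFC 7523 section 3 checks. Returns the claims on success."""
    now = int(now if now is not None else time.time())
    seen_jti = set() if seen_jti is None else seen_jti
    parts = assertion.split(".")
    if len(parts) != 3:
        raise InvalidGrant("malformed JWT")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    # Pin the algorithm server-side; never let the token choose it (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise InvalidGrant("unsupported alg")
    # iss: must be a registered issuer; the verification key is looked up from iss.
    iss = claims.get("iss")
    key = CLIENT_KEYS.get(iss)
    if key is None:
        raise InvalidGrant("unknown issuer")
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise InvalidGrant("bad signature")
    # aud: must name this authorization server (string or list).
    aud = claims.get("aud")
    if AS_TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidGrant("audience mismatch")
    # sub: required. For a self-issued assertion it must be the client itself; for case 2
    # (trusted third-party issuer) this check would instead map sub to the resource owner.
    if claims.get("sub") != iss:
        raise InvalidGrant("subject mismatch")
    # exp is required; nbf and iat are checked when present, with a small skew allowance.
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + CLOCK_SKEW:
        raise InvalidGrant("expired")
    if "nbf" in claims and now + CLOCK_SKEW < claims["nbf"]:
        raise InvalidGrant("not yet valid")
    if "iat" in claims and claims["iat"] > now + CLOCK_SKEW:
        raise InvalidGrant("issued in the future")
    # jti: reject a replayed assertion within its validity window.
    jti = claims.get("jti")
    if jti is not None:
        if jti in seen_jti:
            raise InvalidGrant("replayed assertion")
        seen_jti.add(jti)
    return claims


def token_endpoint(form_body, now=None, seen_jti=None):
    """AS side: parse the token request, validate the assertion, mint an access token."""
    form = dict(urllib.parse.parse_qsl(form_body))
    if form.get("grant_type") != JWT_BEARER or "assertion" not in form:
        return {"error": "unsupported_grant_type"}
    try:
        claims = validate_assertion(form["assertion"], now=now, seen_jti=seen_jti)
    except InvalidGrant as exc:
        return {"error": "invalid_grant", "error_description": str(exc)}
    # Short-lived opaque token bound to the subject. RFC 7521 section 4.1 says its lifetime
    # should not significantly exceed the assertion's, so no refresh token is issued.
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 600, "sub": claims["sub"]}


if __name__ == "__main__":
    a = build_assertion(CLIENT_ID, CLIENT_KEYS[CLIENT_ID])
    print(token_endpoint(build_token_request(a)))          # access token issued
    print(token_endpoint(build_token_request(a)))          # same jti again: invalid_grant
```

The replay cache is a plain set here; a real authorization server keeps jti values only until the assertion's exp has passed, and looks the verification key up from the registered client (by iss), never from anything inside the token.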