OAuth 2.0 Assertion Grant Profile

Title: OAuth 2.0 Assertion Grant Profile

Description: The OAuth 2.0 Assertion Grant Profile supports the exchange of SAML 2.0 or JWT assertions for Access Tokens to be used to access federated protected resources (i.e. REST-based web services)

Reference document

Org: FMN

Pubnum

Date: 2022-12-02

Version

Title: Proposed FMN Spiral 5 Specification

Taxonomy

Standards

Obligation: MANDATORY, Lifecycle: CANDIDATE

The OAuth 2.0 Authorization Framework (RFC 6749:2012)
Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7521:2015)
Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7522:2015)
JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523:2015)

Obligation: MANDATORY, Lifecycle: CANDIDATE

Resource Indicators for OAuth 2.0 (RFC 8707:2020)

Guidance

A federated Authorization Server supports this profile by providing a Security Token Service Endpoint (HTTP collection resource identified by the request URI) for a Client to make a request to exchange a Security Token (SAML or JWT assertion) from its own domain for a new Security Token (Access Token) that can be used to support chaining web services and access to federated protected resources.

How the Client receives a SAML or JWT assertion is out of scope for this profile.

The SAML assertion, if used, shall be compliant with the structure specified in the SIP for Middleware.

The JWT assertion, if used, shall be compliant with the structure specified in the SIP for Middleware.

When complying with this profile the Client must set the fields of its assertion grant token requests as follows

If the Client is exchanging a SAML assertion for an Access Token the grant_type parameter value is urn ietf params oauth grant-type saml2-bearer and the assertion parameter value is the SAML assertion.
If the Client is exchanging a JWT assertion for an Access Token the grant_type parameter value is urn ietf params oauth grant-type JWT-bearer and the assertion parameter value is the JWT assertion.
The resource parameter must be used to indicate the federated service or protected resource where the resultant Access Token is intended to be used.

The Authorization Server ensures that the assertion provided by the Client is valid and not expired.

When complying with this profile the Authorization Server must set the fields of the assertion grant token response as follows

The access_token parameter value is the Access Token issued as part of the request.
The token_type parameter value is Bearer.

Note If supporting the OAuth 2.0 DPoP Profile the token_type parameter value is DPoP. Note If supporting the OAuth 2.0 HTTP Message Signatures Profile token_type parameter value is PoP.

The Access Token format may be compliant with the OAuth 2.0 Access Token Profile.

Status

URI

History

Flag	Date	RFC	Version
added	2023-01-23	14-32	15

UUID: b91ad439-6a9a-4e30-aa46-a44c687383f9

Utilization

This profile is used by the following profiles:

Web Platform Standards Profiles - (profile)