- Title
- OAuth 2.0 Assertion Grant Profile
- Description
- The OAuth 2.0 Assertion Grant Profile supports the exchange of SAML 2.0 or JWT assertions for Access Tokens to be used to access federated protected resources (i.e. REST-based web services)
Taxonomy
Standards
Guidance
A federated Authorization Server supports this profile by providing a Security Token Service endpoint (an HTTP collection resource identified by the request URI) at which a Client can exchange a Security Token (a SAML or JWT assertion) from its own domain for a new Security Token (an Access Token) that can be used to support chaining web services and access to federated protected resources.
How the Client receives a SAML or JWT assertion is out of scope for this profile.
The SAML assertion, if used, shall be compliant with the structure specified in the SIP for Middleware.
The JWT assertion, if used, shall be compliant with the structure specified in the SIP for Middleware.
When complying with this profile, the Client must set the fields of its assertion grant token request as follows:
- If the Client is exchanging a SAML assertion for an Access Token, the grant_type parameter value is urn:ietf:params:oauth:grant-type:saml2-bearer and the assertion parameter value is the SAML assertion.
- If the Client is exchanging a JWT assertion for an Access Token, the grant_type parameter value is urn:ietf:params:oauth:grant-type:jwt-bearer and the assertion parameter value is the JWT assertion.
- The resource parameter must be used to indicate the federated service or protected resource where the resultant Access Token is intended to be used.
The Authorization Server ensures that the assertion provided by the Client is valid and not expired.
When complying with this profile, the Authorization Server must set the fields of the assertion grant token response as follows:
- The access_token parameter value is the Access Token issued as part of the request.
- The token_type parameter value is Bearer.
Note: If supporting the OAuth 2.0 DPoP Profile, the token_type parameter value is DPoP.
Note: If supporting the OAuth 2.0 HTTP Message Signatures Profile, the token_type parameter value is PoP.
The Access Token format may be compliant with the OAuth 2.0 Access Token Profile.
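The request and response fields above, worked through from the Authorization Server side, as an added example that is not part of this profile or any reference implementation. It assumes a pre-registered assertion issuer with a shared HS256 key, a constructed token endpoint URL and resource list, and shows only the JWT bearer path; the issued Access Token is a JWT whose aud is the requested resource.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
TOKEN_ENDPOINT = "https://as.example.test/token"                          # constructed
ISSUER_KEYS = {"https://idp.example.test": b"constructed-idp-secret"}     # constructed
KNOWN_RESOURCES = {"https://api.example.test/orders"}                     # constructed
AS_KEY = b"constructed-as-secret"  # key the AS uses to sign the Access Tokens it issues

def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64u_enc(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def sign_jwt(claims, key):
    """Mint an HS256 JWT (used for the constructed client assertion and the issued Access Token)."""
    h, p = (b64u_enc(json.dumps(x).encode()) for x in ({"alg": "HS256"}, claims))
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64u_enc(sig)}"

def verify_jwt_assertion(assertion, now):
    """RFC 7523 checks an AS must apply before trusting a JWT bearer assertion."""
    parts = assertion.split(".")
    if len(parts) != 3: raise ValueError("malformed JWT")
    h, p, s = parts
    if json.loads(b64u_dec(h)).get("alg") != "HS256":  # reject 'none' and alg switching
        raise ValueError("unsupported alg")
    claims = json.loads(b64u_dec(p))
    key = ISSUER_KEYS.get(claims.get("iss"))             # only pre-registered issuers
    if key is None: raise ValueError("unknown issuer")
    good = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(good, b64u_dec(s)): raise ValueError("bad signature")
    if claims.get("aud") != TOKEN_ENDPOINT: raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("assertion expired or missing exp")
    if "sub" not in claims: raise ValueError("missing sub")
    return claims

def handle_token_request(body, now):
    """Authorization Server side of the assertion grant: validate the form, return the JSON response."""
    form = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    grant = form.get("grant_type")
    if grant != JWT_BEARER: return {"error": "unsupported_grant_type"}  # SAML2 path not shown
    if "assertion" not in form or form.get("resource") not in KNOWN_RESOURCES:
        return {"error": "invalid_request"}   # resource is mandatory under this profile
    try:
        claims = verify_jwt_assertion(form["assertion"], now)
    except ValueError as e:
        return {"error": "invalid_grant", "error_description": str(e)}
    token = sign_jwt({"iss": TOKEN_ENDPOINT, "sub": claims["sub"], "aud": form["resource"],
                      "exp": now + 300}, AS_KEY)     # Access Token scoped to the requested resource
    return {"access_token": token, "token_type": "Bearer", "expires_in": 300}
```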