client_ assertion
Registry Context
HTTP request parameter carrying an assertion used to authenticate an OAuth client.
Technical Summary
In assertion-based client authentication, `client_assertion` contains the assertion that authenticates the client. Its serialization is defined by the applicable assertion profile.
When Used
When a client uses an assertion as its credential to authenticate to an OAuth token endpoint.
Normative Requirements
Clients
RFC 7521 - Section 4.2
ensure that `client_id` identifies the same client as the client assertion.
Condition: If the `client_id` parameter is present
If present, the value of the "client_id" parameter MUST identify the same client as is identified by the client assertion.
RFC 7521 - Section 4.2
include the `client_assertion` parameter containing the assertion used to authenticate the client.
Condition: When using assertions as client credentials
client_assertion REQUIRED. The assertion being used to authenticate the client.
RFC 7521 - Section 4.2
include `client_assertion_type` as an absolute URI identifying the assertion format defined by the authorization server.
Condition: When using assertions as client credentials
client_assertion_type REQUIRED. The format of the assertion as defined by the authorization server.
RFC 7521 - Section 4.2
include the `client_id` parameter.
Condition: When using assertions as client credentials
client_id OPTIONAL. The client identifier as described in Section 2.2 of OAuth 2.0.
Validation Guidance
Reject assertion-based client-authentication requests that omit `client_assertion`.
Reject assertion-based client-authentication requests that omit `client_assertion_type` or provide a value that is not an absolute URI.
If `client_id` is present, verify that it identifies the same client as the assertion.
Reference
Details
- Entry Id
client_assertion - Name
client_assertion - Parameter Usage Location
token request- Change Controller
IESG- Reference
RFC7521