oauth2.dev

client_assertion

IESG

Registry Context

HTTP request parameter carrying an assertion used to authenticate an OAuth client.

Technical Summary

In assertion-based client authentication, `client_assertion` contains the assertion that authenticates the client. Its serialization is defined by the applicable assertion profile.

When Used

When a client uses an assertion as its credential to authenticate to an OAuth token endpoint.

Normative Requirements

Clients

MUST
1
  1. RFC 7521 - Section 4.2

    ensure that `client_id` identifies the same client as the client assertion.

    Condition: If the `client_id` parameter is present

    If present, the value of the "client_id" parameter MUST identify the same client as is identified by the client assertion.

REQUIRED
2
  1. RFC 7521 - Section 4.2

    include the `client_assertion` parameter containing the assertion used to authenticate the client.

    Condition: When using assertions as client credentials

    client_assertion REQUIRED. The assertion being used to authenticate the client.

  2. RFC 7521 - Section 4.2

    include `client_assertion_type` as an absolute URI identifying the assertion format defined by the authorization server.

    Condition: When using assertions as client credentials

    client_assertion_type REQUIRED. The format of the assertion as defined by the authorization server.

OPTIONAL
1
  1. RFC 7521 - Section 4.2

    include the `client_id` parameter.

    Condition: When using assertions as client credentials

    client_id OPTIONAL. The client identifier as described in Section 2.2 of OAuth 2.0.

Validation Guidance

error

Reject assertion-based client-authentication requests that omit `client_assertion`.

error

Reject assertion-based client-authentication requests that omit `client_assertion_type` or provide a value that is not an absolute URI.

error

If `client_id` is present, verify that it identifies the same client as the assertion.

Reference

Details

Entry Id
client_assertion
Name
client_assertion
Parameter Usage Location
token request
Change Controller
IESG
Reference
RFC7521