urn:ietf:params:oauth:client-assertion-type:saml2-bearer
Registry Context
This URN identifies the SAML 2.0 bearer assertion profile used for OAuth 2.0 client authentication.
Technical Summary
For SAML bearer client authentication, client_assertion_type has this URN as its value. The client_assertion contains one SAML 2.0 Assertion whose XML is base64url-encoded according to RFC 4648 Section 5 with zero padding bits. The encoding should not be line-wrapped or include pad characters.
When Used
When a client uses a SAML 2.0 bearer assertion to authenticate to an OAuth 2.0 authorization server.
Normative Requirements
Clients
RFC 7522 - Section 2.2
ensure the client_assertion parameter contains a single SAML 2.0 Assertion.
Condition: When using a SAML bearer assertion for client authentication.
The value of the "client_assertion" parameter MUST contain a single SAML 2.0 Assertion.
RFC 7522 - Section 2.2
encode the SAML Assertion XML using base64url as defined by RFC 4648 Section 5, with padding bits set to zero.
Condition: When using a SAML bearer assertion for client authentication.
The SAML Assertion XML data MUST be encoded using base64url ... where the padding bits are set to zero.
RFC 7522 - Section 2.2
line-wrap the base64url-encoded assertion.
Condition: When using a SAML bearer assertion for client authentication.
the base64url-encoded data SHOULD NOT be line wrapped
RFC 7522 - Section 2.2
include pad characters ("=") in the base64url-encoded assertion.
Condition: When using a SAML bearer assertion for client authentication.
pad characters ("=") SHOULD NOT be included
Validation Guidance
Verify that client_assertion_type exactly equals urn:ietf:params:oauth:client-assertion-type:saml2-bearer for SAML bearer client authentication.
Verify that client_assertion contains one SAML 2.0 Assertion and that its XML is base64url-encoded according to RFC 4648 Section 5 with zero padding bits.
Warn if the encoded assertion is line-wrapped or contains '=' pad characters.
Reference
Details
- Entry Id
urn:ietf:params:oauth:client-assertion-type:saml2-bearer- Urn
urn:ietf:params:oauth:client-assertion-type:saml2-bearer- Common Name
SAML 2.0 Bearer Assertion Profile for OAuth 2.0 Client Authentication- Change Controller
IESG- Reference
RFC7522, RFC-ietf-oauth-rfc7523bis-11