oauth2.dev

urn:ietf:params:oauth:client-assertion-type:saml2-bearer

IESG

Registry Context

This URN identifies the SAML 2.0 bearer assertion profile used for OAuth 2.0 client authentication.

Technical Summary

For SAML bearer client authentication, client_assertion_type has this URN as its value. The client_assertion contains one SAML 2.0 Assertion whose XML is base64url-encoded according to RFC 4648 Section 5 with zero padding bits. The encoding should not be line-wrapped or include pad characters.

When Used

When a client uses a SAML 2.0 bearer assertion to authenticate to an OAuth 2.0 authorization server.

Normative Requirements

Clients

MUST
2
  1. RFC 7522 - Section 2.2

    ensure the client_assertion parameter contains a single SAML 2.0 Assertion.

    Condition: When using a SAML bearer assertion for client authentication.

    The value of the "client_assertion" parameter MUST contain a single SAML 2.0 Assertion.

  2. RFC 7522 - Section 2.2

    encode the SAML Assertion XML using base64url as defined by RFC 4648 Section 5, with padding bits set to zero.

    Condition: When using a SAML bearer assertion for client authentication.

    The SAML Assertion XML data MUST be encoded using base64url ... where the padding bits are set to zero.

SHOULD NOT
2
  1. RFC 7522 - Section 2.2

    line-wrap the base64url-encoded assertion.

    Condition: When using a SAML bearer assertion for client authentication.

    the base64url-encoded data SHOULD NOT be line wrapped

  2. RFC 7522 - Section 2.2

    include pad characters ("=") in the base64url-encoded assertion.

    Condition: When using a SAML bearer assertion for client authentication.

    pad characters ("=") SHOULD NOT be included

Validation Guidance

error

Verify that client_assertion_type exactly equals urn:ietf:params:oauth:client-assertion-type:saml2-bearer for SAML bearer client authentication.

error

Verify that client_assertion contains one SAML 2.0 Assertion and that its XML is base64url-encoded according to RFC 4648 Section 5 with zero padding bits.

warning

Warn if the encoded assertion is line-wrapped or contains '=' pad characters.

Reference

Details

Entry Id
urn:ietf:params:oauth:client-assertion-type:saml2-bearer
Urn
urn:ietf:params:oauth:client-assertion-type:saml2-bearer
Common Name
SAML 2.0 Bearer Assertion Profile for OAuth 2.0 Client Authentication
Change Controller
IESG
Reference
RFC7522, RFC-ietf-oauth-rfc7523bis-11