oauth2.dev

urn:ietf:params:oauth:grant-type:jwt-bearer

IESG

Registry Context

This URN identifies the OAuth 2.0 JWT bearer grant type. It is used as the grant_type value when a client submits a JWT as an authorization grant.

Technical Summary

RFC 7523 Section 2.1 assigns this URN as the grant_type value for JWT bearer authorization grants and requires the assertion parameter to contain one JWT. Section 8.1 registers the URN in the OAuth URI registry.

When Used

When a client submits a JWT bearer authorization grant in an OAuth 2.0 access token request.

Normative Requirements

Clients

MUST
  1. RFC 7521 - Section 4.1

    request a scope equal to or less than the scope originally granted to the authorized accessor.

    Condition: when including scope while exchanging a JWT assertion for an access token

    The requested scope MUST be equal to or less than the scope originally granted.

  2. RFC 7523 - Section 2.1

    ensure the assertion parameter contains a single JWT.

    Condition: when using a Bearer JWT as an authorization grant

    The value of the "assertion" parameter MUST contain a single JWT.

REQUIRED
  1. RFC 7521 - Section 4.1

    include the grant_type parameter as an absolute URI.

    Condition: when using a JWT assertion as an authorization grant

    grant_type REQUIRED. The value will be an absolute URI.

  2. RFC 7521 - Section 4.1

    include the assertion parameter containing the assertion used as the authorization grant.

    Condition: when using a JWT assertion as an authorization grant

    assertion REQUIRED. The assertion being used as an authorization grant.

OPTIONAL
  1. RFC 7521 - Section 4.1

    include a scope parameter identifying the requested scope.

    Condition: when using a JWT assertion as an authorization grant

    scope OPTIONAL. The requested scope as described in Section 3.3 of OAuth 2.0.

Authorization servers

MUST
  1. RFC 7521 - Section 4.1

    limit the issued access token's scope to be equal to or less than the scope originally granted to the authorized accessor.

    Condition: when exchanging a JWT assertion for an access token

    The authorization server MUST limit the scope of the issued access token.

SHOULD NOT
  1. RFC 7521 - Section 4.1

    issue an access token whose lifetime significantly exceeds the assertion's validity period.

    Condition: when issuing an access token for a JWT assertion grant

    Authorization servers SHOULD NOT issue access tokens with a lifetime that significantly exceeds the assertion validity period.

Validation Guidance

error: Verify that the grant_type parameter is present and is an absolute URI.

error: Verify that grant_type exactly equals "urn:ietf:params:oauth:grant-type:jwt-bearer" for this profile.

error: Verify that the assertion parameter is present.

error: Verify that the assertion parameter contains exactly one JWT.

error: When scope is requested, verify that it does not exceed the scope originally granted.

warning: Flag access-token lifetimes that significantly exceed the JWT assertion's validity period.
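The validation checks above, carried out in code as an added example that is not part of the oauth2.dev page or of any RFC: an authorization server runs them over a form-encoded token request body, rejects the request on any error, and caps the token lifetime at the assertion's remaining validity. The sample JWT, its claims and its placeholder signature segment are constructed for testing; verification of the assertion's signature, issuer and audience (RFC 7523 Section 3) is assumed to have been done beforehand by a JWT library.

```python
import base64
import json
from urllib.parse import parse_qs

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
B64URL = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")

def sample_assertion(exp):
    # Constructed test JWT (hypothetical claims); the third segment is a placeholder, not a signature.
    segments = [json.dumps({"alg": "RS256", "typ": "JWT"}),
                json.dumps({"iss": "client-1", "sub": "user-1", "aud": "https://as.example/token", "exp": exp}),
                "placeholder"]
    return ".".join(base64.urlsafe_b64encode(s.encode()).rstrip(b"=").decode() for s in segments)

def is_single_jwt(value):
    # Exactly one compact-serialised JWT: three non-empty base64url segments and nothing else.
    parts = value.split(".")
    return len(parts) == 3 and all(p and set(p) <= B64URL for p in parts)

def jwt_exp(assertion):
    # Reads 'exp' only; signature, iss and aud checks (RFC 7523 Section 3) are assumed done earlier.
    payload = assertion.split(".")[1]
    return int(json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))["exp"])

def validate_token_request(body, granted_scope, now, default_lifetime=3600):
    # Applies the Validation Guidance checks; returns (errors, warnings, issued_scope, lifetime_seconds).
    p = parse_qs(body, keep_blank_values=True)
    errors, warnings = [], []
    grant = p.get("grant_type", [""])[0]
    if ":" not in grant:  # missing, or not an absolute URI (no scheme)
        errors.append("grant_type missing or not an absolute URI")
    elif grant != JWT_BEARER:
        errors.append("grant_type is not the JWT bearer URN")
    assertions = p.get("assertion", [])
    if len(assertions) != 1 or not assertions[0]:
        errors.append("assertion parameter must appear exactly once")
    elif not is_single_jwt(assertions[0]):
        errors.append("assertion must contain exactly one JWT")
    requested = set(p.get("scope", [""])[0].split())
    if not requested <= set(granted_scope):
        errors.append("requested scope exceeds the originally granted scope")
    if errors:
        return errors, warnings, [], 0
    lifetime, remaining = default_lifetime, jwt_exp(assertions[0]) - now
    if lifetime > remaining:  # RFC 7521 Section 4.1: token should not outlive the assertion
        warnings.append("token lifetime capped to the assertion's remaining validity")
        lifetime = max(remaining, 0)
    return errors, warnings, sorted(requested or granted_scope), lifetime
```

An empty scope parameter falls back to the originally granted scope, which keeps the issued scope within the MUST in RFC 7521 Section 4.1 either way.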

Reference

Details

Entry Id: urn:ietf:params:oauth:grant-type:jwt-bearer
Urn: urn:ietf:params:oauth:grant-type:jwt-bearer
Common Name: JWT Bearer Token Grant Type Profile for OAuth 2.0
Change Controller: IESG
Reference: RFC7523, RFC-ietf-oauth-rfc7523bis-11