OAuth 2.0 JWT (JSON Web Token) Bearer Grant
JWT Bearer Grant is used to send a JWT token signed by EmpowerID, along with the Client ID and Client Secret of the OAuth application you registered in EmpowerID to the EmpowerID token endpoint in exchange for an access token, a refresh token, and an ID token (when scope=openid). This article describes how to use this grant in your applications.
You can download sample .NET framework code at https://dl1.empowerid.com/files/OAuthTestSampleCode.zip.
JWT (JSON Web Token) Bearer Grant
- Initiate a request to the EmpowerID Token endpoint, https://<EID Server>/oauth/v2/token

POST /oauth/v2/token HTTP/1.1
Host: <EID Server>
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
client_id={The Client ID of the OAuth app you registered in EmpowerID}
&client_secret={The Client Secret of the OAuth app you registered in EmpowerID}
&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&assertion=xxxxxxxxxxxxxxxxxx
&scope=openid

Header Parameter | Required/Optional | Description
Content-Type | required | Must be application/x-www-form-urlencoded.

Post Body Parameter | Required/Optional | Description
client_id | required | Must be the EmpowerID OAuth application client identifier.
client_secret | required | Must be the EmpowerID OAuth application client secret.
grant_type | required | Must be urn:ietf:params:oauth:grant-type:jwt-bearer
scope | required | A space-separated list of strings that the user consents to. Values include openid for the OpenID Connect flow.
assertion | required | Must be the JWT assertion string.

- Returns an access token and a refresh token (optionally an ID token) in the response
{
"access_token": "xxxxxxxxxxxxxxxxxxxxxx",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "xxxxxxxxxxxxxxxxxxxxxx",
"id_token": "xxxxxxxxxxxxxxxxxxxxxx",
"id": "xxxxxxxxxxxxxxxxxxxxxx"
}
Generate JWT Assertion
The JWT assertion should follow the format below, be signed with the signing certificate, and then be encoded as a Base64 string: base64(sign(<JWT Assertion>))
{
"Issuer": "<EmpowerID OAuth application client identifier>",
"Subject": "<Signing Certificate Thumbprint>",
"Audience": "https://<EID Server>/WebIdPForms/OAuth/v2",
"IssuedAt": "UnixTime(DateTime.UtcNow)",
"NotBefore": "UnixTime(DateTime.UtcNow - 5 minutes)",
"Expiration": "UnixTime(DateTime.UtcNow + 5 minutes)"
}
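As an added example (not the EmpowerID sample code or its .NET client library), the assertion above built with the standard System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens packages and then exchanged at the token endpoint from the first section. It assumes that Issuer/Subject/Audience/IssuedAt/NotBefore/Expiration map to the registered iss/sub/aud/iat/nbf/exp claims, that the endpoint accepts the RS256 compact JWS serialization as the assertion string, and that signingCert is an X509Certificate2 loaded together with its private key.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;
public static class JwtBearerAssertion
{
    // Builds the assertion in the format above: Issuer -> iss, Subject -> sub (certificate
    // thumbprint), Audience -> aud, IssuedAt/NotBefore/Expiration -> iat/nbf/exp (assumed mapping).
    // The +/- 5 minute window matches the page; RS256 over the certificate's private key is an assumption.
    public static string Create(string clientId, string eidServer, X509Certificate2 signingCert)
    {
        var now = DateTime.UtcNow;
        var token = new JwtSecurityToken(
            issuer: clientId,
            audience: "https://" + eidServer + "/WebIdPForms/OAuth/v2",
            claims: new[] { new Claim(JwtRegisteredClaimNames.Sub, signingCert.Thumbprint) },
            notBefore: now.AddMinutes(-5),
            expires: now.AddMinutes(5),
            signingCredentials: new X509SigningCredentials(signingCert, SecurityAlgorithms.RsaSha256));
        // The constructor sets nbf/exp but not iat, so add it explicitly as Unix time.
        token.Payload[JwtRegisteredClaimNames.Iat] = EpochTime.GetIntDate(now);
        // Compact JWS form: base64url(header).base64url(claims).base64url(signature)
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Sends the token request from the first section and returns the raw JSON body
    // (access_token, refresh_token, and id_token because scope includes openid).
    public static async Task<string> ExchangeAsync(HttpClient http, string eidServer,
        string clientId, string clientSecret, string assertion)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["client_id"] = clientId,
            ["client_secret"] = clientSecret,
            ["grant_type"] = "urn:ietf:params:oauth:grant-type:jwt-bearer",
            ["assertion"] = assertion,
            ["scope"] = "openid",
        });
        using (var response = await http.PostAsync("https://" + eidServer + "/oauth/v2/token", form))
        {
            var body = await response.Content.ReadAsStringAsync();
            if (!response.IsSuccessStatusCode)
                throw new HttpRequestException("Token endpoint returned " + (int)response.StatusCode + ": " + body);
            return body;
        }
    }
}
```

A non-2xx status is surfaced with the endpoint's error body so that a rejected assertion (wrong audience, expired window, unknown thumbprint) is visible to the caller rather than silently yielding an empty response.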
JWT Bearer Grant using .NET Client Library
- Initialize ClientSettings by passing the client_id, client_secret, redirect_uri, token_endpoint, authorization_endpoint, tokeninfo_endpoint and userinfo_endpoint. Also initialize a new JWTBearerGrant by passing the clientSettings model.

var clientSettings = new ClientSettings(
"client_id",
"client_secret",
"redirect_uri",
"https://<EID Server>/oauth/v2/token",
"https://<EID Server>/oauth/v2/ui/authorize",
"https://<EID Server>/oauth/v2/tokeninfo",
"https://<EID Server>/oauth/v2/userinfo");
var handler = new JWTBearerGrant(clientSettings);

- Call the GetAccessToken() method to retrieve the access_token, refresh_token, and other token related information.

AccessTokenResponseModel responseModel = null;
string certificateThumbprint = "xxxxxxxxxxxxxxxxxxxxx";
try
{
var signingCert = handler.GetSigningCertificate(certificateThumbprint);
responseModel = handler.GetAccessToken<AccessTokenResponseModel>
(RequestMethod.POST,
ParameterFormat.Json,
signingCert);
}
catch (Exception e)
{
// Handle error (certificate not found, or the token endpoint rejected the request)
}