How To
ForgeRock Identity Platform
ForgeRock Identity Cloud

How do I understand the OAuth2 and OIDC JWTs that are generated or accepted by Identity Cloud or AM (All versions)?

Last updated Sep 22, 2021

The purpose of this article is to provide information on the JSON Web Tokens (JWTs) used in OAuth2 and OpenID Connect 1.0 (OIDC) that are generated or accepted by Identity Cloud or AM.

5 readers recommend this article


The following table provides details on all the JWTs used in OAuth2 and OIDC that Identity Cloud or AM generates or accepts:

Name Description Standards link Generated by Received by Further information Identity Cloud and AM versions
ID Token Used to get a representation of the authenticated user. OpenID Connect Core 1.0: ID Token  Identity Cloud or AM Client OpenID Connect Grant Flows All
Access Token Used to access a resource. RFC 6749: Access Token   Identity Cloud or AM Client, Resource Server OAuth 2.0 Grant Flows All
Refresh Token Used to generate a new access token. RFC 6749: Refresh Token   Identity Cloud or AM Client Refresh Tokens All
Client Credentials

Used to authenticate the client application. By checking the signature, Identity Cloud or AM can be certain that the request was made by the client application, without needing the client credential in the POST parameter.

This is the recommended way to authenticate the client.

RFC 7523: Using JWTs for Client Authentication  Client and Resource Server Identity Cloud or AM Authenticating Clients Using JWT Profiles All
Bearer Token Used to request access tokens in environments where end users authenticate to a service other than Identity Cloud or AM, provided that the authentication relationship/session information can be expressed as a JWT bearer token. As the authorization server, Identity Cloud or AM validates the bearer JWT and issues the access token to the client. RFC 7523: Using JWTs as Authorization Grants   Client Identity Cloud or AM  JWT Profile for OAuth 2.0 Authorization Grant Identity Cloud; AM 6.5.2 and later
Software Statement

Used to dynamically register clients. 

A software statement is a JWT that holds registration claims about the client, such as the issuer and the redirection URIs that it will register.

RFC 7591: Dynamic Client Registration Protocol   Client Identity Cloud or AM Dynamic Client Registration Identity Cloud; AM 5.5 and later
UserInfo Response You can encrypt an ID token to hide user information from the other party. If you need this feature, then you probably want to encrypt the user information response to ensure only the client application can access the users' information. OpenID Connect Core 1.0: Successful UserInfo Response  Identity Cloud or AM Client /oauth2/userinfo All
Request Parameter

There are several reasons to use a request parameter (request or request_uri), including the ability to obscure the request from the user by encrypting the request parameter.

Using the request parameter with the authorization code grant flow is advised since this grant requires the user to interact; however, they will be able to read the request unless it is encrypted.

There are other reasons to use the request parameter, which you can find in the standards section 6.

OpenID Connect Core 1.0: Passing Request Parameters as JWTs  Client Identity Cloud or AM /oauth2/authorize All
Consent Request

A Remote Consent Service handles the consent-gathering part of an OAuth 2.0 flow.

AM creates the consent request JWT that contains the necessary information to render a consent gathering page.

-- Identity Cloud or AM Remote Consent Service The Remote Consent Service Identity Cloud; AM 5.5 and later
Consent Response The Remote Consent Service then uses the above JWT to render the consent page and gather the result. It then signs and encrypts the result, and returns a consent response JWT to Identity Cloud or AM.  -- Remote Consent Service Identity Cloud or AM The Remote Consent Service Identity Cloud; AM 5.5 and later
Backchannel Request

Used to identify the user when performing Client Initiated Backchannel Authentication (CIBA).

CIBA allows a client application, known as the consumption device, to obtain authentication and consent from a user, without requiring the user to interact with the client directly.

OpenID Connect Client Initiated Backchannel Authentication Flow - Core 1.0 draft-02   Identity Cloud or AM Client  Backchannel Request Grant Identity Cloud; AM 6.5.2 and later
Logout Token  Used to notify relying parties that an end-user session linked to an ID token has become invalid. OpenID Connect Back-Channel Logout 1.0 Draft 06  AM Client Informing Relying Parties that a Session has Expired AM 7.1 and later

See Also

What federation standards does AM support?

Supported Standards

OAuth 2.0 in AM

OpenID Connect 1.0 Guide

OAuth 2.0 Guide

Related Training


Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.