How do I understand the OAuth2 and OIDC JWTs that are generated or accepted by Identity Cloud or AM (All versions)?
The purpose of this article is to provide information on the JSON Web Tokens (JWTs) used in OAuth2 and OpenID Connect 1.0 (OIDC) that are generated or accepted by Identity Cloud or AM.
5 readers recommend this article
| Name | Description | Standards link | Generated by | Received by | Further information | Identity Cloud and AM versions |
|---|---|---|---|---|---|---|
| ID Token | Used to get a representation of the authenticated user. | OpenID Connect Core 1.0: ID Token | Identity Cloud or AM | Client | OpenID Connect Grant Flows | All |
| Access Token | Used to access a resource. | RFC 6749: Access Token | Identity Cloud or AM | Client, Resource Server | OAuth 2.0 Grant Flows | All |
| Refresh Token | Used to generate a new access token. | RFC 6749: Refresh Token | Identity Cloud or AM | Client | Refresh Tokens | All |
| Client Credentials |
Used to authenticate the client application. By checking the signature, Identity Cloud or AM can be certain that the request was made by the client application, without needing the client credential in the POST parameter. This is the recommended way to authenticate the client. |
RFC 7523: Using JWTs for Client Authentication | Client and Resource Server | Identity Cloud or AM | Authenticating Clients Using JWT Profiles | All |
| Bearer Token | Used to request access tokens in environments where end users authenticate to a service other than Identity Cloud or AM, provided that the authentication relationship/session information can be expressed as a JWT bearer token. As the authorization server, Identity Cloud or AM validates the bearer JWT and issues the access token to the client. | RFC 7523: Using JWTs as Authorization Grants | Client | Identity Cloud or AM | JWT Profile for OAuth 2.0 Authorization Grant | Identity Cloud; AM 6.5.2 and later |
| Software Statement |
Used to dynamically register clients. A software statement is a JWT that holds registration claims about the client, such as the issuer and the redirection URIs that it will register. |
RFC 7591: Dynamic Client Registration Protocol | Client | Identity Cloud or AM | Dynamic Client Registration | Identity Cloud; AM 5.5 and later |
| UserInfo Response | You can encrypt an ID token to hide user information from the other party. If you need this feature, then you probably want to encrypt the user information response to ensure only the client application can access the users' information. | OpenID Connect Core 1.0: Successful UserInfo Response | Identity Cloud or AM | Client | /oauth2/userinfo | All |
| Request Parameter |
There are several reasons to use a request parameter (request or request_uri), including the ability to obscure the request from the user by encrypting the request parameter. Using the request parameter with the authorization code grant flow is advised since this grant requires the user to interact; however, they will be able to read the request unless it is encrypted. There are other reasons to use the request parameter, which you can find in the standards section 6. |
OpenID Connect Core 1.0: Passing Request Parameters as JWTs | Client | Identity Cloud or AM | /oauth2/authorize | All |
| Consent Request |
A Remote Consent Service handles the consent-gathering part of an OAuth 2.0 flow. AM creates the consent request JWT that contains the necessary information to render a consent gathering page. |
-- | Identity Cloud or AM | Remote Consent Service | The Remote Consent Service | Identity Cloud; AM 5.5 and later |
| Consent Response | The Remote Consent Service then uses the above JWT to render the consent page and gather the result. It then signs and encrypts the result, and returns a consent response JWT to Identity Cloud or AM. | -- | Remote Consent Service | Identity Cloud or AM | The Remote Consent Service | Identity Cloud; AM 5.5 and later |
| Backchannel Request |
Used to identify the user when performing Client Initiated Backchannel Authentication (CIBA). CIBA allows a client application, known as the consumption device, to obtain authentication and consent from a user, without requiring the user to interact with the client directly. |
OpenID Connect Client Initiated Backchannel Authentication Flow - Core 1.0 draft-02 | Identity Cloud or AM | Client | Backchannel Request Grant | Identity Cloud; AM 6.5.2 and later |
| Logout Token | Used to notify relying parties that an end-user session linked to an ID token has become invalid. | OpenID Connect Back-Channel Logout 1.0 Draft 06 | AM | Client | Informing Relying Parties that a Session has Expired | AM 7.1 and later |
See Also
Related Training
N/A
Related Issue Tracker IDs
N/A