Creating the JWT bearer token
Use the information in this topic to create the JWT bearer token that is used in the JWT bearer flow.
JWT bearer payload claims
The JWT bearer payload must contain the following claims:| Claim name | Description | Valid values |
|---|---|---|
| iss | Unique identifier for entity that issued the JWT | The valid URI of the JWT issuer. |
| sub | Principal subject identifier | The unique identifier of a user. |
| aud | OIDC endpoint that is being called | https://<tenantId>/oidc/endpoint/default/token |
| exp | JWT expiration time | The number of seconds from 1970-01-01T0:0:0Z as measured in UTC. Note: The JWT expiration time
cannot be more than 86400 seconds in the future.
|
| jti | JWT identifier | A randomly generated opaque string. |
| Claim name | Description | Valid values |
|---|---|---|
| nbf | JWT not before time | The number of seconds from 1970-01-01T0:0:0Z as measured in UTC. |
| iat | JWT creation time | The number of seconds from 1970-01-01T0:0:0Z as measured in UTC. Note: The JWT expiration
time cannot be more than 86400 seconds in the past.
|
| realm | Principal subject realm | The identity source realm that the `sub` belongs to. |
JWT bearer payload example
```
{
"iss": "https://www.relyingparty.com",
"sub": "user@idsource.com",
"aud": "https://sometenant.ice.com/oidc/endpoint/default/token",
"exp": 1324298520,
"jti": "araiov8werli2awerlj"
}
```Supported algorithms
| Purpose | Supported algorithms |
|---|---|
| JWS 'alg' for Signing | 'RS256', 'RS384', 'RS512', 'HS256', 'HS384', 'HS512', 'PS256', 'PS384', 'PS512' |
| JWE 'alg' for Key Management | 'RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256', 'A128KW', 'A192KW', 'A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW' |
| JWE 'enc' for Content Encryption | 'A128GCM', 'A192GCM', 'A256GCM' |
Note: If the JWT bearer is both signed and encrypted, the JWE header, the outer JWT, must indicate
that it is a nested JWT by setting the content type header to 'JWT'. For example,
'cty':'JWT'.The JWT bearer must be signed, or encrypted, or both. Ensure that whatever key is used to
sign the JWT is published in the
jwks_uri. If the jwks_uri is not
available, then add the public certificate into the system. See Managing certificates. When
the JWT bearer is encrypted and an asymmetric algorithm is used, the public keys that are published
at the OpenID Connect Provider jwks endpoint
https://<tenantId>/v1.0/endpoint/default/jwks can be used. Ensure that the
signed or encrypted JWT includes the `kid` header to uniquely identify the key that
is used.
Request example
After the JWT bearer token is created, a request can be submitted to the token endpoint to exchange the JWT bearer token with an access token.```
curl -ki https://<tenantId>/v1.0/endpoint/default/token
-d "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt
-bearer&client_secret=<secret>&client_id=<clientId>
&scope=openid+email&assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.eyJpc3Mi..."
```