3.2.5.1.2.1 Request Body

A signed request is passed as a JSON Web Token (JWT), as specified in [OIDCCore] section 6.1, and the JWT is signed with a device key.

The format of the signed request is as follows:

 POST /token HTTP/1.1
 Content-Type: application/x-www-form-urlencoded

 grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&request=<signed JWT>

The signed JWT format is defined in [RFC7519].

The JWT fields MUST be given the following values:

client_id (REQUIRED): A unique identifier for the broker client.<4>

scope (REQUIRED): MUST contain at least the scopes "aza" and "openid". Additional scopes can be included and follow the format described in [RFC6749] section 3.3.

request_nonce (REQUIRED): A nonce previously obtained from the server by making the request described in section 3.1.5.1.1.

Additionally, the client MUST provide user authentication in the request. The client does this by including the JWT fields from one of the following:

  • Section 3.2.5.1.2.1.1 for username and password authentication.

  • Section 3.2.5.1.2.1.2 if using a signed JWT for authentication.

  • Section 3.2.5.1.2.1.3 if using a previous refresh token for authentication.

The signature header fields MUST be given the following values:

typ (REQUIRED): "JWT"

alg (REQUIRED): "RS256"

x5c (REQUIRED): The certificate used to sign the request, following the format described in [RFC7515] section 4.1.6.

kdf_ver (OPTIONAL): If the capabilities field of the OpenID Provider Metadata ([MS-OIDCE] section 2.2.3.2) from the server includes the value "kdf_ver2", the client can use KDFv2 to create the context that is used in deriving the Session Key. This is used in flows that exchange a primary refresh token for another token or for a user authentication certificate, as defined in sections 3.1.5.1.3 and 3.1.5.1.4.
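The following is an added example, not part of the specification or of any implementation of it: a receiver-side structural check of the request body against the field requirements listed above. The function names and sample values are constructed for illustration; signature verification, certificate validation, nonce freshness, and the user authentication fields defined in the subsections are separate steps that it does not perform.

```python
import base64, json
from urllib.parse import parse_qs, urlencode

GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def b64url_decode(seg):
    # JWS segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_request_body(body):
    """Return the structural problems found in a form-encoded token request."""
    form = parse_qs(body)
    if form.get("grant_type") != [GRANT] or len(form.get("request", [])) != 1:
        return ["grant_type or request parameter is missing or malformed"]
    parts = form["request"][0].split(".")
    if len(parts) != 3:
        return ["request is not a three-part compact JWS"]
    try:
        header, claims = (json.loads(b64url_decode(p)) for p in parts[:2])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header or payload is not base64url-encoded JSON"]
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return ["header and payload must be JSON objects"]
    problems = [f'{n} must be "{v}"' for n, v in (("typ", "JWT"), ("alg", "RS256")) if header.get(n) != v]
    x5c = header.get("x5c")
    try:  # RFC 7515 section 4.1.6: standard base64 (not base64url) DER strings
        ok = isinstance(x5c, list) and bool(x5c) and all(base64.b64decode(c, validate=True) for c in x5c)
    except (ValueError, TypeError):
        ok = False
    if not ok:
        problems.append("x5c must be a non-empty array of base64 certificates")
    for name in ("client_id", "request_nonce"):
        if not (isinstance(claims.get(name), str) and claims[name]):
            problems.append(name + " is required")
    scope = claims.get("scope")  # space-delimited list, RFC 6749 section 3.3
    if not (isinstance(scope, str) and {"aza", "openid"} <= set(scope.split())):
        problems.append('scope must contain "aza" and "openid"')
    return problems

def sample_body(header, claims):
    # Constructed sample; the third part is a placeholder, not a real signature.
    jwt = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    return urlencode({"grant_type": GRANT, "request": jwt + "." + b64url_encode(b"sig")})

GOOD_HEADER = {"typ": "JWT", "alg": "RS256", "x5c": [base64.b64encode(b"constructed DER").decode()]}
GOOD_CLAIMS = {"client_id": "constructed-client", "scope": "aza openid", "request_nonce": "constructed-nonce"}
```

Calling check_request_body(sample_body(GOOD_HEADER, GOOD_CLAIMS)) returns an empty list; altering a header or claim value in the sample returns one message per violated requirement.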