3.2.5.1.2.1.2 User JWT Authentication
If authenticating the user by using a signed JWT, the client includes the following fields in the JWT described in section 3.2.5.1.2.1:
grant_type (REQUIRED): "urn:ietf:params:oauth:grant-type:jwt-bearer"
assertion (REQUIRED): A signed JWT used to authenticate the user.
The JWT fields for the JWT provided in the assertion field MUST be given the following values:
iss (REQUIRED): The username of the user for which the primary refresh token is requested.
iat (REQUIRED): See [OIDCCore] section 2.
exp (REQUIRED): See [OIDCCore] section 2.
aud (REQUIRED): The Issuer Identifier ([OIDCCore] section 1.2) of the server that the client is sending the request to.
request_nonce (REQUIRED): This is the same value as request_nonce as contained in the request body (section 3.2.5.1.2.1).
Note: The request_nonce value is supported in the assertion field by the operating systems specified in [MSFT-CVE-2023-35348], each with its related KB article download installed.
The signature header fields of the assertion field MUST be given the following values:
typ (REQUIRED): "JWT"
alg (REQUIRED): "RS256"
kid (REQUIRED): The identifier for the key used to sign the request.
use (REQUIRED): "ngc"
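As an added example (not part of the specification or of any Microsoft implementation), the following Python code checks a received request against the header and claim requirements listed in this section, including that request_nonce in the assertion equals request_nonce in the request body. It assumes the request body is already decoded into a dict; `check_assertion`, the sample values and the violation strings are hypothetical, and the RS256 signature is not verified here.

```python
import base64, json, time

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
HEADER_VALUES = {"typ": "JWT", "alg": "RS256", "use": "ngc"}
CLAIMS = ("iss", "iat", "exp", "aud", "request_nonce")

def b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_assertion(body, issuer_id, now=None):
    """Return the list of violations of this section (empty = fields conform).
    The RS256 signature is NOT verified here; do that with the key named by kid."""
    now = time.time() if now is None else now
    problems = []
    if body.get("grant_type") != GRANT_TYPE:
        problems.append("grant_type")
    parts = str(body.get("assertion", "")).split(".")
    try:
        header, claims = unb64url(parts[0]), unb64url(parts[1])
        if len(parts) != 3 or not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError
    except (ValueError, IndexError):
        return problems + ["assertion is not a compact signed JWT"]
    problems += [f"header {k}" for k, v in HEADER_VALUES.items() if header.get(k) != v]
    if not header.get("kid"):
        problems.append("header kid")
    problems += [f"claim {c} missing" for c in CLAIMS if c not in claims]
    if "aud" in claims and claims["aud"] != issuer_id:
        problems.append("aud is not this server's Issuer Identifier")
    if "request_nonce" in claims and claims["request_nonce"] != body.get("request_nonce"):
        problems.append("request_nonce differs from request body")
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        problems.append("exp is in the past")
    return problems

# Constructed sample: names, nonce and signature are placeholders, not real values.
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "kid": "example-key-id", "use": "ngc"}
SAMPLE_CLAIMS = {"iss": "user@example.test", "iat": 1700000000, "exp": 1700000300,
                 "aud": "https://sts.example.test/adfs", "request_nonce": "nonce-A"}
SAMPLE_BODY = {"grant_type": GRANT_TYPE, "request_nonce": "nonce-A",
               "assertion": ".".join([b64url(SAMPLE_HEADER), b64url(SAMPLE_CLAIMS), "c2ln"])}

if __name__ == "__main__":
    print(check_assertion(SAMPLE_BODY, "https://sts.example.test/adfs", now=1700000100))
```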