3.2.5.1.2.1.2 User JWT Authentication

If authenticating the user by using a signed JWT, the client includes the following fields in the JWT described in section 3.2.5.1.2.1:

grant_type (REQUIRED): "urn:ietf:params:oauth:grant-type:jwt-bearer"

assertion (REQUIRED): A signed JWT used to authenticate the user.

The claims of the JWT provided in the assertion field MUST be given the following values:

iss (REQUIRED): The username of the user for whom the primary refresh token is requested.

iat (REQUIRED): See [OIDCCore] section 2.

exp (REQUIRED): See [OIDCCore] section 2.

aud (REQUIRED): The Issuer Identifier ([OIDCCore] section 1.2) of the server that the client is sending the request to.

request_nonce (REQUIRED): This is the same value as request_nonce as contained in the request body (section 3.2.5.1.2.1).

Note: The request_nonce value is supported in the assertion field by the operating systems specified in [MSFT-CVE-2023-35348], each with its related KB article download installed.

The header fields of the JWT provided in the assertion field MUST be given the following values:

typ (REQUIRED): "JWT"

alg (REQUIRED): "RS256"

kid (REQUIRED): The identifier for the key used to sign the request.

use (REQUIRED): "ngc"
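The following is an added illustration of the assertion described in this section, not code from the specification or from any Microsoft implementation. It builds the assertion JWT on the client side with the header and claim values listed above, and on the server side enforces each of them before accepting the username in iss: header pinned to typ "JWT", alg "RS256", use "ngc" and a known kid; signature verified under the key that kid names; aud compared to the server's Issuer Identifier; request_nonce compared to the nonce from the request body; iat and exp checked against the current time. The Issuer Identifier, username, kid, nonce and the two-minute clock-skew tolerance are constructed values and assumptions of the example; the specification fixes none of them.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// JOSE header of the assertion JWT: the four fields section 3.2.5.1.2.1.2 requires.
type assertionHeader struct {
	Typ string `json:"typ"`
	Alg string `json:"alg"`
	Kid string `json:"kid"`
	Use string `json:"use"`
}

// Claims: iss is the username, aud the server's Issuer Identifier, request_nonce the nonce from the outer request body.
type assertionClaims struct {
	Iss          string `json:"iss"`
	Iat          int64  `json:"iat"`
	Exp          int64  `json:"exp"`
	Aud          string `json:"aud"`
	RequestNonce string `json:"request_nonce"`
}

// clockSkew tolerates an iat slightly in the future. This is an assumption of the example; [OIDCCore] section 2 fixes no value.
const clockSkew = 2 * time.Minute

func newSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func b64url(b []byte) string                  { return base64.RawURLEncoding.EncodeToString(b) }

// buildAssertion (client side) signs "<header>.<claims>" with RSASSA-PKCS1-v1_5 over SHA-256 and returns the compact JWS.
func buildAssertion(key *rsa.PrivateKey, kid, username, issuerID, nonce string, now time.Time, ttl time.Duration) (string, error) {
	hdr, _ := json.Marshal(assertionHeader{Typ: "JWT", Alg: "RS256", Kid: kid, Use: "ngc"})
	body, _ := json.Marshal(assertionClaims{Iss: username, Iat: now.Unix(), Exp: now.Add(ttl).Unix(), Aud: issuerID, RequestNonce: nonce})
	signingInput := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// verifyAssertion (server side) checks header, signature and claims. keys maps kid to the device's registered NGC public key.
func verifyAssertion(token string, keys map[string]*rsa.PublicKey, issuerID, expectedNonce string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("assertion is not a three-part compact JWS")
	}
	var hdr assertionHeader
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return "", fmt.Errorf("header is not base64url-encoded JSON")
	}
	// Pin the header before touching the signature: the verifier, not the token, picks the algorithm (no alg=none, no RSA/HMAC key confusion).
	pub := keys[hdr.Kid]
	if hdr.Typ != "JWT" || hdr.Alg != "RS256" || hdr.Use != "ngc" || pub == nil {
		return "", fmt.Errorf("rejected header typ=%q alg=%q use=%q kid=%q", hdr.Typ, hdr.Alg, hdr.Use, hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", fmt.Errorf("signature does not verify under kid %q", hdr.Kid)
	}
	var c assertionClaims
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return "", fmt.Errorf("claims are not base64url-encoded JSON")
	}
	switch {
	case c.Iss == "":
		return "", fmt.Errorf("iss (username) is required")
	case c.Aud != issuerID:
		return "", fmt.Errorf("aud %q is not this server's Issuer Identifier", c.Aud)
	case c.RequestNonce != expectedNonce:
		return "", fmt.Errorf("request_nonce does not match the request body")
	case c.Iat == 0 || now.Unix() < c.Iat-int64(clockSkew.Seconds()):
		return "", fmt.Errorf("iat missing or in the future")
	case c.Exp == 0 || now.Unix() >= c.Exp:
		return "", fmt.Errorf("exp missing or already passed")
	}
	return c.Iss, nil
}

func main() {
	key, err := newSigningKey()
	if err != nil {
		panic(err)
	}
	const srv = "https://login.example/tenant/v2.0" // constructed Issuer Identifier, not a real endpoint
	tok, _ := buildAssertion(key, "ngc-key-1", "alice@contoso.example", srv, "nonce-1", time.Now(), 10*time.Minute)
	fmt.Println(tok)
	fmt.Println(verifyAssertion(tok, map[string]*rsa.PublicKey{"ngc-key-1": &key.PublicKey}, srv, "nonce-1", time.Now()))
}
```

The order of checks on the server side is the point worth noting: the header is compared against the fixed values before the signature is examined, so the token never gets to choose the algorithm, and the signature is verified before any claim is read, so aud, request_nonce, iat and exp are only ever evaluated on bytes the holder of the NGC key actually signed. A nonce mismatch is treated as a hard failure rather than a warning, since request_nonce is what binds this assertion to the one request body it was produced for.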