This topic describes how to consume the EmpowerID REST API with the different OAuth 2.0 flows. Please note that before you can use the framework with your application, you must register that application in EmpowerID. This generates an API Key, Client Secret and Client ID for your application.
You can download sample .NET framework code at https://dl1.empowerid.com/files/OAuthTestSamplecode.zip
OAuth Discovery Endpoint
https://<EID Server>/oauth/.well-known/openid-configuration
JWT (JSON Web Token) Bearer Grant
1. Initiate a request to the EmpowerID Token endpoint, https://<EID Server>/oauth/v2/token
```http
POST /oauth/v2/token HTTP/1.1
Host: <EID Server>
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache

client_id={The Client ID of the OAuth app you registered in EmpowerID}
&client_secret={The Client Secret of the OAuth app you registered in EmpowerID}
&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&assertion=xxxxxxxxxxxxxxxxxx
&scope=openid
```
| Header Parameter | Required/Optional | Description |
|---|---|---|
| Content-Type | required | Must be application/x-www-form-urlencoded. |

| Post Body Parameter | Required/Optional | Description |
|---|---|---|
| client_id | required | Must be the EmpowerID OAuth application client identifier. |
| client_secret | required | Must be the EmpowerID OAuth application client secret. |
| grant_type | required | Must be urn:ietf:params:oauth:grant-type:jwt-bearer. |
| scope | required | A space-separated list of strings that the user consents to. Values include openid. |
| assertion | required | Must be the JWT assertion string. Please refer to the Generate JWT Assertion section below. |
2. The response returns an access token and a refresh token (and optionally an ID token):
```json
{
  "access_token": "xxxxxxxxxxxxxxxxxxxxxx",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "xxxxxxxxxxxxxxxxxxxxxx",
  "id_token": "xxxxxxxxxxxxxxxxxxxxxx",
  "id": "xxxxxxxxxxxxxxxxxxxxxx"
}
```
Generate JWT Assertion
1. The JWT assertion should follow the format below, be signed with the signing certificate, and be converted to a Base64 string: base64(sign(<JWT Assertion>)). The NotBefore and Expiration claims give the assertion a validity window of five minutes on either side of its issue time.
```
{
  Issuer:     <EmpowerID OAuth application client identifier>
  Subject:    <Signing Certificate Thumbprint>
  Audience:   https://<EID Server>/WebIdPForms/OAuth/v2
  IssuedAt:   UnixTime(DateTime.UtcNow)
  NotBefore:  UnixTime(DateTime.UtcNow - 5 minutes)
  Expiration: UnixTime(DateTime.UtcNow + 5 minutes)
}
```
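As an added illustration of the token request and the assertion format above (this is not the sample code from the download link or EmpowerID's client library), the following Go program builds the six-field claim set, signs it as a standard compact RS256 JWT, and assembles the form body of step 1. The names NewClaims, SignAssertion and TokenRequestBody, the host eid.example.com and the freshly generated RSA key (standing in for the private key of the registered signing certificate) are this example's own assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"net/url"
	"time"
)

// Claims holds the six fields listed above under their registered JWT claim names.
type Claims struct {
	Iss string `json:"iss"` // Issuer: client identifier of the registered OAuth application
	Sub string `json:"sub"` // Subject: thumbprint of the signing certificate
	Aud string `json:"aud"` // Audience: https://<EID Server>/WebIdPForms/OAuth/v2
	Iat int64  `json:"iat"` // IssuedAt
	Nbf int64  `json:"nbf"` // NotBefore: IssuedAt - 5 minutes
	Exp int64  `json:"exp"` // Expiration: IssuedAt + 5 minutes
}

// NewClaims fills the claim set for the given EID server host (assumed name) and point in time.
func NewClaims(clientID, thumbprint, eidServer string, now time.Time) Claims {
	return Claims{Iss: clientID, Sub: thumbprint, Aud: "https://" + eidServer + "/WebIdPForms/OAuth/v2",
		Iat: now.Unix(), Nbf: now.Add(-5 * time.Minute).Unix(), Exp: now.Add(5 * time.Minute).Unix()}
}

// SignAssertion returns the compact JWT header.claims.signature (each part base64url), RS256-signed with the signing certificate's private key.
func SignAssertion(c Claims, key *rsa.PrivateKey) (string, error) {
	enc := base64.RawURLEncoding
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// TokenRequestBody builds the x-www-form-urlencoded body of the POST /oauth/v2/token request.
func TokenRequestBody(clientID, clientSecret, assertion string) string {
	return url.Values{"client_id": {clientID}, "client_secret": {clientSecret}, "scope": {"openid"},
		"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"}, "assertion": {assertion}}.Encode()
}
```

Send the returned body with Content-Type application/x-www-form-urlencoded to https://<EID Server>/oauth/v2/token; the server is expected to reject the assertion once the Expiration claim has passed, so clocks on both sides should be kept in sync.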
JWT Bearer Grant using .NET Client Library
1. Initialize ClientSettings by passing the client_id, client_secret, redirect_uri, token_endpoint, authorization_endpoint, tokeninfo_endpoint and userinfo_endpoint. Also initialize a new JWTBearerGrant by passing the clientSettings model.
```csharp
var clientSettings = new ClientSettings(
    "client_id",
    "client_secret",
    "redirect_uri",
    "https://<EID Server>/oauth/v2/token",
    "https://<EID Server>/oauth/v2/ui/authorize",
    "https://<EID Server>/oauth/v2/tokeninfo",
    "https://<EID Server>/oauth/v2/userinfo");
var handler = new JWTBearerGrant(clientSettings);
```
2. Call the GetAccessToken() method to retrieve the access_token, refresh_token, and other token-related information.
```csharp
AccessTokenResponseModel responseModel = null;
string certificateThumbprint = "xxxxxxxxxxxxxxxxxxxxx";
try
{
    // Look up the signing certificate by thumbprint; its private key signs the JWT assertion.
    var signingCert = handler.GetSigningCertificate(certificateThumbprint);
    // POST the JWT bearer grant to the token endpoint and deserialize the token response.
    responseModel = handler.GetAccessToken<AccessTokenResponseModel>(RequestMethod.POST, ParameterFormat.Json, signingCert);
}
catch (Exception e)
{
    // Handle error
}
```