Pushed Authorization Request (PRIVATE_KEY_JWT)
POST {{authPath}}/{{envID}}/as/par
For applications in which the application's tokenEndpointAuthMethod is set to PRIVATE_KEY_JWT, the token endpoint uses a JWT signed by an external private key file. For information about creating the JWT (signed by the private key file) and the claims in the JWT, see Create a private key JWT. Token requests that use this auth method require the client_assertion and client_assertion_type OAuth properties to specify the JWT.
Prerequisites
See OpenID Connect/OAuth 2 for important overview information.
Create an application to get an appID. See Application Operations. Run Read All Applications to find an existing application.
Run Read All Templates to find a templateName.
Run Read All Contents to find a variantName.
Property | Type | Required? |
---|---|---|
acr_values | String | Optional |
client_assertion | String | Required |
client_assertion_type | String | Required |
login_hint | String | Optional |
mobilePayload | String | Optional |
max_age | String | Optional |
nonce | String | Optional |
prompt | String | Optional |
redirect_uri | String | Required |
request | String | Optional |
response_mode | String | Optional |
response_type | String | Required |
scope | String | Optional |
state | String | Optional |
See the OpenID Connect/OAuth2 data model for full property descriptions.
Parameter | Description |
---|---|
code_challenge_method | Specifies the computation logic used to generate the code_challenge string. The token endpoint uses this method to verify the code_verifier for PKCE authorization requests. Options are: plain and S256. |
nonce | A string that is used to associate a client session with a token to mitigate replay attacks. The value is passed through unmodified from the authentication request to the token. This is an optional property for authorization requests that return a code. |
redirect_uri | A string that specifies the URL of the application's return entry point. This is a required property. |
response_type | The code or token type returned by an authorization request. Options are token, id_token, and code. |
scope | Permissions that determine the resources that the application can access. This parameter is not required, but it is needed to specify accessible resources. |
Request Params
Key | Datatype | Required | Description |
---|---|---|---|
code_challenge_method | string | Optional | Specifies the computation logic used to generate the code_challenge string. |
nonce | string | Optional | A string that is used to associate a client session with a token to mitigate replay attacks. |
redirect_uri | string | Required | A string that specifies the URL of the application's return entry point. |
response_type | string | Required | The code or token type returned by an authorization request. |
scope | string | Optional | Permissions that determine the resources that the application can access. |
Request Body
Key | Value | Datatype |
---|---|---|
response_type | token | string |
redirect_uri | {{redirect_uri}} | string |
scope | openid | string |
client_assertion | {{privateKeyJWT}} | string |
client_assertion_type | urn:ietf:params:oauth:client-assertion-type:jwt-bearer | string |
Responses
Status: Created (HTTP 201)
{"request_uri":"urn:ietf:params:oauth:request_uri:03669195-99bc-410d-af5d-a0f125eea9b6","expires_in":60}
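The following Go program is an added example, not code from this page or from PingOne, that walks through the exchange described above end to end: it signs the client_assertion JWT with the client's RSA private key (RS256), POSTs the five request-body fields to the PAR endpoint, and decodes the request_uri/expires_in reply. The claim set used for the assertion (iss and sub set to the client ID, aud set to the issuer, iat/exp/jti) follows RFC 7523 and is an assumption here; the claims PingOne actually requires are on the Create a private key JWT page. The endpoint is a local mock constructed for the example so that it runs offline (it returns 401 unless the assertion verifies against the registered public key, otherwise 201 with a request_uri that expires in 60 seconds, matching the response shown above); the audience, client ID and redirect URI are placeholders, and the example sends response_type=code rather than the token value in the page's sample body.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// ParResponse is the JSON body the PAR endpoint returns on success (status Created).
type ParResponse struct {
	RequestURI string `json:"request_uri"`
	ExpiresIn  int    `json:"expires_in"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// GenerateClientKey makes the RSA key pair whose public half would be registered with the application.
func GenerateClientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// BuildClientAssertion signs the RS256 JWT sent as client_assertion. Claim names follow RFC 7523
// (iss/sub = client ID, aud = issuer); the exact claim set PingOne expects is an assumption here.
func BuildClientAssertion(key *rsa.PrivateKey, clientID, audience string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	jti := make([]byte, 16)
	rand.Read(jti) // unique token id so a captured assertion cannot be replayed
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": clientID, "sub": clientID, "aud": audience, "jti": b64url(jti),
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(),
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// BuildPARForm assembles the form body with the five fields shown in the page's request body.
func BuildPARForm(assertion, redirectURI, responseType, scope string) url.Values {
	return url.Values{
		"response_type": {responseType}, "redirect_uri": {redirectURI}, "scope": {scope},
		"client_assertion": {assertion}, "client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
	}
}

// PushAuthorizationRequest POSTs the form to {{authPath}}/{{envID}}/as/par and decodes the reply.
func PushAuthorizationRequest(parURL string, form url.Values) (*ParResponse, error) {
	resp, err := http.Post(parURL, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated {
		return nil, fmt.Errorf("PAR endpoint returned %s", resp.Status)
	}
	out := &ParResponse{}
	return out, json.NewDecoder(resp.Body).Decode(out)
}

// VerifyClientAssertion is the server-side check (signature with the registered key, then aud and exp).
func VerifyClientAssertion(token string, pub *rsa.PublicKey, audience string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return fmt.Errorf("bad signature")
	}
	payload, _ := base64.RawURLEncoding.DecodeString(parts[1]) // covered by the signature just checked
	var c struct{ Aud string; Exp int64 }
	if json.Unmarshal(payload, &c) != nil || c.Aud != audience || now.Unix() >= c.Exp {
		return fmt.Errorf("claims rejected")
	}
	return nil
}

// NewMockPARServer stands in for the PingOne endpoint (constructed for this example): 401 unless the assertion verifies, else 201.
func NewMockPARServer(pub *rsa.PublicKey, audience string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.PostFormValue("client_assertion_type") != "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" ||
			VerifyClientAssertion(r.PostFormValue("client_assertion"), pub, audience, time.Now()) != nil {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusCreated)
		json.NewEncoder(w).Encode(ParResponse{RequestURI: "urn:ietf:params:oauth:request_uri:example-0000", ExpiresIn: 60})
	}))
}
```

Against a real environment, point PushAuthorizationRequest at {{authPath}}/{{envID}}/as/par, load the private key from the file that matches the public key registered on the application, and set the audience to the issuer the Create a private key JWT page specifies. The short exp and random jti limit what an attacker can do with an assertion captured in transit, and the server-side aud check is why an assertion minted for one environment is useless at another.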