9/10/2023
Platform docs kids

The Microsoft identity platform allows an application to use its own credentials for authentication anywhere a client secret could be used, for example, in the OAuth 2.0 client credentials grant flow and the on-behalf-of (OBO) flow.

One form of credential that an application can use for authentication is a JSON Web Token (JWT) assertion signed with a certificate that the application owns. This is described in the OpenID Connect specification for the private_key_jwt client authentication option.

If you're interested in using a JWT issued by another identity provider as a credential for your application, please see workload identity federation for how to set up a federation policy.

To compute the assertion, you can use one of the many JWT libraries in the language of your choice - MSAL supports this using. The information is carried by the token in its Header, Claims, and Signature.

Header parameter x5t: Base64url-encoded SHA-1 thumbprint of the X.509 certificate's DER encoding. For example, given an X.509 certificate hash of 84E05C1D98BCE3A5421D225B140B36E86A3D5534 (Hex), the x5t claim would be hOBcHZi846VCHSJbFAs26Go9VTQ (Base64url).

Claims:

aud: The "aud" (audience) claim identifies the recipients that the JWT is intended for (here Azure AD). See RFC 7519, Section 4.1.3. In this case, that recipient is the login server ().

exp: The "exp" (expiration time) claim identifies the expiration time on or after which the JWT must not be accepted for processing. This allows the assertion to be used until then, so keep it short - 5-10 minutes after nbf at most. Azure AD does not place restrictions on the exp time currently.

iss: The "iss" (issuer) claim identifies the principal that issued the JWT, in this case your client application.

jti: The "jti" (JWT ID) claim provides a unique identifier for the JWT. The identifier value must be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The "jti" value is a case-sensitive string.

nbf: The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing.

sub: The "sub" (subject) claim identifies the subject of the JWT, in this case also your application.
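As an added example that is not part of the original page or of MSAL, the following Python builds the header and claim set described above (x5t computed from the certificate thumbprint, exp kept 5 minutes after nbf, random jti) and applies the checks a token endpoint would run on them after verifying the signature. The token endpoint URL and client id are constructed placeholders; RS256 signing of the returned signing input with the certificate's private key is left to whichever JWT library you use.

```python
import base64, hashlib, json, time, uuid

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def x5t_from_der(cert_der: bytes) -> str:
    """x5t header value: base64url of the SHA-1 thumbprint of the DER-encoded certificate."""
    return b64url(hashlib.sha1(cert_der).digest())

def build_assertion(client_id, x5t_value, token_endpoint, now=None, lifetime=300):
    """Header, claims and JWS signing input for a private_key_jwt client assertion.
    lifetime=300 puts exp 5 minutes after nbf; sign the signing input with RS256 using the
    certificate's private key (any JWT library) and append the signature as third segment."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t_value}
    claims = {
        "aud": token_endpoint,     # the login server that will consume the assertion
        "iss": client_id,          # issuer: the client application itself
        "sub": client_id,          # subject: also the client application
        "jti": str(uuid.uuid4()),  # random id: accidental collisions negligible, replays detectable
        "nbf": now,
        "exp": now + lifetime,
    }
    def compact(obj):  # base64url of minified JSON, one JWS segment
        return b64url(json.dumps(obj, separators=(",", ":")).encode())
    return header, claims, compact(header) + "." + compact(claims)

def check_claims(claims, expected_aud, expected_client, now, seen_jti, max_lifetime=600):
    """Token-endpoint-side claim checks (run after the RS256 signature has been verified)."""
    problems = [f"missing {n}" for n in ("aud", "iss", "sub", "jti", "nbf", "exp") if n not in claims]
    if problems:
        return problems
    if claims["aud"] != expected_aud:
        problems.append("aud does not name this token endpoint")
    if claims["iss"] != expected_client or claims["sub"] != expected_client:
        problems.append("iss/sub do not match the authenticating client")
    if now < claims["nbf"]:
        problems.append("not yet valid (nbf in the future)")
    if now >= claims["exp"]:
        problems.append("expired")
    if claims["exp"] - claims["nbf"] > max_lifetime:
        problems.append("validity window longer than 10 minutes")
    if claims["jti"] in seen_jti:
        problems.append("jti already seen: replayed assertion")
    else:
        seen_jti.add(claims["jti"])
    return problems
```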