Client Assertion

Authentication by client assertion works like authentication by client secret, except that instead of transmitting a shared secret over the network the client creates a JWT and signs it with its private key. Aritma Id stores only the corresponding public key and uses it to validate the signature; the private key never leaves the client.

Token request

Client assertion is a way of authenticating the client in a token request, so it is sent to the /connect/token endpoint in place of a client secret. In the client credentials flow shown below you send grant_type=client_credentials, client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer, your client_assertion and the scope you want. If you are instead exchanging an authorization code you have received, use grant_type=authorization_code and include the supplied code and the redirect_uri together with the same client_assertion and client_assertion_type parameters.

POST /connect/token

Request
POST https://id.aritma.io/{tenant}/connect/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

  grant_type=client_credentials&
  client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&
  client_assertion=YOUR_JWT_SIGNED_TOKEN&
  scope=YOUR_SCOPE
Response
HTTP/1.1 200 OK
Content-Type: application/json
{
  "access_token":"eyJz93a...k4laUWw",
  "refresh_token":"GEbRxBN...edjnXbL",
  "id_token":"eyJ0XAi...4faeEoQ",
  "token_type":"Bearer",
  "expires_in":86400
}
Parameter Description
grant_type (required) Denotes the flow you are using. For the client credentials flow shown above use client_credentials.
client_assertion_type (required) Must be urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
client_assertion (required) A JWT signed with your private key. Must include a sub (subject) claim set to the application's client_id.
scope (required) The scope for the access token; it can't be an OpenID scope.
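The whole exchange end to end, as an added example that is not part of Aritma's documentation or code: a Go program (standard library only) that builds and signs the client assertion, assembles the token request body, and, as a stand-in for what the token endpoint does, verifies the assertion with nothing but the public key. The tenant, client_id, scope and key pair are constructed placeholders. The page only states that sub must carry the client_id; the additional iss, aud, jti and exp claims follow the RFC 7523 JWT client-assertion profile and are an assumption here, and which of them Aritma Id enforces is not documented on this page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Constructed placeholders: the tenant, client_id and scope are not values from Aritma's docs.
const (
	tokenEndpoint = "https://id.aritma.io/example-tenant/connect/token"
	clientID      = "example-client-id"
	scope         = "example.scope"
	assertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
)

// sub carries the client_id as the page requires; iss, aud, jti and exp follow RFC 7523 (assumed, not on the page).
type jwtClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// generateKey stands in for the client's registered key pair; only the public half is given to Aritma Id.
func generateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// buildClientAssertion returns the compact RS256 JWT that goes in client_assertion.
func buildClientAssertion(key *rsa.PrivateKey, clientID, audience string, now time.Time, lifetime time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	jti := make([]byte, 16) // fresh per assertion so a captured one cannot be replayed
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims, _ := json.Marshal(jwtClaims{Iss: clientID, Sub: clientID, Aud: audience,
		Jti: b64url(jti), Exp: now.Add(lifetime).Unix()})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// tokenRequestBody builds the x-www-form-urlencoded body for POST /connect/token.
func tokenRequestBody(assertion, scope string) string {
	form := url.Values{}
	form.Set("grant_type", "client_credentials")
	form.Set("client_assertion_type", assertionType)
	form.Set("client_assertion", assertion)
	form.Set("scope", scope)
	return form.Encode()
}

// verifyClientAssertion is the server side and needs only the public key: alg, signature, sub, aud and exp are checked.
func verifyClientAssertion(pub *rsa.PublicKey, token, expectedClientID, audience string, now time.Time) (*jwtClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var hdr map[string]any
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr["alg"] != "RS256" {
		return nil, errors.New("header must declare alg RS256") // stops alg=none and key-confusion tricks up front
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c jwtClaims
	if raw, err = base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if c.Sub != expectedClientID || c.Aud != audience || now.Unix() >= c.Exp {
		return nil, fmt.Errorf("claims rejected (sub=%q aud=%q exp=%d)", c.Sub, c.Aud, c.Exp)
	}
	return &c, nil
}

func main() {
	key, _ := generateKey()
	assertion, _ := buildClientAssertion(key, clientID, tokenEndpoint, time.Now(), time.Minute)
	fmt.Println(tokenRequestBody(assertion, scope)) // the POST /connect/token body
	_, err := verifyClientAssertion(&key.PublicKey, assertion, clientID, tokenEndpoint, time.Now())
	fmt.Println("server-side check:", err) // nil means accepted
}
```

Keep the assertion short-lived (one minute here) and mint a fresh jti for every request: the signature proves possession of the private key, but only the exp and jti claims limit how long a captured assertion stays usable. This stand-in verifier checks expiry and rejects any header that does not declare RS256, but it keeps no jti replay cache; a real token endpoint would.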