Support JWT Format in Access Tokens

To support federation with external applications, allowing the delegation of authorization and authentication, you can request JWT-formatted access tokens.

To obtain a JWT access token, an opaque token is exchanged for a JWT through the introspection endpoint when an "audience" parameter is sent with the request (the "audience" in question being the identifier of the external Resource Provider, for example, its HTTP URL).

ActivID AS signs the response of the introspection endpoint, so that it can be validated by the resource owner without requiring it to call the introspection endpoint of the ActivID AS server.

The typical usage flow is similar to that of domain federation (see Configuring Security Domain Federation).

  1. The client application uses the token endpoint, for example through the Resource Owner Password grant flow or the Authorization Code flow, to retrieve an access token (and optionally, an ID Token).
  2. The client application calls the authorization server's introspection endpoint to retrieve the access token's information as a JWT signed by the authorization server.
  3. The client application passes the JWT to the resource server, which grants access by trusting the JWT's signature and the permissions embedded in the JWT (typically based on the content of the sub, scope, and roles claims, and possibly checking the aud and/or jti claims as well).
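
The resource-server side of step 3, as an added example that is not ActivID AS code: a signed introspection JWT is verified (signature first, then aud, exp, scope and optionally jti) before any permission is derived from it. The signing key, the audience URL and the HS256 stand-in for the AS's signature are constructed assumptions for the demo; a real resource server verifies the AS's asymmetric signature with its public key.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions, not ActivID AS configuration): in a real
# deployment the resource server holds the AS's public key and verifies RS256/ES256.
AS_SIGNING_KEY = b"demo-shared-secret-not-for-production"
RESOURCE_SERVER_ID = "https://api.example.test"   # the "audience" requested at introspection
_seen_jti: set = set()                             # replay cache for single-use JWTs

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_introspection_jwt(claims: dict) -> str:
    """Stand-in for the AS's signed introspection response (HS256 so the demo is stdlib-only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(AS_SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def check_access(token: str, required_scope: str, now=None, single_use=False):
    """Resource-server check. Returns (ok, reason, claims); signature is checked before any claim."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token", {}
    header_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return False, "unexpected alg", {}       # pin the algorithm; do not trust the token's alg
    expected = hmac.new(AS_SIGNING_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature", {}
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("active") is False:
        return False, "token not active", claims
    aud = claims.get("aud", [])
    if RESOURCE_SERVER_ID not in (aud if isinstance(aud, list) else [aud]):
        return False, "aud mismatch", claims     # JWT was issued for a different resource provider
    if claims.get("exp", 0) <= now:
        return False, "expired", claims
    if required_scope not in claims.get("scope", "").split():
        return False, "insufficient scope", claims
    if single_use:                               # jti check for deployments that present a JWT once
        jti = claims.get("jti")
        if not jti or jti in _seen_jti:
            return False, "missing or replayed jti", claims
        _seen_jti.add(jti)
    return True, "ok", claims
```

The roles claim is returned with the verified claims so the resource server can map it to its own authorization decisions after the checks above have passed.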

Topics in this section: