Client Assertion JWT

This authentication method uses public-key cryptography (PKI): the client proves possession of a private key, and Corppass holds only the matching public keys, so no shared secret has to be stored on either side or transferred between them. It is the JWT client authentication profile defined in RFC 7523.

How it works

The client generates an assertion JWT with the header and claims specified below and signs it with one of the private keys whose public counterparts were included in the JWKS supplied during onboarding. Corppass selects the verification key by the kid in the header, so the kid must match the kid of that JWK exactly.

Client Assertion JWT Structure

JWT Header Example

{
    "typ": "JWT",
    "kid": "d591e152-886e-46cc-aa70-36a4431162a6",
    "alg": "ES256"
}

JWT Header Fields

alg: The algorithm used to sign the JWT. Supported values are ES256, ES256K, ES384 and ES512; only these ECDSA algorithms are accepted.

kid: The Key ID of the signing key. It must match the kid of the corresponding JWK supplied during onboarding, since Corppass uses it to look up the verification key.

typ: The token type, set to "JWT".

JWT Claims

sub: The client ID of the registered client.

aud: The intended recipient of the JWT. It must match the issuer value returned by the OpenID Discovery endpoint.

iss: The client ID of the registered client (the same value as sub, because the client issues the assertion about itself).

iat: The time at which the JWT was issued, as a NumericDate (seconds since the Unix epoch) per RFC 7519 section 4.1.6.

exp: The expiration time, on or after which Corppass must not accept the JWT for processing. Corppass rejects assertions whose exp is more than 10 minutes after iat; see RFC 7523 section 3.

jti: A unique identifier for the JWT, used to prevent the same assertion from being replayed. This claim is optional in the current API version (RFC 7519 section 4.1.7 defines it as optional), but it is strongly recommended, as described in section 9 of the OpenID Connect Core specification, and it will be mandatory in the next major API version. Each JWT must carry a jti that has never been used before, for example a freshly generated random value.

To avoid disruption when jti becomes mandatory, plan to update your applications ahead of that change. We strongly recommend reviewing the updated API documentation and transitioning to the new requirements as soon as possible.
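Both sides of this exchange, written out as an added example that is not Corppass's own code: a Go program that builds an assertion with the header and claims described above, signs it with ES256, and then applies the checks a verifier such as Corppass would apply (kid lookup against the onboarded keys, pinned algorithm, signature, iss/sub/aud, the 10-minute exp window, and jti replay detection). The key pair, the kid (reused from the header example), the client ID, the issuer URL and the in-memory replay cache are all constructed for the example; the exact order of Corppass's checks and its error responses are not documented on this page and are assumed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const MaxLifetime = 10 * time.Minute // the page's limit: exp at most 10 minutes after iat

// Claims mirrors the claim set the page lists; KeySet stands in for the onboarding JWKS (kid -> key).
type Claims struct {
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Iss string `json:"iss"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"`
}
type KeySet map[string]*ecdsa.PublicKey

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func decodeSegment(seg string, v any) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// GenerateClientKey makes the P-256 pair whose public half would be published in the onboarding JWKS.
func GenerateClientKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// BuildClientAssertion signs header.claims with ES256. The JWS signature is the raw 32-byte r followed
// by the 32-byte s (RFC 7518 section 3.4), not the DER encoding most ECDSA APIs emit by default.
func BuildClientAssertion(key *ecdsa.PrivateKey, kid, clientID, tokenIssuer string, now time.Time, ttl time.Duration) (string, error) {
	if ttl <= 0 || ttl > MaxLifetime {
		return "", errors.New("assertion lifetime must be positive and at most 10 minutes")
	}
	nonce := make([]byte, 16) // 128 random bits make jti unique per assertion
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	hdr, _ := json.Marshal(map[string]string{"typ": "JWT", "kid": kid, "alg": "ES256"})
	body, _ := json.Marshal(Claims{Sub: clientID, Aud: tokenIssuer, Iss: clientID,
		Iat: now.Unix(), Exp: now.Add(ttl).Unix(), Jti: b64url(nonce)})
	signingInput := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url(sig), nil
}

// VerifyClientAssertion models the server-side checks the page implies: pinned alg, kid resolved against
// onboarded keys, valid signature, iss/sub/aud as specified, the 10-minute window, and an unseen jti.
func VerifyClientAssertion(token string, keys KeySet, serverIssuer, clientID string, now time.Time, seen map[string]bool) (*Claims, error) {
	parts := strings.Split(token, ".")
	h, c := map[string]string{}, Claims{}
	if len(parts) != 3 || decodeSegment(parts[0], &h) != nil || decodeSegment(parts[1], &c) != nil {
		return nil, errors.New("malformed JWS: need three segments with base64url JSON header and claims")
	}
	pub, known := keys[h["kid"]]
	if h["alg"] != "ES256" || !known { // pin the algorithm; never let the token pick it
		return nil, fmt.Errorf("alg %q or kid %q not accepted", h["alg"], h["kid"])
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature malformed or invalid")
	}
	switch {
	case c.Iss != clientID || c.Sub != clientID || c.Aud != serverIssuer:
		return nil, errors.New("iss/sub must be the registered client ID and aud this server's issuer")
	case c.Exp-c.Iat > int64(MaxLifetime/time.Second) || now.Unix() >= c.Exp:
		return nil, errors.New("assertion expired or exp more than 10 minutes after iat")
	case c.Jti == "" || seen[c.Jti]: // seen is the replay cache
		return nil, errors.New("jti missing or already used (replay)")
	}
	seen[c.Jti] = true
	return &c, nil
}

func main() { // stand-alone demo: print one freshly built assertion
	key, _ := GenerateClientKey()
	fmt.Println(BuildClientAssertion(key, "d591e152-886e-46cc-aa70-36a4431162a6", "client-id", "https://issuer.example", time.Now(), 5*time.Minute))
}
```

Only ES256 is implemented; ES384 and ES512 differ in curve and hash (P-384 with SHA-384, P-521 with SHA-512) and in the length of the r||s signature, and ES256K uses secp256k1 with SHA-256. The signature encoding is the usual pitfall: a DER-encoded signature (for example from Go's ecdsa.SignASN1) is not a valid JWS signature and will fail verification.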
