
Client Assertion JWT


Last updated 3 months ago

This authentication method leverages PKI (Public Key Infrastructure) and eliminates the need to store or transfer shared secrets. For more details, refer to the RFC 7523 specification.

How it works

The client must generate an assertion JWT containing the header and claims specified below, signed with one of the private keys whose corresponding public keys were included in the JWKS provided during onboarding.

Client Assertion JWT Structure

JWT Header Example

{
    "typ": "JWT",
    "kid": "d591e152-886e-46cc-aa70-36a4431162a6",
    "alg": "ES256"
}

JWT Header Fields

alg
    The algorithm used for signing the JWT. Supported values are ES256, ES256K, ES384, and ES512.

kid
    The Key ID associated with the signing key, matching the JWK provided during onboarding.

typ
    The type of the token, typically set to "JWT".

JWT Claims

sub
    The client ID of the registered client.

aud
    The recipient for whom this JWT is intended. This must match the issuer field in the response of the OpenID Discovery endpoint.

iss
    The client ID of the registered client.

iat
    The time at which the JWT was issued. Refer to the RFC specification for details.

exp
    The expiration time on or after which the JWT must not be accepted by Corppass for processing. Corppass will reject tokens with an exp longer than 10 minutes from the iat. Refer to Section 3 of RFC 7523 for more details.

    To avoid disruptions, please plan to update your applications accordingly. We strongly recommend reviewing the updated API documentation and transitioning to the new requirements as soon as possible.

jti
    The unique identifier for the JWT, used to prevent token reuse. This claim is optional in the existing API version; refer to Section 4.1 of RFC 7519 for details. However, it is strongly recommended for enhanced security, as outlined in Section 9 of the OIDC Core Specification. This claim will be mandatory in the next major API version. Implementations must ensure the jti is unique for each JWT.
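The following Go program is an added example, not Corppass code, showing how a client can assemble the header and claims above and sign them with ES256 using only the standard library. NewSigningKey generates a throwaway P-256 key in place of the onboarded private key, and the client ID, kid and issuer values passed to NewClientAssertion are placeholders supplied by the caller.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"time"
)

// MaxLifetime is the longest exp-iat window Corppass accepts for a client assertion.
const MaxLifetime = 10 * time.Minute
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewSigningKey generates a throwaway P-256 key for demonstration; a real client loads
// the private key whose public half is in the JWKS it registered at onboarding.
func NewSigningKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// NewClientAssertion builds the header and claims this page describes and signs them with
// ES256 (ECDSA P-256 over SHA-256). kid is the key ID registered in the client JWKS;
// issuer is the "issuer" value from the OpenID Discovery endpoint and becomes aud.
func NewClientAssertion(key *ecdsa.PrivateKey, kid, clientID, issuer string, now time.Time) (string, error) {
	if key.Curve != elliptic.P256() {
		return "", errors.New("alg ES256 requires a P-256 private key")
	}
	jti := make([]byte, 16) // 128 random bits so every assertion carries a unique jti
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	header, _ := json.Marshal(map[string]string{"typ": "JWT", "kid": kid, "alg": "ES256"})
	claims, _ := json.Marshal(map[string]interface{}{
		"sub": clientID, "iss": clientID, "aud": issuer, "jti": b64url(jti),
		"iat": now.Unix(), "exp": now.Add(MaxLifetime).Unix(), // never beyond the 10-minute cap
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the raw r||s values, each left-padded to 32 bytes,
	// not the ASN.1 DER encoding that ecdsa.SignASN1 would produce.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url(sig), nil
}
```

The returned string is sent as the client_assertion parameter; the public key from the registered JWKS verifies it over the first two segments exactly as Corppass does.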