Create the pre-authorized request
Use this information to create a pre-authorized JWT request that is used in the pre-authorized code flow.
Pre-authorized request payload claims
The pre-authorized request payload must contain the following claims.
| Claim name | Description | Valid values |
|---|---|---|
| iss | Unique identifier of credential issuer that issued the JWT | Valid URI of the credential issuer. |
| sub | Principal subject identifier | The unique identifier of a user. |
| exp | JWT expiration time | The number of seconds from 1970-01-01T0:0:0Z as measured in UTC. Note: The JWT expiration time cannot be more than 3600 seconds in the future. |
| jti | JWT identifier | A randomly generated opaque string. |
The pre-authorized request payload can also contain the following optional claims.
| Claim name | Description | Valid values |
|---|---|---|
| aud | The authorization server's issuer identifier, as published in its well-known endpoint. | Valid URI of the credential issuer. |
| sub_type | Principal subject identifier type. | Either 'uid', 'username', or 'externalId'. The default is 'uid'. |
| realm | Principal subject realm | The identity source realm that the sub belongs to. |
| iat | JWT creation time | The number of seconds from 1970-01-01T0:0:0Z as measured in UTC. Note: The JWT creation time cannot be more than 3600 seconds in the past. |
| tx_code | Credential issuer's override of pre-authorized settings. | A JSON object having claims as described in the Transaction code claims table. |
| issuer_state | An opaque value to bind credential issuer context with the access token generated. | Any string. It can also be a JWT. |
The tx_code claim only takes effect when such an override is allowed in the pre-authorized settings. In that mode, a transaction code is generated whenever the tx_code claim is present. The Transaction code claims table describes the possible override options.
| Claim name | Description | Valid value |
|---|---|---|
| input_mode | Determine the transaction code character-set. | Either 'numeric' (only numbers) or 'text' (alphanumeric) |
| length | Determine the length of the transaction code. | A numeric value between 4 and 10 |
| description | The message for wallet application to show to the end-user. | Any string |
| channel | Describe how to deliver the transaction code to the end-user. | A JSON object having claims as described in the Channel claims table below. |
Three channels are available to deliver the transaction code: email, SMS, or other means that are determined by the credential issuer. For the last option, the authorization server only returns the transaction code to the credential issuer, which delivers it itself.
| Claim name | Description | Valid value |
|---|---|---|
| type | Channel type to deliver transaction code to end-user. | Either 'email', 'sms' or 'issuer' |
| value | End-user email address (for type = email) or phone number (for type = sms). | Valid email address or phone number. |
Pre-authorized request payload example
{
  "iss": "https://www.credential-issuer.com",
  "sub": "user@idsource.com",
  "sub_type": "username",
  "aud": "https://sometenant.ice.com/oauth2",
  "exp": 1324298520,
  "jti": "araiov8werli2awerlj",
  "tx_code": {
    "input_mode": "text",
    "length": 6,
    "description": "Please provide this transaction code:",
    "channel": {
      "type": "email",
      "value": "bob@ibm.com"
    }
  },
  "issuer_state": "sa82jpawfagnns"
}
Supported algorithms
The pre-authorized request JWT can be signed using any of these algorithms: RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, and PS512.
The JWT is validated against the keys published at the credential issuer's JWKS URI. Because the JWKS URI might publish multiple keys, ensure that the signed JWT includes a kid header that uniquely identifies the key used. The credential issuer's JWKS URI is configured in the federation settings. Ensure that the issuer's identifier matches the iss claim in the request payload.
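The following Python snippet is an added example, not code from the product documentation: it checks a pre-authorized payload against the claim rules in the tables above (required claims, the 3600-second exp/iat windows, sub_type, tx_code length and input_mode, channel type and value) and builds the header.payload signing input with a kid header. The sample payload is the page's own example, and the actual signature with the issuer's private key is left to a JOSE library.

```python
import base64, json, time

ALLOWED_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
                "PS256", "PS384", "PS512"}
MAX_EXP_AHEAD = 3600   # exp may not be more than 3600 s in the future
MAX_IAT_BEHIND = 3600  # iat may not be more than 3600 s in the past

# Constructed sample: the payload example given on this page.
EXAMPLE_PAYLOAD = {
    "iss": "https://www.credential-issuer.com", "sub": "user@idsource.com",
    "sub_type": "username", "aud": "https://sometenant.ice.com/oauth2",
    "exp": 1324298520, "jti": "araiov8werli2awerlj",
    "tx_code": {"input_mode": "text", "length": 6,
                "description": "Please provide this transaction code:",
                "channel": {"type": "email", "value": "bob@ibm.com"}},
    "issuer_state": "sa82jpawfagnns",
}

def validate_preauth_payload(payload, now=None):
    """Return the list of rule violations; an empty list means the payload passes."""
    now = int(time.time()) if now is None else now
    problems = [f"missing required claim {c}" for c in ("iss", "sub", "exp", "jti") if c not in payload]
    if "exp" in payload and payload["exp"] > now + MAX_EXP_AHEAD:
        problems.append("exp is more than 3600 s in the future")
    if "iat" in payload and payload["iat"] < now - MAX_IAT_BEHIND:
        problems.append("iat is more than 3600 s in the past")
    if payload.get("sub_type", "uid") not in ("uid", "username", "externalId"):
        problems.append("sub_type must be uid, username or externalId")
    tx = payload.get("tx_code")
    if tx is not None:
        if "input_mode" in tx and tx["input_mode"] not in ("numeric", "text"):
            problems.append("tx_code.input_mode must be numeric or text")
        if "length" in tx and not (isinstance(tx["length"], int) and 4 <= tx["length"] <= 10):
            problems.append("tx_code.length must be an integer between 4 and 10")
        ch = tx.get("channel")
        if ch is not None:
            if ch.get("type") not in ("email", "sms", "issuer"):
                problems.append("channel.type must be email, sms or issuer")
            elif ch["type"] != "issuer" and not ch.get("value"):
                problems.append("channel.value is required for email and sms delivery")
    return problems

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def signing_input(payload, alg, kid):
    # Header carries alg and kid; the issuer's private key signs this string (signing not shown).
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"unsupported alg {alg}")
    header = {"alg": alg, "kid": kid}
    return ".".join(b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload))
```

With alg ES256 and kid "16", the header segment produced equals the one at the start of the curl request example below.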
Request example
curl -ki -X POST https://<tenantId>/oauth2/preauth --data "eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.eyJpc3Mi..." -H "Content-Type:application/jwt"