Using access policy with the ROPC and JWT Bearer grant types

Obtaining an OAuth grant with the ROPC or JWT Bearer grant types follows much the same processing flow as using access policy.

Comparison

The key differences are:
  • First factor rules do not apply because first-factor authentication occurs before an access policy is invoked.
  • Access policy is only evaluated if it is enabled for the grant type that is used.
The core process stays the same:
  1. Receiving an mfa_challenge token.
  2. Performing an authentication factor.
  3. Presenting the issued JWT back to /token.
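
A minimal model of the three steps and the grant-type condition above, added here as an illustration and not taken from the product's code or API. The function names, the `policy_grant_types` setting, the token format (HMAC-signed JSON standing in for a real JWT) and the one-time-code factor are all assumptions.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # constructed; a real service signs with its own keys

def sign(claims):
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()

def verify(token, typ):
    """Return the claims if signature, token type and expiry all check out, else None."""
    body, _, mac = (token or "").partition(".")
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims["typ"] == typ and claims["exp"] > time.time() else None

def token_endpoint(app, grant_type, subject=None, mfa_jwt=None):
    """Model of /token, called after first-factor authentication has already succeeded."""
    if mfa_jwt is not None:  # step 3: the JWT issued by the factor step comes back
        claims = verify(mfa_jwt, "mfa_ok")
        if claims is None:
            return {"error": "invalid_grant"}
        return {"access_token": sign({"sub": claims["sub"], "typ": "access", "exp": time.time() + 300})}
    if grant_type in app["policy_grant_types"]:  # policy is enabled for this grant type
        # step 1: no access token yet, only a short-lived challenge token
        return {"mfa_challenge": sign({"sub": subject, "typ": "mfa_challenge", "exp": time.time() + 120})}
    # policy not enabled for this grant type: it is never evaluated, token issued directly
    return {"access_token": sign({"sub": subject, "typ": "access", "exp": time.time() + 300})}

def perform_factor(challenge, otp, expected_otp):
    """Step 2: a valid challenge plus a correct factor yields a short-lived JWT."""
    claims = verify(challenge, "mfa_challenge")
    if claims is None or not hmac.compare_digest(otp.encode(), expected_otp.encode()):
        return None
    return sign({"sub": claims["sub"], "typ": "mfa_ok", "exp": time.time() + 60})

if __name__ == "__main__":
    app = {"policy_grant_types": {"password"}}  # constructed: policy on for ROPC only
    step1 = token_endpoint(app, "password", subject="alice")
    jwt = perform_factor(step1["mfa_challenge"], "123456", "123456")
    print(sorted(token_endpoint(app, "password", mfa_jwt=jwt)))
    print(sorted(token_endpoint(app, "urn:ietf:params:oauth:grant-type:jwt-bearer", subject="svc")))
```

The second call in the demo shows the case worth auditing: a grant type that is left out of the policy setting receives an access token with no challenge at all.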