JSON Web Token Assertions

An assertion is used to share identity and security information across different domains. Assertions have two uses:

  • Authorization grants
  • Client authentication

A JWT assertion is an assertion in the JWT format that contains information about a subject, the party that issued the assertion, its validity, etc. The entity that creates and signs or integrity-protects the assertion is typically known as the Issuer, and the entity that consumes the assertion and relies on its information is typically known as the Relying Party.

Assertion as Authorization Grant

When using a JWT assertion as an authorization grant, the client obtains an assertion from a third-party entity. This entity, usually referred to as the security token service (STS) or token service, can issue, renew, transform, and validate tokens. A trust relationship between this service and the relying party also exists. See Configuring the JWT Bearer Flow for more information.

The token service issues assertions after receiving requests from clients that present various credentials. The service fills the assertions with the appropriate information and protects them with a signature or message authentication code.

The client receives an assertion from the token service that the relying party validates.

Assertion for Client Authentication

When using JWT assertions for client authentication, the client creates assertions locally. It then applies a signature or message authentication code to each assertion using a key. The key can be a shared secret (symmetric key signing) or a private key (asymmetric key signing).

The client creates an assertion that the relying party validates.

Assertions generally convey identity and security information, but self-issued assertions have another purpose: they demonstrate knowledge of a secret, such as a client secret, without communicating the secret directly in the transaction.
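
The client authentication exchange described above, as an added example that is not part of the original page or Liferay's own code: the client signs a self-issued assertion with a shared secret (HS256) and the relying party validates it without the secret ever being transmitted. The function names, the single-string aud comparison, and the in-memory jti replay set are assumptions for illustration; the iss, sub, aud, exp and jti claims follow RFC 7523.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_assertion(client_id, secret, audience, now, jti, ttl=60):
    """Client side: build and sign a short-lived, self-issued HS256 assertion."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "iat": now, "exp": now + ttl, "jti": jti}
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)

def validate_client_assertion(token, secrets_by_client, audience, now, seen_jti):
    """Relying party side: return the authenticated client_id or raise ValueError."""
    try:
        h64, c64, s64 = token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(c64))
        sig = b64url_decode(s64)
        iss, jti = claims.get("iss"), claims.get("jti")
        alg = header.get("alg")
    except Exception as exc:
        raise ValueError("malformed assertion") from exc
    if alg != "HS256":  # pin the algorithm instead of trusting the header
        raise ValueError("unexpected alg")
    if not isinstance(iss, str) or iss not in secrets_by_client:
        raise ValueError("unknown issuer")
    expected = hmac.new(secrets_by_client[iss], f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    if claims.get("sub") != iss:  # self-issued: issuer and subject are both the client
        raise ValueError("iss and sub must match")
    if claims.get("aud") != audience:  # must be addressed to this relying party
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("expired")
    if not isinstance(jti, str) or jti in seen_jti:  # each assertion is single-use
        raise ValueError("missing or replayed jti")
    seen_jti.add(jti)
    return iss
```

The claim checks run only after the signature verifies, so an unauthenticated caller cannot probe claim handling or fill the replay set.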

© 2024 Liferay Inc. All Rights Reserved • Privacy Policy