Configure JWT bearer grant

You can add a trusted token issuer so that a JWT assertion it issued can be exchanged for an OAuth 2.0 access token, which is then used to access protected resources on behalf of the resource owner.

Learn how to configure the OAuth 2.0 JWT bearer grant flow in Asgardeo. Refer to JWT bearer grant for more information on how the flow works.

Follow this guide for instructions.

Register a trusted token issuer

To exchange a third-party token for an Asgardeo token, you need to register the third-party token issuer as a trusted token issuer in your Asgardeo organization.

To register a trusted token issuer:

  1. On the Asgardeo console, go to Connections.
  2. Click New Connections and click Create on the Trusted Token Issuer.
  3. Enter the following details of the trusted token issuer:

    Trusted token issuer name
      A unique name for the new trusted token issuer.

    Issuer
      A unique issuer value of the trusted token issuer. This is the value of the iss claim in the JWT token generated by the configured identity provider.
      Example: https://third-party-token-issuers.io/oauth2/token

    Alias
      The name by which the trusted token issuer knows Asgardeo. The aud claim of the token should include the Asgardeo organization's issuer value. If the aud claim doesn't include the organization's issuer value, the system validates the alias value you assign here against the aud claim.
      Example: https://third-party-token-issuers.io/oauth2/token

  4. Click Next and provide the mode of certificate configuration.

    • JWKS endpoint: The JWKS endpoint of the trusted token issuer.

    • Use PEM certificate: Upload or paste the public certificate of the trusted token issuer in the PEM format.

      Convert .crt, .cer or .der files to the .pem format using OpenSSL:

      Convert CRT to PEM:
      openssl x509 -in cert.crt -out cert.pem

      Convert CER to PEM (add -inform der if the .cer file is DER-encoded rather than PEM-encoded):
      openssl x509 -in cert.cer -out cert.pem

      Convert DER to PEM (DER input must be declared with -inform der, since openssl x509 expects PEM by default):
      openssl x509 -inform der -in cert.der -out cert.pem


  5. Click Finish to add the new trusted token issuer.

Enable JWT bearer grant in your app

Before you begin

You need to register a standard-based OIDC application with Asgardeo.

To enable JWT bearer grant in your application:

  1. On the Asgardeo Console, go to Applications.

  2. Open your application from the list and go to the Protocol tab.

  3. Add JWT Bearer under the Allowed grant types.

  4. Click Update to save the configurations.

Try it out

Follow the steps given below.

  1. Get the JWT token received from the third-party token issuer.

  2. The application sends the access request to the token endpoint in Asgardeo with the following:

    • JWT bearer grant type.

    • JWT assertion created by the third-party token issuer.

    • Service provider's client ID and client secret.

  3. Execute the following cURL command to exchange the third-party token for an Asgardeo token. (The -k flag skips TLS certificate verification; it is convenient for testing against a local setup but should be dropped when calling the production endpoint.)

    curl -v -k -X POST https://api.asgardeo.io/t/<organization_name>/oauth2/token \
    --header "Authorization: Basic <Base64Encoded(CLIENT_ID:CLIENT_SECRET)>" \
    --header "Content-Type:application/x-www-form-urlencoded" \
    --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer" \
    --data-urlencode "assertion=<jwt_token>"
    

    Upon successful execution, you will receive the exchanged token issued by Asgardeo.
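    The following Python script is an added example, not Asgardeo's own code or part of the original page. It shows two things from this guide side by side: the claim checks a trusted token issuer configuration implies (iss must match the registered issuer, aud must contain the organization's issuer value or, failing that, the configured alias, and the assertion must not be expired), and how the cURL request above is assembled (Basic client authentication, the jwt-bearer grant_type and the assertion as form fields). The issuer, alias, organization issuer and client credentials are constructed placeholders, and the test assertions it builds carry a placeholder signature; signature verification against the issuer's JWKS endpoint or PEM certificate is assumed to happen separately and is not implemented here.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed trusted token issuer registration, mirroring the console fields.
# Values are hypothetical and do not belong to any real tenant.
TRUSTED_ISSUER = {
    "issuer": "https://third-party-token-issuers.io/oauth2/token",
    "alias": "https://third-party-token-issuers.io/asgardeo-alias",
}
# Hypothetical issuer value of the Asgardeo organization (placeholder org name).
ORG_ISSUER = "https://api.asgardeo.io/t/<organization_name>/oauth2/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(assertion: str) -> dict:
    """Return the payload of a compact JWS. The signature is NOT checked here;
    Asgardeo verifies it against the issuer's JWKS endpoint or PEM certificate."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("assertion is not a compact JWS (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def validate_assertion(assertion: str, trusted: dict, org_issuer: str, now: int):
    """Apply the issuer, audience and expiry rules from the trusted token issuer
    registration. Returns (accepted, reason)."""
    claims = decode_claims(assertion)
    if claims.get("iss") != trusted["issuer"]:
        return False, "iss does not match the registered issuer"
    aud = claims.get("aud", [])
    if isinstance(aud, str):          # aud may be a single string or a list
        aud = [aud]
    # Preferred: aud carries the organization's issuer value.
    # Fallback: aud carries the alias configured for this issuer.
    if org_issuer not in aud and trusted["alias"] not in aud:
        return False, "aud contains neither the organization issuer nor the alias"
    exp = claims.get("exp")
    if exp is None or now >= exp:
        return False, "assertion is missing exp or has expired"
    return True, "ok"


def make_test_assertion(claims: dict) -> str:
    """Constructed token for exercising the claim checks offline. The third
    segment is a placeholder, not a real signature, so such a token must never
    pass a real verifier."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-placeholder"


def build_token_request(org_name: str, client_id: str, client_secret: str, assertion: str) -> dict:
    """Assemble the same request as the cURL command in this guide (not sent)."""
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "url": f"https://api.asgardeo.io/t/{org_name}/oauth2/token",
        "headers": {
            "Authorization": f"Basic {credentials}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": JWT_BEARER, "assertion": assertion}),
    }


if __name__ == "__main__":
    token = make_test_assertion(
        {"iss": TRUSTED_ISSUER["issuer"], "aud": [TRUSTED_ISSUER["alias"]], "exp": 2_000_000_000}
    )
    print(validate_assertion(token, TRUSTED_ISSUER, ORG_ISSUER, now=1_700_000_000))
    print(build_token_request("myorg", "id", "secret", token)["body"][:80])
```

    The aud fallback is the part worth noticing: an assertion whose aud names only the alias is accepted, so the alias you register is effectively a second accepted audience and should be as specific as the issuer value itself.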

Refer to JWT Bearer grant for more information on how the flow works.