The Client Assertion Token enables Mobile Connect Polling Token requests to be passed in a signed JSON object containing the values in the table below. The object, encoded as a JWT string, is passed to the ID Gateway as a request parameter.

  • When using a signature, the alg parameter of the JWS header MUST be set to an appropriate algorithm as defined in JSON Web Algorithms (JWA).
  • The private key used to sign the content MUST be associated with a public key.
  • The public key used for signature verification must be published in the registered application's JWK set (via the JWKS URI).
  • If there are multiple keys in the referenced JWK set, a kid (key ID) value MUST be provided in the JWS header so the ID Gateway can select the correct key.
  • The key usage of the respective keys MUST support signing.

To create the Client Assertion Token, use the same multi-step process as detailed on the Request Object page. The Client Assertion Token payload has the following parameters:

| Parameter | Usage    | Description |
|-----------|----------|-------------|
| iss       | REQUIRED | This must be the client_id of the SP that is registered with the ID Gateway. |
| sub       | REQUIRED | This must be the client_id of the SP that is registered with the ID Gateway. |
| aud       | REQUIRED | The value must be the polling endpoint of the ID Gateway. The value identifies the ID Gateway as an intended audience for this token. |
| exp       | REQUIRED | The expiration time on or after which the assertion will not be accepted for processing. If the expiration time has elapsed, the IDGW returns an error instead of processing the request and issuing the ID Token and Access Token. |
| iat       | REQUIRED | The JWT creation time. It should be used in conjunction with the exp parameter to determine whether to process the request and return the ID Token and Access Token. |

More details on using private_key_jwt for token requests can be found in the Client Authentication section of the OpenID Connect Core 1.0 specification.
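The following is an added example, not code from the Mobile Connect documentation or the ID Gateway, showing both halves of the exchange described above in Go with only the standard library: the SP builds and signs a client assertion carrying iss, sub, aud, exp and iat with a kid in the JWS header, and the gateway side selects the key by kid from the published key set, checks that its usage permits signing, verifies the signature, and applies the iss/sub, aud and iat/exp checks from the table. Assumptions: ES256 is used as the JWA algorithm (the page leaves the choice open), the client_id "sp-client-id", key ID "sp-key-1" and polling endpoint "https://idgw.example/polling" are constructed placeholders, and the JWK type keeps only the kid and use members plus an already-parsed public key rather than the crv/x/y encoding a real JWKS document carries.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS segments are base64url without padding

// Claims is the client assertion payload described in the table above.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Iat int64  `json:"iat"`
}

// JWK keeps what the gateway relies on from a published key; Key stands in for the EC point a real JWKS parser rebuilds from crv/x/y.
type JWK struct {
	Kid, Use string
	Key      *ecdsa.PublicKey
}

// NewSPKey makes a P-256 key pair standing in for the SP's registered signing key (constructed for this example).
func NewSPKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// BuildAssertion signs header.payload with ES256; the kid header lets the gateway pick the right key from a multi-key JWK set.
func BuildAssertion(priv *ecdsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// An ES256 JWS signature is the raw 32-byte R and S concatenated, not ASN.1.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyAssertion applies the gateway-side checks: the one accepted alg, kid lookup among signing-use keys, signature, iss == sub, audience, iat/exp window.
func VerifyAssertion(token string, jwks []JWK, wantAud string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches alg/kid case-insensitively
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("bad header or unsupported alg")
	}
	var pub *ecdsa.PublicKey
	for _, k := range jwks {
		if k.Kid == hdr.Kid && k.Use == "sig" { // the key usage MUST support signing
			pub = k.Key
		}
	}
	if pub == nil {
		return nil, errors.New("no signing key in the JWK set matches kid")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	switch {
	case c.Iss == "" || c.Iss != c.Sub:
		return nil, errors.New("iss and sub must both be the SP client_id")
	case c.Aud != wantAud:
		return nil, errors.New("aud is not this polling endpoint")
	case now >= c.Exp || c.Iat > now:
		return nil, errors.New("outside the iat/exp validity window")
	}
	return &c, nil
}

func main() {
	priv, _ := NewSPKey()
	now := time.Now().Unix()
	// Constructed placeholders for the SP client_id and the gateway polling endpoint.
	tok, _ := BuildAssertion(priv, "sp-key-1", Claims{Iss: "sp-client-id", Sub: "sp-client-id", Aud: "https://idgw.example/polling", Exp: now + 300, Iat: now})
	fmt.Println(VerifyAssertion(tok, []JWK{{Kid: "sp-key-1", Use: "sig", Key: &priv.PublicKey}}, "https://idgw.example/polling", now))
}
```

The verifier deliberately pins the accepted alg instead of trusting whatever the token header names, rejects a kid that matches only a key whose use is not sig, and treats exp as exclusive (an assertion is rejected at exactly its exp second), which are the points the bullet list and the table above leave to the implementer.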

Note: It is strongly recommended to make use of common libraries for JWT and JWS processing to avoid introducing implementation-specific bugs. A useful list of libraries can be found on the OpenID site.