Authenticating on the Token Endpoint

Depending on the client's configured token endpoint authentication method, the credentials sent to the token endpoint differ. A client using client_secret_basic (not a recommended approach, since the shared secret travels on every request) sends an Authorization header with the value Basic base64(${client_id}:${client_secret}), i.e. the client ID and client secret joined by a colon and Base64-encoded.

If your client has a token endpoint authentication method of private_key_jwt you will also need to send a signed JWT (the client assertion) with every token request. The JWT will have the following claims in the payload:

  • iss - your client ID
  • sub - your client ID
  • jti - a unique identifier for this assertion, generated fresh each time, which the token endpoint can use to reject a replayed assertion
  • aud - our token endpoint, i.e. https://identity.moneyhub.co.uk/oidc/token (not the issuer URL)
  • iat - the time at which the token was issued, in seconds since the Unix epoch
  • exp - the time at which the token will expire, in seconds since the Unix epoch; keep the lifetime short

The JWT is sent in the form-encoded body of the token request as the client_assertion parameter, alongside the usual grant parameters. The client_assertion_type parameter will need to be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer.

Example JWT for Client Assertion

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlRxVk1laV9XdUtqZW5HWlJUbnJpeUxXRnZuS2tzTjNvLWFuWXBqS0JEbVUifQ.eyJqdGkiOiJmRnVjb0JpZTc2MGhJcXA3Vn5CeGQiLCJpc3MiOiI5NzlhYmRhYi1mZDY0LTQyZTYtYWJkMi1lZTc0NTQyZjM0OTMiLCJpYXQiOjE2MjI4MTIzNzUsImV4cCI6MTYyMjgxMjk3NSwiYXVkIjoiaHR0cHM6Ly9pZGVudGl0eS5tb25leWh1Yi5jby51ay9vaWRjL3Rva2VuIiwic3ViIjoiOTc5YWJkYWItZmQ2NC00MmU2LWFiZDItZWU3NDU0MmYzNDkzIn0.Q0CFDaGNAv5qCnH_VLN0Hw62A0NvXqTdwKazaAoV7Vo

{
  "jti": "fFucoBie760hIqp7V~Bxd",
  "iss": "979abdab-fd64-42e6-abd2-ee74542f3493",
  "iat": 1622812375,
  "exp": 1622812975,
  "aud": "https://identity.moneyhub.co.uk/oidc/token",
  "sub": "979abdab-fd64-42e6-abd2-ee74542f3493"
}

Notes

  • You will need to generate a unique identifier for every JWT and set it as the jti claim; the token endpoint can use it to reject an assertion that is presented twice.
  • An "issued at" (iat) and "expiry time" (exp) claim are required in the JWTs. Keep the lifetime short; the example above is valid for ten minutes.
  • The assertion must be signed with the private key registered for your client, using an asymmetric algorithm such as RS256, PS256 or ES256, with the kid header identifying the key in your JWKS. Note that the header of the example JWT above carries alg HS256, an HMAC algorithm that belongs to client_secret_jwt rather than private_key_jwt, so do not copy that header verbatim.
  • We recommend using our API Client Library to generate auth URLs and token requests when developing in JavaScript. Alternatively, you can find an OpenID Connect library for your chosen language that supports private_key_jwt client assertions and request objects.

More information about JWT requests is available here