<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">
Hi,</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">
<br>
</div>
<div style="widows: 1;"><font face="Calibri,sans-serif">We have an use case for exchanging a JWT by an access_token, exactly how is described by JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (</font><a href="http://tools.ietf.org/html/rfc7523" style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">http://tools.ietf.org/html/rfc7523</a><font face="Calibri,sans-serif">).
Basically SSO for us. We did some prototyping replacing the defaultOAuth2AuthorizationCode by a class that extends it and also recognizes trusted JWTs (consumerAuthorizationCode). The parameters necessary to create an OAuthAuthentication object are coming
from from the trusted JWT and application registration DB. This appears to be working as expected, the only thing is that the grant_type has to be “code” instead of </font><span style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; widows: 1;">"urn:ietf:params:oauth:grant-</span><span style="widows: 1;"><font face="Calibri,sans-serif">type:jwt-bearer”
as defined in the RFC for this flow. </font></span></div>
<div style="widows: 1;"><span style="widows: 1;"><font face="Calibri,sans-serif"><br>
</font></span></div>
<div style="widows: 1;"><span style="widows: 1;"><font face="Calibri,sans-serif">Thoughts? Any plans to support this grant type?</font></span></div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif;"><br>
</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif;">Regards,</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">
Luiz</div>
</body>
</html>