Configure JWT Assertions for Outbound Use
Perform the following prerequisites to use JWT assertions.
- Take the private key you generated in Configure a Confidential Application to Use the JWT User Assertion Security Policy and upload it on the Certificates page. See Upload a Certificate to Connect with External Services.
The service provider typically provides instructions on how to generate the signing keys and the format. For an example, see Required Keys and OCIDs.
- Create the JWT header and JWT payload JSON files. You upload both files on the Connections page when configuring the adapter to support JWT assertions. For example:

JWT Header JSON File Example

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "fajwt2"
}

Where:
- alg: The signing algorithm. RS256 is RSASSA-PKCS1-v1_5 with SHA-256 (RFC 7518), which is why the uploaded signing key must be an RSA private key.
- typ: The token type, typically JWT.
- kid: A key identifier that is uniquely generated and associated with the uploaded signing key. The authorization server uses it to pick the key that verifies the signature, so it must match the identifier registered for that key.

JWT Payload JSON File Example

{
  "iss": "f6c9d437eed64e2a8f2b045e39e2e03f",
  "sub": "admin.user",
  "aud": "https://identity.oraclecloud.com/",
  "prn": "f1c1h437erd14e2a3f2b045e39e9e12f",
  "exp": 1739412427,
  "iat": 1727372629,
  "jti": "12345"
}
Where:
- JWT issuer (iss): A unique identifier for the entity that issued the assertion. This is typically the entity that holds the key material used to sign or integrity-protect the assertion. Examples of issuers are OAuth clients (when assertions are self-issued) and third-party security token services. If the assertion is self-issued, the issuer value is the client identifier (client_id). If the assertion was issued by a security token service (STS), the issuer must identify the STS in a manner recognized by the authorization server. The assertion must contain an issuer.
- JWT subject (sub): Typically identifies the authorized accessor for which the access token is being requested (that is, the resource owner or an authorized delegate). In some cases this may be a pseudonymous identifier or another value denoting an anonymous user. When the client is acting on behalf of itself, the subject must be the value of the client's client_id. The assertion must contain a subject.
- JWT audience (aud): Identifies the party or parties intended to process the assertion. The assertion must contain an audience that identifies the authorization server, and the authorization server must reject any assertion that does not name its own identity as the intended audience (in this case, for Oracle Identity Cloud Service, https://identity.oraclecloud.com/).
- Principal (prn): Identifies the subject of the JWT, typically the user. The value is application-specific.
- Expires at (exp): The time at which the assertion expires, as a NumericDate (RFC 7519): the number of seconds since 1970-01-01T00:00:00Z UTC, with no time zone component. The assertion must contain an expires-at value that limits the window during which it can be used. The authorization server must reject expired assertions (subject to allowable clock skew between systems) and may reject assertions whose expires-at value is unreasonably far in the future, so keep the window short.
- Issued at (iat): The time at which the JWT was issued, in the same NumericDate format.
- JWT identifier (jti): A unique identifier for the JWT. It lets the authorization server detect a replayed assertion, but only if the server records the identifiers it has already accepted. Generate a fresh value (for example a random UUID) for every assertion rather than reusing a fixed one such as the "12345" in the sample.