Contains information about an OAuth provider's settings for the JWT Bearer grant type.
This object is used by the following operations:
- Any operations that use the OAuthProvider object
The properties included in the JWTBearerGrantType object are listed below.
|AccessTokenExpirationTimeInSeconds||long||The expiration time, in seconds, for the access token. Example: 1296000 (15 days).|
|IssueRefreshTokens||boolean||Indicates whether or not refresh tokens are valid for this grant.|
|GrantExpirationTimeInSeconds||long||The expiration time, in seconds, for the grant.|
|AllowedClockSkewInSeconds||long||Indicates the allowable clock skew value, in seconds, for JSON web key tokens. Example: 600.|
Indicates whether the JWT token is issued by this domain.
The platform supports JWT assertions given by its own OAuth provider or another OAuth provider. One scenario is that the assertions come from PingFederate and the platform validates them; another scenario is that a cusotmer might want to use an identity provider that doesn't support JWT assertions, and wants the platform to create the assertions and also to validate them.
In the platform, this is controlled by a checkbox in the OAuth Provider Domain setup (Tab 2, Grant Types: Assertions Issued by this Provider field).
If the checkbox is checked, or this setting set to true, it implies assertions are created by the same OAuth provider domain that is validating it. When the checkbox is cleared, or the setting set to false, the platform only validates the assertions created by the resource owner authentication domain.
When selecting an identity provider domain for resource owners that cannot create JWT assertions—for example, LDAP domain—the checkbox should be checked, or the setting set to true. If the resource owner authentication domain is PingFederate or any OpenID Connect Relying Party domain, the checkbox should be cleared or this setting set to false.
|GrantType||string||The grant type. In this context, it is always urn:ietf:params:oauth:grant-type:jwt-bearer.|