...
getAuthenticationToken is used to obtain an authentication token given an entity identifier (provided in the request URI) and a TLS client certificate. A PKI is not required for authentication; a self-signed certificate works as well, since the certificate is identified by its fingerprint rather than by a chain of trust.
The client-to-server TLS connection is usually terminated at an HTTP proxy (e.g., a load balancer), and the SHA1 fingerprint (as hex) of the TLS client certificate is forwarded to the authentication server in a header, e.g., X-SSL-Client-SHA1. Because the authentication server then authenticates on the basis of that header alone, it must accept the header only from the trusted TLS-terminating proxy; a client that can reach the authentication server directly could otherwise set the header itself and impersonate any entity.
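The following is an added example of the server-side handling described above; it is not part of the BoB specification or of any BoB implementation. It assumes (not stated on the page) that the proxy forwards the fingerprint in a header named X-SSL-Client-SHA1, that the authentication server knows the addresses of its TLS-terminating proxies, and that each entity identifier is registered with the fingerprints of the self-signed certificates it may authenticate with. The entity identifier, proxy address and certificate bytes are constructed stand-ins.

```python
"""Validate a proxy-forwarded TLS client certificate fingerprint.

Added example; not BoB specification text or implementation code.
Assumptions (hypothetical, not from the page): header name
X-SSL-Client-SHA1, a known set of proxy addresses, and a registry
mapping entity id -> allowed SHA-1 fingerprints.
"""
import hashlib
import re
from typing import Iterable, Mapping, Optional, Set

HEADER_NAME = "X-SSL-Client-SHA1"  # hypothetical header name used in the text
_HEX40 = re.compile(r"^[0-9a-f]{40}$")


def fingerprint_sha1(der_cert: bytes) -> str:
    """Hex SHA-1 fingerprint of a DER-encoded certificate (lowercase, no colons).

    This is the value the TLS-terminating proxy would compute and forward; it
    equals `openssl x509 -fingerprint -sha1` with colons removed and lowercased.
    """
    return hashlib.sha1(der_cert).hexdigest()


def normalize_fingerprint(value: str) -> Optional[str]:
    """Canonicalize a fingerprint as it may arrive in a header.

    Accepts 'AB:CD:...' or bare hex in any case. Returns lowercase hex without
    separators, or None if the value is not a 40-hex-digit SHA-1 fingerprint.
    """
    cleaned = value.strip().replace(":", "").lower()
    return cleaned if _HEX40.fullmatch(cleaned) else None


def authenticate(
    headers: Mapping[str, str],
    peer_ip: str,
    entity_id: str,
    registry: Mapping[str, Set[str]],
    trusted_proxies: Iterable[str],
) -> Optional[str]:
    """Return entity_id if the forwarded fingerprint authenticates it, else None.

    The order of checks matters: the header is trusted only when the TCP peer
    is one of the TLS-terminating proxies. A client that reaches this server
    directly could otherwise forge the header and impersonate any entity.
    """
    if peer_ip not in set(trusted_proxies):
        return None
    # Header names are case-insensitive; take the first match.
    raw = next((v for k, v in headers.items() if k.lower() == HEADER_NAME.lower()), None)
    if raw is None:
        return None
    fp = normalize_fingerprint(raw)
    if fp is None:
        return None
    allowed = registry.get(entity_id)
    if not allowed or fp not in allowed:
        return None
    return entity_id


# Constructed stand-in for a DER-encoded self-signed certificate. Any bytes
# serve here because the check is purely on the fingerprint of the DER blob.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-self-signed-cert"
SAMPLE_FP = fingerprint_sha1(SAMPLE_CERT_DER)
REGISTRY = {"test-entity": {SAMPLE_FP}}  # hypothetical entity identifier
TRUSTED_PROXIES = ["10.0.0.5"]  # hypothetical load balancer address


if __name__ == "__main__":
    # Legitimate request via the proxy: authenticated.
    print(authenticate({HEADER_NAME: SAMPLE_FP}, "10.0.0.5", "test-entity",
                       REGISTRY, TRUSTED_PROXIES))
    # Same header set by a client that bypassed the proxy: rejected.
    print(authenticate({HEADER_NAME: SAMPLE_FP}, "203.0.113.7", "test-entity",
                       REGISTRY, TRUSTED_PROXIES))
```

The registry lookup is keyed by the entity identifier from the request URI, so a valid certificate registered for one entity cannot be used to obtain a token for another. Rejecting requests whose peer is not a known proxy is the check that makes the header trustworthy; network-level isolation of the authentication server from direct client access achieves the same end.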
The result is provided both as a JWT in compact format and as the serialized JWT header/payload, to ease parsing. In addition to the standard JWT claims, BoB JWTs contain the following additional claims:
...