Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


getAuthenticationToken is used to get an authentication token given an entity identifier (provided in request URI) and a TLS client certificate. A PKI is not required for authentication, a self-signed certificate works as well. 

The client to server TLS connection is usually terminated at a HTTP proxy (e.g. , a load balancer) and the SHA1 fingerprint (as hex) of the TLS client certificate is transferred to the authentication server via the a header, e.g., "X-SSL-Client-SHA1 header".

Result is provided both as a JWT in compact format as well as a serialized JWT header/payload to ease parsing. In addition to the standard JWT claims, BoB JWTs contains the following additional claims: