...

getAuthenticationToken is used to get an authentication token given an entity identifier (provided in the request URI) and a TLS client certificate. A PKI is not required for authentication; a self-signed certificate works as well.

The client-to-server TLS connection is usually terminated at an HTTP proxy (e.g., a load balancer), and the SHA1 fingerprint (as hex) of the TLS client certificate is transferred to the authentication server via the X-SSL-Client-SHA1 header.
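A sketch of how an authentication server might validate the X-SSL-Client-SHA1 header before issuing a token. This is an added example, not code from the BoB specification. The `registry` mapping of entity identifiers to enrolled fingerprints, the acceptance of colon-separated or upper-case hex, and the sample bytes are assumptions.

```python
import hashlib
import hmac
import re

HEADER = "x-ssl-client-sha1"           # header name from the page, lowercased
_HEX40 = re.compile(r"[0-9a-f]{40}")   # SHA-1 digest as 40 hex characters


def cert_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER encoding of the certificate, as lowercase hex."""
    return hashlib.sha1(der).hexdigest()


def normalize_fingerprint(value: str):
    """Return the fingerprint as 40 lowercase hex chars, or None if malformed.
    Accepting colon separators and upper case is an assumption about the proxy."""
    v = value.strip().replace(":", "").lower()
    return v if _HEX40.fullmatch(v) else None


def authenticate(entity_id, headers, registry) -> bool:
    """headers: list of (name, value) pairs as received from the proxy.
    registry: hypothetical mapping entity_id -> set of enrolled fingerprints."""
    values = [v for (n, v) in headers if n.lower() == HEADER]
    # Require exactly one value: a duplicate suggests the proxy did not
    # strip a client-supplied copy of the header.
    if len(values) != 1:
        return False
    presented = normalize_fingerprint(values[0])
    if presented is None:
        return False
    ok = False
    for enrolled in registry.get(entity_id, ()):
        # Constant-time comparison, no early exit.
        ok |= hmac.compare_digest(presented, enrolled)
    return ok


# Constructed sample: stand-in bytes, not a real certificate.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_REGISTRY = {"entity-1": {cert_fingerprint(SAMPLE_DER)}}
```

The header carries authentication weight only if the proxy always overwrites it and the API endpoint cannot be reached except through that proxy.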

The result is provided both as a JWT in compact format and as a serialized JWT header/payload to ease parsing. In addition to the standard JWT claims, BoB JWTs contain the following additional claims:

...