2.2.3 Common Data Structures

The following table summarizes the set of common message body parameters defined by this specification. Each entry gives the message body parameter name, followed by its description.

requested_token_use

OPTIONAL. The OAuth 2.0 client can include this parameter in the POST body of a request to indicate what type of processing it is requesting when providing a grant_type parameter of "urn:ietf:params:oauth:grant-type:jwt-bearer".

The OAuth 2.0 client sets this parameter to a value of "on_behalf_of" when making an OAuth on-behalf-of request. An OAuth on-behalf-of request is an OAuth request in which a resource, or relying party, acts as a client and uses a previously received access token to request an access token for another resource. See section 3.1.5.2.1.1 for request details, section 3.2.5.2.1.3 for server processing details, and section 4.7 for an example.

The OAuth 2.0 client sets this parameter to a value of "logon_cert" when making an OAuth logon certificate request. An OAuth logon certificate request is an OAuth request in which a resource, or relying party, acts as a client and uses a previously received access token to request an X.509 certificate ([RFC5280]), which can be used to log the user represented in the access token onto another network resource without prompting the user for credentials. See section 3.1.5.2.1.1 for request details, section 3.2.5.2.1.3 for server processing details, and section 4.13 for an example.

The AD FS server ignores this parameter unless its ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_2 or higher.

assertion

OPTIONAL. The OAuth 2.0 client includes this parameter in the POST body of a request and sets it to the value of an access token previously issued by the AD FS server when making an OAuth on-behalf-of request or an OAuth logon certificate request.

The AD FS server ignores this parameter unless its ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_2 or higher.

resource (request parameter)

OPTIONAL. The OAuth 2.0 client includes this parameter in the POST body of a request to specify the resource secured by the AD FS server for which it requires an access token. It can be provided when refreshing an access token (see [RFC6749] section 6) or when making an OAuth on-behalf-of request.

The AD FS server ignores this parameter unless its ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_2 or higher.

resource (response parameter)

OPTIONAL. The AD FS server includes this parameter in the response and sets it to the identifier of the current resource when providing a multi-resource refresh token. A multi-resource refresh token is one that can be redeemed for an access token for any resource registered with the AD FS server.

The AD FS server does not return this parameter unless its ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_2 or higher.

use_windows_client_authentication

OPTIONAL. An OAuth 2.0 confidential client includes this parameter in the POST body of a request to indicate that it will use Windows client authentication and authenticate via the mechanism described in [RFC4559].

The AD FS server ignores this parameter unless its ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_2 or higher.

csr_type

OPTIONAL. The OAuth 2.0 client includes this parameter in the POST body of a request when making an OAuth logon certificate request to indicate the format of the request provided in the csr parameter (see [MS-WCCE] section 2.2.2.6). The only value supported for this parameter is "http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10".

The AD FS server ignores this parameter unless its ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_2 or higher.

csr

OPTIONAL. The OAuth 2.0 client includes this parameter in the POST body of a request when making an OAuth logon certificate request and sets the value to a base64-encoded PKCS#10 certificate request (see [MS-WCCE] section 3.1.1.4.3.1.1).

The AD FS server ignores this parameter unless its ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_2 or higher.

x5c

OPTIONAL. The AD FS server includes this parameter in the successful response to an OAuth logon certificate request. The value is a base64-encoded CMS certificate chain or CMC full PKI response (see [MS-WCCE] section 2.2.2.8).

The AD FS server does not return this parameter unless its ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_2 or higher.

tbidv2

OPTIONAL. The OAuth 2.0 client includes this parameter in the POST body of a request to indicate that the client is providing a referred token-binding ID to the AD FS server for the current request. See [RFC8471] for details on referred token-bindings.

The AD FS server ignores this parameter unless its ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_2 or higher.<6>
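The following Python is an added worked example, not code from [MS-OAPX] or from AD FS. It builds the two request bodies this table describes (an on-behalf-of request and a logon certificate request) with urlencode, then applies the consistency checks a client can derive from the table before sending: the jwt-bearer grant_type, the assertion, the target resource, and, for logon_cert, the single permitted csr_type value plus a base64/DER sanity check on csr. Assumptions not in the table: client_id is the standard [RFC6749] parameter; AD_FS_BEHAVIOR_LEVEL_2 is given a numeric stand-in; the "DER SEQUENCE" test is a minimal structural check on PKCS#10, not a full parse; and the check function mirrors the table, not the server processing rules of section 3.2.5.2.1.3. Sample token and CSR bytes are constructed.

```python
"""Constructed example: build the AD FS-specific OAuth 2.0 token request bodies
from this table and sanity-check them client-side. Not Microsoft's code."""
import base64
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
# The only csr_type value the table allows.
CSR_TYPE_PKCS10 = "http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10"
# Assumption: numeric stand-in for the spec's symbolic AD_FS_BEHAVIOR_LEVEL_2.
AD_FS_BEHAVIOR_LEVEL_2 = 2


def build_on_behalf_of_body(access_token, client_id, target_resource):
    """POST body for an OAuth on-behalf-of request: the caller's existing access
    token goes in `assertion`, the resource it wants a token for in `resource`.
    client_id is the standard RFC 6749 parameter, not one from this table."""
    return urlencode({
        "grant_type": JWT_BEARER,
        "client_id": client_id,
        "assertion": access_token,
        "requested_token_use": "on_behalf_of",
        "resource": target_resource,
    })


def build_logon_cert_body(access_token, client_id, csr_der):
    """POST body for an OAuth logon certificate request: the existing access
    token plus a DER-encoded PKCS#10 request, base64-encoded, with the single
    supported csr_type."""
    return urlencode({
        "grant_type": JWT_BEARER,
        "client_id": client_id,
        "assertion": access_token,
        "requested_token_use": "logon_cert",
        "csr_type": CSR_TYPE_PKCS10,
        "csr": base64.b64encode(csr_der).decode("ascii"),
    })


def check_request(body, behavior_level):
    """Client-side consistency check derived from the table (not the server's
    processing rules). Returns a list of problems; empty means consistent."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    problems = []
    use = params.get("requested_token_use")
    if behavior_level < AD_FS_BEHAVIOR_LEVEL_2:
        # Every parameter in this table is ignored below behavior level 2, so an
        # on-behalf-of or logon_cert request would silently degrade.
        if use is not None:
            problems.append("requested_token_use is ignored below AD_FS_BEHAVIOR_LEVEL_2")
        return problems
    if use is None:
        return problems  # plain RFC 6749 request; nothing table-specific to check
    if params.get("grant_type") != JWT_BEARER:
        problems.append("requested_token_use requires grant_type " + JWT_BEARER)
    if not params.get("assertion"):
        problems.append("assertion (previously issued access token) is missing")
    if use == "on_behalf_of":
        if not params.get("resource"):
            problems.append("on_behalf_of request names no target resource")
    elif use == "logon_cert":
        if params.get("csr_type") != CSR_TYPE_PKCS10:
            problems.append("csr_type must be " + CSR_TYPE_PKCS10)
        csr = params.get("csr")
        if not csr:
            problems.append("csr is missing")
        else:
            try:
                der = base64.b64decode(csr, validate=True)
            except ValueError:
                problems.append("csr is not valid base64")
            else:
                # A DER PKCS#10 CertificationRequest is an ASN.1 SEQUENCE (tag 0x30).
                # Assumption: structural check only, not a PKCS#10 parse.
                if not der or der[0] != 0x30:
                    problems.append("csr does not decode to a DER SEQUENCE")
    else:
        problems.append(f"unknown requested_token_use {use!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: an opaque token string and a minimal DER
    # SEQUENCE standing in for a real PKCS#10 request.
    obo = build_on_behalf_of_body("sample-access-token", "urn:example:client",
                                  "https://api.example.test")
    print(obo)
    print(check_request(obo, AD_FS_BEHAVIOR_LEVEL_2))
    lc = build_logon_cert_body("sample-access-token", "urn:example:client",
                               b"\x30\x03\x02\x01\x00")
    print(lc)
    print(check_request(lc, AD_FS_BEHAVIOR_LEVEL_2))
```

Running the check at a behavior level below 2 reports that requested_token_use will be ignored rather than returning an empty list; that is the case a client most easily misses, because the server answers the request as an ordinary jwt-bearer grant instead of failing it.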