2.2.3.5 csr

 POST /token HTTP/1.1
 Host: server.example.com
 Content-Type: application/x-www-form-urlencoded
 grant_type={grant_type}&client_id={client_id}&redirect_uri={redirect_uri}&requested_token_use={requested_token_use}&assertion={assertion}&csr={csr}&csr_type={csr_type}

OPTIONAL

The csr parameter is optional, and can be specified by the client role of the OAuth 2.0 Protocol Extensions in the POST body when making a request to the token endpoint (section 3.1.5.2). The client provides a base64-encoded PKCS#10 certificate request ([MS-WCCE] section 3.1.1.4.3.1.1) in the csr parameter when making an OAuth logon certificate request.

The AD FS server ignores this parameter unless its ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_2 or higher.

For an example of the csr parameter being used, see section 4.13.

The format for the csr parameter is as follows.

 String = *(%x20-7E)
 csr = String