--- title: Pushed Authorization Request (CLIENT_SECRET_JWT) description: For applications in which the application's tokenEndpointAuthMethod is set to CLIENT_SECRET_JWT, the token endpoint uses a JWT signed by the application's client secret to authenticate the request. For information about creating the JWT and the claims in the JWT, refer to Create a client secret JWT. Token requests that use this auth method require the client_assertion and client_assertion_type OAuth properties to specify the JWT. component: pingone-api page_id: pingone-api:auth:openid-connect-oauth-2/par-client-secret-jwt canonical_url: https://developer.pingidentity.com/pingone-api/auth/openid-connect-oauth-2/par-client-secret-jwt.html section_ids: prerequisites: Prerequisites headers: Headers body: Body example-request: Example Request example-response: Example Response --- # Pushed Authorization Request (CLIENT\_SECRET\_JWT) ## ```none POST {{authPath}}/{{envID}}/as/par ``` For applications in which the application's `tokenEndpointAuthMethod` is set to `CLIENT_SECRET_JWT`, the token endpoint uses a JWT signed by the application's client secret to authenticate the request. For information about creating the JWT and the claims in the JWT, refer to [Create a client secret JWT](../auth-config-options/create-a-client-secret-jwt.html). Token requests that use this auth method require the `client_assertion` and `client_assertion_type` OAuth properties to specify the JWT. ### Prerequisites * Refer to [OpenID Connect/OAuth 2](../openid-connect-oauth-2.html) for important overview information. * Create an application to get an `appID`. Refer to [Application Operations](../../platform/applications/applications-1.html). Run [Read All Applications](../../platform/applications/applications-1/read-all-applications.html) to find an existing application. * Run [Read All Templates](../../platform/notifications/notifications-templates/read-all-templates.html) to find a `templateName`. * Run [Read All Contents](../../platform/notifications/notifications-templates/read-all-contents.html) to find a `variantName`. > **Collapse: Request Model** > > | Property | Type | Required? | > | ----------------------- | ------ | --------- | > | `acr_values` | String | Optional | > | `client_assertion` | String | Required | > | `client_assertion_type` | String | Required | > | `code_challenge_method` | String | Optional | > | `login_hint` | String | Optional | > | `mobilePayload` | String | Optional | > | `max_age` | String | Optional | > | `nonce` | String | Optional | > | `prompt` | String | Optional | > | `redirect_uri` | String | Required | > | `request` | String | Optional | > | `response_mode` | String | Optional | > | `response_type` | String | Required | > | `scope` | String | Optional | > | `state` | String | Optional | > > Refer to the [OpenID Connect/OAuth2 data model](../openid-connect-oauth-2.html) for full property descriptions. > **Collapse: Related topics** > > * [Authorization flow by grant type](../../foundations/authentication-concepts/authorization-flow-by-grant-type.html) ### Headers Content-Type      application/x-www-form-urlencoded ### Body urlencoded ( application/x-www-form-urlencoded ) | Key | Value | | ----------------------- | ------------------------------------------------------ | | response\_type | token | | redirect\_uri | {{redirect\_uri}} | | scope | openid | | client\_assertion | {{clientSecretJWT}} | | client\_assertion\_type | urn:ietf:params:oauth:client-assertion-type:jwt-bearer | ## ### Example Request * cURL * C# * Go * HTTP * Java * jQuery * NodeJS * Python * PHP * Ruby * Swift ```shell curl --location --globoff '{{authPath}}/{{envID}}/as/par' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'response_type=token' \ --data-urlencode 'redirect_uri={{redirect_uri}}' \ --data-urlencode 'scope=openid' \ --data-urlencode 'client_assertion={{clientSecretJWT}}' \ --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' ``` ```csharp var options = new RestClientOptions("{{authPath}}/{{envID}}/as/par") { MaxTimeout = -1, }; var client = new RestClient(options); var request = new RestRequest("", Method.Post); request.AddHeader("Content-Type", "application/x-www-form-urlencoded"); request.AddParameter("response_type", "token"); request.AddParameter("redirect_uri", "{{redirect_uri}}"); request.AddParameter("scope", "openid"); request.AddParameter("client_assertion", "{{clientSecretJWT}}"); request.AddParameter("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"); RestResponse response = await client.ExecuteAsync(request); Console.WriteLine(response.Content); ``` ```golang package main import ( "fmt" "strings" "net/http" "io" ) func main() { url := "{{authPath}}/{{envID}}/as/par" method := "POST" payload := strings.NewReader("response_type=token&redirect_uri=%7B%7Bredirect_uri%7D%7D&scope=openid&client_assertion=%7B%7BclientSecretJWT%7D%7D&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer") client := &http.Client { } req, err := http.NewRequest(method, url, payload) if err != nil { fmt.Println(err) return } req.Header.Add("Content-Type", "application/x-www-form-urlencoded") res, err := client.Do(req) if err != nil { fmt.Println(err) return } defer res.Body.Close() body, err := io.ReadAll(res.Body) if err != nil { fmt.Println(err) return } fmt.Println(string(body)) } ``` ```http POST /{{envID}}/as/par HTTP/1.1 Host: {{authPath}} Content-Type: application/x-www-form-urlencoded response_type=token&redirect_uri=%7B%7Bredirect_uri%7D%7D&scope=openid&client_assertion=%7B%7BclientSecretJWT%7D%7D&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer ``` ```java OkHttpClient client = new OkHttpClient().newBuilder() .build(); MediaType mediaType = MediaType.parse("application/x-www-form-urlencoded"); RequestBody body = RequestBody.create(mediaType, "response_type=token&redirect_uri={{redirect_uri}}&scope=openid&client_assertion={{clientSecretJWT}}&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer"); Request request = new Request.Builder() .url("{{authPath}}/{{envID}}/as/par") .method("POST", body) .addHeader("Content-Type", "application/x-www-form-urlencoded") .build(); Response response = client.newCall(request).execute(); ``` ```javascript var settings = { "url": "{{authPath}}/{{envID}}/as/par", "method": "POST", "timeout": 0, "headers": { "Content-Type": "application/x-www-form-urlencoded" }, "data": { "response_type": "token", "redirect_uri": "{{redirect_uri}}", "scope": "openid", "client_assertion": "{{clientSecretJWT}}", "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } }; $.ajax(settings).done(function (response) { console.log(response); }); ``` ```javascript var request = require('request'); var options = { 'method': 'POST', 'url': '{{authPath}}/{{envID}}/as/par', 'headers': { 'Content-Type': 'application/x-www-form-urlencoded' }, form: { 'response_type': 'token', 'redirect_uri': '{{redirect_uri}}', 'scope': 'openid', 'client_assertion': '{{clientSecretJWT}}', 'client_assertion_type': 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' } }; request(options, function (error, response) { if (error) throw new Error(error); console.log(response.body); }); ``` ```python import requests url = "{{authPath}}/{{envID}}/as/par" payload = 'response_type=token&redirect_uri=%7B%7Bredirect_uri%7D%7D&scope=openid&client_assertion=%7B%7BclientSecretJWT%7D%7D&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer' headers = { 'Content-Type': 'application/x-www-form-urlencoded' } response = requests.request("POST", url, headers=headers, data=payload) print(response.text) ``` ```php setUrl('{{authPath}}/{{envID}}/as/par'); $request->setMethod(HTTP_Request2::METHOD_POST); $request->setConfig(array( 'follow_redirects' => TRUE )); $request->setHeader(array( 'Content-Type' => 'application/x-www-form-urlencoded' )); $request->addPostParameter(array( 'response_type' => 'token', 'redirect_uri' => '{{redirect_uri}}', 'scope' => 'openid', 'client_assertion' => '{{clientSecretJWT}}', 'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' )); try { $response = $request->send(); if ($response->getStatus() == 200) { echo $response->getBody(); } else { echo 'Unexpected HTTP status: ' . $response->getStatus() . ' ' . $response->getReasonPhrase(); } } catch(HTTP_Request2_Exception $e) { echo 'Error: ' . $e->getMessage(); } ``` ```ruby require "uri" require "net/http" url = URI("{{authPath}}/{{envID}}/as/par") http = Net::HTTP.new(url.host, url.port); request = Net::HTTP::Post.new(url) request["Content-Type"] = "application/x-www-form-urlencoded" request.body = "response_type=token&redirect_uri=%7B%7Bredirect_uri%7D%7D&scope=openid&client_assertion=%7B%7BclientSecretJWT%7D%7D&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer" response = http.request(request) puts response.read_body ``` ```swift let parameters = "response_type=token&redirect_uri=%7B%7Bredirect_uri%7D%7D&scope=openid&client_assertion=%7B%7BclientSecretJWT%7D%7D&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer" let postData = parameters.data(using: .utf8) var request = URLRequest(url: URL(string: "{{authPath}}/{{envID}}/as/par")!,timeoutInterval: Double.infinity) request.addValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type") request.httpMethod = "POST" request.httpBody = postData let task = URLSession.shared.dataTask(with: request) { data, response, error in guard let data = data else { print(String(describing: error)) return } print(String(data: data, encoding: .utf8)!) } task.resume() ``` ### Example Response 201 Created ```json { "request_uri": "urn:ietf:params:oauth:request_uri:03669195-99bc-410d-af5d-a0f125eea9b6", "expires_in": 60 } ```