Support Identity Assertion JWT Authorization Grant (ID-JAG) #411

Akankshabhasin · 2026-03-09T13:15:36Z

Akankshabhasin
Mar 9, 2026

Description

The Identity Assertion JWT Authorization Grant (ID-JAG) is an emerging OAuth draft that enables an application to obtain an access token for a third-party API through a common enterprise identity provider.

It builds on RFC 8693 (OAuth 2.0 Token Exchange) and RFC 7523 (JWT Bearer Grant)

The flow works in two steps:

A client exchanges an ID Token for an ID-JAG at the identity provider.
The client presents the ID-JAG to a resource authorization server using the JWT Bearer grant to obtain an access token.

Why this matters

This enables enterprise cross-application API access, allowing identity providers to mediate authorization between services while preserving the original user identity.

References

IETF Draft: https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/
Related discussion: Identity Assertion JWT Authorization Grant keycloak/keycloak#43971

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Support Identity Assertion JWT Authorization Grant (ID-JAG) #411

Uh oh!

{{title}}

Uh oh!

Replies: 0 comments

Select a reply

Uh oh!

Uh oh!

Support Identity Assertion JWT Authorization Grant (ID-JAG) #411

Uh oh!

Akankshabhasin Mar 9, 2026

Description

Why this matters

References

Replies: 0 comments

Akankshabhasin
Mar 9, 2026