Authorization Code - JWT

Access token request - get a new access token

Client Authentication

The requests made to the token service must be authenticated using a signed JWT assertion (as per the private_key_jwt mechanism of OpenID Connect):

require 'jwt'
require 'securerandom'

key = '<client_private_key>'

pem_key = key.scan(/.{1,64}/).tap do |lines|
  lines.unshift "-----BEGIN PRIVATE KEY-----"
  lines.push "-----END PRIVATE KEY-----"
end.join("\n")

private_key = OpenSSL::PKey::EC.new pem_key

payload = 
  {
    "jti": SecureRandom.uuid,
    "iss": "<client_id>",
    "sub": "<client_id>",
    "aud": "https://<account_name>.talkdeskid.com/oauth/token",
    "iat": Time.now.to_i,
    "exp": Time.now.to_i + 5*60
  }

token = JWT.encode payload, private_key, '<client_key_algorithm>', {"kid": "<client_key_id>"}
package com.talkdesk.example;

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

import java.io.IOException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.time.Instant;
import java.util.Base64;
import java.util.Date;
import java.util.UUID;

public class GenerateClientAssertion {

    public static void main(String... args) throws NoSuchAlgorithmException, InvalidKeySpecException, IOException {
        String key = "<client_private_key>";

        // Replace EC with ECDSA if BouncyCastle is enabled
        PrivateKey privateKey = KeyFactory.getInstance("EC")
                .generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(key)));

        String token = Jwts.builder()
                .setHeaderParam("kid", "<client_key_id>")
                .setId(UUID.randomUUID().toString())
                .setIssuer("<client_id>")
                .setSubject("<client_id>")
                .setAudience("https://<account>.talkdeskid.com/oauth/token")
                .setIssuedAt(new Date())
                .setExpiration(Date.from(Instant.now().plusSeconds(300)))
                .signWith(SignatureAlgorithm.<client_key_algorithm>, privateKey)
                .compact();
    }

}
# Requires the 'PyJWT' and 'cryptography' packages to be installed

import uuid
import jwt
from datetime import datetime, timedelta

# Client Private Key
CLIENT_PRIVATE_KEY = "<client_private_key>"

CLIENT_PRIVATE_KEY = "-----BEGIN PRIVATE KEY-----\n" + CLIENT_PRIVATE_KEY + "\n-----END PRIVATE KEY-----"

# JWT Headers
headers = {"kid": "<client_key_id>"}

# JWT Payload
payload = {"iss": "<client_id>",\
    "sub": "<client_id>",\
    "aud": "https://<account_name>.talkdeskid.com/oauth/token",\
    "jti": str(uuid.uuid4()),\
    "exp": datetime.utcnow() + \
    timedelta(seconds=300),\
    "iat": datetime.utcnow()}

# Signed JWT 
jwt_token = jwt.encode(payload, CLIENT_PRIVATE_KEY, algorithm = "<client_key_algorithm>", headers = headers)
(require 
  '[clj-time.core :as time]
  '[buddy.sign.jwt :as jwt]
  '[buddy.core.keys :as keys])

(def token 
  (jwt/sign
    {:jti (str (java.util.UUID/randomUUID))
     :iss "<CLIENT_ID>" 
     :sub "<CLIENT_ID>" 
     :aud "https://taiga.talkdeskid.com/oauth/token" 
     :exp (time/plus (time/now) (time/minutes 5)) 
     :iat (time/now)}
    (keys/private-key "<CLIENT_PRIVATE_KEY_FILE>")
    {:alg :es256
     :kid "<CLIENT_KEY_ID>"}))
// Requires the 'jsonwebtoken' and 'uuid' packages to be installed
var jwt = require('jsonwebtoken');
var uuid = require('uuid/v4');

var private_key = '<client_private_key>'
private_key = "-----BEGIN PRIVATE KEY-----\n" + private_key + "\n-----END PRIVATE KEY-----"

var header = {
  kid: '<client_key_id>'
}

var payload = {
  iss: '<client_id>',
  sub: '<client_id>',
  aud: 'https://<account_name>.talkdeskid.com/oauth/token',
  jti: uuid(),
  exp: Math.floor(Date.now() / 1000) + 300,
  iat: Math.floor(Date.now() / 1000)
}

token = jwt.sign(payload, private_key, {header: header, algorithm: '<client_key_algorith>'})

❗️

Signed JWT - Expiration

You will get an invalid_client error message if your signed JWT has expired.

In the example above, the signed JWT expires after five minutes. If you wish to have a signed JWT with a longer expiration date, you can change it via the exp and/or setExpiration variables.

Access Token Request

Language
URL
Click Try It! to start a request and see the response here!