Setting up an OpenId Connect enterprise connection to an endpoint that requires the jwt-bearer grant type

I’m trying to set up an OpenId Connect enterprise connection to an IdP that does not support the authorization_code grant type, only the jwt-bearer grant type (urn:ietf:params:oauth:grant-type:jwt-bearer) to validate a connection to its /token endpoint. Does Auth0 support this, and if not, is there a workaround where I can manually obtain a token from this IdP and then authorise with Auth0?


Hi @jamie1,

Welcome to the Auth0 Community and thank you for posting!

I apologize for the delay in the response.

First of all, http://auth0.com/oauth/legacy/grant-type/ro/jwt-bearer is a “Legacy Grant Type”. Legacy grant types are traditional grant types supported for legacy customers only. If you are a legacy customer, we highly recommend moving to a more secure alternative.

Third-party Access Tokens are issued by Identity Providers after a user authenticates with that provider. Use the Access Tokens to call the API of the third-party provider that issued them. For example, an Access Token issued after authentication to Facebook could be used to call the Facebook Graph API.

The user authenticates with the IdP by making an HTTP GET call to the /api/v2/user/{user-id} endpoint. To call this endpoint you need an Access Token for the Management API that includes the read:user_idp_tokens scope. The Access Token for the IdP will be available in the identities array, under the element for the particular connection. For information on how to call an IdP API, see Call an Identity Provider API.

If you have received an Access Token from an Identity Provider (IdP), in general, you don’t need to validate it. You can pass it to the issuing IdP, and the IdP takes care of the rest.

For more information please read: Identity Provider Access Tokens

Please let me know if this helps!
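The retrieval flow the reply describes, as an added example that is not part of the original thread or Auth0's own code: check that the Management API token actually carries the read:user_idp_tokens scope, build the GET request for the user profile, and pull the IdP access token for a given connection out of the identities array. The tenant domain, user id, connection name, the sample profile and the sample Management API token are all constructed for this example; the token check only decodes the payload and does not verify the signature, since the point is a local pre-flight check before the call, not token validation.

```python
import base64
import json
from typing import Optional
from urllib.parse import quote

REQUIRED_SCOPE = "read:user_idp_tokens"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment without padding (JWT style)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mgmt_token_has_scope(mgmt_token: str, scope: str = REQUIRED_SCOPE) -> bool:
    """Check the 'scope' claim of a Management API token.

    Only the payload is decoded; the signature is NOT verified here. This is a
    local pre-flight check so a call to /api/v2/users/{id} is not made with a
    token that will be rejected for missing read:user_idp_tokens. Auth0 itself
    verifies the signature when it receives the token.
    """
    try:
        payload = json.loads(_b64url_decode(mgmt_token.split(".")[1]))
    except (IndexError, ValueError):
        return False
    return scope in payload.get("scope", "").split()


def build_user_request(domain: str, user_id: str, mgmt_token: str) -> dict:
    """Build the GET /api/v2/users/{user-id} request the reply describes.

    The user id (e.g. 'oidc|my-idp|abc123') contains '|' and must be
    URL-encoded as a single path segment.
    """
    if not mgmt_token_has_scope(mgmt_token):
        raise ValueError(f"Management API token lacks the {REQUIRED_SCOPE} scope")
    return {
        "method": "GET",
        "url": f"https://{domain}/api/v2/users/{quote(user_id, safe='')}",
        "headers": {"Authorization": f"Bearer {mgmt_token}"},
    }


def extract_idp_token(user_profile: dict, connection: str) -> Optional[dict]:
    """Return the IdP access token (and refresh token, if any) stored under the
    identities element for one connection, or None if that connection has no
    token in the profile."""
    for identity in user_profile.get("identities", []):
        if identity.get("connection") == connection and "access_token" in identity:
            return {
                "provider": identity.get("provider"),
                "access_token": identity["access_token"],
                "refresh_token": identity.get("refresh_token"),
            }
    return None


def _fake_jwt(payload: dict) -> str:
    """Constructed token for offline use: real header/payload, bogus signature."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.fakesig"


# Constructed sample data (not real tenant, user or token values).
SAMPLE_MGMT_TOKEN = _fake_jwt({
    "iss": "https://example.auth0.com/",
    "aud": "https://example.auth0.com/api/v2/",
    "scope": "read:users read:user_idp_tokens",
})

SAMPLE_PROFILE = {
    "user_id": "oidc|my-idp|abc123",
    "identities": [
        {
            "provider": "oidc",
            "user_id": "abc123",
            "connection": "my-idp",
            "isSocial": False,
            "access_token": "idp-access-token-value",
        },
        {
            "provider": "auth0",
            "user_id": "5f1e...",
            "connection": "Username-Password-Authentication",
            "isSocial": False,
        },
    ],
}

if __name__ == "__main__":
    req = build_user_request("example.auth0.com", "oidc|my-idp|abc123", SAMPLE_MGMT_TOKEN)
    print(req["method"], req["url"])
    print(extract_idp_token(SAMPLE_PROFILE, "my-idp"))
```

The returned access_token is opaque to your application: as the reply says, you do not validate it yourself but pass it on to the IdP's API, which is the only party that can verify it. Treat it like any other bearer credential (never log it, keep it server-side), and note that Auth0 only stores it in the profile if the connection was configured to request it.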