Skip to main content

Integration Steps

Prerequisites

Step 1 – Machine credential issuance

The LEAR of the organization issues a LEARCredentialMachine to the backend service (the confidential client).

  • The credential is a Verifiable Credential (VC) in JWT format.

  • It is bound to the machine’s DID, derived from its public key.

  • The private key must be securely stored and never shared.

Outcome:
The machine (confidential client) holds a valid LEARCredentialMachine and its associated DID key pair.

Step 2 – Client configuration

Client type: Confidential.

  • Register the client in the Verifier’s Authorization Server.

  • Provide the jwks_uri exposing the public keys used for signing JWTs.

  • Ensure the redirect_uri is pre-registered and uses HTTPS.

  • Implement JWT-based client authentication (client_secret_jwt).

Outcome:
The confidential client is fully configured to authenticate using signed JWTs and perform the Authorization Code Flow.

Step 3 – Authorization request

The confidential client starts the authorization process by redirecting the user to the Authorization Endpoint with a signed Authorization Request Object.
This object is a JWT containing all authorization parameters, hosted at a request_uri.

The Authorization Server retrieves this JWT, validates its signature against the client’s registered jwks_uri, and proceeds with the flow.

Non-normative example:

GET /authorize?

response_type=code

&client_id=did:key:wejkdew87fwhef9833f4

&request_uri=https%3A%2F%2Fapp.client.com%2Frequest.jwt%2F3Gr...AdM

&state=af0ifjsldkj

&nonce=n-0S6_WzA2Mj

&scope=openid%20learcredential

Host: authserver.example.org
The Authorization Server executes the request_uri to retrieve the data of the Authorization Request Object.
This object is a JWT signed with the client’s private key.
The Authorization Server validates the JWT using the public key registered under the client’s jwks_uri.

Outcome:
The Authorization Server successfully validates the signed request and displays the login and consent screen to the user.

Step 4 – Authorization response

After the user successfully authenticates and authorizes access, the Authorization Server redirects back to the client’s redirect_uri with an authorization code.

Non-normative example:


HTTP/1.1 302 FOUND

Location: https://app.client.com/cb?

code=SplxlOBeZQQYbYS6WxSbIA

&state=af0ifjsldkj
Outcome:
The confidential client receives the authorization code and verifies that the state matches its original request to prevent CSRF attacks.

Step 5 – Token request

The client exchanges the authorization code for tokens by calling the Token Endpoint.
In this step, the client authenticates using client_secret_jwt, sending a signed JWT in the client_assertion parameter.

Non-normative example:

Non-normative example of a Token Request:

POST /oauth/token HTTP/1.1

Host: authserver.example.com 

Content-Type: application/x-www-form-urlencoded


grant_type=authorization_code

&code=SplxlOBeZQQYbYS6WxSbIA

&redirect_uri=https%3A%2F%2Fapp.client.com%2Fcb

&state=af0ifjsldkj

Outcome:
The Authorization Server validates:

  • The client_secret_jwt signature.

  • The authorization code and redirect URI.
    If valid, it issues access, ID, and refresh tokens.


Step 6 – Token response

Non-normative example:

HTTP/1.1 200 OK

Content-Type: application/json

Cache-Control: no-store

Pragma: no-cache


{

  "access_token": "eyJhbGciOiJFQ0RILUVTIiwiZ...qtAlx1oFIUpQQ",

  "token_type": "Bearer",

  "expires_in": 3600,

  "refresh_token": "8xLOxBtZp8",

  "id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...p-QV30"

}

Outcome:

  • access_token grants access to protected APIs.

  • id_token identifies the authenticated subject.

  • refresh_token allows new tokens to be obtained without user interaction.

Step 7 – Use access token

The confidential client uses the access_token to call Verifier-protected APIs:

Authorization: Bearer eyJhbGciOiJFQ0RILUVTIiwiZ...
No Comments
Back to top