
JWT-bearer grant with JWT assertion vs. client credentials grant with JWT client assertion?

Çağlar Arlı


Can anyone please shed some light on the difference between the following two OAuth grant type scenarios?

JWT grant with JWT assertion

  • grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
  • assertion=${JWT}

Defined in RFC 7523 § 2.1. An example of this is the Docusign JWT grant.

Client credentials grant with JWT client assertion

  • grant_type=client_credentials
  • client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
  • client_assertion=${JWT}

Defined in RFC 7523 § 2.2. An example of this is the Microsoft certificate-based client credentials grant.

As far as I can tell, both grant type scenarios use JWT-based client authentication to grant access to protected resources. This seems consistent with how the client credentials grant type is described in RFC 6749 § 1.3.4:

The client credentials (or other forms of client authentication) can be used as an authorization grant when the authorization scope is limited to the protected resources under the control of the client, or to protected resources previously arranged with the authorization server.

If the two are equivalent in terms of intent and security considerations, I wonder why there are two grant types / flows defined. One example where a JWT-based assertion and a JWT-based client_assertion are used together is the Microsoft certificate-based on-behalf-of grant, which uses the following parameters:

  • grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
  • assertion=${ON_BEHALF_OF_JWT}
  • client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
  • client_assertion=${CLIENT_JWT}
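The two request shapes from the question side by side, as an added example that is not part of the original post: one builder per flow plus the authorization-server-side check that shows what actually differs, namely whose identity the resulting access token is issued for. The token endpoint URL, client_id, user and shared key are constructed values; HS256 is used only to keep the example dependency-free, where real RFC 7523 deployments sign with a private key.

```python
import base64, hashlib, hmac, json, time
TOKEN_ENDPOINT = "https://as.example/token"  # hypothetical AS token endpoint, used as the JWT audience

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_jwt_hs256(claims: dict, key: bytes) -> str:
    # HS256 keeps this dependency-free; real RFC 7523 deployments sign with a private key (RS256/ES256)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt_hs256(jwt: str, key: bytes) -> dict:
    # Server-side checks shared by both flows: signature, audience and expiry (RFC 7523 section 3)
    header, payload, sig = jwt.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("aud") != TOKEN_ENDPOINT or claims.get("exp", 0) <= time.time():
        raise ValueError("wrong audience or expired")
    return claims

def jwt_bearer_grant(client_id: str, subject: str, key: bytes) -> dict:
    # RFC 7523 section 2.1: the JWT *is* the authorization grant; sub names the user being acted for
    now = int(time.time())
    claims = {"iss": client_id, "sub": subject, "aud": TOKEN_ENDPOINT, "iat": now, "exp": now + 300, "jti": "g1"}
    return {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer", "assertion": sign_jwt_hs256(claims, key)}

def client_credentials_with_client_assertion(client_id: str, key: bytes) -> dict:
    # RFC 7523 section 2.2: the JWT only authenticates the client, so sub is the client_id itself
    now = int(time.time())
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT, "iat": now, "exp": now + 300, "jti": "a1"}
    return {"grant_type": "client_credentials",
            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "client_assertion": sign_jwt_hs256(claims, key)}

def classify_token_request(form: dict, key: bytes) -> tuple:
    # Returns (flow, subject the access token is issued for): the practical difference between the two
    if form["grant_type"] == "urn:ietf:params:oauth:grant-type:jwt-bearer":
        if "client_assertion" in form:  # on-behalf-of style: client auth travels alongside the grant
            verify_jwt_hs256(form["client_assertion"], key)
        return ("jwt-bearer", verify_jwt_hs256(form["assertion"], key)["sub"])  # acts for the user
    if form["grant_type"] == "client_credentials":
        claims = verify_jwt_hs256(form["client_assertion"], key)
        if claims["sub"] != claims["iss"]:  # client auth JWT is self-issued: iss and sub are both the client_id
            raise ValueError("client_assertion subject must be the client itself")
        return ("client_credentials", claims["sub"])  # acts as the client; no user is involved
    raise ValueError("unsupported grant_type")
```

With the same client key, the first flow yields a token for the asserted user while the second yields a token for the client itself, which is why a grant (the assertion) and a credential (the client_assertion) are separate parameters and can be combined.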