Protocol Explorer

ID-JAG — Cross-Domain Access (Xaa)

An ACME Corp employee uses their internal corporate identity to securely access the SaaS API. The Identity Assertion Authorization Grant (ID-JAG) lets ACME's IdP vouch for the user's identity without ever issuing external service tokens — each trust domain remains sovereign.

draft-ietf-oauth-identity-assertion-authz-grant
Sequence diagram (rendered as an image on the original page; participants and steps recovered from it):

Participants: ACME Employee, ACME CRM App (:3000), ACME IdP, SaaS IdP, SaaS API

1. GET /authorize (OIDC) → 302
2. POST /login (MFA)
3. POST /token (code → ID Toke…)
4. POST /token (→ ID-JAG)
5. POST /token (ID-JAG → AT)
6. GET /projects (Bearer AT)
GET https://idp.acme.example/authorize?response_type=code&client_id=acme-crm-app&scope=openid%20email%20profile&redirect_uri=https%3A%2F%2Fcrm.acme.example%2Fcallback&state=xvz1evFS4wEEptTbUs9SDg&nonce=n-0S6_WzA2Mj

The ACME CRM App redirects the employee's browser to ACME's Identity Provider to begin an OpenID Connect authorization code flow. The IdP returns a 302 redirect to its login page, where the employee will authenticate with corporate credentials.

scope=openid ensures this is an OIDC flow, which will return an ID Token alongside the access token.

The nonce (n-0S6_WzA2Mj) is a one-time value included in the authorization request to prevent replay attacks — the IdP will embed it in the returned ID Token.

The state parameter ties the authorization response back to this specific browser session, preventing CSRF.

ID-JAG §3.1: The client must first obtain an ID Token from the user's internal IdP before it can request an ID-JAG.
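The client-side half of this step, as an added worked example that is not code from the Protocol Explorer page or from the ID-JAG draft: the ACME CRM App generates a fresh state and nonce, binds them to the browser session, builds the authorization URL shown above, and later verifies that the callback's state matches the session (CSRF check) and that the nonce claim in the ID Token returned at step 3 matches the one it sent (replay check). The endpoint, client_id, redirect_uri and scope come from the page; the in-memory session store and the function names (query_params, build_authorize_url, handle_callback, callback_is_valid, check_id_token_nonce, make_unsigned_id_token) are assumptions made for this example. Signature, issuer and audience verification of the ID Token belong to step 3 and are deliberately not shown.

```python
"""Added example: OIDC authorization request with state/nonce binding and
the matching callback checks. Not the page's own code."""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

IDP_AUTHORIZE = "https://idp.acme.example/authorize"  # from the page
CLIENT_ID = "acme-crm-app"                             # from the page
REDIRECT_URI = "https://crm.acme.example/callback"     # from the page
SCOPE = "openid email profile"                         # from the page

# Assumed server-side session store: session_id -> {"state": ..., "nonce": ...}.
# These values must never be readable by the browser; they are compared, not sent.
_sessions: dict[str, dict[str, str]] = {}


def query_params(url: str) -> dict[str, str]:
    """Flatten a URL's query string into single-valued parameters."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def build_authorize_url(session_id: str) -> str:
    """Step 1: mint fresh state and nonce, bind them to the session, return the URL."""
    state = secrets.token_urlsafe(16)   # fresh per request, ties the response to this session
    nonce = secrets.token_urlsafe(16)   # fresh per request, echoed back inside the ID Token
    _sessions[session_id] = {"state": state, "nonce": nonce}
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "scope": SCOPE,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
    }
    return f"{IDP_AUTHORIZE}?{urlencode(params)}"


def handle_callback(session_id: str, callback_url: str) -> str:
    """Validate the redirect back to /callback and return the authorization code.

    The state is single-use: it is removed from the session once consumed, so a
    replayed callback for the same session is rejected. The nonce stays until
    the ID Token arrives."""
    sess = _sessions.get(session_id)
    if sess is None or "state" not in sess:
        raise ValueError("no pending authorization for this session")
    q = query_params(callback_url)
    if "error" in q:
        raise ValueError(f"authorization error: {q['error']}")
    got_state = q.get("state", "")
    expected_state = sess.pop("state")
    if not secrets.compare_digest(got_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this session")
    code = q.get("code")
    if not code:
        raise ValueError("missing authorization code")
    return code


def callback_is_valid(session_id: str, callback_url: str) -> bool:
    """Boolean wrapper around handle_callback for callers that only need accept/reject."""
    try:
        handle_callback(session_id, callback_url)
        return True
    except ValueError:
        return False


def make_unsigned_id_token(claims: dict) -> str:
    """Constructed, unsigned JWT used only to exercise the nonce check offline.
    A real ID Token is signed by the IdP and must have its signature verified."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


def check_id_token_nonce(session_id: str, id_token: str) -> bool:
    """Step 3 follow-up: the nonce claim must equal the one sent at step 1.

    The stored nonce is consumed on first use, so presenting the same ID Token
    a second time (replay) returns False."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    expected = _sessions.get(session_id, {}).pop("nonce", None)
    if expected is None:
        return False
    got = str(claims.get("nonce", ""))
    return secrets.compare_digest(got.encode(), expected.encode())


if __name__ == "__main__":
    sid = "browser-session-1"
    url = build_authorize_url(sid)
    sent = query_params(url)
    # Constructed callback, as the IdP would redirect the browser to after login.
    cb = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={sent['state']}"
    print("code:", handle_callback(sid, cb))
    token = make_unsigned_id_token({"iss": "https://idp.acme.example", "sub": "alice", "nonce": sent["nonce"]})
    print("nonce ok:", check_id_token_nonce(sid, token), "replay ok:", check_id_token_nonce(sid, token))
```

The two comparisons use constant-time equality and both stored values are consumed on first use, which is what turns state and nonce from identifiers into one-shot binding tokens: a forged or replayed callback fails the state check, and a replayed ID Token fails the nonce check.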


Step 1: GET /authorize (OIDC)

Request / response
GET https://idp.acme.example/authorize?response_type=code&client_id=acme-crm-app&scope=openid%20email%20profile&redirect_uri=https%3A%2F%2Fcrm.acme.example%2Fcallback&state=xvz1evFS4wEEptTbUs9SDg&nonce=n-0S6_WzA2Mj
Host: idp.acme.example
User-Agent: Mozilla/5.0 (ACME-CRM/1.0)