I have been reading this spec for using JWT (JSON web tokens) with OAuth.
In 2.1 and 2.2, it says that JWTs can be used as Authorization Grants or Client Authentication.
From my understanding, authentication is to identify something (this user is who he claims to be) and authorization is to check if a user is allowed to do what he requested.
JWT as authorization grant makes sense, because the request is implicitly identified by being signed. Most APIs that support this method use JWT as an authorization grant. See Salesforce and Google.
This is where it gets confusing for me. Why is there a need for JWT Authentication as a separate thing? Under what situations/use cases will there be a need for JWT Authentication?
1. JWT as Authorization Grant
In this case the client obtained a JWT in some unspecified way that it can present to the Authorization Server on the token endpoint to obtain an access token (and optional refresh token) on behalf of the party who issued the JWT. This may be the end-user (or Resource Owner) himself but the JWT can also be signed by a trusted 3rd-party in general (other users or organizations). This can apply to public as well as confidential clients.
Note that this substitutes for the more regular Authorization Code Grant, where the code is tightly bound to the Authorization Server, with a more flexible mechanism where grants (JWTs) can potentially be issued by 3rd parties, which enables a federated system that works across administrative boundaries.
The JWT would be short-lived and for one-time use only.
2. JWT as Client Authentication
In this case the client presents a JWT on the token endpoint as part of a flow for an arbitrary grant type (possibly even the JWT Authorization Grant!) that requires interaction with the token endpoint; a typical example is the Authorization Code grant, where the client receives a code consented to by the Resource Owner that needs to be exchanged for an access token (and optional refresh token) at the token endpoint, and the client authenticates itself with the JWT.
This implies/defines/requires a confidential client and the JWT substitutes the more regular (and difficult to manage) client secret.
The JWT would be long-lived and used many times.
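To make the two uses in the answer above concrete, here is an added example (not part of the original question or answer, and not code from any real authorization server). It builds both kinds of token-endpoint request and a minimal server-side check for each: the grant assertion (`grant_type` of `urn:ietf:params:oauth:grant-type:jwt-bearer`) is short-lived and consumed once via its `jti`, while the client assertion (`client_assertion_type` of `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`) identifies a confidential client by `sub` = `client_id` and can be reused until it expires. Assumptions: the endpoint URL, key, client id and subject are constructed values, and signing uses HS256 with a shared key from the standard library only; real deployments typically use an asymmetric key so the server holds no secret that could mint assertions.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed sample values (assumption: the page names no real endpoint or key).
TOKEN_ENDPOINT = "https://as.example.com/token"
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
CLIENT_ID = "confidential-client-1"

JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
JWT_BEARER_CLIENT_ASSERTION = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS (HS256) over the given claims; shared key is a demo simplification."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def make_assertion(issuer: str, subject: str, lifetime: int, now: int) -> dict:
    """Claims common to both uses: audience is the token endpoint, jti allows replay detection."""
    return {"iss": issuer, "sub": subject, "aud": TOKEN_ENDPOINT,
            "iat": now, "exp": now + lifetime, "jti": str(uuid.uuid4())}


def grant_request(assertion_jwt: str) -> dict:
    # Section 2.1: the JWT *is* the grant, presented instead of an authorization code.
    return {"grant_type": JWT_BEARER_GRANT, "assertion": assertion_jwt}


def client_auth_request(code: str, client_assertion_jwt: str) -> dict:
    # Section 2.2: a normal code exchange, but the client proves who it is with a JWT
    # instead of a client secret.
    return {"grant_type": "authorization_code", "code": code,
            "client_assertion_type": JWT_BEARER_CLIENT_ASSERTION,
            "client_assertion": client_assertion_jwt}


class TokenEndpoint:
    """Toy authorization server: verifies assertions and hands out placeholder tokens."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_jti = set()  # replay cache for one-time grant assertions

    def verify(self, token: str, now: int, one_time: bool) -> dict:
        h, p, s = token.split(".")
        expected = hmac.new(self.key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise ValueError("bad signature")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            raise ValueError("unexpected alg")  # never let the token choose the algorithm
        claims = json.loads(_b64url_decode(p))
        if claims.get("aud") != TOKEN_ENDPOINT:
            raise ValueError("wrong audience")
        if claims.get("exp", 0) <= now:
            raise ValueError("expired")
        if one_time:  # grant assertions are consumed exactly once
            jti = claims.get("jti")
            if not jti or jti in self.seen_jti:
                raise ValueError("replayed assertion")
            self.seen_jti.add(jti)
        return claims

    def handle(self, params: dict, now: int) -> dict:
        if params.get("grant_type") == JWT_BEARER_GRANT:
            claims = self.verify(params["assertion"], now, one_time=True)
            return {"access_token": f"at-for-{claims['sub']}", "token_type": "Bearer"}
        if params.get("client_assertion_type") == JWT_BEARER_CLIENT_ASSERTION:
            claims = self.verify(params["client_assertion"], now, one_time=False)
            if claims["sub"] != CLIENT_ID or claims["iss"] != CLIENT_ID:
                raise ValueError("client assertion subject must be the client_id")
            return {"access_token": f"at-for-client-{claims['sub']}", "token_type": "Bearer"}
        raise ValueError("unsupported request")


def demo(now: int = 1_700_000_000) -> dict:
    """Run both flows against the toy endpoint and report what was accepted or rejected."""
    ep = TokenEndpoint(SHARED_KEY)
    grant = sign_jwt(make_assertion("https://idp.example.org", "alice@example.org", 300, now), SHARED_KEY)
    client = sign_jwt(make_assertion(CLIENT_ID, CLIENT_ID, 30 * 24 * 3600, now), SHARED_KEY)
    out = {"grant": ep.handle(grant_request(grant), now + 10)["access_token"]}
    try:
        ep.handle(grant_request(grant), now + 20)
        out["grant_replay_rejected"] = False
    except ValueError:
        out["grant_replay_rejected"] = True
    out["client_first"] = ep.handle(client_auth_request("code-1", client), now + 10)["access_token"]
    out["client_reused"] = ep.handle(client_auth_request("code-2", client), now + 3600)["access_token"]
    try:
        ep.handle(grant_request(grant), now + 301)
        out["expired_rejected"] = False
    except ValueError:
        out["expired_rejected"] = True
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the code makes is the one the answer makes in prose: the grant assertion speaks for a resource owner and is spent on first use, whereas the client assertion speaks for the client itself and replaces a long-lived secret, so the server accepts it again on a later code exchange.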