# OAuth2.0 Request Token based flow
source: https://developer.mastercard.com/cross-border-services/documentation/ref-app/oauth2-request-token-based-authentication-details/index.md

The OAuth2.0 Request Token based authentication mechanism uses the OAUTH2_REQUEST_TOKEN grant type.

OAUTH2_REQUEST_TOKEN is a grant type implemented specifically by Mastercard. It is an authentication and authorization method that allows a consumer application to consume the Cross-Border Services APIs, and it is a one-legged implementation: every API request must carry a JWT, signed according to the token specification below, in the 'Authorization' header.

### OAUTH2_REQUEST_TOKEN Specification Details: {#oauth2_request_token-specification-details}

The consumer key and the private certificate used for token generation (as shown below) are obtained during Project Creation, described in step 1 [here](https://developer.mastercard.com/cross-border-services/documentation/api-basics/getting-started-oauth2/index.md).

| Token Attributes |      Significance      |                      Possible Values                      |
|------------------|------------------------|-----------------------------------------------------------|
| x5t#S256         | Certificate thumbprint | Signature public key                                      |
| x5c              | Public cert            | X.509 certificate chain                                   |
| kid              | Consumer key of cert   | Consumer Key which we will get from Mastercard Developers |
| cty              | Content Type           | JWS                                                       |
| typ              | JOSE object type       | JWT                                                       |
| alg              | JWS Algorithm          | RS256 / ES256                                             |
| nbf              | Not before Date        | Auto populated                                            |
| exp              | Expiry date            | Auto populated                                            |
| iat              | Issued At date         | Auto populated                                            |
| jti              | Unique JWT id          | JWT generated id                                          |

* Sample_Token_Header

```json
{
  "x5t#S256": "NfXXddJ4PdzdCNKypGyzXcgTG-NJIV7_SEwV3guBHuE",
  "x5c": [
"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"
  ],
  "kid": "mPRYcc9UK8-8uYb4MtanKFGgugCizL7-clmJiKSE60d968e0!977b121bce1c4e14833e6939abdb766f0000000000000000",
  "cty": "JWS",
  "typ": "JWT",
  "alg": "RS256"
}
```

* Sample_Token_Payload

```json
{
  "nbf": 1645685,
  "exp": 1646585,
  "iat": 1645685,
  "jti": "849908ddec0e2bb254e560ff4c6cffb5"
}
```

* Sample_Generated_Token

```text
eyJ4NXQjUzI1NiI6Ik5mWFhkZEo0UGR6ZENOS3lwR3l6WGNnVEctTkpJVjdfU0V3VjNndUJIdUUiLCJ4NWMiOlsiTUlJREJUQ0NBZTJnQXdJQkFnSUJBVEFOQmdrcWhraUc5dzBCQVFzRkFEQkdNUll3RkFZRFZRUURFdzFOWVhOMFpYSkRZWEprUzJWNU1SY3dGUVlEVlFRTEV3NU5ZWE4wWlhKRFlYSmtJRUZRU1RFVE1CRUdBMVVFQ2hNS1RXRnpkR1Z5UTJGeVpEQWVGdzB5TWpBeE1EUXhNakkyTlRsYUZ3MHlNekF4TURReE1qSTJOVGxhTUVZeEZqQVVCZ05WQkFNVERVMWhjM1JsY2tOaGNtUkxaWGt4RnpBVkJnTlZCQXNURGsxaGMzUmxja05oY21RZ1FWQkpNUk13RVFZRFZRUUtFd3BOWVhOMFpYSkRZWEprTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFpcSsxbzJJQXU3UklmbmFQUWhoQTAwdlFtMVJub1I3WTdPenlxSUFJNm9LNlRWY2pKSUx4XC82NlhuQWNyMjVNYk81eldVZk52bmFacTMwajNUS1ZuNEJ2ZGNNUWNnWUNJRnQwRXNMWGQ1aWJtd2o2UXdLeFBSUWdGYUV0QmRLdnVGV1k3U2ErM3V3SVZxSlpER0hGTWhxVGppVkMrajc3M3JPN0dEWkVmVnEwdEJIbVJwcU5TQU1CVG9XVUpUWlpDMkxDTHdYRFJvbHh1ZTNnRk5HQStRZUEwOFlyanJnMytnVUs1TThia3k3MEVQMGZWMjRLU2xSQVwvTnBucVFZbWd1Umw0M0hiSlFBVkd5UXNrV1ZcL2tHRDlyRVZjUmg2R0JpXC96Y1lYckdEXC9Jek9uQ2o4dk9UZ0dsYjVlVjVORzd0SVI3TmgzR1VWQjluNVgrdkVVajkyd0lEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQTlSVDZGQ295d2JPeHJVa1daQXpqVGpMWFwvS0JXM3A0SXVWTzRvNFRoNlwvWUF2YTVhMWVJMnN3cDJzZUprTDNha3JtZ1RHb0hoaUlBdVpxdFhtb1FTWVUyWEM2dEJkSWFvUVM1aWFSd0U5ZjlIMExsTzlmNmlKNWk3SWthaVVTb1RsSFVpa2orUkdnOVlHenZ6cmxoTnVwRnFmK1M3eVRYZHZJbFNwM3NiUWJJVHFNVXNFXC8ydnJsd2FrcWVYamVBa3d1M0lmZVhMUzlhMGFrODd2c1VzYjA0MFJSOE80WWxKenRweDhFZGlTS0ZMXC8zUW90UHdqaW42V0hKTFkyRlpYZHVRUmFZOTNUd3hOWjdKRWtuVVF1YkNORzZ2bnlGcmtmUnp0d0pJUEV1RndkNzJZOFJORERyVHFEYWw4bXpKMGhmZ0NUZ3RwVUhWa2xUdlAzYWtWcCJdLCJraWQiOiJtUFJZY2M5VUs4LTh1WWI0TXRhbktGR2d1Z0Npekw3LWNsbUppS1NFNjBkOTY4ZTAhOTc3YjEyMWJjZTFjNGUxNDgzM2U2OTM5YWJkYjc2NmYwMDAwMDAwMDAwMDAwMDAwIiwiY3R5IjoiSldTIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJuYmYiOjE2NDU2ODUsImV4cCI6MTY0NjU4NSwiaWF0IjoxNjQ1Njg1LCJqdGkiOiI4NDk5MDhkZGVjMGUyYmIyNTRlNTYwZmY0YzZjZmZiNSJ9.LOFLvWr494tNChyK_ppcEZH_blkOUmWpcOIj7HqpOIpKJBTVoj8goGP0i68QyYEZ1-BD3X1PMAcmwxg_qRttjVt8kIBsINR7Z528IdqPqmJrMKPaupEHHMC89_Y2YdsQFS0YY9L5hamhuGtZt3pyX9DYscd1CwUvXEkFALrYtdaBCup7EB0hJSLHYb0q5WLr81RH-m6j-hsjegyJ2cWp-8y08G39QLKsbIg5JLz7v4UP2j4Ovmx-rGO88r0nLI_-3e1OklfFcMCTUyl_O-Dt-NLdi6Rt-LJ5vwVhGZn8Ua7f81z7Qalf2YUCuxKtvYTk8DdFN3S5Bs9atJmfIV0z4w
```

### Steps to Generate and Sign JWT Token: {#steps-to-generate-and-sign-jwt-token}

#### Step #1: Build a token header. {#step-1-build-a-token-header}

* Build_Token_Header_Snippet

```java
// imports
import com.nimbusds.jose.*;

// construct a JWT header; each positional argument maps onto a header attribute from the table above
// (tokenInput is the reference app's input object carrying the signing algorithm, e.g. RS256)
JWSHeader jwsHeader = new JWSHeader(tokenInput.getTokenSigningAlgorithm(), // alg
                JOSEObjectType.JWT,      // typ
                "JWS",                   // cty
                null,                    // crit
                null,                    // jku
                null,                    // jwk
                null,                    // x5u
                null,                    // x5t (SHA-1 thumbprint, not used)
                <public key ID>,         // x5t#S256: Base64URL SHA-256 thumbprint of the signing certificate
                <public key cert chain>, // x5c: List<Base64> of DER-encoded certificates
                "mPRYcc9UK8-8uYb4MtanKFGgugCizL7-clmJiKSE60d968e0!977b121bce1c4e14833e6939abdb766f0000000000000000", // kid: consumer key
                true,                    // b64: payload is base64url-encoded
                null,                    // custom parameters
                null);                   // parsed Base64URL (none, the header is built from scratch)
```

#### Step #2: Build a token payload. {#step-2-build-a-token-payload}

* Build_Token_Payload_Snippet

```java
// imports
import com.nimbusds.jose.Payload;
import com.nimbusds.jwt.JWTClaimsSet;

// build JWT claims: exp, nbf, iat and jti from the table above
// (MD5Generator is the reference app's helper for producing a unique token id)
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
                        .expirationTime(dateNotAfter)   // exp
                        .notBeforeTime(createdDate)     // nbf
                        .issueTime(createdDate)         // iat
                        .jwtID(new MD5Generator().generateValue()) // jti
                        .build();

// construct a JWT payload
Payload payload = new Payload(claimsSet.toJSONObject());
```

#### Step #3: Build JWSObject using token header and payload. {#step-3-build-jwsobject-using-token-header-and-payload}

* Build_JWSObject_Snippet

```java
// imports
import com.nimbusds.jose.*;

// construct a JWS object from the header and payload built in steps 1 and 2
JWSObject jwsObject = new JWSObject(jwsHeader, payload);
```

#### Step #4: Sign JWT object using the JKS that was obtained at time of project creation. See [here](https://developer.mastercard.com/cross-border-services/documentation/tutorials/guide-create-project/index.md) for Project Creation steps. {#step-4-sign-jwt-object-using-the-jks-that-was-obtained-at-time-of-project-creation-see-herehahahugoshortcodes7hbhb-for-project-creation-steps}

* Signing_JWT_Object_Snippet

```java
// sign the JWS object from step 3 to get a token
// (localTokenSignerService is the reference app's service that signs with the private key from the JKS)
String clientAssertionToken = localTokenSignerService.sign(jwsObject);
```

Note: Once you have successfully created a signed JWT token, pass the token in the authorization header of the Mastercard Cross-Border Services API request.

You may look at the [Reference Tutorial for Request Token based OAuth2.0](https://developer.mastercard.com/cross-border-services/documentation/ref-app/oauth2-reference-app-tutorial-request-token/index.md) or the [API Tutorial for the Request Token based OAuth2.0](https://developer.mastercard.com/cross-border-services/documentation/tutorials/oauth2-api-sdk-tutorial-request-token/index.md) if you need help connecting to the Mastercard Cross-Border Services APIs using a request token.

To keep this page easy to follow, only the snippets needed to generate and sign the JWT token are shown above.

A sample utility to create a signed authorization token can be found [here](https://github.com/Mastercard).

Additionally, for further details on processing JWT tokens, please refer to [JWT Tokens](http://xacmlinfo.org/2015/03/19/validate-and-process-jwt-tokens-with-java/).

Tip: Mastercard supports encrypted payloads for additional security. If you send an encrypted payload, you will need to decrypt the response payload that Mastercard returns. For more detailed information on payload encryption and decryption, please see [here](https://developer.mastercard.com/cross-border-services/documentation/api-ref/encryption/index.md). Please note: API error responses are not encrypted.
