

2.2.18.2.1 RDP Assertion

The RDP Assertion is embedded in the Authentication Request PDU (section 2.2.18.2) and effectively functions as a user credential.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     assertion (variable)                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

assertion (variable): The RDP Assertion is a JSON Web Token (JWT) ([RFC7519]) encoded in a JSON Web Signature (JWS) ([RFC7515]) structure using JWS Compact Serialization ([RFC7515] section 3.1). It has the following format: "<Base64URL encoded JOSE Header>.<Base64URL encoded JWS Payload>.<Base64URL encoded JWS Signature>".

The JOSE (JSON Object Signing and Encryption) Header ([RFC7515] section 4) MUST contain the "alg" and "kid" parameters. The "alg" parameter SHOULD be set to "RS256" ([RFC7518] section 3.3). The "kid" parameter can be any string.

The JWS Payload has the following format:

 {
     "ts":"<timestamp>",
     "at":"<access_token>",
     "u":"<resource_uri>",
     "nonce":"<server nonce>",
     "cnf":{"jwk":{<bk_pub_jwk>}},
     "client_claims":"{"aad_nonce":"<aad_nonce>"}"
 }

Where:

timestamp: The number of whole integer seconds from midnight, January 1, 1970 GMT.

access_token: An RDP Access Token (section 5.4.5.4.1)

resource_uri: The resource URI string used to acquire the RDP Access Token (section 5.4.5.4.1).

server_nonce: The nonce value obtained from the target device (section 5.4.5.4.1).

bk_pub_jwk: A JSON Web Key (JWK) [RFC7517] representation of the public part of the PoP key used to acquire the RDP Access Token (section 5.4.5.4.1).

aad_nonce: AAD Nonce value (section 5.4.5.4.1).

The JWS Signature SHOULD use the RSASSA-PKCS1-v1_5 algorithm ([RFC3447] section 8.2), with input being a SHA-256 hash of a string containing the combined Base64URL encoded JOSE Header and Base64URL encoded JWS Payload: "<Base64URL encoded JOSE Header>.<Base64URL encoded JWS Payload>". An example of creating such a signature is provided in [RFC7515] Appendix A.2.
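The following is an added, defender-side example (not part of the specification) showing how a receiver would parse the compact JWS described above, pin "alg" to RS256, require "kid", rebuild the SHA-256 signing input over "<header>.<payload>", and check the payload claims against the server nonce. The RSA verification itself is delegated to a caller-supplied verify_rs256(kid, digest, signature) callback, and the MAX_SKEW_SECONDS freshness window is an assumed local policy, not a value from the specification.

```python
import base64
import hashlib
import json
import time

REQUIRED_CLAIMS = ("ts", "at", "u", "nonce", "cnf")
MAX_SKEW_SECONDS = 300  # assumed local freshness policy, not defined by the spec

def b64url_decode(s: str) -> bytes:
    """Base64URL without padding, as used by JWS Compact Serialization."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def signing_input_digest(header_b64: str, payload_b64: str) -> bytes:
    """SHA-256 over "<header>.<payload>": the RS256 (RSASSA-PKCS1-v1_5) input."""
    return hashlib.sha256(f"{header_b64}.{payload_b64}".encode("ascii")).digest()

def check_rdp_assertion(token: str, expected_nonce: str, verify_rs256, now=None) -> dict:
    """Validate an RDP Assertion's structure and claims; returns the payload or
    raises ValueError. verify_rs256(kid, digest, signature) -> bool is supplied
    by the caller (RSA verification against the key identified by 'kid')."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not JWS Compact Serialization")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token's own "alg" must never select the verifier.
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    if not isinstance(header.get("kid"), str):
        raise ValueError("missing kid")
    digest = signing_input_digest(header_b64, payload_b64)
    if not verify_rs256(header["kid"], digest, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    missing = [c for c in REQUIRED_CLAIMS if c not in payload]
    if missing:
        raise ValueError(f"missing claims: {missing}")
    now = int(time.time()) if now is None else now
    if abs(now - int(payload["ts"])) > MAX_SKEW_SECONDS:
        raise ValueError("stale timestamp")
    if payload["nonce"] != expected_nonce:          # binds the assertion to this server
        raise ValueError("nonce mismatch")
    if "jwk" not in payload["cnf"]:                  # PoP key that bound the access token
        raise ValueError("missing cnf.jwk")
    return payload

def make_token(header: dict, payload: dict, signature: bytes) -> str:
    """Assemble compact JWS from precomputed parts (used to build constructed test input)."""
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(payload), b64url_encode(signature)])
```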