--- title: Creating an embedded assertion framework: authenticationservices role: article role_heading: Article path: authenticationservices/creating-an-embedded-assertion --- # Creating an embedded assertion Request an embedded assertion for login types that require a digital signature for authentication. ## Overview Overview During authentication, the system uses the embedded assertion when the login type requires a digital signature for authentication. The system uses this assertion for authentication with a secure enclave key, SmartCard, and encrypted password. The embedded assertion is a Javascript Object Signing and Encryption (JOSE) object that’s formatted per RFC 7523 and signed with the authenticator per RFC 7515. However, the assertion differs from RFC 7523 when using secure enclave key authentication, which is signed using the ES256 algorithm instead of the RS256 algorithm in the RFC. This algorithm difference is because secure enclave key supports ellyptic curve keys, not RSA keys. The following table specifies the header parameters that the system uses to create an embedded assertion: | | | | | | | | | | | | | | | | The following table specifies the body parameters that the system uses to create an embedded assertion: | | | | | | | | | | | | | | | | | | | | | | The following code provides an example of an embedded assertion request: { "typ" : "JWT", "alg" : "ES256", "kid" : "pmQkkBPmTgijIX00/SpKUjzvm3k2MZAZRiVR3iEv8l0=" }.{ "nonce" : "7DE40CF9-C885-4397-B48E-E95EDD22038A", "request_nonce" : "AwABAAAAAAADAOz_BADv_xtgu_SM1Mvoq02PYz_YfXxx5FAgcLHLNikH6gjrBWwcqnRW_haxqO9JCiPat5KfkTily04S8EH3AQwVsWCxHYQgAA", "iat" : "1655416300", "sub" : "foo", "scope" : "openid offline_access urn:apple:platformsso", "exp" : "1655416600", "aud" : "060798FF-814E-4C38-97F8-28C954B7E058", "iss" : "foo" }.[Signature] For more information, see Authentication process. ## See Also ### Login request - [Performing a WS-Trust login request](authenticationservices/performing-a-ws-trust-login-request.md) - [Creating an encrypted embedded assertion](authenticationservices/creating-an-encrypted-embedded-assertion.md) - [Creating and validating a login request](authenticationservices/creating-and-validating-a-login-request.md) - [Creating a refresh request](authenticationservices/creating-a-refresh-request.md) - [Supporting key requests and key exchange requests](authenticationservices/supporting-key-requests-and-key-exchange-requests.md)