This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] are the Claims carried in the [ID Token|Identity Token] that [OpenID Connect] returns in all of its [OAuth 2.0] flows (authorization code, implicit and hybrid).
%%information
The [OpenID Connect] [{$pagename}] build on the registered [JSON Web Token Claims] (iss, sub, aud, exp, iat, jti) and add Claims of their own (auth_time, nonce, acr, amr, azp). Several of them are __REQUIRED__ in every [ID Token|Identity Token]; the Relying Party [MUST] validate them before trusting the token.
%%
%%zebra-table
%%sortable
%%table-filter
||CLAIM||REQUIRED||Description
|[iss]|__REQUIRED__|Issuer Identifier for the Issuer of the response. The iss value is a case-sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components. The Relying Party [MUST] compare it with the Issuer Identifier it obtained through discovery or configuration, never with a value taken from the token itself.
|[sub]|__REQUIRED__|Subject Identifier. A locally unique and never re-assigned identifier within the Issuer for the End-User, which is intended to be consumed by the [OAuth Client], e.g., 24400320 or AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4. It [MUST NOT] exceed 255 [ASCII] characters in length. The sub value is a [case-sensitive] string. Because sub is only unique within one Issuer, an End-User [MUST] be identified by the pair (iss, sub), never by sub alone.
|[aud]|__REQUIRED__|Audience(s) that this ID Token is intended for. It [MUST] contain the [OAuth 2.0] [client_id] of the Relying Party as an audience value. It [MAY] also contain identifiers for other audiences. In the general case, the aud value is an array of case-sensitive strings. In the common special case when there is one audience, the aud value [MAY] be a single case-sensitive string. The Relying Party [MUST] reject an ID Token whose aud does not contain its own [client_id].
|[exp]|__REQUIRED__|[Expiration time|Expiration Date] on or after which the [{$pagename}] [MUST NOT] be accepted for processing. The processing of this parameter requires that the current date/time [MUST] be before the [Expiration Date]/time listed in the value. Implementers [MAY] provide for some small leeway, usually no more than a few minutes, to account for [clock skew]. Its value is a JSON number representing the number of seconds from [1970-01-01T0:0:0Z|Unix Time] as measured in UTC until the date/time. See [RFC 3339] for details regarding date/times in general and UTC in particular.
|[iat]|__REQUIRED__|Time at which the JWT was issued. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. A Relying Party [MAY] reject tokens whose iat is too far in the past or in the future (beyond its clock-skew allowance).
|[auth_time]| |Time when the End-User authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. When a max_age request is made or when auth_time is requested as an Essential Claim, then this Claim is __REQUIRED__; otherwise, its inclusion is OPTIONAL. When max_age was requested, the Relying Party [MUST] check that auth_time is recent enough and otherwise send the End-User back to re-authenticate. (The auth_time Claim semantically corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] auth_time response parameter.)
|[nonce]| |String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. If present in the ID Token, Clients [MUST] verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request. If present in the Authentication Request, Authorization Servers [MUST] include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. Authorization Servers SHOULD perform no other processing on nonce values used. The nonce value is a case-sensitive string; the Client should generate it from a cryptographically secure random source and use each value only once.
|[acr]| |[Authentication Context Class Reference]. String specifying the Authentication Context Class that the authentication performed satisfied. The value "0" indicates that the End-User authentication did not meet the requirements of ISO/IEC 29115 level 1 (for example, a long-lived browser cookie). Parties using this Claim need to agree on the meaning of the values used.
|[amr]| |[Authentication Method Reference]. JSON array of strings that identify the authentication methods used, for example password and OTP. Parties using this Claim need to agree on the meaning of the values used.
|[azp]| |Authorized party - the party to which the ID Token was issued. If present, it [MUST] contain the [OAuth 2.0] [client_id] of this party. This Claim is only needed when the [ID Token|Identity Token] has a single audience value and that audience is different than the authorized party. It [MAY] be included even when the authorized party is the same as the sole audience. The azp value is a __case-sensitive string__ containing a StringOrURI value. A Relying Party that receives an ID Token with several audiences SHOULD require azp to be present, and whenever azp is present SHOULD verify that it equals its own [client_id].
|[jti]| |JWT ID. A registered [JWT] Claim ([RFC 7519]) rather than one defined by [OpenID Connect] Core for the [ID Token|Identity Token], and OPTIONAL. It is a unique identifier for the [JWT], assigned so that the same value is not reused by the same issuer: if an issuer mints a [JWT] whose jti is id6098364921, no other [JWT] from that issuer should carry the jti value id6098364921. A recipient that records accepted jti values can treat a second [JWT] with a jti it has already accepted from the same issuer as a replay attack.
/%
/%
/%
[{$pagename}] [MAY] contain other [Claims]. Any Claims used that are not understood [MUST] __be ignored__. See Sections 3.1.3.6, 3.3.2.11, 5.1, and 7.4 of the [OpenID Connect] Core 1.0 specification for additional Claims it defines.
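The table above lists the rules a Relying Party has to apply to each Claim before it may trust an [ID Token|Identity Token]. The following validator is an added example written for this page, not code from any [OpenID Connect] library or from the specification; it takes an already decoded claim set (signature verification of the [JWT] is a separate, preceding step and is not shown) and applies the iss, sub, aud, azp, exp, iat, nonce and auth_time checks from the table. The issuer URL, the [client_id] s6BhdRkqt3, the nonce and the timestamps in SAMPLE_CLAIMS are constructed values for the example; the `leeway` parameter is the clock-skew allowance the table says implementers [MAY] provide.

```python
import hmac
import time

# Constructed sample ID Token payload (already decoded; signature verification is out of
# scope here). Issuer, client_id "s6BhdRkqt3", nonce and timestamps are made-up values.
SAMPLE_CLAIMS = {
    "iss": "https://issuer.example.com",
    "sub": "24400320",
    "aud": ["s6BhdRkqt3", "another-client"],
    "azp": "s6BhdRkqt3",
    "exp": 1700000600,
    "iat": 1700000000,
    "auth_time": 1699999900,
    "nonce": "n-0S6_WzA2Mj",
}

REQUIRED = ("iss", "sub", "aud", "exp", "iat")


class IDTokenError(ValueError):
    """Raised when the ID Token claim set must not be accepted."""


def _as_number(claims, name):
    """Time claims are JSON numbers (seconds since the Unix epoch); reject anything else."""
    value = claims.get(name)
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise IDTokenError(f"{name} must be a JSON number")
    return value


def validate_id_token_claims(claims, *, issuer, client_id, nonce=None,
                             max_age=None, now=None, leeway=60):
    """Apply the checks from the claim table to a decoded ID Token payload.

    issuer    the Issuer Identifier we expect (from discovery/config, never from the token)
    client_id our own OAuth 2.0 client_id
    nonce     the nonce we sent in the Authentication Request, if any
    max_age   the max_age we requested, if any (makes auth_time REQUIRED)
    leeway    clock-skew allowance in seconds
    Returns the claims on success and raises IDTokenError otherwise.
    """
    now = time.time() if now is None else now

    for name in REQUIRED:
        if name not in claims:
            raise IDTokenError(f"missing REQUIRED claim {name}")

    # iss: exact, case-sensitive comparison against the Issuer we configured.
    if claims["iss"] != issuer:
        raise IDTokenError("iss does not match the expected Issuer")

    # sub: non-empty case-sensitive string of at most 255 ASCII characters.
    sub = claims["sub"]
    if not isinstance(sub, str) or not sub or len(sub) > 255 or not sub.isascii():
        raise IDTokenError("sub is not a non-empty ASCII string of at most 255 characters")

    # aud: a single string or an array of strings; our client_id MUST be one of them.
    aud = claims["aud"]
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if not all(isinstance(a, str) for a in audiences) or client_id not in audiences:
        raise IDTokenError("aud does not contain our client_id")

    # azp: with several audiences the spec says the Client SHOULD require azp, and when azp
    # is present it SHOULD equal our client_id. This validator treats both as hard failures.
    if len(audiences) > 1 and "azp" not in claims:
        raise IDTokenError("multiple audiences but no azp claim")
    if "azp" in claims and claims["azp"] != client_id:
        raise IDTokenError("azp is not our client_id")

    # exp: the current time MUST be before exp, allowing a little skew.
    if now >= _as_number(claims, "exp") + leeway:
        raise IDTokenError("ID Token has expired")

    # iat: reject tokens apparently issued in the future beyond the skew allowance.
    if _as_number(claims, "iat") > now + leeway:
        raise IDTokenError("iat is in the future")

    # nonce: if we sent one, the token MUST carry exactly that value; a nonce we never sent
    # is also a mismatch. Constant-time compare, since the value is attacker-influenced.
    if nonce is not None or "nonce" in claims:
        got = claims.get("nonce")
        if nonce is None or not isinstance(got, str) or \
                not hmac.compare_digest(got.encode(), nonce.encode()):
            raise IDTokenError("nonce mismatch")

    # auth_time: REQUIRED when max_age was requested; an authentication older than max_age
    # means the RP has to send the End-User back for re-authentication.
    if max_age is not None:
        if "auth_time" not in claims:
            raise IDTokenError("max_age was requested but auth_time is missing")
        if now - _as_number(claims, "auth_time") > max_age + leeway:
            raise IDTokenError("authentication is older than max_age")

    return claims


def rejects(claims, **kwargs):
    """True if validate_id_token_claims refuses the claim set (handy for self-checks)."""
    try:
        validate_id_token_claims(claims, **kwargs)
    except IDTokenError:
        return True
    return False


if __name__ == "__main__":
    args = dict(issuer="https://issuer.example.com", client_id="s6BhdRkqt3",
                nonce="n-0S6_WzA2Mj", max_age=3600, now=1700000300)
    print("accepted sub:", validate_id_token_claims(SAMPLE_CLAIMS, **args)["sub"])
    print("expired token rejected:", rejects(SAMPLE_CLAIMS, **dict(args, now=1700000700)))
```

The validator never derives the expected issuer or audience from the token: both come from the Relying Party's own configuration, so a token minted by a different Issuer, or issued to a different Client, fails the iss and aud checks no matter how well-formed it is. The azp checks are written as SHOULD in the specification; rejecting is the safer default for a Client that never expects multi-audience tokens.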
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [OpenID Connect explained|http://connect2id.com/learn/openid-connect|target='_blank'] - based on information obtained 2015-12-03