Overview#

JSON Web Token Claims represents a JSON object whose members are the claims conveyed by the JSON Web Token.

The Claim Names within this object MUST be unique.

Note however, that the set of claims that a JWT must contain to be considered valid is context-dependent and is outside the scope of this specification. When used in a security-related context, implementations MUST understand and support all of the claims present; otherwise, the JSON Web Token MUST be rejected for processing.

There are three classes of JWT Claim Names:

Registered Claim Names are an IANA Registry defined in JSON Web Token (RFC 7519) available in the IANA Registry JSON Web Token Claims Registry or be defined as a URI that contains a collision resistant namespace.

JSON Web Token Claims#

Claim NameClaim DescriptionTypeChange ControllerReference
expExpiration TimeReserved Claim NameIESGRFC7519 Section 4.1.4
nbfNot BeforeReserved Claim NameIESGRFC7519 Section 4.1.5
iatIssued AtReserved Claim NameIESGRFC7519 Section 4.1.6
issIssuerReserved Claim NameIESGRFC7519 Section 4.1.1
audAudienceReserved Claim NameIESGRFC7519 Section 4.1.3
prnAudienceReserved Claim NameIESGWas in draft but Dropped in RFC (Same as sub)
jtiJWT IDReserved Claim NameIESGRFC7519 Section 4.1.7
subSubjectReserved Claim NameIESGRFC7519 Section 4.1.2
nameFull nameOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 5.1
given_nameGiven Name(s) or First Name(s)OpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 5.1
family_nameSurname(s) or Last Name(s)OpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 5.1
middle_nameMiddle Name(s)OpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 5.1
nicknameCasual NameOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 5.1
preferred_usernameShorthand Name by which the End-User wishes to be referred toOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 5.1
profileProfile page URLOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 5.1
pictureProfile picture URLOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 5.1
websiteWeb page or blog URLOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 5.1
emailPreferred e-mail addressOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 5.1
email_verifiedTrue if the e-mail address has been verified; otherwise falseOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 5.1
genderGenderOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 5.1
BirthdateBirthdayOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 5.1
zoneinfoTimezoneOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 5.1
localeLocaleOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 5.1
phone_numberPreferred telephone numberOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 5.1
phone_number_verifiedTrue if the Phone Number has been verified; otherwise falseOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 5.1
addressPreferred postal addressOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 5.1
updated_atTime the information was last updatedOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 5.1
azpAuthorized party - the party to which the id_token was issuedOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 2
nonceValue used to associate a Client session with an id_tokenOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 2
auth_timeTime when the authentication occurredOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 2
at_hashAccess Token hash valueOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 2
c_hashCode hash valueOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 3.3.2.11
acrAuthentication Context Class ReferenceOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 2
amrAuthentication Method ReferenceOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 2
sub_jwkPublic Key used to check the signature of an id_tokenOpenID Connect Standard ClaimsOpenID Artifact Binding Working GroupOpenID Connect Core 1.0 Section 7.4
cnfJWT Confirmation MethodsOpenID Connect Standard ClaimsIESGProof-of-Possession Key Semantics for JSON Web Tokens (JWTs) Section 3.1

OAuth 2.0 Token Exchange (Still an Internet Draft)#

  • "act" (Actor) Claim
  • "scp" (Scopes) Claim
  • "may_act" (May Act For) Claim

More Information#

There might be more information for this subject on one of the following:
This page (revision-3) was last changed on 29-Nov-2024 16:16 by -jimTop