2. ID Token
The primary extension that OpenID Connect makes to OAuth 2.0 in order to authenticate end users is the ID Token data structure. The ID Token is a security token that contains claims about the authentication of an end user by an authorization server when using a client, and potentially other requested claims. The ID Token is represented as a JSON Web Token (JWT).
The following claims are used within the ID Token for all OAuth 2.0 flows used by OpenID Connect:
iss
Required. Issuer Identifier for the issuer of the response. The iss value is a case-sensitive URL using the https scheme that contains scheme, host, and optionally port number and path components, and no query or fragment components.
sub
Required. Subject Identifier. A locally unique and never reassigned identifier within the issuer for the end user, intended to be consumed by the client, e.g. 24400320 or AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4. It must not exceed 255 ASCII characters in length. The sub value is a case-sensitive string.
aud
Required. Audience(s) that this ID Token is intended for. It must contain the OAuth 2.0 client_id of the relying party as an audience value. It may also contain identifiers for other audiences. In general, the aud value is an array of case-sensitive strings. In the common special case where there is exactly one audience, the aud value may be a single case-sensitive string.
exp
Required. Expiration time on or after which the ID Token must not be accepted for processing. Processing this parameter requires that the current date/time be before the expiration date/time listed in the value. Implementers may allow some small leeway, usually no more than a few minutes, to account for clock skew. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. See RFC 3339 [RFC3339] for details regarding date/times in general and UTC in particular.
iat
Required. Time at which the JWT was issued. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.
auth_time
Time when the end-user authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. When a max_age request is made, or when auth_time is requested as an essential claim, this claim is required; otherwise its inclusion is optional. (The auth_time claim semantically corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] auth_time response parameter.)
nonce
String value used to associate a client session with an ID Token and to mitigate replay attacks. The value is passed through unmodified from the authentication request to the ID Token. If present in the ID Token, the client must verify that the nonce claim value is equal to the value of the nonce parameter it sent in the authentication request. If present in the authentication request, the authorization server must include a nonce claim in the ID Token whose value is the nonce sent in the authentication request. Authorization servers should perform no other processing on the nonce values used. The nonce value is a case-sensitive string.
acr
Optional. Authentication Context Class Reference. A string specifying an Authentication Context Class Reference value that identifies the authentication context class which the authentication performed satisfied. The value "0" indicates that the end-user authentication did not meet the requirements of ISO/IEC 29115 [ISO29115] level 1. Authentication using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate. Authentications with level 0 should not be used to authorize access to any resource of any monetary value. (This corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] nist_auth_level 0.) An absolute URI or an RFC 6711 [RFC6711] registered name should be used as the acr value; registered names must not be used with a meaning different from the one registered. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The acr value is a case-sensitive string.
amr
Optional. Authentication Methods References. A JSON array of strings that are identifiers for the authentication methods used in the authentication. For instance, the values might indicate that both password and OTP authentication methods were used. The definition of particular values to be used in the amr claim is beyond the scope of this specification. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The amr value is an array of case-sensitive strings.
azp
Optional. Authorized party: the party to which the ID Token was issued. If present, it must contain the OAuth 2.0 Client ID of this party. This claim is only needed when the ID Token has a single audience value and that audience differs from the authorized party. It may be included even when the authorized party is the same as the sole audience. The azp value is a case-sensitive string containing a StringOrURI value.
ID Tokens may contain other claims. Any claims that are not understood must be ignored. See Sections 3.1.3.6, 3.3.2.11, 5.1 and 7.4 for additional claims defined by this specification.
ID Tokens must be signed using JWS, and optionally both signed and then encrypted using JWS and JWE respectively, thereby providing authentication, integrity, non-repudiation and, optionally, confidentiality, per Section 16.14. If the ID Token is encrypted, it must be signed and then encrypted, the result being a Nested JWT as defined in [JWT]. ID Tokens must not use none as the alg value unless the response type used returns no ID Token from the authorization endpoint (as in the Authorization Code Flow) and the client explicitly requested the use of none at registration time.
ID Tokens should not use the JWS or JWE x5u, x5c, jku or jwk header parameter fields. Instead, references to the keys used are communicated in advance using Discovery and Registration parameters, per Section 10.
The following is a non-normative example of the set of claims (the JWT Claims Set) in an ID Token:
{
 "iss": "https://server.example.com",
 "sub": "24400320",
 "aud": "s6BhdRkqt3",
 "nonce": "n-0S6_WzA2Mj",
 "exp": 1311281970,
 "iat": 1311280970,
 "auth_time": 1311280969,
 "acr": "urn:mace:incommon:iap:silver"
}
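The following is an added example, not part of the specification text, showing how a relying party would apply the rules above to an ID Token carrying the claims set just shown. It assumes a hypothetical setup chosen for illustration: the token is a compact JWS signed with HS256 using the client secret (the symmetric-key option the specification allows), the client_id is s6BhdRkqt3, and the clock is fixed at a constructed instant inside the token's validity window. The azp and multiple-audience checks follow the client validation rules of Section 3.1.3.7; the sample claims, secret and timestamps are constructed for the example.

```python
"""Added example (not spec text): minimal ID Token validation per Section 2.
Assumptions: HS256 signature with the client secret; CLIENT_ID, CLIENT_SECRET,
ISSUER and SAMPLE_CLAIMS are constructed values for the example."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple, Union
from urllib.parse import urlsplit

CLIENT_ID = "s6BhdRkqt3"                  # constructed: the RP's client_id
CLIENT_SECRET = b"example-client-secret"  # constructed: HS256 key (hypothetical)
ISSUER = "https://server.example.com"     # as learned from Discovery
MAX_SUB_LEN = 255
CLOCK_SKEW = 300                          # seconds of leeway for exp/iat
FORBIDDEN_HEADERS = ("x5u", "x5c", "jku", "jwk")  # Section 2: SHOULD NOT appear

# The claims set from the specification's example; reused as constructed test input.
SAMPLE_CLAIMS = {
    "iss": ISSUER, "sub": "24400320", "aud": CLIENT_ID, "nonce": "n-0S6_WzA2Mj",
    "exp": 1311281970, "iat": 1311280970, "auth_time": 1311280969,
    "acr": "urn:mace:incommon:iap:silver",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def sign_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS as test input. alg='none' yields an unsigned token."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_id_token(token: str, client_id: str, key: bytes,
                      expected_nonce: Optional[str] = None, now: Optional[int] = None) -> dict:
    """Verify the signature and the Section 2 claim rules; return claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h_seg, c_seg, s_seg = parts
    header = json.loads(_b64url_decode(h_seg))
    # alg "none" is never acceptable here (ID Token returned from the Authorization Endpoint).
    if header.get("alg") != "HS256":
        raise ValueError("unsupported or forbidden alg %r" % header.get("alg"))
    if any(p in header for p in FORBIDDEN_HEADERS):
        raise ValueError("ID Token must not carry embedded keys (x5u/x5c/jku/jwk)")
    expected = hmac.new(key, (h_seg + "." + c_seg).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_seg)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_seg))
    for name in ("iss", "sub", "aud", "exp", "iat"):
        if name not in claims:
            raise ValueError("missing required claim " + name)
    # iss: https URL without query or fragment, compared case-sensitively to the known issuer.
    u = urlsplit(claims["iss"])
    if u.scheme != "https" or not u.netloc or u.query or u.fragment or claims["iss"] != ISSUER:
        raise ValueError("bad iss")
    sub = claims["sub"]
    if not isinstance(sub, str) or len(sub) > MAX_SUB_LEN or not sub.isascii():
        raise ValueError("bad sub")
    # aud: a string in the single-audience case, otherwise an array; must contain our client_id.
    aud = claims["aud"]
    auds = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in auds:
        raise ValueError("client_id not in aud")
    # azp (Section 3.1.3.7): if present it must be our client_id; expected with multiple audiences.
    azp = claims.get("azp")
    if azp is not None and azp != client_id:
        raise ValueError("azp does not match client_id")
    if len(auds) > 1 and azp is None:
        raise ValueError("multiple audiences but no azp")
    if now >= claims["exp"] + CLOCK_SKEW:
        raise ValueError("ID Token expired")
    if claims["iat"] > now + CLOCK_SKEW:
        raise ValueError("iat is in the future")
    # nonce: echoed unmodified from the Authentication Request; must equal what we sent.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims

def check_id_token(token: str, client_id: str, key: bytes, expected_nonce: Optional[str] = None,
                   now: Optional[int] = None) -> Tuple[bool, Union[dict, str]]:
    """Non-raising wrapper: (True, claims) on success, (False, reason) on failure."""
    try:
        return True, validate_id_token(token, client_id, key, expected_nonce, now)
    except ValueError as exc:
        return False, str(exc)

if __name__ == "__main__":
    now = 1311281000  # constructed instant inside the sample token's validity window
    print(check_id_token(sign_id_token(SAMPLE_CLAIMS, CLIENT_SECRET), CLIENT_ID, CLIENT_SECRET, "n-0S6_WzA2Mj", now))
    print(check_id_token(sign_id_token(SAMPLE_CLAIMS, CLIENT_SECRET, alg="none"), CLIENT_ID, CLIENT_SECRET, None, now))
    print(check_id_token(sign_id_token(SAMPLE_CLAIMS, CLIENT_SECRET), CLIENT_ID, CLIENT_SECRET, "other", now))
```

The order of checks matters: the header and signature are verified before any claim is read, so an attacker-controlled claims segment is never trusted to drive processing, and the alg check is an allow-list rather than a test for none. A production client would verify an asymmetric signature with the issuer's key obtained via Discovery rather than HS256, but the claim rules are the same.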
OpenID Connect Core 1.0 (ii) ID Token