...
| Claim | Description | Example |
|---|---|---|
| jti | JWT ID. A unique identifier for the token, which can be used to prevent reuse of the token. See jti claim. | "jti": "44fc62b6-890a-4a0e-8754-6455d8968294" |
| exp | Expiration time on or after which the Access Token MUST NOT be accepted for processing. Epoc time format. | "exp": 1525438143 |
| nbf | Identifies the time before which the JWT must not be accepted for processing. | "nbf": 0 |
| iat | Time at which the JWT was issued. Epoc time format. | "iat": 1525437843 |
| iss | The Buypass ID Provider instance. The issuer of the token. | "iss": "https://auth.buypass.no/auth/realms/SECURITYDOMAIN" |
| sub | The subject identifier. A locally unique and never reassigned identifier within the Issuer for the end-user. Intended to be consumed by the client as a possible end-user reference. NOTE: Even if the identifier is "never reassigned" it may still change for the same user! A user may be reassigned a new sub, but a used sub will never be assigned to a new user. Hence, do not use this as a user reference over time! | "sub": "7a9cb1cf-c495-4db1-a25e-d24d84accc6d" |
| typ | Implementation specific claim denoting the token type. Not to be used by clients! | "typ": "Bearer" |
| azp | Authorized party - the party to which the Access Token was issued. If present, will contain the client_id of the party. | "azp": "oidc-client" |
| nonce | Case sensitive string value used to associate a client session with an Access Token, and to mitigate replay attacks. The value is passed through unmodified from the authentication request to the Access Token. | "nonce": "681913a288be" |
| auth_time | Time when the client authentication occurred. | "auth_time": 0 |
| session_state | Implementation specific claim for use with session handling. Not to be used by clients! | "session_state": "904cbda8-1e2f-4e90-a7e6-1606aa7c622b" |
| acr | String specifying an Authentication Context Class Reference value that identifies the Authentication Context Class that the authentication performed satisfied. This can for example be values based on some definition of Level of Assurance (LoA). | "acr": "4" |
| scope | List of scopes approved by the OpenID Provider for this Access Token. Note that the list of scopes might be different from what the client initially requested. Some scopes may not be approved by the OpenID Provider, and some additional scopes may have been added as being configured as default scopes for the client. | "scope": "openid profile bpid email" |
...
| Claim | Description | Example |
|---|---|---|
| jti | JWT ID. A unique identifier for the token, which can be used to prevent reuse of the token. See jti claim. | "jti": "44fc62b6-890a-4a0e-8754-6455d8968294" |
| exp | Expiration time on or after which the Access Token MUST NOT be accepted for processing. Epoc time format. | "exp": 1525438143 |
| nbf | Identifies the time before which the JWT must not be accepted for processing. | "nbf": 0 |
| iat | Time at which the JWT was issued. Epoc time format. | "iat": 1525437843 |
| iss | The Buypass ID Provider instance. The issuer of the token. | "iss": "https://auth.buypass.no/auth/realms/SECURITYDOMAIN" |
| sub | The subject identifier. A locally unique and never reassigned identifier within the Issuer for the client. Intended to be consumed by a service as a possible client reference. NOTE: Even if the identifier is "never reassigned" it may still change for the same client! A client may be reassigned a new sub, but a used sub will never be assigned to a new client. Hence, do not use this as a client reference over time! | "sub": "3bdc7a83-eb38-4610-8263-216526fde553" |
| typ | Implementation specific claim denoting the token type. Not to be used by clients! | "typ": "Bearer" |
| azp | Authorized party - the party to which the Access Token was issued. If present, will contain the client_id of the party. | "azp": "oidc-client" |
| auth_time | Time when the client authentication occurred. | "auth_time": 0 |
| session_state | Implementation specific claim for use with session handling. Not to be used by clients! | "session_state": "42197ec8-af93-426e-a858-511c5a01c9d7" |
| acr | String specifying an Authentication Context Class Reference value that identifies the Authentication Context Class that the authentication performed satisfied. This can for example be values based on some definition of Level of Assurance (LoA). | "acr": "1" |
| scope | List of scopes approved by the OpenID Provider for this Access Token. Note that the list of scopes might be different from what the client initially requested. Some scopes may not be approved by the OpenID Provider and some additional scopes may have been added as being configured as default scopes for the client. | "scope": "profile email service-api" |
...