Learn Script Javascript JWT - aliconnect/aliconnect.sdk GitHub Wiki

JSON Web Token JWT

header names

typ: Token type: if present, it must be set to a registered IANA Media Type. JWT
cty: Content type: If nested signing or encryption is employed, it is recommended to set this to JWT; otherwise, omit this field.[1]
alg: Message authentication code algorithm: sha256 The issuer can freely set an algorithm to verify the signature on the token. However, some supported algorithms are insecure.
kid: Key ID: A hint indicating which key the client used to generate the token signature. The server will match this value to a key on file in order to verify that the signature is valid and the token is authentic.
x5c: x5c: x.509 Certificate Chain A certificate chain in RFC4945 format corresponding to the private key used to generate the token signature. The server will use this information to verify that the signature is valid and the token is authentic.
x5u: x5u: x.509 Certificate Chain URL A URL where the server can retrieve a certificate chain corresponding to the private key used to generate the token signature. The server will retrieve and use this information to verify that the signature is authentic.
x5t: MS key
nonce: MS key, example EqU3jznellWKK9TUg3coNPhV6C5uMtt9x5ZtA_Aa7IQ

id_token / access_token names

iss: REQUIRED. Issuer Identifies principal that issued the JWT / Identifier for the Issuer of the response. The iss value is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components. example: https://aliconnect.nl or https://login.microsoftonline.com/09786696-f227-...-45783f6c660b/v2.0
sub: REQUIRED. Subject Identifier. A locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client, e.g., 24400320 or AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4. It MUST NOT exceed 255 ASCII characters in length. The sub value is a case sensitive string.
aud: REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string.
azp: OPTIONAL. Authorized party the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience. The azp value is a case sensitive string containing a StringOrURI value.
exp: REQUIRED. Expiration Time Expiration time on or after which the ID Token MUST NOT be accepted for processing. The processing of this parameter requires that the current date/time MUST be before the expiration date/time listed in the value. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. See RFC 3339 [RFC3339] for details regarding date/times in general and UTC in particular.
nbf: Not Before: Identifies the time on which the JWT will start to be accepted for processing. The value must be a NumericDate.
iat: REQUIRED. Issued at Time at which the JWT was issued. Identifies the time at which the JWT was issued. The value must be a NumericDate. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.
auth_time: Authentication time Time when the End-User authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. When a max_age request is made or when auth_time is requested as an Essential Claim, then this Claim is REQUIRED; otherwise, its inclusion is OPTIONAL. (The auth_time Claim semantically corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] auth_time response parameter.)
nonce: String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request. If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. Authorization Servers SHOULD perform no other processing on nonce values used. The nonce value is a case sensitive string.
jti: JWT ID: Case-sensitive unique identifier of the token even among different issuers.
acr: OPTIONAL. Authentication Context Class Reference. String specifying an Authentication Context Class Reference value that identifies the Authentication Context Class that the authentication performed satisfied. The value "0" indicates the End-User authentication did not meet the requirements of ISO/IEC 29115 [ISO29115] level 1. Authentication using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate. Authentications with level 0 SHOULD NOT be used to authorize access to any resource of any monetary value. (This corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] nist_auth_level 0.) An absolute URI or an RFC 6711 [RFC6711] registered name SHOULD be used as the acr value; registered names MUST NOT be used with a different meaning than that which is registered. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The acr value is a case sensitive string.
amr: OPTIONAL. Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication. For instance, values might indicate that both password and OTP authentication methods were used. The definition of particular values to be used in the amr Claim is beyond the scope of this specification. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The amr value is an array of case sensitive strings.

id_token / access_token, profile names, Microsoft token

email: Preferred e-mail address
name: Full name
preferred_username: Shorthand name by which the End-User wishes to be referred to

access_token, Microsoft specific

oid
tid: tenant_id Example: 09786696-f227-4199-91a0-45783f6c660b
uti: Example: qYeubJShE06f0kzxQrwIAA
aio: Example: ATQAy/8TAAAAAdkai07...vkDnFhrCrD2lgtoGByr2SFlyT4OEs0XLBfi1xO7oq8ZWjD7JKARWn+
rh: Example: 0.AV4AlmZ4CSfymUGR...4P2xmCxEmYiQRI5FHlHxcHRsIbWxeABI.
scp: Scope i.p.v. scope
ver: Example: 2.0

access_token, Aliconnect specific

'client_id'=> $client_user['client_id'],
'cid'=> $client_user['clientId'],

id_token

"acr"=> "1",
amr: Authentication Methods References, MS, voorbeeld ["pwd"]
sid: Session ID, MS, 25e116a0-da34-402f-8410-ffd24c86d61c
"sub"=> "3mFXau5VikjByNwgDcAaWfRkKS9brJ-CsBVsaK7x3kQ",

id_token, Microsoft specific

bekend onbekend

"acct"=> 0,
"aio"=> "ATQAy/8TAAAA2P761kYc3y9N/0ugLhZ7mNzHCv242RUNe5hAlJNHg+sVkOd5q94SJALSueXvnCoY",
"appidacr"=> "1",
"enfpolids"=> [],
"puid"=> "1003000088216491",
"rh"=> "0.AV4AlmZ4CSfymUGRoEV4P2xmCwIAAAAAAPEPzgAAAAAAAABeABI.",
"signin_state"=> ["kmsi"],
"tid"=> tenant_id "09786696-f227-4199-91a0-45783f6c660b",
"upn"=> "[email protected]",
"uti"=> "qYeubJShE06f0kzxQrwIAA",
"ver"=> "1.0",
"wids"=> ["62e90394-69f5-4237-9190-012177145e10","b79fbf4d-3ef9-4689-8143-76b194e85509"]

Optional properties based on scope

name: Full name
given_name: Given name(s) or first name(s)
family_name: Surname(s) or last name(s)
middle_name: Middle name(s)
nickname: Casual name
preferred_username: Shorthand name by which the End-User wishes to be referred to
email: Preferred e-mail address
email_verified: True if the e-mail address has been verified; otherwise false
gender: Gender
birthdate: Birthday
zoneinfo: Time zone
locale: Locale
phone_number: Preferred telephone number
phone_number_verified: True if the phone number has been verified; otherwise false
address: Preferred postal address
updated_at: Time the information was last updated
profile: Profile page URL
picture: Profile picture URL
website: Web page or blog URL

access_token OAuth2 authorization aliconnect.nl

azp: Authorized party, host or domain
aud: Audience, host or domain or system
client_id: Client Identifier; id of the client item. application
scope: Scope Values: f.e. website:read
scp: Array of strings, Scope Values
sid: Session ID
iat: Issued At; time()
exp: Expiration Time; time()+3600, 1 hour for access to the API

code OAuth2 authorization aliconnect.nl

To retrieve an access_token a code will be exchanged. This code consists of:

iss: Issuer, https://aliconnect.nl
sub: Subject, id of user or device item, user or device
azp: Authorized party, host or domain
aud: Audience, host or domain or system
client_id: Client Identifier; id of the client item. application
scope: Scope Values: f.e. website:read
sid: Session ID
iat: Issued At; time()
exp: Expiration Time; time()+60, only 60 seconds during authentication flow. This code is only send to a predifined redirect_uri. Does not contain any secret verifications. It is a base64 encoded json string.

Other JWT Claims

jti: JWT ID
nbf: Not Before
sub_jwk: Public key used to check the signature of an ID Token
at_hash: Access Token hash value
c_hash: Code hash value
acr: Authentication Context Class Reference
amr: Authentication Methods References
cnf: Confirmation
sip_from_tag: SIP From tag header field parameter value
sip_date: SIP Date header field value
sip_callid: SIP Call-Id header field value
sip_cseq_num: SIP CSeq numeric header field parameter value
sip_via_branch: SIP Via branch header field parameter value
orig: Originating Identity String
dest: Destination Identity String
mky: Media Key Fingerprint String
events: Security Events
toe: Time of Event
txn: Transaction Identifier
rph: Resource Priority Header Authorization
sid: Session ID
vot: Vector of Trust value
vtm: Vector of Trust trustmark URL
attest: Attestation level as defined in SHAKEN framework
origid: Originating Identifier as defined in SHAKEN framework
act: Actor
may_act: Authorized Actor - the party that is authorized to become the actor
jcard: jCard data

JWT Confirmation Methods

jwk: JSON Web Key Representing Public Key
jwe: Encrypted JSON Web Key
kid: Key Identifier
jku: JWK Set URL
x5t#S256 X.509: Certificate SHA-256 Thumbprint

access_token names

id_token names

at_hash: Access Token hash value
c_hash: Code hash value
acr: Authentication Context Class Reference
sub_jwk: Public key used to check the signature of an ID Token
cnf: Confirmation
orig: Originating Identity String
dest: Destination Identity String
mky: Media Key Fingerprint String
events: Security Events
toe: Time of Event
txn: Transaction Identifier
rph: Resource Priority Header Authorization
sid: Session ID
vot: Vector of Trust value
vtm: Vector of Trust trustmark URL
attest: Attestation level as defined in SHAKEN framework
origid: Originating Identifier as defined in SHAKEN framework
act: Actor
scope: Scope Values
client_id: Client Identifier
may_act: Authorized Actor - the party that is authorized to become the actor
jcard: jCard data
at_use_nbr: Number of API requests for which the access token can be used
div: Diverted Target of a Call
opt: Original PASSporT (in Full Form)
vc: Verifiable Credential as specified in the W3C Recommendation
vp: Verifiable Presentation as specified in the W3C Recommendation
sph: SIP Priority header field
ace_profile: The ACE profile a token is supposed to be used with.
cnonce: "client-nonce" A nonce previously provided to the AS by the RS via the client. Used to verify token freshness when the RS cannot synchronize its clock with the AS.
exi: "Expires in". Lifetime of the token in seconds from the time the RS first sees it. Used to implement a weaker from of token expiration for devices that cannot synchronize their internal clocks.
roles: Roles
groups: Groups
entitlements: Entitlements
token_introspection: Token introspection response
sig_val_claims: Signature Validation Token

SIP

sip_from_tag: SIP From tag header field parameter value
sip_date: SIP Date header field value
sip_callid: SIP Call-Id header field value
sip_cseq_num: SIP CSeq numeric header field parameter value
sip_via_branch: SIP Via branch header field parameter value

CDI

cdniv: CDNI Claim Set Version
cdnicrit: CDNI Critical Claims Set
cdniip: CDNI IP Address
cdniuc: CDNI URI Container
cdniets: CDNI Expiration Time Setting for Signed Token Renewal
cdnistt: CDNI Signed Token Transport Method for Signed Token Renewal
cdnistd: CDNI Signed Token Depth

Expires

ueid: The Universal Entity ID (TEMPORARY - registered 2022-03-23, expires 2023-03-23)
sueids: Semi-permanent UEIDs (TEMPORARY - registered 2022-03-23, expires 2023-03-23)
oemid: Hardware OEM ID (TEMPORARY - registered 2022-03-23, expires 2023-03-23)
hwmodel: Model identifier for hardware (TEMPORARY - registered 2022-03-23, expires 2023-03-23)
hwversion: Hardware Version Identifier (TEMPORARY - registered 2022-03-23, expires 2023-03-23)
secboot: Indicate whether the boot was secure (TEMPORARY - registered 2022-03-23, expires 2023-03-23)
dbgstat: Indicate status of debug facilities (TEMPORARY - registered 2022-03-23, expires 2023-03-23)
location: The geographic location (TEMPORARY - registered 2022-03-23, expires 2023-03-23)
eat_profile: Indicates the EAT profile followed (TEMPORARY - registered 2022-03-23, expires 2023-03-23)
submods: The section containing submodules (TEMPORARY - registered 2022-03-23, expires 2023-03-23)

Example aliconnect.nl

{
  "iss": "https://aliconnect.nl",
  "sub": 123412341,
  "azp": 999999999,
  "client_id": 23452345234,
  "iat": 234523452345,
  "exp": 234523452345,
  "scope": "website:read",
}

Example

{
  "iss": "https://server.example.com",
  "aud": "https://client.example.org",
  "exp": 1361398824,
  "cnf": {
    "jwk": {
      "kid": 3452345234523,
      "kty": "EC",
      "use": "sig",
      "crv": "P-256",
      "x": "18wHLeIgW9wVN6VD1Txgpqy2LszYkMf6J8njVAibvhM",
      "y": "-V4dS4UaLMgP_4fY4j8ir7cl1TXlFdAgcx55o7TkcSA"
    }
  }
}

More information

JWT specification