Page created: 30 Sep 2020 | Page updated: 30 Sep 2020
The second component is the payload, which contains claims relating to the authentication and identification of the user. The payload of the above example decodes as follows:
Component | Value | Value Decoded |
---|---|---|
JWT Payload | eyJzdWIiOiJqb2UiLCJhdWQiOiJpbV9vaWNfY2xpZW50IiwianRpIjoidWY5MFNLNHdzY0ZoY3RVVDZEdHZiMiIsImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTAzMSIsImlhdCI6MTM5NDA2MDg1MywiZXhwIjoxMzk0MDYxMTUzLCJub25jZSI6ImU5NTdmZmJhLTlhNzgtNGVhOS04ZWNhLWFlOGM0ZWY5Yzg1NiIsImF0X2hhc2giOiJ3Zmd2bUU5VnhqQXVkc2w5bGM2VHFBIn0 | { "sub":"joe", "aud":"im_oic_client", "jti":"uf90SK4wscFhctUT6Dtvb2", "iss":"https:\/\/localhost:9031", "iat":1394060853, "exp":1394061153, "nonce":"e957ffba-9a78-4ea9-8eca-ae8c4ef9c856", "at_hash":"wfgvmE9VxjAudsl9lc6TqA" } |
You can expect the following claims in an id_token and can use them to determine whether the user's authentication was sufficient to grant them access to the application (refer to the OpenID Connect specifications for additional details on these attributes):
Claim | Description |
---|---|
iss | Issuer of the id_token |
sub | Subject of the id_token (i.e. the end-user's username) |
aud | Audience for the id_token (must match the client_id of the application) |
exp | Time the id_token is set to expire (UTC, Unix Epoch time) |
iat | Timestamp when the id_token was issued (UTC, Unix Epoch time) |
auth_time | Time the end-user authenticated (UTC, Unix Epoch time) |
nonce | Nonce value supplied during the authentication request (REQUIRED for implicit flow) |
acr | Authentication context reference used to authenticate the user |
at_hash | Hash of the OAuth2 access token when used with Implicit profile |
c_hash | Hash of the OAuth2 authorization code when used with the hybrid profile |
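
The claim checks in the table above, applied to the example payload, as an added example that is not part of the original page. The function names, the choice of SHA-256 for `at_hash` (which assumes an id_token signed with a SHA-256 algorithm such as RS256) and the timestamps passed as `now` are assumptions; signature verification is assumed to have already succeeded.

```python
import base64
import hashlib
import json

# Payload segment copied from the table above.
PAYLOAD_B64 = (
    "eyJzdWIiOiJqb2UiLCJhdWQiOiJpbV9vaWNfY2xpZW50IiwianRpIjoidWY5MFNLNHdzY0"
    "ZoY3RVVDZEdHZiMiIsImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTAzMSIsImlhdCI6"
    "MTM5NDA2MDg1MywiZXhwIjoxMzk0MDYxMTUzLCJub25jZSI6ImU5NTdmZmJhLTlhNzgtNG"
    "VhOS04ZWNhLWFlOGM0ZWY5Yzg1NiIsImF0X2hhc2giOiJ3Zmd2bUU5VnhqQXVkc2w5bGM2"
    "VHFBIn0"
)

def decode_segment(segment: str) -> dict:
    """Base64url-decode one JWT segment (padding restored) and parse the JSON."""
    segment = "".join(segment.split())  # tolerate wrapped input
    raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    return json.loads(raw)

def at_hash(access_token: str) -> str:
    """Left half of SHA-256(access_token), base64url without padding.
    Assumption: the id_token uses a SHA-256 algorithm such as RS256."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode()

def claim_failures(claims, *, issuer, client_id, nonce, now, access_token=None):
    """Return the names of claims that fail validation (empty list = accept).
    Call only after the id_token signature has been verified."""
    failed = []
    if claims.get("iss") != issuer:
        failed.append("iss")
    aud = claims.get("aud")  # may be a single string or a list of audiences
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        failed.append("aud")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or now >= exp:
        failed.append("exp")  # missing, malformed or expired
    if not isinstance(iat, int) or iat > now:
        failed.append("iat")  # missing, malformed or issued in the future
    if not nonce or claims.get("nonce") != nonce:
        failed.append("nonce")  # must equal the value sent in the request
    if access_token is not None and claims.get("at_hash") != at_hash(access_token):
        failed.append("at_hash")  # access token is not the one bound to this id_token
    return failed

if __name__ == "__main__":
    print(json.dumps(decode_segment(PAYLOAD_B64), indent=2))
```

Pass the current Unix time as `now` and the nonce stored in the user's session as `nonce`; supply `access_token` whenever the token endpoint or implicit response returned one alongside the id_token.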