- typ - JWT
- kid (Key ID) - unique identifier of the X.509 certificate whose public key verifies the JWT signature.
- alg - RS256
- iss (issuer) - issuer URI http(s)://server:port/baseurl/{organization-id}/{project-id}, string.
- aud (audience) - ProjectId or project audience, string array.
- sub (subject) - UserId or ClientId, string.
- exp (Expiration Time) = iat + session duration, datetime+timezone, string
- nbf (Not Before) = iat, datetime+timezone, string
- iat (Issued At) = current datetime+timezone, string
- jti (JWT ID) - unique id, random UUID string.
- typ - token type: Bearer | Refresh
- scope - permissions granted to the subject, string array of permissionId(s).
- iss (issuer) - issuer URI http(s)://server:port/baseurl/{organization-id}/{project-id}, string.
- aud (audience) - ClientId, string.
- sub (subject) - Combination of 'OrganizationId/ProjectId/[UserId|ClientId]', string.
- exp (Expiration Time) = iat + session duration, datetime+timezone, string
- iat (Issued At) - current datetime+timezone, string
- auth_time - timestamp of the client's authentication.
- nonce (Nonce) - optional nonce value supplied by the client in the authentication request and echoed back in the token, so the client can tie the token to its own request.
Issued tokens are always signed with the issuer's private key. A verifier must use the kid from the JWT header to fetch the matching X.509 certificate over the back channel and verify the signature with that certificate's public key. The alg in the header must be checked against the expected RS256 rather than trusted as received, and the claims (iss, aud, exp, nbf, typ) are only meaningful once the signature has been verified.
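The issue/verify cycle for the access token described above, written in Go with only the standard library. This is an added example, not code from this page or from iam-service: the issuer signs with RS256 under a kid, and the verifier resolves that kid to an X.509 certificate (a constructed in-memory map stands in for the back-channel fetch), pins alg to RS256 before touching any key, verifies the signature, and only then checks iss, aud, exp/nbf and typ. Assumptions: exp, nbf and iat are carried as RFC 7519 NumericDate values (Unix seconds) rather than the datetime strings listed above; the issuer URI, kid, subject and audience values are hypothetical; the self-signed certificate is a throwaway fixture.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"slices"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims mirrors the access/refresh token payload listed above.
type Claims struct {
	Iss   string   `json:"iss"`
	Aud   []string `json:"aud"`
	Sub   string   `json:"sub"`
	Exp   int64    `json:"exp"` // exp/nbf/iat assumed here to be RFC 7519 NumericDate (Unix seconds)
	Nbf   int64    `json:"nbf"`
	Iat   int64    `json:"iat"`
	Jti   string   `json:"jti"`
	Typ   string   `json:"typ"` // Bearer or Refresh
	Scope []string `json:"scope"`
}

// Sign emits header.payload.signature using RS256 (RSASSA-PKCS1-v1_5 over SHA-256) under the given kid.
func Sign(kid string, priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"typ": "JWT", "kid": kid, "alg": "RS256"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// Verify resolves kid in certs (a stand-in for the back-channel certificate fetch), pins alg to RS256,
// checks the signature with the certificate's RSA public key, and only then evaluates the claims.
func Verify(token string, certs map[string]*x509.Certificate, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
	}
	var h struct{ Kid, Alg string } // encoding/json matches "kid"/"alg" case-insensitively
	// The verifier fixes the algorithm; the token never gets to choose it (blocks alg=none and key confusion).
	if err := json.Unmarshal(raw[0], &h); err != nil || h.Alg != "RS256" {
		return nil, fmt.Errorf("header rejected: alg=%q err=%v", h.Alg, err)
	}
	cert, ok := certs[h.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", h.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]) != nil {
		return nil, fmt.Errorf("invalid signature")
	}
	var c Claims // claims are read only after the signature holds
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss || !slices.Contains(c.Aud, wantAud) {
		return nil, fmt.Errorf("issuer or audience mismatch")
	}
	if t := now.Unix(); t >= c.Exp || t < c.Nbf {
		return nil, fmt.Errorf("token outside its validity window")
	}
	if c.Typ != "Bearer" { // a Refresh token must not pass as a bearer credential
		return nil, fmt.Errorf("not a Bearer token")
	}
	return &c, nil
}

func main() {
	const iss = "https://server:8443/iam/org-1/proj-1" // hypothetical issuer URI in the page's layout
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)     // fixture: throwaway issuer key, errors ignored
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	cert, _ := x509.ParseCertificate(der) // what the back channel would hand out for kid-1
	now := time.Now()
	tok, _ := Sign("kid-1", priv, Claims{Iss: iss, Aud: []string{"proj-1"}, Sub: "user-1", Typ: "Bearer",
		Iat: now.Unix(), Nbf: now.Unix(), Exp: now.Add(time.Hour).Unix(), Jti: "j-1", Scope: []string{"read"}})
	_, err := Verify(tok, map[string]*x509.Certificate{"kid-1": cert}, iss, "proj-1", now)
	fmt.Println("verified:", err == nil, err)
}
```

The ordering in Verify is the point: alg is compared against the verifier's own expectation before the kid is even looked up, the kid is resolved against certificates the verifier trusts rather than anything the token carries, and no claim is read until the signature has been checked, since an unverified payload is attacker-controlled input. The typ check keeps a Refresh token from being replayed as a bearer credential, and aud is matched against the project the resource belongs to, so a token minted for another project in the same issuer is refused.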
- Override JWT generation - How to override JWT generation in iam-service.
- Override JWT validation - How to override JWT validation in iam-service.
- Standard Claims - Data model mapping of RFC 7519 registered JWT claim names:
- Data model mapping of OpenID Connect standard claims:
- Scope - OAuth scopes.