...
- The Authorization Server MUST utilize the method in Section 3.1 of OpenID Connect Core to return an assertion to the Client.
- The Authorization Server MUST provide a JWT id_token that provides the following claims to the Client about the individual granting authorization (the Resource Owner):
  - Issuer Name: “iss” The domain of the Authorization Server, such that when paired with the user identifier it creates a globally unique identifier.
    - The issuer name SHOULD be an https: scheme URI and MUST be under the control of the Authorization Server.
  - User Identifier: “sub” A persistent identifier for the Resource Owner granting authorization to the Client to access the authentication information endpoint.
    - The User Identifier MUST be a unique, opaque, and non-reassignable identifier for the user.
  - Audience Restriction: “aud” Specifies the Client for whom the identity information is intended.
    - The Audience Restriction MUST be the client_id of the Client requesting the authentication.
  - Issuance Time Stamp: “iat” The time at which the Authorization Server issued the identity assertion.
  - Nonce: “nonce” A unique value tying the identity assertion to a browser session.
- The Authorization Server SHOULD include the following claims in the Identity Assertion:
  - Expiration Time Stamp: The time after which the identity assertion is no longer valid.
  - Authentication Context: The Authentication Context Class Reference for the authentication event.
    - If the Client requested an Authentication Context during the registration process, or requested it via the Authorization Request, the Authorization Server MUST include it in the response.
  - Authentication Time: A timestamp indicating when End-User authentication last occurred.
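As an added example (not part of this profile text), a Python client-side check of the claims listed above: `make_id_token` is a constructed stand-in for the Authorization Server that signs with HS256 so the example runs offline (a real Authorization Server signs with keys published in its JWKS), and the SHOULD claims are checked under their OpenID Connect Core names `exp`, `acr` and `auth_time`. Uniqueness and non-reassignability of `sub` cannot be judged from a single token and are not checked here.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlparse

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(claims: dict, key: bytes) -> str:
    """Constructed stand-in for the Authorization Server: HS256-sign the claims as a JWS."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def decode_id_token(token: str, key: bytes) -> dict:
    """Client side: verify the JWS signature before trusting any claim; pin the expected alg."""
    head, body, sig = token.split(".")
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(body))

def validate_claims(claims: dict, client_id: str, session_nonce: str,
                    acr_requested: bool = False, now: float = None, skew: int = 60) -> list:
    """Return the profile rules the id_token violates; an empty list means accept."""
    now = time.time() if now is None else now
    iss, aud, iat = claims.get("iss"), claims.get("aud"), claims.get("iat")
    iss_ok, iat_ok = isinstance(iss, str) and iss != "", isinstance(iat, (int, float))
    checks = [
        (not iss_ok, "MUST: iss missing"),
        (iss_ok and urlparse(iss).scheme != "https", "SHOULD: iss is not an https: URI"),
        (not claims.get("sub"), "MUST: sub missing or empty"),
        (not (aud == client_id or (isinstance(aud, list) and client_id in aud)), "MUST: aud is not our client_id"),
        (not iat_ok, "MUST: iat missing"),
        (iat_ok and iat > now + skew, "MUST: iat is in the future"),
        (claims.get("nonce") != session_nonce, "MUST: nonce does not match the browser session"),
        ("exp" not in claims, "SHOULD: exp missing"),
        ("exp" in claims and claims["exp"] < now - skew, "exp: assertion no longer valid"),
        (acr_requested and "acr" not in claims, "MUST: acr requested but not returned"),
        ("auth_time" not in claims, "SHOULD: auth_time missing"),
    ]
    return [msg for bad, msg in checks if bad]
```

Call `decode_id_token` first and feed its result to `validate_claims` together with the `client_id` and the nonce stored in the browser session; a non-empty list means the assertion must be rejected.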
...