...

  1. The Authorization Server MUST utilize the method in Sec 3.1 of OpenID Connect Core to return an assertion to the Client.
  2. The Authorization Server MUST provide a JWT id_token which provides the following claims to the Client about the individual granting authorization (Resource Owner).
    1. Issuer Name:  “iss” The domain of the Authorization Server such that, when paired with the user identifier, it creates a globally unique identifier.
      1. The issuer name SHOULD be an https: scheme URI and MUST be under the control of the Authorization Server.
    2. User Identifier:  “sub” A persistent identifier for the Resource Owner granting authorization to the Client to access the authentication information endpoint. 
      1. The User Identifier MUST be a unique, opaque and not re-assignable identifier for the user. 
    3. Audience Restriction:  “aud” specifies the Client for whom the identity information is intended. 
      1. The Audience Restriction MUST be the client_id of the Client requesting the authentication.
    4. Issuance Time Stamp : “iat” The time that the Authorization Server issued the identity assertion.
    5. Expiration Time Stamp: "exp" The time after which the JWT must not be accepted for processing.
    6. Nonce:  “nonce” A value tying the identity assertion to a browser session.  This MUST be present if the client provided a nonce value in the request. 
  3. The Authorization Server SHOULD include the following claims in the Identity Assertion:
    1. Expiration Time Stamp: The time after which the identity assertion is no longer valid.
    2. Authentication Context: The Authentication Context Class reference for the authentication event.
      1. If the Client requested an Authn Context during the registration process, or requested it via the Authorization request, the Authorization Server MUST include it in the response.
    3. Authentication Time: A timestamp indicating when End-User authentication last occurred.
    4. JWT ID: "jti" A unique identifier for the id_token. 


  1. The Identity Token MUST be digitally signed.
    1. The Identity Token MAY be digitally signed using a FIPS-140 approved algorithm (e.g. RSA or ECDSA) using a trusted key. The Identity Token MAY be digitally signed using an HMAC with the Client Secret.  (I don't think that any large IdP is going to be doing symmetric signing, so this is probably not worth including)


  2. The Identity Token MAY be encrypted for the Client.

  3. Clients MUST verify the integrity and authenticity of the Identity Token per Section 3.1.3.7 of OpenID Connect Core.
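The following is an added example, not part of the profile text above, showing how a Client might validate an id_token against the claim requirements listed earlier (iss, sub, aud, iat, exp, nonce) and the integrity check required here. It uses standard-library HMAC (the "HMAC with the Client Secret" option mentioned above) only so that it runs self-contained; the secret, client_id, issuer and claim values are constructed for the demonstration, and the checks mirror the profile's rules, not any particular library's API.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact JWS (HS256) over `claims`; stands in for the Authorization Server."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_id_token(token: str, secret: bytes, client_id: str,
                    expected_nonce=None, now=None, leeway=60) -> dict:
    """Client-side validation: signature first, then the claims the profile requires.
    Returns the claims on success, raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed id_token: expected header.payload.signature")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the Client expects; never let the token's own header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in JOSE header")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(signature_b64)):
        raise ValueError("signature verification failed")

    claims = json.loads(_b64url_decode(payload_b64))
    for name in ("iss", "sub", "aud", "iat", "exp"):
        if name not in claims:
            raise ValueError(f"required claim missing: {name}")
    # iss SHOULD be an https: URI under the Authorization Server's control.
    if not isinstance(claims["iss"], str) or not claims["iss"].startswith("https://"):
        raise ValueError("iss is not an https: URI")
    # sub is an opaque, persistent identifier; only its presence can be checked here.
    if not isinstance(claims["sub"], str) or not claims["sub"]:
        raise ValueError("sub must be a non-empty string")
    # aud MUST identify this Client by its client_id (a string or a JSON array).
    audiences = [claims["aud"]] if isinstance(claims["aud"], str) else list(claims["aud"])
    if client_id not in audiences:
        raise ValueError("aud does not include this client_id")
    # exp: reject after expiry; iat: reject tokens issued in the future (with clock leeway).
    now = time.time() if now is None else now
    if now > claims["exp"] + leeway:
        raise ValueError("id_token has expired")
    if claims["iat"] > now + leeway:
        raise ValueError("iat is in the future")
    # nonce MUST be present and match when the Client sent one in the request.
    if expected_nonce is not None:
        if "nonce" not in claims:
            raise ValueError("nonce missing although one was sent in the request")
        if not hmac.compare_digest(str(claims["nonce"]), expected_nonce):
            raise ValueError("nonce mismatch")
    return claims


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    secret = b"constructed-client-secret"
    now = int(time.time())
    sample = {"iss": "https://idp.example", "sub": "a1b2c3", "aud": "client-42",
              "iat": now - 10, "exp": now + 300, "nonce": "n-0001", "jti": "tok-1"}
    token = sign_hs256(sample, secret)
    print(verify_id_token(token, secret, "client-42", expected_nonce="n-0001")["sub"])
```

The order matters: the signature is checked before any claim is read, so an attacker who can only alter the payload never reaches the claim logic, and the algorithm is pinned rather than taken from the header.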

...