...
- The Authorization Server MUST provide a JWT id_token which provides the following claims to the Client about the individual granting authorization (Resource Owner).
- Issuer Name: “iss” The domain of the Authorization Server such that when paired with the user identifier creates a globally unique identifier.
- The issuer name SHOULD be an https: scheme URI and MUST be under the control of the Authorization Server.
- User Identifier: “sub” A persistent identifier for the Resource Owner granting authorization to the Client to access the authentication information endpoint.
...
- The User Identifier MUST be a unique, opaque and not re-assignable identifier for the user.
...
- Audience Restriction: “aud” specifies the Client for whom the identity information is intended.
...
- The Audience Restriction MUST be the client_id of the Client requesting the authentication.
...
- Issuance Time Stamp: “iat” The time that the Authorization Server issued the identity assertion.
...
- Nonce: “nonce” A unique value tying the identity assertion to a browser session.
...
- The Authorization Server SHOULD include the following claims in the Identity Assertion:
...
- Expiration Time Stamp: The time after which the identity assertion is no longer valid.
...
- Authentication Context: The Authentication Context Class reference for the authentication event.
...
- If the Client requested an Authentication Context during the registration process, the Authorization Server MUST include it in the response.
...
- Authentication Time: A timestamp indicating when the user logged into the
...
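The claim rules above, written out as the checks a Client performs on a received id_token. This is an added example, not text or code from the profile; it assumes (which the profile does not state) that the token is HS256-signed with the client_secret, one of the OpenID Connect Core signing options, so it runs offline with the standard library. A production Client would normally see RS256 with keys from the issuer's JWKS and let a JOSE library do the signature step. The issuer, client_id, secret, nonce and acr value are constructed for the example.

```python
# Added example: Client-side checks for the id_token claims required above.
# Not part of the profile. Assumes HS256 with the client_secret (an OpenID
# Connect Core option) so it runs offline; all identifiers are constructed.
import base64
import hashlib
import hmac
import json

CLOCK_SKEW = 60  # seconds of clock drift tolerated between AS and Client

ISSUER = "https://idp.example.gov"       # hypothetical Authorization Server
CLIENT_ID = "s6BhdRkqt3"                 # hypothetical client_id
CLIENT_SECRET = b"constructed-secret-for-the-example-only"
SESSION_NONCE = "n-0S6_WzA2Mj"           # hypothetical, fresh per login
NOW = 1_700_000_000                      # fixed clock for a deterministic run


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes) -> str:
    # Stand-in for the Authorization Server: sign the claims as a compact JWS.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_signature_and_decode(token: str, key: bytes) -> dict:
    # Verify the JWS before trusting any claim. The alg is pinned to what the
    # Client expects; honouring "alg" from the header (including "none") is
    # the classic JWT mistake.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("id_token signature does not verify")
    return json.loads(_b64url_decode(payload_b64))


def check_id_token_claims(claims: dict, *, issuer: str, client_id: str,
                          session_nonce: str, acr_required: bool, now: int) -> list:
    # Returns the names of claims that violate the profile; empty means accept.
    problems = []
    iss = claims.get("iss")  # MUST: https URI, and the AS this Client expects
    if not (isinstance(iss, str) and iss.startswith("https://") and iss == issuer):
        problems.append("iss")
    sub = claims.get("sub")  # MUST: non-empty opaque identifier
    if not (isinstance(sub, str) and sub):
        problems.append("sub")
    aud = claims.get("aud")  # MUST: our client_id (JWT allows string or list)
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud")
    iat = claims.get("iat")  # MUST: present and not in the future
    if not (isinstance(iat, int) and iat <= now + CLOCK_SKEW):
        problems.append("iat")
    nonce = claims.get("nonce")  # MUST: bound to this browser session
    if not (isinstance(nonce, str)
            and hmac.compare_digest(nonce.encode(), session_nonce.encode())):
        problems.append("nonce")
    exp = claims.get("exp")  # SHOULD: if present, the token must not have expired
    if exp is not None and not (isinstance(exp, int) and now < exp + CLOCK_SKEW):
        problems.append("exp")
    if acr_required and not isinstance(claims.get("acr"), str):  # MUST if registered
        problems.append("acr")
    auth_time = claims.get("auth_time")  # SHOULD: if present, not in the future
    if auth_time is not None and not (isinstance(auth_time, int)
                                      and auth_time <= now + CLOCK_SKEW):
        problems.append("auth_time")
    return problems


def validate_id_token(token: str) -> list:
    claims = verify_signature_and_decode(token, CLIENT_SECRET)
    return check_id_token_claims(claims, issuer=ISSUER, client_id=CLIENT_ID,
                                 session_nonce=SESSION_NONCE, acr_required=True, now=NOW)


def signature_accepted(token: str) -> bool:
    try:
        verify_signature_and_decode(token, CLIENT_SECRET)
        return True
    except ValueError:
        return False


# Constructed samples: a conforming token, one minted for another client with a
# replayed nonce, and a conforming one whose payload was altered in transit.
GOOD_CLAIMS = {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID, "iat": NOW - 5,
               "exp": NOW + 600, "nonce": SESSION_NONCE, "acr": "urn:example:acr:mfa",
               "auth_time": NOW - 30}
GOOD_TOKEN = mint_id_token(GOOD_CLAIMS, CLIENT_SECRET)
WRONG_AUDIENCE_TOKEN = mint_id_token(dict(GOOD_CLAIMS, aud="other-client", nonce="stale"),
                                     CLIENT_SECRET)
_h, _p, _s = GOOD_TOKEN.split(".")
TAMPERED_TOKEN = ".".join(
    [_h, _b64url_encode(json.dumps(dict(GOOD_CLAIMS, sub="admin")).encode()), _s])

if __name__ == "__main__":
    print("good:", validate_id_token(GOOD_TOKEN))                     # []
    print("wrong audience:", validate_id_token(WRONG_AUDIENCE_TOKEN))  # ['aud', 'nonce']
    print("tampered accepted:", signature_accepted(TAMPERED_TOKEN))    # False
```

The order matters: the signature is verified before any claim is read, the accepted algorithm is fixed by the Client rather than taken from the token header, and the nonce comparison is constant-time. The aud check accepts a list because the JWT `aud` claim may be an array, but the profile's requirement that it equal the Client's client_id still has to hold for this Client.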
- Obtaining an Identity Assertion
The Authorization Server MUST use one of the methods in Section 3.1 of OpenID Connect to return an assertion to the Client.
4 Tokens
1. The Authorization Server MUST return an Identity Token. There are two ways to do this….
...
4. refresh_token MUST NOT be used in an authentication transaction.
5 Directed Identity
1. End users MUST select an ICAM-approved Authorization Server from a list provided by the Client (e.g., a set of clickable icons or a dropdown menu). This use case is commonly referred to as "directed identity".
6 Error Response
The Authorization Server MUST respond with an HTTP 400 (Bad Request) response on an authentication or authorization error and include an error code as defined in Section 5.2 (Error Response) of the OAuth 2.0 specification [RFC 6749].
7 Security
1. The Authentication Information Endpoint MAY be part of an existing API.
...