Page Comparison

...

1. The Authorization Server MUST provide a JWT id_token which provides the following claims to the Client about the individual granting authorization (Resource Owner).
   1. Issuer Name:  “iss” The domain of the Authorization Server such that when paired with the user identifier creates a globally unique identifier. 
      1.  The The issuer name SHOULD be an https: scheme URI and MUST be under the control of the Authorization Server.
   2. User Identifier:  “sub” A persistent identifier for the Resource Owner granting authorization to the Client to access the authentication information endpoint. 

   ...

   1. 1. 1. The User Identifier MUST be a unique, opaque and not re-assignable identifier for the user. 

   ...

   1. 1. Audience Restriction:  “aud” specifies the Client for whom the identity information is intended. 

      ...

      1. 1. 1. The Audience Restriction MUST be the client_id of the Client requesting the authentication.

                                                  

      ...

      1. 1. Issuance Time Stamp : “iat” The time that the Authorization Server issued the identity assertion.

      ...

      1. 1. Nonce:  “nonce” A unique value tying the identity assertion to a browser session.

      ...

      1. The Authorization Server SHOULD include the following claims in the Identity Assertion:

         ...

         1. 1. Expiration Time Stamp: The time after which the identity assertion is no longer valid.

         ...

         1. 1. Authentication Context: The Authentication Context Class reference for the authentication event.

            ...

            1. 1. 1. If the Client request Authn Context during the registration process the Authz server MUST include it in the response.

            ...

            1. 1. Authentication Time: A timestamp indicating when the user logged into the

             

            ...

            1. Obtaining and Identity Assertion

            The Authorization Server MUST utilize one of the method Sec 3.1 of OpenID Connect return an assertion to the Client.

             

             

            5  4  Tokens

            1.     The Authorization Server MUST return an Identity Token.  There are two ways to do this….

            ...

            4.     refresh_token MUST NOT be used in an authentication transaction.

             

            6        5        Directed Identity

            1.     End users MUST select an ICAM-approved Authorization Server from a list provided by the Client (e.g., set of clickable icons, dropdown menu selection). This use case is commonly referred to as "directed identity".

             

            7  6  Error Response

            The Authorization Server must respond with an HTTP 400 (Bad Request) response on authentication or authorization error and include a status as defined in the original OAuth spec section 5.2. Error Response

            8  7  Security

            1.     The Authentication Information Endpoint may be part of an existing API.

            ...