LogicNets Token Format
The LogicNets ID token is a JWT token that is compliant with the OpenID Connect specification. The LogicNets access token is also a JWT token. However, a client handles the access token as an opaque string, since the content and semantics of this token can vary across LogicNets releases. Clients can use the access token as a bearer token for authentication.
The signatures of both the access token and the ID token can be verified using standard JWT signature verification methods.
ID Token Claims
The following table lists all the claims in a LogicNets ID token. It also indicates whether the claim is a standard OpenID Connect claim or a custom claim.
| Claim | Custom | Description |
|---|---|---|
| aud | No | This is the audience(s) for which this ID token is intended. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case-sensitive strings. In the common special case, when there is one audience, the aud value MAY be a single, case-sensitive string. |
| auth_time | No | This is the time when the end-user authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z, as measured in UTC, until the date/time. |
| client_id | No | This claim contains the client ID received during the authorize request. |
| company | Yes | This is the end user's company name. |
| email | No | This is the end user's preferred email address. |
| exp | No | This is the expiration time on or after which the ID token MUST NOT be accepted for processing. The processing of this parameter requires that the current date/time MUST be before the expiration date/time listed in the value. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z, as measured in UTC, until the date/time. See RFC 3339 [RFC3339] for details regarding date/times in general and UTC in particular. |
| family_name | No | This is the surname(s) or last name(s) of the end user. In some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters. |
| first_name | Yes | Deprecated. Use given_name instead. |
| given_name | No | This is the given name(s) or first name(s) of the end user. In some cultures, people can have multiple given names; all can be present, with the names being separated by space characters. |
| group_str | Yes | This is a space-delimited list of the groups of which the end user is a member. |
| groups | Yes | This is an array with one element per group of which the end user is a member. Each element contains at least a name and can contain an ID and a pwd_policy (password policy) field, when available. |
| iat | No | This is the time at which the JWT was issued. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z, as measured in UTC, until the date/time. |
| iss | No | This is the issuer identifier, which is the base URI of the LogicNets OpenID Provider. |
| last_name | Yes | Deprecated. Use family_name instead. |
| locale | No | This is the end user's locale. |
| middle_name | No | This is the middle name(s) of the end user. In some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that middle names are not used in some cultures. |
| name | No | This is the end user's full name in a displayable form, including all name parts. It can include titles and suffixes, ordered according to the end user's locale and preferences. |
| nonce | No | This is a string value used to associate a client session with an ID token and to mitigate replay attacks. The value is passed through unmodified from the authentication request to the ID token. If present in the ID token, clients MUST verify that the nonce claim value is equal to the value of the nonce parameter sent in the authentication request. |
| phone_number | No | This is the end user's preferred telephone number. |
| preferred_username | No | This is the shorthand name by which the end user wishes to be referred to at the RP. |
| purpose | Yes | This indicates the token type: 'access_token' or 'id_token'. |
| roles | Yes | This contains all roles assigned to the end user, based on the categories listed in the scope. The roles claim is an array with one element per role. Each element contains at least a name and can contain an active flag and a role GUID, when available. |
| sub | No | This is the subject identifier, which is a locally unique and never-reassigned identifier for the end user within the issuer. |
| tid | Yes | This is an internal claim used by LogicNets to map the authentication session to this token. It should be ignored. |
| upn | Yes | Deprecated. Use sub instead. |
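The following is an added example, not LogicNets code, showing how a Relying Party would apply the MUST rules from the table above (iss, aud, exp with leeway, nonce, purpose) to an already signature-verified payload, and how to read the custom groups claims. The issuer URL, client ID, nonce and all claim values are constructed sample data.

```python
# Constructed sample payload (not a real LogicNets token). Shape follows the
# claims table; the JWT signature is assumed to have been verified already
# against the provider's keys before these checks run.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com",   # placeholder issuer URI
    "sub": "user-0001",
    "aud": ["my-client", "other-client"],
    "client_id": "my-client",
    "purpose": "id_token",
    "nonce": "n-0S6_WzA2Mj",
    "iat": 1_700_000_000,
    "auth_time": 1_699_999_990,
    "exp": 1_700_000_300,
    "given_name": "Ada",
    "first_name": "Ada",                # deprecated duplicate of given_name
    "groups": [{"name": "clinicians", "id": "g1"}, {"name": "admins"}],
    "roles": [{"name": "editor", "active": True}],
}

def validate_id_token_claims(claims, *, client_id, issuer, nonce, now, leeway=120):
    """Return the list of failed checks; an empty list means the claims are acceptable."""
    errors = []
    if claims.get("iss") != issuer:
        errors.append("iss mismatch")
    # aud MAY be a single string or an array; normalise before checking membership.
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud_list:
        errors.append("aud does not contain client_id")
    # purpose distinguishes ID tokens from access tokens; never accept the latter here.
    if claims.get("purpose") != "id_token":
        errors.append("purpose is not id_token")
    # Current time MUST be before exp; allow a small, bounded clock-skew leeway.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp + leeway:
        errors.append("token expired")
    iat = claims.get("iat")
    if isinstance(iat, (int, float)) and iat > now + leeway:
        errors.append("iat in the future")
    # If a nonce was sent in the authentication request it MUST match exactly.
    if nonce is not None and claims.get("nonce") != nonce:
        errors.append("nonce mismatch")
    return errors

def group_names(claims):
    """Prefer the structured groups array; fall back to the space-delimited group_str."""
    if "groups" in claims:
        return [g["name"] for g in claims["groups"]]
    return claims.get("group_str", "").split()
```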