ID Token Claims

Via the obtain authorization and obtain a token operations, it is possible to obtain an OpenID Connect ID token, which is an assertion signed by TRIDENT that contains information (claims) about the authenticated user. The fields and claims included in the ID tokens issued by TRIDENT are described below.

Header of the ID Token

The header of the ID tokens issued by TRIDENT contains the following fields:

{
"alg" : "RS256",
"kid" : {string}
}

Field | Description
alg | Signature algorithm of the ID token. Fixed as RS256 (RSA with SHA-256).
kid | Identifier of the key with which the ID token was signed. To verify the signature of the ID token, the recipient application must obtain the public signature key with the obtain the public keys operation.

Example

{
"alg" : "RS256",
"kid" : "87fed636cee9fd8c4a44ae9750738292398c90e6291d463b83ba1cb627b60d4f"
}

Claims in the ID Token

The payload of the ID tokens issued by TRIDENT contains the following claims:

{
"iss" : {string},
"sub" : {string},
"aud" : {string},
"exp" : {number},
"iat" : {number},
"nonce" : {string},
"acr" : {string},
"sid" : {string}
}

Claim | Description
iss | Issuer of the ID token. This fixed value is the base URL of the TRIDENT authorization server plus the /oauth suffix.
sub | User identifier.
aud | Audience of the ID token. Client identifier of the OAuth 2.0 application registered in TRIDENT for which the ID token was issued. As part of the validation of the ID token, the application must verify that the value of this claim matches its client identifier.
exp | When the ID token expires, expressed as the number of seconds since 1 January 1970 (UTC). As part of the validation of the ID token, the application must verify that it has not expired. The lifetime of the ID token can be configured in the ID token options section of the Authorization server entities (by default, the lifetime is 3600 seconds).
iat | When the ID token was issued, expressed as the number of seconds since 1 January 1970 (UTC).
nonce | The same value as the nonce parameter of the authorization or authentication request message (see Obtain Authorization). As part of the validation of the ID token, the application must verify that the value of this claim matches the value included in the request so as to safeguard against replay attacks on the ID token. Absent if the parameter is not included in the request.
acr | Authentication level or flow with which the user was identified. If the acr_values parameter is included in the authorization or authentication request message (see Obtain Authorization), the application must usually verify the value of the acr claim to guarantee that the authentication meets the requested requirements. See [RSE_AUTH_INTEG].
sid | Identifier of the authenticated user's session in TRIDENT.

Example

{
  "iss": "https://trustedx.demo.com:8082/trustedx-authserver/oauth",
  "sub": "e603b03500d13512963687c94c938049",
  "aud": "demoapp",
  "exp": 1532510027,
  "iat": 1532506427,
  "nonce": "XRoZW50aWNhd",
  "acr": "urn:safelayer:tws:policies:authentication:level:medium",
  "sid": "main|r9mqlYG0n"
}