2.2 Message Syntax

A security principal is represented as a security principal identifier in the messages sent by applications. A security principal identifier is a GUID.

For more details about the messages typically exchanged between a client and an STS, see [MS-SPSTWS].

For clarity, this document uses different names to refer to the server-to-server security tokens that are exchanged in various scenarios. An actor token is a signed security token that is issued by an STS, or by the client itself if the server trusts it to do so. An outer token is an unsigned security token that is constructed by the client and contains user information in addition to an actor token. In this scenario, the actor token is referred to as the inner token. All of these security tokens are formatted in the same way, as specified in [IETFDRAFT-JWT-LATEST], and contain the claims and header fields specified in this section.

The following table describes claims that are exchanged in server-to-server security tokens. The claim values are all of data type STRING, as specified in [MS-DTYP].

Claim type

Claim value description

Example claim values


The targeted service for which the client issued the server-to-server security token.

<security principal identifier>/<hostname>@<realm>


The security principal identifier of the server-to-server security token issuer.

<security principal identifier>@<realm>


The logged on user's user principal name (UPN) value for the security principal that made the request.



The time at which the server-to-server security token was created.



The time at which the server-to-server security token expires.



"true" if the client is trusted to delegate a user identity; otherwise, "false".




The identity provider that authenticated the caller.





The security token issued and signed by the STS. An actor token has the same format as any other security token.

See section 4.3 and section 4.4.


The logged on user's email address.



The logged on user's sip address.



A unique identifier that the STS can give the user.

This is an additional claim that the STS adds and is not required by the OAuth 2.0 Authentication Protocol, as specified in [MS-OAUTH2EX].



The application context.

This claim contains a subset of claims that is specific to the service accessed by the client.

See section 4.5.

The following list describes the header fields in a server-to-server security token. The field values are all of data type STRING, as specified in [MS-DTYP].

  • typ. The token type. The value MUST be "JWT".

  • alg. The algorithm used to encrypt the contents of the token. The value of this field MUST be either "none" or "rs256". Actor tokens are signed and have alg fields that contain the value "rs256". Outer tokens that contain inner signed tokens, as described in section 4.3 and section 4.4, are not signed and have alg fields that contain the value "none".

  • x5t. The base64 encoded thumbprint of the certificate used to sign the security token. This field is optional.

The header fields are contained in a separate part of the security token, as specified in [IETFDRAFT-JWT-LATEST].