2.2.2.18 Proxy Token

This is a JSON object representing the token issued to the client. The format of the object is defined in [IETFDRAFT-JWS] and is as follows:

 {
   "ver" : "<version>",
   "aud" : "<audience>",
   "iat" : <issued-at>,
   "exp" : <expire>,
   "iss" : "<issuer>",
   "relyingpartytrustid" : "<rp-trust-id>",
   "deviceregid" : "<device-registration-id>",
   "authinstant" : <auth-instant>,
   "authmethod" : "<auth-method>",
   "upn" : "<upn>"
 }

version: Token version with a value of 1.0.

audience: Audience for this token. The proxy SHOULD verify that this value matches the value for [Client State].ProxyRelyingPartyTrustIdentifier.

issued-at: Issued at date and time. The proxy SHOULD verify that this value corresponds to a time in the past (before the current time). This is a JSON numeric value representing the number of seconds from 1970-01-01T00:00:00Z Coordinated Universal Time (UTC) until the specified UTC date/time. See [RFC3339] for details regarding date/times in general and UTC in particular.

expire: Expiration time of token. The proxy SHOULD verify that this value corresponds to a time in the future (after the current time). This is a JSON numeric value representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time. See [RFC3339] for details regarding date/times in general and UTC in particular.

issuer: Trusted issuer for this token. The proxy SHOULD verify that this value corresponds to the issuer URI that is published by the server issuing this token through its Federation Metadata [WSFederation1.2].

rp-trust-id: GUID representing the application being accessed. The proxy MAY use this value to correlate requests and tokens when listening to multiple requests.

device-registration-id: Identity of the device attempting the access in the form of its certificate thumbprint. The proxy MAY use this value to correlate the client of the request with the client of the token.

auth-instant: Time of authentication. The proxy SHOULD verify that this value corresponds to an earlier time than the issued-at value.

auth-method: Authentication method. The proxy MAY use this value to perform richer authorization of access.

upn: User Principal Name (UPN) of user attempting the access.
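The following is an added worked example, not code from the specification or from any implementation of it. It builds a proxy token in JWS compact serialization (header.payload.signature) over the claims listed above and then applies, in order, the checks this section assigns to the proxy: signature verification, then the SHOULD checks on aud, iat, exp, iss and authinstant. The signing algorithm (HS256 with a shared key), the key, the audience, the issuer URI, the fixed "current time" and every claim value are constructed for the example; the specification does not state which JWS algorithm the token uses, and a real proxy would verify the signature with the key material it trusts for the issuer published in the server's Federation Metadata. Equal authinstant and iat values are accepted here, which is an assumption about how "earlier" is read.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values (not from the specification).
DEMO_KEY = b"constructed-shared-secret-for-the-example"
DEMO_NOW = 1_700_000_000  # fixed "current time" so results are reproducible
DEMO_AUDIENCE = "urn:example:proxy-relying-party-trust"  # stands in for [Client State].ProxyRelyingPartyTrustIdentifier
DEMO_ISSUER = "http://sts.example.test/adfs/services/trust"  # stands in for the issuer URI from Federation Metadata
DEMO_CLAIMS = {
    "ver": "1.0",
    "aud": DEMO_AUDIENCE,
    "iat": DEMO_NOW - 60,
    "exp": DEMO_NOW + 600,
    "iss": DEMO_ISSUER,
    "relyingpartytrustid": "11111111-2222-3333-4444-555555555555",
    "deviceregid": "0123456789abcdef0123456789abcdef01234567",
    "authinstant": DEMO_NOW - 120,
    "authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "upn": "alice@example.test",
}


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_proxy_token(claims: dict, key: bytes) -> str:
    """Issue a compact JWS over the claims. HS256 is an assumption of this example."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def _is_time(value) -> bool:
    """JSON numeric date: int or float, but not bool (a bool is an int in Python)."""
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def validate_proxy_token(token: str, key: bytes, expected_audience: str,
                         trusted_issuer: str, now=None):
    """Verify the signature, then apply the claim checks from the section.
    Returns (True, "ok") or (False, reason)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "token is not a three-part JWS compact serialization"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "header or signature is not valid base64url/JSON"
    # Pin the algorithm: the token must never choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected or missing alg"
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "signature does not verify"
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "payload is not valid base64url/JSON"
    if not isinstance(claims, dict):
        return False, "payload is not a JSON object"
    for name in ("ver", "aud", "iat", "exp", "iss", "relyingpartytrustid",
                 "deviceregid", "authinstant", "authmethod", "upn"):
        if name not in claims:
            return False, f"missing claim {name}"
    if claims["ver"] != "1.0":
        return False, "unsupported ver"
    if claims["aud"] != expected_audience:
        return False, "aud does not match ProxyRelyingPartyTrustIdentifier"
    if claims["iss"] != trusted_issuer:
        return False, "iss is not the trusted issuer"
    for name in ("iat", "exp", "authinstant"):
        if not _is_time(claims[name]):
            return False, f"{name} is not a numeric date"
    if not claims["iat"] < now:
        return False, "iat is not in the past"
    if not claims["exp"] > now:
        return False, "exp is not in the future"
    if claims["authinstant"] > claims["iat"]:  # equal instants tolerated (assumption)
        return False, "authinstant is later than iat"
    return True, "ok"


if __name__ == "__main__":
    token = make_proxy_token(DEMO_CLAIMS, DEMO_KEY)
    print(validate_proxy_token(token, DEMO_KEY, DEMO_AUDIENCE, DEMO_ISSUER, now=DEMO_NOW))
```

The order matters: the signature is checked before any claim is read, so a forged or altered payload is rejected without its contents influencing the decision, and the expected algorithm is fixed by the verifier rather than taken from the token header. Passing a fixed `now` keeps the checks reproducible; in production the proxy uses the current clock, and a small tolerance for clock skew between proxy and server is a local policy decision that this section does not specify.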