3.2.5.1.2.2 Response Body

The response to the request is a JSON object with the following fields:

token_type (REQUIRED): The string "pop", indicating that the returned refresh token requires proof of possession.

refresh_token (REQUIRED): A primary refresh token. Like a refresh token described in [RFC6749] section 1.5, this can be used by clients to obtain fresh access tokens. Unlike the refresh tokens described in [RFC6749], the primary refresh token requires additional proof of possession to use as described in section 3.2.5.1.3, and can be used by any client known to the server.

refresh_token_expires_in (REQUIRED): The validity interval for the primary refresh token in seconds, as an integer.

session_key_jwe (REQUIRED): A base64 URL–encoded and encrypted key value. The key is encrypted using the JSON Web Encryption (JWE) standard [RFC7516]. The relevant part of the JWE is the encrypted key section, which the client will use for future signature and decryption operations as described in section 3.1.5.1.3.

id_token (REQUIRED): An ID token for the user that is authenticated in the request, as described in [OIDCCore]. The audience for the ID token, that is, the aud field, is the same value given in section 3.2.5.1.2.1 for the client_id field. The token does not need to be signed.