3.2.5.1.4.2 Response Body

The response format is an encrypted JWT. The encrypted JWT (or JSON Web Encryption (JWE)) format is described in [RFC7516].

The JWT header fields MUST be given the following values:

alg (REQUIRED): "dir"

enc (REQUIRED): "A256GCM"

ctx (REQUIRED): The base64-encoded binary value used for encryption-key derivation.

kid (REQUIRED): "session"

After decryption, the JWT response MUST contain the following elements:

x5c (REQUIRED): A base64-encoded Cryptographic Message Syntax (CMS) certificate chain or a Certificate Management Messages over CMS (CMC) full PKI response (see [MS-WCCE] section 2.2.2.8) containing a certificate that can be used to authenticate the user.

token_type (REQUIRED): "bearer"

expires_in (REQUIRED): An integer value. See the expires_in parameter in [RFC6749] section 5.1. Clients MUST ignore this value.

refresh_token (OPTIONAL): The new primary refresh token.

refresh_token_expires_in (OPTIONAL): The lifetime, in seconds, of the primary refresh token returned in the refresh_token field of the response.

scope (REQUIRED): The scopes that were granted for this request.

id_token (REQUIRED): An ID token for the user that was authenticated in the request, as defined in [OIDCCore]. The audience for the ID token, that is, the aud field, is the same value given in section 3.2.5.1.4.1 for the client_id field. The token does not need to be signed.
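As an added example that is not part of this specification or any Microsoft code, the following Go program shows a client-side consumer of this response: it parses the compact JWE serialization from [RFC7516], enforces the four fixed header values (alg "dir", enc "A256GCM", kid "session", a non-empty ctx) before any key material is used, decrypts with AES-256-GCM using the protected header as additional authenticated data, and then checks that the REQUIRED claims are present while ignoring expires_in as the text requires. The derivation of the 256-bit key from the session key and ctx is specified elsewhere in the document and is not shown; the key, the ctx value and the claim values used here are constructed placeholders, and ctx is assumed to be standard (not URL-safe) base64. EncryptResponse exists only so the example can round-trip offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// responseBody is the decrypted payload. The refresh_token fields are OPTIONAL;
// expires_in is carried but, as the text above requires, never acted on.
type responseBody struct {
	X5C                   string `json:"x5c"`
	TokenType             string `json:"token_type"`
	ExpiresIn             int    `json:"expires_in"`
	RefreshToken          string `json:"refresh_token,omitempty"`
	RefreshTokenExpiresIn int    `json:"refresh_token_expires_in,omitempty"`
	Scope                 string `json:"scope"`
	IDToken               string `json:"id_token"`
}

var b64url = base64.RawURLEncoding

// checkHeader parses the protected header (four string-valued fields) and
// rejects any deviation from the fixed values before the key is touched.
// Assumption: ctx is standard (not URL-safe) base64.
func checkHeader(raw []byte) error {
	var h map[string]string
	if err := json.Unmarshal(raw, &h); err != nil {
		return err
	}
	for k, want := range map[string]string{"alg": "dir", "enc": "A256GCM", "kid": "session"} {
		if h[k] != want {
			return fmt.Errorf("%s must be %q, got %q", k, want, h[k])
		}
	}
	if _, err := base64.StdEncoding.DecodeString(h["ctx"]); err != nil || h["ctx"] == "" {
		return fmt.Errorf("ctx must be a non-empty base64 value")
	}
	return nil
}

// parseBody decodes the plaintext and enforces the REQUIRED claims.
func parseBody(plain []byte) (*responseBody, error) {
	var b responseBody
	if err := json.Unmarshal(plain, &b); err != nil {
		return nil, err
	}
	if b.TokenType != "bearer" {
		return nil, fmt.Errorf("token_type must be \"bearer\", got %q", b.TokenType)
	}
	for _, f := range [][2]string{{"x5c", b.X5C}, {"scope", b.Scope}, {"id_token", b.IDToken}} {
		if f[1] == "" {
			return nil, fmt.Errorf("%s is required", f[0])
		}
	}
	return &b, nil
}

// EncryptResponse builds the compact JWE "header..iv.ciphertext.tag" with the
// already-derived 256-bit key; with alg "dir" the encrypted-key segment is empty.
func EncryptResponse(body responseBody, ctx string, derivedKey []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "dir", "enc": "A256GCM", "ctx": ctx, "kid": "session"})
	payload, _ := json.Marshal(body)
	block, err := aes.NewCipher(derivedKey)
	if err != nil {
		return "", err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	protected := b64url.EncodeToString(hdr)
	// RFC 7516: AAD = ASCII(BASE64URL(header)), so the header is authenticated too.
	sealed := gcm.Seal(nil, iv, payload, []byte(protected))
	n := len(sealed) - gcm.Overhead()
	return strings.Join([]string{protected, "", b64url.EncodeToString(iv),
		b64url.EncodeToString(sealed[:n]), b64url.EncodeToString(sealed[n:])}, "."), nil
}

// DecryptResponse validates the header, decrypts, and validates the claims.
// A wrong key or any altered segment (header included) fails the GCM tag check.
func DecryptResponse(compact string, derivedKey []byte) (*responseBody, error) {
	parts := strings.Split(compact, ".")
	if len(parts) != 5 || parts[1] != "" {
		return nil, fmt.Errorf("expected 5 segments with an empty encrypted-key segment")
	}
	var seg [5][]byte // header, (empty), iv, ciphertext, tag
	for i, s := range parts {
		var err error
		if seg[i], err = b64url.DecodeString(s); err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
	}
	if err := checkHeader(seg[0]); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(derivedKey)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(seg[2]) != gcm.NonceSize() {
		return nil, fmt.Errorf("iv must be %d bytes", gcm.NonceSize())
	}
	plain, err := gcm.Open(nil, seg[2], append(seg[3], seg[4]...), []byte(parts[0]))
	if err != nil {
		return nil, fmt.Errorf("GCM authentication failed: wrong key or modified response")
	}
	return parseBody(plain)
}
```

Calling EncryptResponse with a constructed 32-byte key and then DecryptResponse with the same key returns the original claims; the same call with a different key, a header whose alg is not "dir", a flipped ciphertext byte, or a body missing token_type returns an error. The explicit header check is kept even though the header is bound as AAD: it stops a non-conforming algorithm or key identifier before any decryption is attempted, which is the cheaper and clearer failure for a client to report.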