18.104.22.168.4.2 Response Body
The response body is an encrypted JWT (a JWE) that the client decrypts with a key derived from its session key. The JWT header fields MUST be given the following values:
alg (REQUIRED): "dir". Direct encryption: the content-encryption key is used as-is rather than wrapped, so the JWE encrypted-key part is empty.
enc (REQUIRED): "A256GCM". AES-256 in Galois/Counter Mode, which both encrypts the payload and authenticates the payload together with the protected header.
ctx (REQUIRED): The base64-encoded binary context value that the client combines with its session key to derive the content-encryption key for this response.
kid (REQUIRED): "session". Identifies the session key as the key from which the content-encryption key is derived.
After decryption, the JWT payload MUST contain the following claims:
x5c (REQUIRED): A base64-encoded Cryptographic Message Syntax (CMS) certificate chain or a Certificate Management Messages over CMS (CMC) full PKI response (see [MS-WCCE] section 22.214.171.124) containing a certificate that can be used to authenticate the user.
token_type (REQUIRED): "bearer"
expires_in (REQUIRED): An integer value. See the expires_in parameter in [RFC6749] section 5.1. Clients MUST ignore this value.
refresh_token (OPTIONAL): The new primary refresh token.
refresh_token_expires_in (OPTIONAL): The lifetime, in seconds, of the primary refresh token returned in the refresh_token field of the response.
scope (REQUIRED): The scopes that were granted for this request.
id_token (REQUIRED): An ID token for the user that was authenticated in the request, as defined in [OIDCCore]. The audience of the ID token, that is, the aud field, is the same value given in section 126.96.36.199.4.1 for the client_id field. The token need not be signed: its integrity rests on the authenticated encryption (AES-GCM) of the enclosing response rather than on a JWS signature.
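The following Go program is an added illustration, not part of [MS-OAPXBC] or of any Microsoft implementation. It builds the response described above on the server side and parses, decrypts and checks it on the client side. The key derivation it uses (NIST SP 800-108 KDF in counter mode with HMAC-SHA256, label "AzureAD-SecureConversation", ctx as the context) is the session-key derivation [MS-OAPXBC] specifies in another section and is taken as an assumption here; the session key, ctx, and the x5c, scope and id_token values are constructed placeholders. The program checks the header values and the presence of the REQUIRED claims listed above; it does not validate the certificate chain or the contents of the ID token.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"strings"
)

// Protected header of the encrypted response; Ctx carries standard base64.
type jweHeader struct {
	Alg string `json:"alg"`
	Enc string `json:"enc"`
	Ctx string `json:"ctx"`
	Kid string `json:"kid"`
}
// Decrypted body; names follow the field list in the section above.
type responsePayload struct {
	X5c                   string `json:"x5c"`
	TokenType             string `json:"token_type"`
	ExpiresIn             int    `json:"expires_in"` // present, but clients ignore it
	RefreshToken          string `json:"refresh_token,omitempty"`
	RefreshTokenExpiresIn int    `json:"refresh_token_expires_in,omitempty"`
	Scope                 string `json:"scope"`
	IDToken               string `json:"id_token"`
}
var b64url = base64.RawURLEncoding
// SP 800-108 counter-mode KDF with HMAC-SHA256 (assumption: the session-key derivation
// [MS-OAPXBC] specifies elsewhere). One block is the 32-byte AES-256 key:
// K(1) = HMAC(sessionKey, [1]_32 || "AzureAD-SecureConversation" || 0x00 || ctx || [256]_32)
func deriveKey(sessionKey, ctx []byte) []byte {
	var counter, bitLen [4]byte
	binary.BigEndian.PutUint32(counter[:], 1)
	binary.BigEndian.PutUint32(bitLen[:], 256)
	mac := hmac.New(sha256.New, sessionKey)
	for _, p := range [][]byte{counter[:], []byte("AzureAD-SecureConversation"), {0x00}, ctx, bitLen[:]} {
		mac.Write(p)
	}
	return mac.Sum(nil)
}
// AES-256-GCM under the derived key. A 32-byte key cannot make aes.NewCipher or
// cipher.NewGCM fail, so their errors are discarded.
func newGCM(sessionKey, ctx []byte) cipher.AEAD {
	block, _ := aes.NewCipher(deriveKey(sessionKey, ctx))
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// Server side: fresh ctx and IV, AES-256-GCM with the protected header as AAD, compact
// JWE "header..iv.ciphertext.tag" (the encrypted-key part is empty because alg is "dir").
func encryptResponse(sessionKey []byte, body responsePayload) string {
	ctx, iv := make([]byte, 24), make([]byte, 12) // 96-bit GCM nonce
	rand.Read(ctx)                                // crypto/rand.Read does not fail in current Go
	rand.Read(iv)
	hdrJSON, _ := json.Marshal(jweHeader{Alg: "dir", Enc: "A256GCM",
		Ctx: base64.StdEncoding.EncodeToString(ctx), Kid: "session"})
	plain, _ := json.Marshal(body)
	protected := b64url.EncodeToString(hdrJSON)
	sealed := newGCM(sessionKey, ctx).Seal(nil, iv, plain, []byte(protected)) // tag is appended
	n := len(sealed) - 16
	return strings.Join([]string{protected, "", b64url.EncodeToString(iv),
		b64url.EncodeToString(sealed[:n]), b64url.EncodeToString(sealed[n:])}, ".")
}

// Client side: check the header values the section requires, derive the key, authenticate
// and decrypt, then check that every REQUIRED claim is present (chain and ID token not validated).
func decryptResponse(sessionKey []byte, jwe string) (*responsePayload, error) {
	parts := strings.Split(jwe, ".")
	if len(parts) != 5 || parts[1] != "" {
		return nil, errors.New("expected a compact JWE with an empty encrypted-key part")
	}
	var hdr jweHeader
	if h, err := b64url.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil ||
		hdr.Alg != "dir" || hdr.Enc != "A256GCM" || hdr.Kid != "session" {
		return nil, errors.New("protected header is malformed or not alg=dir, enc=A256GCM, kid=session")
	}
	ctx, e1 := base64.StdEncoding.DecodeString(hdr.Ctx)
	iv, e2 := b64url.DecodeString(parts[2])
	ct, e3 := b64url.DecodeString(parts[3])
	tag, e4 := b64url.DecodeString(parts[4])
	if e1 != nil || e2 != nil || e3 != nil || e4 != nil || len(ctx) == 0 || len(iv) != 12 || len(tag) != 16 {
		return nil, errors.New("malformed ctx, IV, ciphertext or tag")
	}
	// Open verifies the tag over header||ciphertext before releasing any plaintext.
	plain, err := newGCM(sessionKey, ctx).Open(nil, iv, append(ct, tag...), []byte(parts[0]))
	if err != nil {
		return nil, errors.New("authentication failed: wrong session key or tampered response")
	}
	var body responsePayload
	if json.Unmarshal(plain, &body) != nil || body.X5c == "" || body.TokenType != "bearer" ||
		body.Scope == "" || body.IDToken == "" {
		return nil, errors.New("payload is not JSON or lacks a REQUIRED claim")
	}
	return &body, nil
}
```

The protected header is the GCM additional authenticated data, so a modified alg, enc, ctx or kid fails the tag check along with any change to the ciphertext; the client nevertheless checks the header values before deriving a key, so a response that does not match this profile is rejected without the session key being used at all.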