The response to the request is a JSON object with the following fields:
token_type (REQUIRED): The string "pop", indicating that the returned refresh token requires proof of possession.
refresh_token (REQUIRED): A primary refresh token. Like a refresh token described in [RFC6749] section 1.5, this can be used by clients to obtain fresh access tokens. Unlike the refresh tokens described in [RFC6749], the primary refresh token requires additional proof of possession to use as described in section 3.2.5.1.3, and can be used by any client known to the server.
refresh_token_expires_in (REQUIRED): The validity interval for the primary refresh token in seconds, as an integer.
session_key_jwe (REQUIRED): A base64 URL–encoded and encrypted key value. The key is encrypted using the JSON Web Encryption (JWE) standard [RFC7516]. The relevant part of the JWE is the encrypted key section, which the client will use for future signature and decryption operations as described in section 3.1.5.1.3.
id_token (REQUIRED): An ID token for the user that is authenticated in the request, as described in [OIDCCore]. The audience for the ID token, that is, the aud field, is the same value given in section 3.2.5.1.2.1 for the client_id field. The token does not need to be signed.
Note that id_token may include upn and email claims. Although these are marked as optional (see [MS-OIDCE] section 2.2.3.1), a client broker that follows this specification requires one or the other, but not both.
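As an added illustration (not code from the specification), the following Python checks a response body against the field rules listed above: every REQUIRED field present, token_type equal to "pop", an integer validity interval, the encrypted-key section extracted from session_key_jwe, the id_token audience matched against the client_id from the request, and exactly one of upn or email in the ID token. It assumes both tokens use compact serialization (five-part JWE, three-part JWT); the sample body is constructed with placeholder values.

```python
import base64
import json

REQUIRED = ("token_type", "refresh_token", "refresh_token_expires_in", "session_key_jwe", "id_token")

def b64url_decode(s: str) -> bytes:
    # Unpadded base64url, as used by JWS/JWE compact serialization.
    return base64.urlsafe_b64decode(s.encode("ascii") + b"=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def jwe_encrypted_key(jwe: str) -> bytes:
    """Encrypted-key section of a compact JWE (RFC 7516: header.key.iv.ciphertext.tag)."""
    parts = jwe.split(".")
    if len(parts) != 5:
        raise ValueError("session_key_jwe is not a five-part compact JWE")
    return b64url_decode(parts[1])

def id_token_claims(jwt: str) -> dict:
    """Payload claims of a compact JWT; no signature check, as the page says it need not be signed."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part compact JWT")
    return json.loads(b64url_decode(parts[1]))

def validate_prt_response(body: dict, client_id: str) -> dict:
    """Apply the field rules listed above; return the ID token claims or raise ValueError."""
    missing = [f for f in REQUIRED if f not in body]
    if missing:
        raise ValueError(f"missing required field(s): {missing}")
    if body["token_type"] != "pop":
        raise ValueError("token_type must be 'pop'")
    ttl = body["refresh_token_expires_in"]
    if isinstance(ttl, bool) or not isinstance(ttl, int) or ttl <= 0:
        raise ValueError("refresh_token_expires_in must be a positive integer of seconds")
    if not jwe_encrypted_key(body["session_key_jwe"]):
        raise ValueError("session_key_jwe carries no encrypted key")
    claims = id_token_claims(body["id_token"])
    if claims.get("aud") != client_id:
        raise ValueError("id_token aud must equal the client_id sent in the request")
    if ("upn" in claims) == ("email" in claims):  # neither, or both: not allowed
        raise ValueError("id_token must carry exactly one of upn or email")
    return claims

def sample_response(client_id: str, claims: dict) -> dict:
    """Constructed sample body (placeholder values, not real tokens): unsigned JWT, dummy five-part JWE."""
    jwt = ".".join((b64url_encode(b'{"alg":"none"}'), b64url_encode(json.dumps(claims).encode()), ""))
    jwe = ".".join((b64url_encode(b'{"alg":"RSA-OAEP","enc":"A256GCM"}'), b64url_encode(b"\x01" * 32), "", "", ""))
    return {"token_type": "pop", "refresh_token": "constructed-rt", "refresh_token_expires_in": 1209600,
            "session_key_jwe": jwe, "id_token": jwt}
```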