2.2.3.1 ID Token

The ID Token is a JSON Web Token (JWT) that contains claims about the authentication of an end user as described in [OIDCCore] section 2.

The OpenID Connect 1.0 Protocol Extensions extend the ID Token by adding a number of claims. See [OIDCCore] section 2 for definitions of the standard claims. The extended claims are defined as follows.

upn: OPTIONAL. The user principal name (UPN) of the end user represented in this ID Token. Note that for clients constructed according to [MS-OAPXBC], the ID Token must contain either the upn claim or the email claim. It is not necessary to have both.

unique_name: REQUIRED. A locally unique identifier within the Issuer for the end user. This is like the sub claim ([OIDCCore] section 2), but the value provided is always consistent across all clients, like a public subject identifier ([OIDCCore] section 8).

pwd_exp: OPTIONAL. An integer that expresses the number of seconds until the expiration of the end user's password or a similar authentication secret, such as a PIN.

pwd_url: OPTIONAL. The URL at which the end user can change their password or similar authentication secret.

email: OPTIONAL. The email address of the end user represented in this ID Token. Note that for clients constructed according to [MS-OAPXBC], the ID Token must contain either the upn claim or the email claim. It is not necessary to have both.
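The following is an added example, not code from this specification or from Microsoft: it decodes an ID Token, verifies its signature, and then checks the extended-claim rules above (unique_name REQUIRED, pwd_exp an integer, pwd_url a string, and upn or email present for an [MS-OAPXBC] client). The key, claim values and HS256 signature are constructed for self-containment; a real relying party verifies the issuer's published signing key as [OIDCCore] requires.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_hs256(token: str, key: bytes) -> dict:
    """Check the alg, verify the HS256 signature, and return the claim set."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

def check_extended_claims(claims: dict, oapxbc_client: bool = False) -> list:
    """Return the violations of the MS-OIDCE extended-claim rules (empty list if none)."""
    problems = []
    if not isinstance(claims.get("unique_name"), str) or not claims["unique_name"]:
        problems.append("unique_name is REQUIRED")
    pwd_exp = claims.get("pwd_exp")
    if pwd_exp is not None and (isinstance(pwd_exp, bool) or not isinstance(pwd_exp, int)):
        problems.append("pwd_exp must be an integer number of seconds")
    if "pwd_url" in claims and not isinstance(claims["pwd_url"], str):
        problems.append("pwd_url must be a URL string")
    if oapxbc_client and not (claims.get("upn") or claims.get("email")):
        problems.append("MS-OAPXBC clients need upn or email")
    return problems

# Constructed sample (hypothetical key, issuer and values; not from the specification).
SAMPLE_KEY = b"example-only-key"
SAMPLE_CLAIMS = {"iss": "https://idp.example.test", "sub": "abc123", "aud": "client-1",
                 "unique_name": "CONTOSO\\alice", "upn": "alice@contoso.test",
                 "pwd_exp": 86400, "pwd_url": "https://idp.example.test/change-password"}

def make_token(claims: dict, key: bytes) -> str:
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

if __name__ == "__main__":
    token = make_token(SAMPLE_CLAIMS, SAMPLE_KEY)
    print(check_extended_claims(decode_hs256(token, SAMPLE_KEY), oapxbc_client=True))  # []
```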