2.2 Message Syntax

A security principal is represented as a security principal identifier in the messages sent by applications. A security principal identifier is a GUID.

For more details about the messages typically exchanged between a client and an STS, see [MS-SPSTWS].

For clarity, this document uses different names to refer to the server-to-server security tokens that are exchanged in various scenarios. An actor token is a signed security token that is issued by an STS, or by the client itself if the server trusts it to do so. An outer token is an unsigned security token that is constructed by the client and contains user information in addition to an actor token. In this scenario, the actor token is referred to as the inner token. All of these security tokens are formatted in the same way, as specified in [IETFDRAFT-JWT-LATEST], and contain the claims and header fields specified in this section.

The following table describes claims that are exchanged in server-to-server security tokens. The claim values are all of data type STRING, as specified in [MS-DTYP].

| Claim type | Claim value description | Example claim values |
|---|---|---|
| aud | The targeted service for which the client issued the server-to-server security token. | <security principal identifier>/<hostname>@<realm> |
| iss | The security principal identifier of the server-to-server security token issuer. | <security principal identifier>@<realm> |
| nameid | The logged-on user's user principal name (UPN) value for the security principal that made the request. | user@contoso.com |
| nbf | The time at which the server-to-server security token was created. | 129592882368666656 |
| exp | The time at which the server-to-server security token expires. | 129592882368666656 |
| trustedfordelegation | "true" if the client is trusted to delegate a user identity; otherwise, "false". | true, false |
| identityprovider | The identity provider that authenticated the caller. | windows, forms, trusted |
| actort | The security token issued and signed by the STS. An actor token has the same format as any other security token. | See section 4.3 and section 4.4. |
| smtp | The logged-on user's email address. | user@contoso.com |
| sip | The logged-on user's SIP address. | user@contoso.com |
| msexchuid | A unique identifier that the STS can give the user. This is an additional claim that the STS adds; it is not required by the OAuth 2.0 Authentication Protocol, as specified in [MS-OAUTH2EX]. | objectGUID@contoso.com |
| appctx | The application context. This claim contains a subset of claims that is specific to the service accessed by the client. | See section 4.5. |

The following list describes the header fields in a server-to-server security token. The field values are all of data type STRING, as specified in [MS-DTYP].

  • typ. The token type. The value MUST be "JWT".

  • alg. The algorithm used to sign the contents of the token. The value of this field MUST be either "none" or "rs256". Actor tokens are signed and have alg fields that contain the value "rs256". Outer tokens that contain inner signed tokens, as described in section 4.3 and section 4.4, are not signed and have alg fields that contain the value "none".

  • x5t. The base64-encoded thumbprint of the certificate used to sign the security token. This field is optional.

The header fields are contained in a separate part of the security token, as specified in [IETFDRAFT-JWT-LATEST].
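The following is an added, self-contained illustration of the structure described in this section; it is not code from the specification or from any Microsoft implementation. It builds an rs256-signed actor token, carries it in the actort claim of an unsigned (alg none) outer token, and shows the receiving service's validation: the outer token contributes no trust on its own, so the validator must reject it when the inner token is missing, unsigned, mis-signed, issued for another audience, or outside its nbf..exp window. The RSA key, the <placeholder> identifiers, app.contoso.com, and the reading of nbf/exp as FILETIME-style 100 ns ticks (which matches the magnitude of the example values in the table) are assumptions of this example.

```python
import base64, hashlib, json
# Constructed demo RSA key from two Mersenne primes: the primes are public, so never use it for real tokens.
P, Q, E = (1 << 521) - 1, (1 << 127) - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8                      # modulus size in bytes (81)
def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def pkcs1_em(signing_input: bytes) -> int:
    # RSASSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || DER DigestInfo(SHA-256) || hash; this is what RS256 signs
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(signing_input).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")

def encode_token(header: dict, claims: dict, signed: bool) -> str:
    # header.claims.signature, each part base64url encoded; an unsigned token keeps an empty third part
    body = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = b64url(pow(pkcs1_em(body.encode()), D, N).to_bytes(K, "big")) if signed else ""
    return body + "." + sig

def validate_actor_token(token: str, expected_aud: str, now_ft: int) -> dict:
    # Inner token: must be rs256-signed by the STS key, addressed to this service, and inside nbf..exp
    h, c, s = token.split(".")
    hdr, claims = json.loads(b64dec(h)), json.loads(b64dec(c))
    if hdr.get("typ") != "JWT" or hdr.get("alg") != "rs256" or not s:
        raise ValueError("actor token must be an rs256-signed JWT")
    if pow(int.from_bytes(b64dec(s), "big"), E, N) != pkcs1_em(f"{h}.{c}".encode()):
        raise ValueError("actor token signature does not verify")
    if claims.get("aud") != expected_aud or not int(claims["nbf"]) <= now_ft < int(claims["exp"]):
        raise ValueError("actor token is for another audience or outside its validity window")
    return claims

def validate_outer_token(token: str, expected_aud: str, now_ft: int) -> dict:
    # Outer token is unsigned (alg none) by design, so every bit of trust must come from the actort claim
    h, c, s = token.split(".")
    hdr, claims = json.loads(b64dec(h)), json.loads(b64dec(c))
    if hdr.get("typ") != "JWT" or hdr.get("alg") != "none" or s:
        raise ValueError("outer token must be typ JWT, alg none, with an empty signature part")
    if "actort" not in claims:
        raise ValueError("outer token carries no actor token, so its user claims are unverifiable")
    return {**claims, "actor": validate_actor_token(claims["actort"], expected_aud, now_ft)}

def build_demo_tokens(now_ft: int, sign_actor: bool = True) -> str:
    # Constructed sample with <placeholder> identifiers; nbf/exp are FILETIME-style 100 ns ticks (assumed)
    aud = "<client-guid>/app.contoso.com@<realm>"
    actor = {"aud": aud, "iss": "<sts-guid>@<realm>", "nbf": str(now_ft - 10**9),
             "exp": str(now_ft + 10**9), "trustedfordelegation": "true"}
    inner_hdr = {"typ": "JWT", "alg": "rs256" if sign_actor else "none", "x5t": "<thumbprint>"}
    outer = {"aud": aud, "iss": "<client-guid>@<realm>", "nameid": "user@contoso.com",
             "actort": encode_token(inner_hdr, actor, sign_actor)}
    return encode_token({"typ": "JWT", "alg": "none"}, outer, False)
```

Because the outer token's alg is "none" by design, the receiver must never treat the absence of a signature as an error to skip past; the only acceptable path is to find the actort claim and verify the inner token against the STS signing certificate identified by x5t.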