アクセストークン形式

The issuer access token is required for the issuer application to start a D1 SDK login session.

It is in the form of a JSON Web Token (JWT) where the token contains a set of JSON header and payload claims that are signed using a private key. The JWT claims and their signatures are validated during the login session.

Access token header

JWT Header Parameters

Type

Required

Description

kid

string

Yes

Identifies the key used to sign the JWT.

typ

string

Identifies the media type. Use "JWT".

alg

string

Yes

Defines the algorithm used to sign the JWT.

Access token payload

JWT payload claim

Type

Required

Description

exp

integer

Yes

Expiration time as a Unix timestamp (seconds). After the expiration time, the JWT will not be accepted for processing.

scope

string

Yes

Space-separated scopes used to authorize access. Configure these during D1 onboarding. D1 maps them to internal operation scopes. Example: digibank:mobilebanking digibank:ecommerce.

aud

string or array[string]

Yes

Identifies the recipients that the JWT is intended for. This aud field will be validated during the authentication following this general convention: https://{D1-client-api-domain-name}/oidc/{issuerId}.

jti

string

Yes

Unique identifier for the JWT.

iss

string

Yes

Issuer of the JWT. If the access token public key is provisioned in the tenant configuration, set this to issuerId (single-issuer and multi-issuer token scenarios). If it is not provisioned, then for single-issuer tokens only, set this to the jwks_uri value specified in the /.well-known/openid-configuration. file, from which the access token public key can be downloaded.

sub

string

Yes

Identifies the subject that is authenticated. Set this to consumerId.

iat

integer

Yes

Timestamp at which the JWT was issued.

access-token-payload.single-consumerid.json

{
  "jti": "M9JHKtLdfXu782EH3hMf_",
  "sub": "testuser",
  "iat": 1626836247,
  "exp": 1627441047,
  "scope": "digibank:mobilebanking digibank:ecommerce",
  "iss": "tenant1",
  "aud": "https://client-api.d1.thalescloud.io/oidc/tenant1"
}

The sub field can contain space-separated consumer IDs.

access-token-payload.multiple-consumerids.json

{
  "jti": "M9JHKtLdfXu782EH3hMf_",
  "sub": "testuser1 testuser2",
  "iat": 1626836247,
  "exp": 1627441047,
  "scope": "digibank:mobilebanking digibank:ecommerce",
  "iss": "tenant1",
  "aud": "https://client-api.d1.thalescloud.io/oidc/tenant1"
}

Algorithms

Supported and recommended

ES256: ECDSA using P-256 & SHA-256
ES384: ECDSA using P-384 & SHA-384
ES512: ECDSA using P-512 & SHA-512

Supported

RS256: RSASSA-PKCS1-v1_5 using SHA-256
RS512: RSASSA-PKCS1-v1_5 using SHA-512
PS256: RSASSA-PSS
PS384: RSASSA-PSS
PS512: RSASSA-PSS
EdDSA (Ed25519)

前へSDKログイン次へSDKログアウト

最終更新 4 か月前

役に立ちましたか？