JWT definitions
JWT claim details
Below are JTW claims and their expected values and locations. See also examples of response user access, user ID, and application access examples below.
| Claim Name | Description | Expected Value | Location |
|---|---|---|---|
account_id | Account ID of the user in IAM | account uuid | access token ID token |
amr | Authentication Methods References | An array of strings giving information about how the user is authenticated Examples: passwordmfa - appears when MFA is usedsms_mfa - appears when MFA using SMS was usedsoftware_token_mfa- appears when MFA using TOTP was usedfederated - appears when the user was federatedtrimble_oktaclient_credentials | access token ID token |
application_name | Name of the application | string | access token (client credentials grant only) |
at_hash | Hash of the accompanying access token | string | ID token |
aud | Audience an array of relying parties (client ID tokens) | For access tokens: an array of unique IDs for applications/APIs intended to consume this token For ID token tokens: this is a single string ID in the application that made the authentication request | access token ID token |
auth_time | The time when the authentication occurred | integer, (Seconds since midnight Jan 1, 1970) | access token ID token |
azp | Authorizing Party. Relying party’s client ID token | string | access token ID token |
data_region | Geographic region that user data is stored in | us/eu | access token ID token |
email | Email address of the user | string | ID token |
email_verified | Whether the user’s email is verified or not | boolean, true or false | ID token |
exp | Time on or after which the JWT MUST NOT be accepted for processing | integer, (Seconds since midnight Jan 1, 1970) | access token ID token |
family_name | Family name or surname of the user | string | ID token |
federation_origin | The federated system the user is signed in to | string e.g., trimble_okta | ID token |
given_name | Firstname or full name of this user | string | ID token |
iat | Issued At Time. The time the token was issued | integer, (Seconds sing midnight Jan 1, 1970) | access token ID token |
Identity_type | Logged user type | user or application | access token ID token |
iss | The issuer of a token | Prod: https://id.trimble.com Stage: https://state.id.trimblecloud.com | access token ID token |
jti | A unique identifier for the token | string | access token ID token |
jwt_ver | The version of this Trimble Identity Token | {2} | access token ID token |
nbf | Not Before Time. Used to determine the age of a JWT | integer, (Seconds since midnight Jan 1, 1970) | access token ID token |
nonce | A value used to prevent replay attacks. Matches the value supplied during the authorization request | value supplied during auth request | ID token |
picture | URL of user’s profile picture | string, URL | ID token |
scope | OpenID, or Application Name | space separated string | access token |
sub | The subject of the JWT | user or application UUID | access token ID token |
Response Payloads
Below are examples of responses for sent payloads from Trimble Identity v4.
User access token response
{ "iss": "https://stage.id.trimblecloud.com", "exp": 1629479671, "nbf": 1629476071, "iat": 1629476071, "jti": "d12f4bab...", "jwt_ver": 2, "sub": "4d533...", "identity_type": "user", "amr": [ "federated", "okta_trimble", "mfa" ], "auth_time": 1629476071, "azp": "c3275...", "aud": [ "c32758..." ], "scope": "InvitationDemonstration", "account_id": "4d5335...",}User ID token response
{ "iss": "https://stage.id.trimblecloud.com", "exp": 1629480574, "nbf": 1629476974, "iat": 1629476974, "jti": "d27065...", "jwt_ver": 2, "sub": "4d5335...", "aud": "c32758...", "identity_type": "user", "auth_time": 1629476974, "amr": [ "federated", "okta_trimble", "mfa" ], "azp": "c32758...", "given_name": "John", "family_name": "Example", "email": "john_example@example-domain.com", "email_verified": true, "federation_origin": "okta_trimble", "account_id": "4d5335...", "picture": "https://profiles-image-stage.s3.us-west-2.amazonaws.com/profileimages/users/picture..."}Application access token response
{ "iss": "https://stage.id.trimblecloud.com", "exp": 1629481989, "nbf": 1629478389, "iat": 1629478389, "jti": "70e6529...", "jwt_ver": 2, "sub": "271ec...", "application_name": "JavascriptSDKTesting", "identity_type": "application", "auth_time": 1629478389, "account_id": "271ec...", "amr": [ "client_credentials" ]}Sample JWT for device access token
{ "iss": "https://id.trimble.com", "exp": 111111, "nbf": 1111111, "iat": 11111111, "jti": "xxxxxx", "jwt_ver": 2, "sub": "device_id", "aud": [ "app_id" ], "amr": [ "certificate" ], "identity_type": "device", "auth_time": 11111111, "cnf": { "x5t#S256": "53a397b25879404477eaa65c51e889cdb0f74b23c8c8b156889c241380c9e411" }, "azp": "xxxxxxxxx", "scope": "app_name", "account_id": "12345678-90ab-cdef-1234-567890abcdef",}- To decode and verify the TID JWT Token, refer to Decode JWT