The JSON Web Token is the Access Token format which this specification requires when using OAuth2. The JWT supports signatures using asymmetric cryptography which implies that Servers which accept the Access Token must have access to the Certificate used by the Authorization Service (AS). The OpenID Connect Discovery specification is implemented by many AS products and provides a mechanism to fetch the AS Certificate via an HTTP request. If the AS does not support the discovery specification, then the signing Certificate will have to be provided to the Server when the location of the AS is added to the Server configuration.

Access Tokens expire and all Servers should revoke any privileges granted to the Session when the Access Token expires. If the Server allows for anonymous users, the Server should allow the Session to stay open but treat it as an anonymous user. If the Server does not allow anonymous users, it should close the Session immediately.

Clients know when the Access Token will expire and should request a new the Access Token and call ActivateSession before the old Access Token expires.

The JWT format allows the Authorization Service to insert any number of fields. The mandatory fields are defined in RFC 7159. Some additional fields are defined in Table 40 (see RFC 7523).

Table 40 – Access Token Claims




The subject for the token.

Usually the client_id which identifies the Client.

If returned from an Identity Provider it may be a unique identifier for the user.


The audience for the token.

Usually the resource_id which identifies for the Server or the Server ApplicationUri.


A human readable name for the Client application or user.


A list of Scopes granted to the subject.

Scopes apply to the Access Token and restrict how it may be used.

Usually permissions or other restriction which limit access rights.


A nonce used to mitigate replay attacks.

Shall be the value provided by the Client in the request.


A list of groups which assigned to the subject.

Usually a list of unique identifiers for platform specific security groups.

For example, Azure AD user account groups may be returned in this claim.


A list of roles which assigned to the subject.

Roles apply to the requestor and described what the requestor can do with the resource.

Usually a list of unique identifiers for roles known to the Authorization Service.

These values are typically mapped to the Roles defined in OPC 10000-3.