namespace WalkingTec.Mvvm.Core.Auth { public static class AuthConstants { public const string JwtTokenType = "Bearer"; public const string AuthenticationType = "WTMAuthentication"; public const string CookieAuthName = "WTM.CookieWithJwtAuth"; public static class JwtClaimTypes { // // Summary: // Unique Identifier for the End-User at the Issuer. public const string Subject = "sub"; // // Summary: // The iat (issued at) claim identifies the time at which the JWT was issued, , // specified as the number of seconds from 1970-01-01T0:0:0Z public const string IssuedAt = "iat"; // // Summary: // Authentication Methods References. JSON array of strings that are identifiers // for authentication methods used in the authentication. public const string AuthenticationMethod = "amr"; // // Summary: // Session identifier. This represents a Session of an OP at an RP to a User Agent // or device for a logged-in End-User. Its contents are unique to the OP and opaque // to the RP. public const string SessionId = "sid"; // // Summary: // Authentication Context Class Reference. String specifying an Authentication Context // Class Reference value that identifies the Authentication Context Class that the // authentication performed satisfied. The value "0" indicates the End-User authentication // did not meet the requirements of ISO/IEC 29115 level 1. Authentication using // a long-lived browser cookie, for instance, is one example where the use of "level // 0" is appropriate. Authentications with level 0 SHOULD NOT be used to authorize // access to any resource of any monetary value. (This corresponds to the OpenID // 2.0 PAPE nist_auth_level 0.) An absolute URI or an RFC 6711 registered name SHOULD // be used as the acr value; registered names MUST NOT be used with a different // meaning than that which is registered. Parties using this claim will need to // agree upon the meanings of the values used, which may be context-specific. The // acr value is a case sensitive string. public const string AuthenticationContextClassReference = "acr"; // // Summary: // Time when the End-User authentication occurred. Its value is a JSON number representing // the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. // When a max_age request is made or when auth_time is requested as an Essential // Claim, then this Claim is REQUIRED; otherwise, its inclusion is OPTIONAL. public const string AuthenticationTime = "auth_time"; // // Summary: // The party to which the ID Token was issued. If present, it MUST contain the OAuth // 2.0 Client ID of this party. This Claim is only needed when the ID Token has // a single audience value and that audience is different than the authorized party. // It MAY be included even when the authorized party is the same as the sole audience. // The azp value is a case sensitive string containing a StringOrURI value. public const string AuthorizedParty = "azp"; // // Summary: // Access Token hash value. Its value is the base64url encoding of the left-most // half of the hash of the octets of the ASCII representation of the access_token // value, where the hash algorithm used is the hash algorithm used in the alg Header // Parameter of the ID Token's JOSE Header. For instance, if the alg is RS256, hash // the access_token value with SHA-256, then take the left-most 128 bits and base64url // encode them. The at_hash value is a case sensitive string. public const string AccessTokenHash = "at_hash"; // // Summary: // Code hash value. Its value is the base64url encoding of the left-most half of // the hash of the octets of the ASCII representation of the code value, where the // hash algorithm used is the hash algorithm used in the alg Header Parameter of // the ID Token's JOSE Header. For instance, if the alg is HS512, hash the code // value with SHA-512, then take the left-most 256 bits and base64url encode them. // The c_hash value is a case sensitive string. public const string AuthorizationCodeHash = "c_hash"; // // Summary: // Time the End-User's information was last updated. Its value is a JSON number // representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC // until the date/time. public const string UpdatedAt = "updated_at"; // // Summary: // String value used to associate a Client session with an ID Token, and to mitigate // replay attacks. The value is passed through unmodified from the Authentication // Request to the ID Token. If present in the ID Token, Clients MUST verify that // the nonce Claim Value is equal to the value of the nonce parameter sent in the // Authentication Request. If present in the Authentication Request, Authorization // Servers MUST include a nonce Claim in the ID Token with the Claim Value being // the nonce value sent in the Authentication Request. Authorization Servers SHOULD // perform no other processing on nonce values used. The nonce value is a case sensitive // string. public const string Nonce = "nonce"; // // Summary: // Defines a set of event statements that each may add additional claims to fully // describe a single logical event that has occurred. public const string Events = "events"; // // Summary: // OAuth 2.0 Client Identifier valid at the Authorization Server. public const string ClientId = "client_id"; // // Summary: // OpenID Connect requests MUST contain the "openid" scope value. If the openid // scope value is not present, the behavior is entirely unspecified. Other scope // values MAY be present. Scope values used that are not understood by an implementation // SHOULD be ignored. public const string Scope = "scope"; // // Summary: // The "act" (actor) claim provides a means within a JWT to express that delegation // has occurred and identify the acting party to whom authority has been delegated.The // "act" claim value is a JSON object and members in the JSON object are claims // that identify the actor. The claims that make up the "act" claim identify and // possibly provide additional information about the actor. public const string Actor = "act"; // // Summary: // The "may_act" claim makes a statement that one party is authorized to become // the actor and act on behalf of another party. The claim value is a JSON object // and members in the JSON object are claims that identify the party that is asserted // as being eligible to act for the party identified by the JWT containing the claim. public const string MayAct = "may_act"; // // Summary: // an identifier public const string Id = "id"; // // Summary: // The identity provider public const string IdentityProvider = "idp"; // // Summary: // The role public const string Role = "role"; public const string TenantCode = "tenant"; // // Summary: // JWT ID. A unique identifier for the token, which can be used to prevent reuse // of the token. These tokens MUST only be used once, unless conditions for reuse // were negotiated between the parties; any such negotiation is beyond the scope // of this specification. public const string JwtId = "jti"; // // Summary: // The exp (expiration time) claim identifies the expiration time on or after which // the token MUST NOT be accepted for processing, specified as the number of seconds // from 1970-01-01T0:0:0Z public const string Expiration = "exp"; // // Summary: // The time before which the JWT MUST NOT be accepted for processing, specified // as the number of seconds from 1970-01-01T0:0:0Z public const string NotBefore = "nbf"; // // Summary: // Issuer Identifier for the Issuer of the response. The iss value is a case sensitive // URL using the https scheme that contains scheme, host, and optionally, port number // and path components and no query or fragment components. public const string Issuer = "iss"; // // Summary: // End-User's full name in displayable form including all name parts, possibly including // titles and suffixes, ordered according to the End-User's locale and preferences. public const string Name = "name"; // // Summary: // Given name(s) or first name(s) of the End-User. Note that in some cultures, people // can have multiple given names; all can be present, with the names being separated // by space characters. public const string GivenName = "given_name"; // // Summary: // Surname(s) or last name(s) of the End-User. Note that in some cultures, people // can have multiple family names or no family name; all can be present, with the // names being separated by space characters. public const string FamilyName = "family_name"; // // Summary: // Middle name(s) of the End-User. Note that in some cultures, people can have multiple // middle names; all can be present, with the names being separated by space characters. // Also note that in some cultures, middle names are not used. public const string MiddleName = "middle_name"; // // Summary: // Casual name of the End-User that may or may not be the same as the given_name. // For instance, a nickname value of Mike might be returned alongside a given_name // value of Michael. public const string NickName = "nickname"; // // Summary: // Shorthand name by which the End-User wishes to be referred to at the RP, such // as janedoe or j.doe. This value MAY be any valid JSON string including special // characters such as @, /, or whitespace. The relying party MUST NOT rely upon // this value being unique // // Remarks: // The RP MUST NOT rely upon this value being unique, as discussed in http://openid.net/specs/openid-connect-basic-1_0-32.html#ClaimStability public const string PreferredUserName = "preferred_username"; // // Summary: // URL of the End-User's profile page. The contents of this Web page SHOULD be about // the End-User. public const string Profile = "profile"; // // Summary: // URL of the End-User's profile picture. This URL MUST refer to an image file (for // example, a PNG, JPEG, or GIF image file), rather than to a Web page containing // an image. // // Remarks: // Note that this URL SHOULD specifically reference a profile photo of the End-User // suitable for displaying when describing the End-User, rather than an arbitrary // photo taken by the End-User. public const string Picture = "picture"; // // Summary: // URL of the End-User's Web page or blog. This Web page SHOULD contain information // published by the End-User or an organization that the End-User is affiliated // with. public const string WebSite = "website"; // // Summary: // End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 [RFC5322] // addr-spec syntax. The relying party MUST NOT rely upon this value being unique public const string Email = "email"; // // Summary: // "true" if the End-User's e-mail address has been verified; otherwise "false". // // Remarks: // When this Claim Value is "true", this means that the OP took affirmative steps // to ensure that this e-mail address was controlled by the End-User at the time // the verification was performed. The means by which an e-mail address is verified // is context-specific, and dependent upon the trust framework or contractual agreements // within which the parties are operating. public const string EmailVerified = "email_verified"; // // Summary: // End-User's gender. Values defined by this specification are "female" and "male". // Other values MAY be used when neither of the defined values are applicable. public const string Gender = "gender"; // // Summary: // End-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD // format. The year MAY be 0000, indicating that it is omitted. To represent only // the year, YYYY format is allowed. Note that depending on the underlying platform's // date related function, providing just year can result in varying month and day, // so the implementers need to take this factor into account to correctly process // the dates. public const string BirthDate = "birthdate"; // // Summary: // String from the time zone database (http://www.twinsun.com/tz/tz-link.htm) representing // the End-User's time zone. For example, Europe/Paris or America/Los_Angeles. public const string ZoneInfo = "zoneinfo"; // // Summary: // End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically // an ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase and an ISO 3166-1 // Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, // en-US or fr-CA. As a compatibility note, some implementations have used an underscore // as the separator rather than a dash, for example, en_US; Relying Parties MAY // choose to accept this locale syntax as well. public const string Locale = "locale"; // // Summary: // End-User's preferred telephone number. E.164 (https://www.itu.int/rec/T-REC-E.164/e) // is RECOMMENDED as the format of this Claim, for example, +1 (425) 555-1212 or // +56 (2) 687 2400. If the phone number contains an extension, it is RECOMMENDED // that the extension be represented using the RFC 3966 [RFC3966] extension syntax, // for example, +1 (604) 555-1234;ext=5678. public const string PhoneNumber = "phone_number"; // // Summary: // True if the End-User's phone number has been verified; otherwise false. When // this Claim Value is true, this means that the OP took affirmative steps to ensure // that this phone number was controlled by the End-User at the time the verification // was performed. // // Remarks: // The means by which a phone number is verified is context-specific, and dependent // upon the trust framework or contractual agreements within which the parties are // operating. When true, the phone_number Claim MUST be in E.164 format and any // extensions MUST be represented in RFC 3966 format. public const string PhoneNumberVerified = "phone_number_verified"; // // Summary: // End-User's preferred postal address. The value of the address member is a JSON // structure containing some or all of the members defined in http://openid.net/specs/openid-connect-basic-1_0-32.html#AddressClaim public const string Address = "address"; // // Summary: // Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 // client_id of the Relying Party as an audience value. It MAY also contain identifiers // for other audiences. In the general case, the aud value is an array of case sensitive // strings. In the common special case when there is one audience, the aud value // MAY be a single case sensitive string. public const string Audience = "aud"; // // Summary: // The reference token identifier public const string ReferenceTokenId = "reference_token_id"; // // Summary: // The confirmation public const string Confirmation = "cnf"; } } }