# Schema for SM(C)-B ID Token JWT Payload # The SM(C)-B ID Token JWT is used in the OAuth Token Exchange flow with the ZETA Guard AuthServer # It is signed by a SM(C)-B signing Key and contains the Telematik-ID of the SM(C)-B. # JWT Header: # { # "alg": "ES256", # "typ": "JWT", # "x5c": [ "Base64-encoded X.509 certificate" ] # } # Hint: The algorithm used by the SM(C)-B signing key is the # Brainpool P-256 R1 curve. # JWT Payload: $schema: "http://json-schema.org/draft-07/schema#" schemaVersion: "1.0.0" title: SM(C)-B ID Token JWT Payload description: Schema for the SM(C)-B ID Token JWT type: object properties: header: type: object properties: alg: type: string description: The algorithm used to sign the JWT. Hint --> The algorithm used by the SM(C)-B signing key is the Brainpool P-256 R1 curve. enum: - ES256 typ: type: string description: The type of the JWT. enum: - JWT x5c: type: array description: Contains the certificate. The certificate must be the leaf certificate containing the public key for verifying the signature. It must be base64-der-encoded. items: type: string format: byte # Represents base64 encoded data minItems: 1 required: - alg - typ - x5c payload: type: object properties: jti: type: string description: The JWT ID. nonce: type: string description: A **unique value** from the AS to prevent replay attacks. iss: type: string description: The issuer of the JWT (client_id). sub: type: string description: The Telematik-ID of the SM(C)-B. aud: type: array items: type: string description: The audience of the JWT (the Authorization Server). exp: type: integer description: The expiration time of the JWT (Short-lived). iat: type: integer description: The issued at time of the JWT. client_key: type: object description: The claim binding the token to the public client instance key. properties: jkt: type: string description: JWK Thumbprint of the public client instance key. Must be the same as the jwks key in the DCR request. required: - jkt dpop_key: type: object description: The DPoP binding claim. properties: jkt: type: string description: JWK Thumbprint of the public DPoP key. Must be the same as the jkt claim in the DPoP proof sent with the token request. required: - jkt required: - jti - nonce - iss - sub - aud - exp - iat - client_key - dpop_key