Oihana PHP Enums

JwtClaim uses ConstantsTrait

Enumeration of standard JWT claim names.

Draws on the IANA "JSON Web Token Claims" registry and the most common neighbouring specifications:

  • RFC 7519 registered claims (iss, sub, aud, exp, nbf, iat, jti)
  • Common OAuth 2.0 / OpenID Connect claims (azp, nonce, acr, amr, scope...)
  • OIDC standard profile claims (OIDC Core §5.1)
  • OIDC logout (sid, defined by Front-Channel Logout 1.0 and Back-Channel Logout 1.0)
  • OIDC ID Token validation hashes (at_hash, c_hash)
  • RFC 8693 Token Exchange (act, may_act)
  • RFC 7800 Proof-of-Possession (cnf)
  • Widely used provider-specific claims (groups, roles, tid, oid...)

Each registered claim from RFC 7519 is exposed under both its short form (e.g. self::ISS) and a long, human-readable alias (e.g. self::ISSUER). Both constants resolve to the same string value and may be used interchangeably.

Example:

$assertion = JWT::encode
(
    [
        JwtClaim::ISS => $this->serviceAccount[ ZitadelKeyFile::USER_ID ] ,
        JwtClaim::SUB => $this->serviceAccount[ ZitadelKeyFile::USER_ID ] ,
        JwtClaim::AUD => $this->issuer ,
        JwtClaim::IAT => $now ,
        JwtClaim::EXP => $now + 3600 ,
    ] ,
    ...
) ;
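The page's example only mints a token. The matching consumer-side step, as an added example that is not code from the Oihana PHP Enums package, is the check of the RFC 7519 registered claims on a payload whose signature has already been verified: exact issuer match, audience membership (single value or array), the three NumericDate claims with a small clock-skew leeway, and a jti replay check. The `use` statement assumes the class lives in the `oihana\enums` namespace (an assumption; adjust it to the package's real namespace), and the `$jtiSeen` callback and the sample payload are constructed for the example.

```php
<?php
declare(strict_types=1);

use oihana\enums\JwtClaim; // assumed namespace of the Oihana PHP Enums package; adjust if needed

/**
 * Validates the registered claims (RFC 7519 §4.1) of an already signature-verified payload.
 * Returns a list of violations; an empty list means the claim set is acceptable.
 *
 * @param callable|null $jtiSeen  hypothetical replay check: returns true if the jti was already used
 */
function validateRegisteredClaims(
    array     $claims ,
    string    $expectedIssuer ,
    string    $expectedAudience ,
    int       $now ,
    int       $leeway  = 30 ,     // tolerated clock skew, in seconds
    ?callable $jtiSeen = null
) : array
{
    $errors = [] ;

    // iss: exact, case-sensitive string comparison (§4.1.1)
    if ( ( $claims[ JwtClaim::ISS ] ?? null ) !== $expectedIssuer )
    {
        $errors[] = 'iss mismatch' ;
    }

    // aud: a single StringOrURI or an array of them; the recipient must find itself in it (§4.1.3)
    $aud = $claims[ JwtClaim::AUD ] ?? [] ;
    $aud = is_array( $aud ) ? $aud : [ $aud ] ;
    if ( !in_array( $expectedAudience , $aud , true ) )
    {
        $errors[] = 'aud does not contain ' . $expectedAudience ;
    }

    // exp: mandatory here (policy choice), must be a NumericDate, and must not be in the past (§4.1.4)
    $exp = $claims[ JwtClaim::EXP ] ?? null ;
    if ( !is_int( $exp ) && !is_float( $exp ) )
    {
        $errors[] = 'exp missing or not a NumericDate' ;
    }
    elseif ( $now >= $exp + $leeway )
    {
        $errors[] = 'token expired' ;
    }

    // nbf: optional; reject if the token is not yet valid, allowing the leeway (§4.1.5)
    $nbf = $claims[ JwtClaim::NBF ] ?? null ;
    if ( $nbf !== null && ( ( !is_int( $nbf ) && !is_float( $nbf ) ) || $now < $nbf - $leeway ) )
    {
        $errors[] = 'token not yet valid' ;
    }

    // iat: optional; a token "issued" in the future is a sign of a bad clock or a forged payload (§4.1.6)
    $iat = $claims[ JwtClaim::IAT ] ?? null ;
    if ( $iat !== null && ( ( !is_int( $iat ) && !is_float( $iat ) ) || $iat > $now + $leeway ) )
    {
        $errors[] = 'iat is in the future' ;
    }

    // jti: when a replay store is supplied, require the claim and reject a repeated identifier (§4.1.7)
    if ( $jtiSeen !== null )
    {
        $jti = $claims[ JwtClaim::JTI ] ?? null ;
        if ( !is_string( $jti ) || $jti === '' )
        {
            $errors[] = 'jti missing' ;
        }
        elseif ( $jtiSeen( $jti ) )
        {
            $errors[] = 'jti already used' ;
        }
    }

    return $errors ;
}

// Constructed sample payload, shaped like the output of a JWT library after signature verification.
$now     = time() ;
$payload =
[
    JwtClaim::ISS => 'https://issuer.example' ,
    JwtClaim::SUB => 'service-account-42' ,
    JwtClaim::AUD => [ 'https://api.example' , 'https://other.example' ] ,
    JwtClaim::IAT => $now - 5 ,
    JwtClaim::NBF => $now - 5 ,
    JwtClaim::EXP => $now + 60 ,
    JwtClaim::JTI => 'c0ffee-0001' ,
] ;

// Minimal in-memory replay store keyed on jti; a real one is keyed on (iss, jti) and expires entries at exp.
$seen    = [] ;
$jtiSeen = function( string $jti ) use ( &$seen ) : bool
{
    $wasSeen       = isset( $seen[ $jti ] ) ;
    $seen[ $jti ]  = true ;
    return $wasSeen ;
} ;

$first  = validateRegisteredClaims( $payload , 'https://issuer.example' , 'https://api.example' , $now , 30 , $jtiSeen ) ;
$second = validateRegisteredClaims( $payload , 'https://issuer.example' , 'https://api.example' , $now , 30 , $jtiSeen ) ;

echo 'first use:  ' , ( $first  === [] ? 'accepted' : implode( '; ' , $first  ) ) , PHP_EOL ;
echo 'second use: ' , ( $second === [] ? 'accepted' : implode( '; ' , $second ) ) , PHP_EOL ;
```

The second call presents the same payload again and is refused on jti alone, which is the behaviour an authorization server needs for one-shot client assertions. Signature verification is deliberately out of scope here: run it first, with the expected algorithm pinned, and only then hand the decoded payload to this function.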

References:

  • RFC 7519 — JSON Web Token (registered claims)
  • RFC 7515 — JSON Web Signature
  • RFC 7800 — Proof-of-Possession Key Semantics for JWTs
  • RFC 8693 — OAuth 2.0 Token Exchange
  • OIDC Core 1.0 (§2 ID Token, §3.1.3.6 / §3.3.2.11, §5.1 Standard Claims)
  • OIDC Front-Channel / Back-Channel Logout 1.0 (sid)
  • IANA JSON Web Token Claims Registry
Tags

  • author: Marc Alcaraz (ekameleon)
  • since: 1.1.0

Table of Contents

Constants

ACR  : string = 'acr'
`acr` — Authentication Context Class Reference (OIDC Core §2).
ACT  : string = 'act'
`act` — Actor (RFC 8693 §4.1).
ADDRESS  : string = 'address'
`address` — End-User's preferred postal address, as a JSON object (see OIDC Core §5.1.1 for sub-fields).
AMR  : string = 'amr'
`amr` — Authentication Methods References (OIDC Core §2).
AT_HASH  : string = 'at_hash'
`at_hash` — Access Token hash value (OIDC Core §3.1.3.6).
AUD  : string = 'aud'
`aud` — Audience of the JWT (RFC 7519 §4.1.3).
AUDIENCE  : string = 'aud'
Long-form alias of {@see self::AUD}.
AUTH_TIME  : string = 'auth_time'
`auth_time` — Time when the End-User authentication occurred (OIDC Core §2).
AZP  : string = 'azp'
`azp` — Authorized Party (OIDC Core §2).
BIRTHDATE  : string = 'birthdate'
`birthdate` — End-User's birthday in ISO 8601:2004 `YYYY-MM-DD` format. The year may be `0000` to indicate that it is omitted.
C_HASH  : string = 'c_hash'
`c_hash` — Authorization Code hash value (OIDC Core §3.3.2.11).
CLIENT_ID  : string = 'client_id'
`client_id` — OAuth 2.0 Client Identifier valid at the authorization server (RFC 8693 §4.3).
CNF  : string = 'cnf'
`cnf` — Confirmation (RFC 7800).
EMAIL  : string = 'email'
`email` — End-User's preferred e-mail address.
EMAIL_VERIFIED  : string = 'email_verified'
`email_verified` — Boolean. `true` if the End-User's e-mail address has been verified, `false` otherwise.
ENTITLEMENTS  : string = 'entitlements'
`entitlements` — Entitlements / fine-grained permissions granted to the subject. Non-standard.
EXP  : string = 'exp'
`exp` — Expiration time (RFC 7519 §4.1.4).
EXPIRES_AT  : string = 'exp'
Long-form alias of {@see self::EXP}.
FAMILY_NAME  : string = 'family_name'
`family_name` — Surname(s) or last name(s) of the End-User.
GENDER  : string = 'gender'
`gender` — End-User's gender. Values defined by the specification are `female` and `male`; other values may be used when neither fits.
GIVEN_NAME  : string = 'given_name'
`given_name` — Given name(s) or first name(s) of the End-User.
GROUPS  : string = 'groups'
`groups` — Group memberships of the subject.
IAT  : string = 'iat'
`iat` — Issued At (RFC 7519 §4.1.6).
ISS  : string = 'iss'
`iss` — Issuer of the JWT (RFC 7519 §4.1.1).
ISSUED_AT  : string = 'iat'
Long-form alias of {@see self::IAT}.
ISSUER  : string = 'iss'
Long-form alias of {@see self::ISS}.
JTI  : string = 'jti'
`jti` — JWT ID (RFC 7519 §4.1.7).
JWT_ID  : string = 'jti'
Long-form alias of {@see self::JTI}.
LOCALE  : string = 'locale'
`locale` — End-User's locale, as a BCP47 language tag (e.g. `en-US`, `fr-FR`).
MAY_ACT  : string = 'may_act'
`may_act` — Authorized Actor (RFC 8693 §4.4).
MIDDLE_NAME  : string = 'middle_name'
`middle_name` — Middle name(s) of the End-User.
NAME  : string = 'name'
`name` — End-User's full name in displayable form, including all name parts.
NBF  : string = 'nbf'
`nbf` — Not Before (RFC 7519 §4.1.5).
NICKNAME  : string = 'nickname'
`nickname` — Casual name of the End-User. May or may not be the same as {@see self::GIVEN_NAME}.
NONCE  : string = 'nonce'
`nonce` — String value used to associate a Client session with an ID Token and to mitigate replay attacks (OIDC Core §2).
NOT_BEFORE  : string = 'nbf'
Long-form alias of {@see self::NBF}.
OID  : string = 'oid'
`oid` — Object ID.
PHONE_NUMBER  : string = 'phone_number'
`phone_number` — End-User's preferred telephone number, preferably in E.164 format (e.g. `+33123456789`).
PHONE_NUMBER_VERIFIED  : string = 'phone_number_verified'
`phone_number_verified` — Boolean. `true` if the End-User's phone number has been verified, `false` otherwise.
PICTURE  : string = 'picture'
`picture` — URL of the End-User's profile picture.
PREFERRED_USERNAME  : string = 'preferred_username'
`preferred_username` — Shorthand name by which the End-User wishes to be referred to. Not guaranteed to be unique.
PROFILE  : string = 'profile'
`profile` — URL of the End-User's profile page.
ROLES  : string = 'roles'
`roles` — Role assignments of the subject.
SCOPE  : string = 'scope'
`scope` — OAuth 2.0 scope values (RFC 8693 §4.2).
SCP  : string = 'scp'
`scp` — Alternative scope representation used by some identity providers (e.g. Okta, Microsoft Identity Platform).
SESSION_ID  : string = 'sid'
Long-form alias of {@see self::SID}.
SID  : string = 'sid'
`sid` — Session ID.
SUB  : string = 'sub'
`sub` — Subject of the JWT (RFC 7519 §4.1.2).
SUBJECT  : string = 'sub'
Long-form alias of {@see self::SUB}.
TID  : string = 'tid'
`tid` — Tenant ID.
UPDATED_AT  : string = 'updated_at'
`updated_at` — Time the End-User's information was last updated.
WEBSITE  : string = 'website'
`website` — URL of the End-User's web page or blog.
ZONEINFO  : string = 'zoneinfo'
`zoneinfo` — String from the zoneinfo time zone database representing the End-User's time zone (e.g. `Europe/Paris`).

Constants

ACR

`acr` — Authentication Context Class Reference (OIDC Core §2).

public string ACR = 'acr'

Identifies the authentication context class that the authentication performed satisfied. Value is a case-sensitive string, often a URI.

ACT

`act` — Actor (RFC 8693 §4.1).

public string ACT = 'act'

JSON object identifying the acting party in a delegation scenario. Contains claims (typically sub and iss) describing the actor. May be nested to represent a chain of delegation.

ADDRESS

`address` — End-User's preferred postal address, as a JSON object (see OIDC Core §5.1.1 for sub-fields).

public string ADDRESS = 'address'

AMR

`amr` — Authentication Methods References (OIDC Core §2).

public string AMR = 'amr'

JSON array of strings identifying the authentication methods used (e.g. ["pwd","mfa"]). See RFC 8176 for a registry of values.

AT_HASH

`at_hash` — Access Token hash value (OIDC Core §3.1.3.6).

public string AT_HASH = 'at_hash'

Base64url-encoded (unpadded) left-most half of the hash of the ASCII access_token value, where the hash function is the one of the ID Token's JWS alg header (e.g. SHA-256 for RS256, giving 128 bits). The client recomputes it to validate that the access token returned alongside the ID Token is the one bound to it.

AUD

`aud` — Audience of the JWT (RFC 7519 §4.1.3).

public string AUD = 'aud'

Identifies the recipients that the JWT is intended for. A recipient must reject a JWT whose aud does not contain an identifier for itself (RFC 7519 §4.1.3). For a JWT bearer client assertion (RFC 7523 §3), aud identifies the authorization server, typically its issuer URL or token endpoint URL, as in the example above.

Value: a single StringOrURI or an array of StringOrURI.

AUDIENCE

Long-form alias of {@see self::AUD}.

public string AUDIENCE = 'aud'

AUTH_TIME

`auth_time` — Time when the End-User authentication occurred (OIDC Core §2).

public string AUTH_TIME = 'auth_time'

Value: NumericDate.

AZP

`azp` — Authorized Party (OIDC Core §2).

public string AZP = 'azp'

The party to which the ID Token was issued. Used when the authorized presenter differs from the sole audience. The value is the OAuth client_id of that party.

BIRTHDATE

`birthdate` — End-User's birthday in ISO 8601:2004 `YYYY-MM-DD` format. The year may be `0000` to indicate that it is omitted.

public string BIRTHDATE = 'birthdate'

C_HASH

`c_hash` — Authorization Code hash value (OIDC Core §3.3.2.11).

public string C_HASH = 'c_hash'

Base64url-encoded (unpadded) left-most half of the hash of the ASCII authorization code, computed the same way as at_hash with the hash function of the ID Token's alg. Used in the hybrid flow (response_type code id_token or code id_token token) to validate that the code is bound to the ID Token.
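The two hash claims above share one construction, so here is a single added example (not code from the Oihana PHP Enums package) that computes it and checks it in constant time, selecting the hash function from the ID Token's alg and serving both at_hash and c_hash. The `use` statement assumes the `oihana\enums` namespace (an assumption; adjust it to the package's real namespace); the access token, code and ID Token claims are constructed for the example.

```php
<?php
declare(strict_types=1);

use oihana\enums\JwtClaim; // assumed namespace of the Oihana PHP Enums package; adjust if needed

/**
 * Computes an OIDC token hash (at_hash / c_hash, OIDC Core §3.1.3.6 and §3.3.2.11):
 * left-most half of the hash of the ASCII value, base64url-encoded without padding.
 * The hash function follows the JWS alg of the ID Token: *256 -> SHA-256, *384 -> SHA-384, *512 -> SHA-512.
 */
function oidcTokenHash( string $value , string $alg ) : string
{
    $algo = match ( substr( $alg , -3 ) )
    {
        '256'   => 'sha256' ,
        '384'   => 'sha384' ,
        '512'   => 'sha512' ,
        default => throw new InvalidArgumentException( 'Unsupported alg: ' . $alg ) ,
    } ;

    $digest = hash( $algo , $value , true ) ;                          // raw binary digest
    $half   = substr( $digest , 0 , intdiv( strlen( $digest ) , 2 ) ) ; // left-most half

    return rtrim( strtr( base64_encode( $half ) , '+/' , '-_' ) , '=' ) ;
}

/**
 * Verifies that the ID Token carries the expected hash for $value under $claim
 * (JwtClaim::AT_HASH for an access token, JwtClaim::C_HASH for an authorization code).
 * Uses hash_equals so a wrong value does not leak how many leading characters matched.
 */
function verifyTokenHash( array $idTokenClaims , string $claim , string $value , string $alg ) : bool
{
    $actual = $idTokenClaims[ $claim ] ?? null ;
    if ( !is_string( $actual ) )
    {
        return false ; // the claim is required whenever the token/code is returned with the ID Token
    }
    return hash_equals( oidcTokenHash( $value , $alg ) , $actual ) ;
}

// Constructed sample: an OP issuing an RS256 ID Token next to an access token and a code.
$alg         = 'RS256' ;
$accessToken = 'constructed-access-token-0123456789' ;
$code        = 'constructed-authorization-code-abcdef' ;

$idTokenClaims =
[
    JwtClaim::ISS     => 'https://op.example' ,
    JwtClaim::SUB     => 'user-42' ,
    JwtClaim::AUD     => 'my-client-id' ,
    JwtClaim::AT_HASH => oidcTokenHash( $accessToken , $alg ) , // what a conforming OP would put there
    JwtClaim::C_HASH  => oidcTokenHash( $code        , $alg ) ,
] ;

$okToken    = verifyTokenHash( $idTokenClaims , JwtClaim::AT_HASH , $accessToken , $alg ) ;
$okCode     = verifyTokenHash( $idTokenClaims , JwtClaim::C_HASH  , $code        , $alg ) ;
$swappedAt  = verifyTokenHash( $idTokenClaims , JwtClaim::AT_HASH , $accessToken . 'x' , $alg ) ; // substituted token

echo 'access token bound: ' , var_export( $okToken   , true ) , PHP_EOL ;
echo 'code bound:         ' , var_export( $okCode    , true ) , PHP_EOL ;
echo 'swapped token:      ' , var_export( $swappedAt , true ) , PHP_EOL ;
```

Take $alg from the verified JWS header of the ID Token, never from an unauthenticated source, and pin it to the algorithms the client accepts; otherwise an attacker who can influence the header also chooses the hash function the check uses.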

CLIENT_ID

`client_id` — OAuth 2.0 Client Identifier valid at the authorization server (RFC 8693 §4.3).

public string CLIENT_ID = 'client_id'

CNF

`cnf` — Confirmation (RFC 7800).

public string CNF = 'cnf'

JSON object containing members that identify the proof-of-possession key used to bind the token to a specific holder. RFC 7800 defines jwk, jwe, kid and jku; later specifications register jkt (DPoP, RFC 9449) and x5t#S256 (mutual-TLS client certificate binding, RFC 8705). A resource server that sees cnf must verify the presented proof, or the binding adds nothing.

EMAIL

`email` — End-User's preferred e-mail address.

public string EMAIL = 'email'

EMAIL_VERIFIED

`email_verified` — Boolean. `true` if the End-User's e-mail address has been verified, `false` otherwise.

public string EMAIL_VERIFIED = 'email_verified'

ENTITLEMENTS

`entitlements` — Entitlements / fine-grained permissions granted to the subject. Non-standard.

public string ENTITLEMENTS = 'entitlements'

EXP

`exp` — Expiration time (RFC 7519 §4.1.4).

public string EXP = 'exp'

Unix epoch time (seconds since 1970-01-01T00:00:00Z) at which the JWT must no longer be accepted for processing. Recipients must reject a token past this point, allowing at most a small leeway for clock skew. For short-lived client assertions, now + 60s is usually sufficient.

Value: NumericDate.

EXPIRES_AT

Long-form alias of {@see self::EXP}.

public string EXPIRES_AT = 'exp'

FAMILY_NAME

`family_name` — Surname(s) or last name(s) of the End-User.

public string FAMILY_NAME = 'family_name'

GENDER

`gender` — End-User's gender. Values defined by the specification are `female` and `male`; other values may be used when neither fits.

public string GENDER = 'gender'

GIVEN_NAME

`given_name` — Given name(s) or first name(s) of the End-User.

public string GIVEN_NAME = 'given_name'

GROUPS

`groups` — Group memberships of the subject.

public string GROUPS = 'groups'

Non-standard but widely used (Keycloak, Okta, Azure AD...). Usually a JSON array of strings.

IAT

`iat` — Issued At (RFC 7519 §4.1.6).

public string IAT = 'iat'

Unix epoch time at which the JWT was minted. Can be used by recipients to determine the age of the token.

Value: NumericDate.

ISS

`iss` — Issuer of the JWT (RFC 7519 §4.1.1).

public string ISS = 'iss'

Identifies the principal that issued the JWT. For a JWT bearer client assertion (RFC 7523 §3) this is a unique identifier for the client, normally its OAuth client_id (or, as in the example above, the service account's user ID). Recipients compare it against the configured issuer as an exact string, and should resolve signing keys from that trusted issuer rather than from anything carried in the token.

Value: case-sensitive string, typically a StringOrURI.

ISSUED_AT

Long-form alias of {@see self::IAT}.

public string ISSUED_AT = 'iat'

ISSUER

Long-form alias of {@see self::ISS}.

public string ISSUER = 'iss'

JTI

`jti` — JWT ID (RFC 7519 §4.1.7).

public string JTI = 'jti'

Unique identifier for the JWT. Used to prevent replay attacks by ensuring each assertion is used only once: the authorization server stores the identifiers it has seen at least until the corresponding exp has passed and rejects a repeated one. Uniqueness is only guaranteed per issuer, so a replay cache should be keyed on the (iss, jti) pair.

Value: case-sensitive string.

JWT_ID

Long-form alias of {@see self::JTI}.

public string JWT_ID = 'jti'

LOCALE

`locale` — End-User's locale, as a BCP47 language tag (e.g. `en-US`, `fr-FR`).

public string LOCALE = 'locale'

MAY_ACT

`may_act` — Authorized Actor (RFC 8693 §4.4).

public string MAY_ACT = 'may_act'

JSON object expressing that the named actor is authorized to act on behalf of the subject of the token.

MIDDLE_NAME

`middle_name` — Middle name(s) of the End-User.

public string MIDDLE_NAME = 'middle_name'

NAME

`name` — End-User's full name in displayable form, including all name parts.

public string NAME = 'name'

NBF

`nbf` — Not Before (RFC 7519 §4.1.5).

public string NBF = 'nbf'

Unix epoch time before which the JWT must not be accepted for processing. It is not a clock-skew mechanism: verifiers tolerate skew by allowing a small leeway (a few seconds to a couple of minutes) around both nbf and exp, and back-dating nbf at issuance only widens the window in which the token is accepted.

Value: NumericDate.

NICKNAME

`nickname` — Casual name of the End-User. May or may not be the same as {@see self::GIVEN_NAME}.

public string NICKNAME = 'nickname'

NONCE

`nonce` — String value used to associate a Client session with an ID Token and to mitigate replay attacks (OIDC Core §2).

public string NONCE = 'nonce'

If sent in the Authentication Request, the same value must be returned unmodified in the ID Token, and the Client must check that it equals the value it generated and stored for this session (OIDC Core §3.1.3.7). The check only helps if each nonce is unpredictable and used once.

NOT_BEFORE

Long-form alias of {@see self::NBF}.

public string NOT_BEFORE = 'nbf'

OID

`oid` — Object ID.

public string OID = 'oid'

Used by Microsoft Identity Platform / Azure AD as the immutable identifier for the user object across applications.

PHONE_NUMBER

`phone_number` — End-User's preferred telephone number, preferably in E.164 format (e.g. `+33123456789`).

public string PHONE_NUMBER = 'phone_number'

PHONE_NUMBER_VERIFIED

`phone_number_verified` — Boolean. `true` if the End-User's phone number has been verified, `false` otherwise.

public string PHONE_NUMBER_VERIFIED = 'phone_number_verified'

PICTURE

`picture` — URL of the End-User's profile picture.

public string PICTURE = 'picture'

PREFERRED_USERNAME

`preferred_username` — Shorthand name by which the End-User wishes to be referred to. Not guaranteed to be unique.

public string PREFERRED_USERNAME = 'preferred_username'

PROFILE

`profile` — URL of the End-User's profile page.

public string PROFILE = 'profile'

ROLES

`roles` — Role assignments of the subject.

public string ROLES = 'roles'

Non-standard but widely used. Usually a JSON array of strings.

SCOPE

`scope` — OAuth 2.0 scope values (RFC 8693 §4.2).

public string SCOPE = 'scope'

Space-separated string listing the OAuth 2.0 scope values granted to the token.

SCP

`scp` — Alternative scope representation used by some identity providers (e.g. Okta, Microsoft Identity Platform).

public string SCP = 'scp'

Conveys the same information as self::SCOPE in a provider-specific shape: Okta emits a JSON array of strings, while the Microsoft Identity Platform emits a space-separated string. Consumers that accept tokens from more than one provider should normalise both claims to one set before authorising.
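Because scope and scp differ in shape between providers, an added example (not code from the Oihana PHP Enums package) that folds both into one set and answers a scope check, rather than string-matching one representation. The `use` statement assumes the `oihana\enums` namespace (an assumption; adjust it to the package's real namespace); the three sample payloads are constructed.

```php
<?php
declare(strict_types=1);

use oihana\enums\JwtClaim; // assumed namespace of the Oihana PHP Enums package; adjust if needed

/**
 * Returns the granted scopes as a de-duplicated list, whatever the provider's representation:
 * - scope: space-separated string (RFC 8693 §4.2, RFC 9068)
 * - scp:   JSON array of strings (Okta) or space-separated string (Microsoft Identity Platform)
 */
function grantedScopes( array $claims ) : array
{
    $scopes = [] ;

    foreach ( [ JwtClaim::SCOPE , JwtClaim::SCP ] as $name )
    {
        $value = $claims[ $name ] ?? null ;

        if ( is_string( $value ) )
        {
            $scopes = array_merge( $scopes , preg_split( '/\s+/' , trim( $value ) , -1 , PREG_SPLIT_NO_EMPTY ) ) ;
        }
        elseif ( is_array( $value ) )
        {
            $scopes = array_merge( $scopes , array_values( array_filter( $value , 'is_string' ) ) ) ;
        }
        // any other type is ignored: a malformed claim grants nothing
    }

    return array_values( array_unique( $scopes ) ) ;
}

/** Exact, case-sensitive membership test; scope values are case-sensitive strings. */
function hasScope( array $claims , string $required ) : bool
{
    return in_array( $required , grantedScopes( $claims ) , true ) ;
}

// Constructed payloads in the three shapes seen in the wild.
$rfcStyle   = [ JwtClaim::SCOPE => 'openid profile files:read' ] ;
$oktaStyle  = [ JwtClaim::SCP   => [ 'openid' , 'profile' , 'files:read' ] ] ;
$msftStyle  = [ JwtClaim::SCP   => 'Files.Read Mail.Read' ] ;

foreach ( [ 'scope string' => $rfcStyle , 'scp array' => $oktaStyle , 'scp string' => $msftStyle ] as $label => $claims )
{
    echo $label , ': ' , implode( ',' , grantedScopes( $claims ) ) ,
         ' | files:read=' , var_export( hasScope( $claims , 'files:read' ) , true ) , PHP_EOL ;
}
```

Deciding authorisation on the normalised set avoids the common failure where a check written against `scope` silently grants nothing (or, with a loose substring match, too much) when a second provider sends `scp`.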

SESSION_ID

Long-form alias of {@see self::SID}.

public string SESSION_ID = 'sid'

SID

`sid` — Session ID.

public string SID = 'sid'

Identifier for a Session, used to enable per-session logout. Present in ID Tokens when the OP supports session-specific logout. A Logout Token must contain either sub or sid and may contain both; a relying party that receives only sid must be able to map it to the local session it created from the ID Token.

Specs:

  • OIDC Front-Channel Logout 1.0
  • OIDC Back-Channel Logout 1.0
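The Back-Channel Logout validation rules (§2.6 of that spec) are the point where sid is actually used, so here is an added example (not code from the Oihana PHP Enums package) that checks a decoded, signature-verified Logout Token: issuer and audience, the mandatory iat and jti, sub or sid, the events member, and the absence of nonce. The events claim is not part of the JwtClaim enum on this page, so its name is written as a string literal. The `use` statement assumes the `oihana\enums` namespace (an assumption; adjust it to the package's real namespace); the sample tokens are constructed.

```php
<?php
declare(strict_types=1);

use oihana\enums\JwtClaim; // assumed namespace of the Oihana PHP Enums package; adjust if needed

// Member name that a Logout Token's "events" claim must carry (OIDC Back-Channel Logout 1.0 §2.4).
const BACKCHANNEL_LOGOUT_EVENT = 'http://schemas.openid.net/event/backchannel-logout' ;

/**
 * Validates the claim set of a Logout Token whose signature has already been verified
 * against the OP's keys. Returns a list of violations; empty means the logout may proceed.
 */
function validateLogoutToken( array $claims , string $expectedIssuer , string $clientId ) : array
{
    $errors = [] ;

    // iss and aud are validated as for an ID Token
    if ( ( $claims[ JwtClaim::ISS ] ?? null ) !== $expectedIssuer )
    {
        $errors[] = 'iss mismatch' ;
    }
    $aud = $claims[ JwtClaim::AUD ] ?? [] ;
    if ( !in_array( $clientId , is_array( $aud ) ? $aud : [ $aud ] , true ) )
    {
        $errors[] = 'aud does not contain the client_id' ;
    }

    // iat and jti are required; jti should additionally be checked against a replay store
    if ( !is_int( $claims[ JwtClaim::IAT ] ?? null ) )
    {
        $errors[] = 'iat missing' ;
    }
    if ( !is_string( $claims[ JwtClaim::JTI ] ?? null ) )
    {
        $errors[] = 'jti missing' ;
    }

    // at least one of sub (log out the user everywhere) or sid (log out one session)
    $hasSub = is_string( $claims[ JwtClaim::SUB ] ?? null ) ;
    $hasSid = is_string( $claims[ JwtClaim::SID ] ?? null ) ;
    if ( !$hasSub && !$hasSid )
    {
        $errors[] = 'neither sub nor sid present' ;
    }

    // events must be a JSON object containing the backchannel-logout member (decoded here as an array)
    $events = $claims[ 'events' ] ?? null ;
    if ( !is_array( $events ) || !array_key_exists( BACKCHANNEL_LOGOUT_EVENT , $events ) )
    {
        $errors[] = 'events claim lacks the backchannel-logout member' ;
    }

    // a Logout Token must not carry a nonce; this is what stops an ID Token being replayed as a logout
    if ( array_key_exists( JwtClaim::NONCE , $claims ) )
    {
        $errors[] = 'nonce present: not a Logout Token' ;
    }

    return $errors ;
}

// Constructed: a well-formed per-session Logout Token, and an ID Token presented at the logout endpoint.
$logoutToken =
[
    JwtClaim::ISS => 'https://op.example' ,
    JwtClaim::AUD => 'my-client-id' ,
    JwtClaim::IAT => time() ,
    JwtClaim::JTI => 'logout-0001' ,
    JwtClaim::SID => 'sess-7f3a' ,
    'events'      => [ BACKCHANNEL_LOGOUT_EVENT => [] ] ,
] ;

$idTokenAsLogout =
[
    JwtClaim::ISS   => 'https://op.example' ,
    JwtClaim::AUD   => 'my-client-id' ,
    JwtClaim::IAT   => time() ,
    JwtClaim::JTI   => 'id-0001' ,
    JwtClaim::SUB   => 'user-42' ,
    JwtClaim::SID   => 'sess-7f3a' ,
    JwtClaim::NONCE => 'n-0ab1' ,
] ;

foreach ( [ 'logout token' => $logoutToken , 'id token' => $idTokenAsLogout ] as $label => $claims )
{
    $errors = validateLogoutToken( $claims , 'https://op.example' , 'my-client-id' ) ;
    echo $label , ': ' , ( $errors === [] ? 'accepted' : implode( '; ' , $errors ) ) , PHP_EOL ;
}
```

The second sample is rejected twice over (missing events, nonce present), which is the intended outcome: an attacker holding a user's ID Token must not be able to force that user's sessions closed by posting it to the back-channel logout endpoint.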

SUB

`sub` — Subject of the JWT (RFC 7519 §4.1.2).

public string SUB = 'sub'

Identifies the principal that is the subject of the JWT. The claim value must be locally unique in the context of the issuer, or globally unique.

For a jwt-bearer client assertion, this is the OAuth client_id of the application (same value as self::ISS).

SUBJECT

Long-form alias of {@see self::SUB}.

public string SUBJECT = 'sub'

TID

`tid` — Tenant ID.

public string TID = 'tid'

Used by Microsoft Identity Platform / Azure AD to identify the tenant the user belongs to. A multi-tenant application that accepts tokens from the common endpoint must check tid (together with the tenant-specific iss) against the tenants it trusts; a valid signature alone only proves that some Microsoft tenant issued the token.

UPDATED_AT

`updated_at` — Time the End-User's information was last updated.

public string UPDATED_AT = 'updated_at'

Value: NumericDate.

WEBSITE

`website` — URL of the End-User's web page or blog.

public string WEBSITE = 'website'

ZONEINFO

`zoneinfo` — String from the zoneinfo time zone database representing the End-User's time zone (e.g. `Europe/Paris`).

public string ZONEINFO = 'zoneinfo'