B.2 MCX tokens
3GPP TS 33.180 Release 17: Security of the Mission Critical (MC) service
B.2.1 ID token
B.2.1.1 General
The ID Token shall be a JSON Web Token (JWT) and contain the following standard and MCX token claims. Token claims provide information pertaining to the authentication of the MCX user by the IdM server as well as additional claims. This clause profiles the required standard and MC claims for the MCX Connect profile.
B.2.1.2 Standard claims
These standard claims are defined by the OpenID Connect 1.0 specification and are REQUIRED for MCX implementation. Other claims defined by OpenID Connect are optional. The standards-based claims for an MCX Connect ID token are shown in table B.2.1.2-1.
Table B.2.1.2-1: ID token standard claims
| Parameter | Description |
|---|---|
| iss | REQUIRED. The URL of the IdM server. |
| sub | REQUIRED. A case-sensitive, never reassigned string (not to exceed 255 bytes), which uniquely identifies the MCX user within the MCX service provider's domain. |
| aud | REQUIRED. The OAuth 2.0 client_id of the MCX client. |
| exp | REQUIRED. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew (not to exceed 30 seconds). |
| iat | REQUIRED. Time at which the ID Token was issued. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. |
B.2.1.3 MCX claims
The MCX Connect profile extends the OpenID Connect standard claims with the additional claims shown in table B.2.1.3-1.
Table B.2.1.3-1: ID token MCX claims
| Parameter | Description |
|---|---|
| mcptt_id | REQUIRED for MCPTT. The MCPTT ID of the current MCPTT user of the MCPTT client. |
| mcvideo_id | REQUIRED for MCVideo. The MCVideo ID of the current MCVideo user of the MCVideo client. |
| mcdata_id | REQUIRED for MCData. The MCData ID of the current MCData user of the MCData client. |
B.2.2 Access token
B.2.2.1 Introduction
The access token is opaque to MCX clients and is consumed by the MCX resource servers (i.e. the KMS, MCPTT server, MCVideo server, MCData server, etc.). The access token shall be encoded as a JSON Web Token as defined in IETF RFC 7519 [32]. The access token shall be signed using the JSON Web Signature (JWS) profile as defined in IETF RFC 7515 [35].
B.2.2.2 Standard claims
MC access tokens shall convey the following standards-based claims as defined in IETF RFC 7662 [33].
Table B.2.2.2-1: Access token standard claims
| Parameter | Description |
|---|---|
| exp | REQUIRED. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew (not to exceed 30 seconds). |
| scope | REQUIRED. A JSON string containing a space-separated list of the MCX authorization scopes associated with this token. The scope(s) contained here reflect the requested scope(s) from the Authentication Request (clause B.4.2.2). |
| client_id | REQUIRED. The identifier of the MCX client making the API request as previously registered with the IdM server. |
B.2.2.3 MCX claims
The MCX Connect profile extends the standard claims defined in IETF RFC 7662 [33] with the additional claims shown in table B.2.2.3-1.
Table B.2.2.3-1: Access token MCX claims
| Parameter | Description |
|---|---|
| mcptt_id | REQUIRED for MCPTT. The MCPTT ID of the current MCPTT user of the MCPTT client. |
| mcvideo_id | REQUIRED for MCVideo. The MCVideo ID of the current MCVideo user of the MCVideo client. |
| mcdata_id | REQUIRED for MCData. The MCData ID of the current MCData user of the MCData client. |
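The following is an added worked example, not code from the specification or from any 3GPP implementation, showing how a verifier would apply the claim profiles of both clause B.2.1 (ID token, checked by the MCX client) and clause B.2.2 (access token, checked by an MCX resource server such as the KMS). It verifies the JWS signature before any claim is read, enforces the REQUIRED claim sets from tables B.2.1.2-1, B.2.1.3-1, B.2.2.2-1 and B.2.2.3-1, applies the 30-second cap on `exp` leeway, the 255-byte limit on `sub`, the `aud`/`client_id` binding and the space-separated `scope` list. The HS256 algorithm, the function names and all sample values (key, issuer URL, client_id, MC IDs) are assumptions made for the example; the specification does not prescribe them.

```python
import base64
import hashlib
import hmac
import json
import time

# Claim sets from tables B.2.1.2-1, B.2.1.3-1, B.2.2.2-1 and B.2.2.3-1 (names are case-sensitive).
ID_TOKEN_STANDARD_CLAIMS = ("iss", "sub", "aud", "exp", "iat")
ACCESS_TOKEN_STANDARD_CLAIMS = ("exp", "scope", "client_id")
MC_SERVICE_CLAIMS = {"mcptt": "mcptt_id", "mcvideo": "mcvideo_id", "mcdata": "mcdata_id"}
MAX_CLOCK_SKEW = 30   # seconds: the profile caps the exp leeway at 30 s
MAX_SUB_BYTES = 255   # sub must not exceed 255 bytes

# Constructed sample values for the example (assumptions, not from the specification).
SAMPLE_KEY = b"constructed-idm-signing-key"
SAMPLE_ISSUER = "https://idms.example.invalid"
SAMPLE_CLIENT_ID = "mcx-client-001"

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, key: bytes) -> str:
    # JWS compact serialization (RFC 7515); HS256 with a shared key is an assumption here.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode("utf-8"))
    payload = _b64url_encode(json.dumps(claims).encode("utf-8"))
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"

def verify_signature(token: str, key: bytes) -> dict:
    # Verify the signature first; no claim is trusted before this passes.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWS compact serialization")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the verifier, not the token, fixes the algorithm
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(_b64url_decode(payload_b64))

def _require(claims: dict, names) -> None:
    missing = [n for n in names if n not in claims]
    if missing:
        raise ValueError("missing REQUIRED claim(s): " + ", ".join(missing))

def _check_exp(claims: dict, now: float) -> None:
    if not isinstance(claims["exp"], (int, float)):
        raise ValueError("exp must be a JSON number")
    if now > claims["exp"] + MAX_CLOCK_SKEW:  # leeway never exceeds 30 s
        raise ValueError("token expired")

def validate_id_token(token, key, issuer, client_id, services, now=None) -> dict:
    # MCX client side: tables B.2.1.2-1 and B.2.1.3-1; `services` lists the MC services in use.
    now = time.time() if now is None else now
    claims = verify_signature(token, key)
    _require(claims, ID_TOKEN_STANDARD_CLAIMS)
    if claims["iss"] != issuer:
        raise ValueError("iss is not the trusted IdM server")
    sub = claims["sub"]
    if not isinstance(sub, str) or not sub or len(sub.encode("utf-8")) > MAX_SUB_BYTES:
        raise ValueError("sub must be a non-empty string of at most 255 bytes")
    aud = claims["aud"]
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not name this client_id")
    _check_exp(claims, now)
    if not isinstance(claims["iat"], (int, float)) or claims["iat"] > now + MAX_CLOCK_SKEW:
        raise ValueError("iat must be a JSON number that is not in the future")
    _require(claims, [MC_SERVICE_CLAIMS[s] for s in services])
    return claims

def validate_access_token(token, key, client_id, required_scope, services, now=None) -> dict:
    # Resource server side (e.g. KMS): tables B.2.2.2-1 and B.2.2.3-1.
    now = time.time() if now is None else now
    claims = verify_signature(token, key)
    _require(claims, ACCESS_TOKEN_STANDARD_CLAIMS)
    _check_exp(claims, now)
    if not isinstance(claims["scope"], str) or required_scope not in claims["scope"].split():
        raise ValueError(f"scope does not grant {required_scope!r}")
    if claims["client_id"] != client_id:
        raise ValueError("client_id is not a registered MCX client")
    _require(claims, [MC_SERVICE_CLAIMS[s] for s in services])
    return claims

def rejection_reason(validator, *args, **kwargs) -> str:
    # '' when the validator accepts the token, otherwise the reason it was rejected.
    try:
        validator(*args, **kwargs)
        return ""
    except ValueError as err:
        return str(err)
```

Two design points are worth noting. The verifier pins the algorithm it accepts rather than trusting the `alg` header of the presented token, and it checks the signature before looking at any claim, so an unsigned or re-signed payload is rejected before `scope` or `mcptt_id` can influence a decision. The `exp` check accepts a token until `exp + 30 s` and no later, which is the upper bound on leeway both tables state.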