Tokens
azuma doa issues three types of tokens depending on the authentication flow:
- Access Token: Used to authenticate API requests.
- Identity Token: Contains user identity information (specific to OpenID Connect flows).
- Refresh Token: Used to obtain new access tokens without re-authenticating the user.
For more details, refer to the OAuth 2.0 Specification.
Device Binding
In the Device Binding flow, azuma doa issues only an Access Token and a Refresh Token.
Access Token format
{
  "aud": [
    "803ad030-10a2-417a-bd19-7ad7ccc2dc9d"
  ],
  "client_id": "803ad030-10a2-417a-bd19-7ad7ccc2dc9d",
  "exp": 1751195134,
  "ext": {
    "authorized_scopes": [],
    "kind": "initial",
    "licenses": [],
    "linked_authentications": [],
    "permissions_app": [],
    "security_mode": "device-binding",
    "tenant_id": "d23e6db7-683b-4411-9ede-8ec040816de7"
  },
  "iat": 1751191533,
  "iss": "https://oidc.pie.azuma-health.tech",
  "jti": "d220c0e7-9b85-456f-b503-1d04505a6f6f",
  "nbf": 1751191533,
  "scp": [
    "offline_access",
    "permissions_app",
    "licenses"
  ],
  "sub": "f09af826-8b73-46d6-80c5-57646e4d1384"
}
| Claim | Description |
|---|---|
| aud | Contains your application-ID |
| client_id | Your application-ID that the device binding tokens were requested for. |
| ext: authorized_scopes | The scopes the client was authorized for. This is always empty in the device binding flow. |
| ext: kind | initial for the token initially returned after user authentication; refresh for a token that was retrieved via a Refresh Token. |
| ext: licenses | Contains user licenses if defined and assigned. |
| ext: linked_authentications | Contains the linked authentications (see below for format). |
| ext: permissions_app | Contains user permissions if defined and assigned. |
| ext: security_mode | Always set to device-binding for the device binding flow. |
| ext: tenant_id | The tenant ID. |
| scp | Scopes. |
| exp, iat, iss, jti, nbf | Default claims |
Linked Authentications
{
  "provider": "mimoto",
  "sub": "https://gsi.dev.gematik.solutions-*id*-https://mimoto-test.pie.azuma-health.tech/oidcf/azuma-demo-tu"
}
Currently, only mimoto is supported.
Authorization Code
Access Token Format
The format for access tokens in the Authorization Code flow will be documented in a future update. Stay tuned for more details.
Client Credentials
Access Token format
{
  "client_id": "159c733f-f1e9-4e9c-96c7-248486408b40",
  "exp": 1754066469,
  "ext": {
    "authorized_scopes": [
      "tenant_admin"
    ],
    "tenant_id": "71c470c6-f6a1-4e59-b105-d8587c364f47"
  },
  "iat": 1754062869,
  "iss": "https://oidc.pie.azuma-health.tech",
  "jti": "388fbeaf-5691-44d1-b2b7-00e7cf3a3cad",
  "nbf": 1754062869,
  "scp": [
    "71c470c6-f6a1-4e59-b105-d8587c364f47_admin"
  ],
  "sub": "159c733f-f1e9-4e9c-96c7-248486408b40"
}
| Claim | Description |
|---|---|
| sub | Your client-ID |
| ext: authorized_scopes | The scopes the client was authorized for (this is an extension added for the admin-scope that was requested). |
| ext: tenant_id | The tenant ID the client was authorized for |
| scp | Client scopes |
| exp, iat, iss, jti, nbf | Default claims |
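
A resource server can enforce the claims documented above so that a token issued for one flow, tenant or application is not accepted for another. The following is an added example, not azuma doa's own code: it assumes the access token is a JWT whose signature has already been verified by a JWT library, and `check_claims`, `ClaimError` and the `flow` parameter are hypothetical names. Telling the two flows apart by `ext.security_mode` is an assumption based on the sample payloads on this page.

```python
import time

ISSUER = "https://oidc.pie.azuma-health.tech"  # iss in the sample tokens above

class ClaimError(ValueError):
    """Decoded claims failed a policy check."""

def check_claims(claims, flow, client_id, tenant_id, scopes=(), now=None, leeway=30):
    """Check claims of a token whose signature was ALREADY verified elsewhere.
    flow: "device-binding" or "client-credentials", whichever the endpoint accepts."""
    now = time.time() if now is None else now
    ext = claims.get("ext") or {}
    aud = claims.get("aud") or []
    aud = [aud] if isinstance(aud, str) else aud  # exact match, never substring
    if claims.get("iss") != ISSUER:
        raise ClaimError("unexpected iss")
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + leeway:
        raise ClaimError("expired or missing exp")
    if now + leeway < claims.get("nbf", 0):
        raise ClaimError("nbf is in the future")
    if ext.get("tenant_id") != tenant_id:
        raise ClaimError("token belongs to another tenant")
    is_db = ext.get("security_mode") == "device-binding"
    if flow == "device-binding":
        # aud and client_id both carry the application ID in this flow.
        if not is_db or client_id not in aud or claims.get("client_id") != client_id:
            raise ClaimError("not a device-binding token for this application")
        if ext.get("kind") not in ("initial", "refresh"):
            raise ClaimError("unknown ext.kind")
    elif flow == "client-credentials":
        # sub is the client ID; a device-binding user token must not pass here.
        if is_db or claims.get("sub") != client_id:
            raise ClaimError("not a client-credentials token for this client")
    else:
        raise ValueError("unsupported flow")
    missing = set(scopes) - set(claims.get("scp", []))
    if missing:
        raise ClaimError("missing scopes: " + ", ".join(sorted(missing)))
    return ext.get("kind") if is_db else None  # "initial" or "refresh"

# Constructed sample, trimmed from the Device Binding payload shown above.
SAMPLE = {
    "aud": ["803ad030-10a2-417a-bd19-7ad7ccc2dc9d"],
    "client_id": "803ad030-10a2-417a-bd19-7ad7ccc2dc9d",
    "exp": 1751195134, "nbf": 1751191533, "iss": ISSUER,
    "scp": ["offline_access", "permissions_app", "licenses"],
    "ext": {"kind": "initial", "security_mode": "device-binding",
            "tenant_id": "d23e6db7-683b-4411-9ede-8ec040816de7"},
}
```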