Authentication Result

An authentication result is returned on the callback of an authentication event in the form of the AuthResult object. This page describes the AuthResult object and its associated fields.

The AuthResult object

 {
   "accessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIU…​",
   "expiresIn": 86400,
   "tokenType": "Bearer",
   "idToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1N…​",
   "idTokenPayload": {
            "authType": "password",
            "birthdate": "2024-10-12",
            "email": "nikkyd@example.com",
            "emailVerified": true,
            "auth_time": 1702283493,
            "exp": 1704067201,
            "familyName": "Dubois",
            "givenName": "Nicole",
            "gender": "female",
            "iat": 1311280970,
            "iss": "http://server.example.com",
            "locale": "en",
            "name": "Nicole Dubois",
            "newUser": false,
            "sub": "248289761001",
            "picture": "http://example.com/nikkyd/me.png",
            "profile": "http://example.com/nikkyd",
            "updatedAt": "2024-10-29T10:45:22"
        },
   "code": "XpcgV…​5sSY5",
   "state": "aBC1..PoP",
   "stepUpToken": "PyJ0eXAi…​JIUzI1N",
   "amr": "mfa",
   "providerName": "kakaotalk",
   "providerAccessToken": "ya29.a0AbV…​YGo9wg0174",
 }

AuthResult object fields

Field Type Description

accessToken

string

The user’s access token. This a security token that gives access to authorized resources without further identification. It is represented as a JSON Web Token (JWT).

expiresIn

number

The lifetime of the access token (in seconds).

If expiresIn is less than or equal to 0, the accessToken is expired.

tokenType

string

The type of token that is issued.

This is always Bearer.

refreshToken

string

The user’s refresh token.

A refresh token will not be present unless you are implementing the refresh token grant. This is only possible when the offline_access scope is requested.

idToken

string

The user’s ID token. This is a security token that contains authentication claims about the user. It is represented as a JSON Web Token (JWT).

Claims are pieces of information made about a particular subject.

For example, ID tokens might contain a claim called name that makes the claim that the name of the user authenticating is "Nicole Dubois".

{
    "sub": "987654321",
    "name": "Nicole Dubois",
    ...
}

idTokenPayload

JSON

The body of the ID token which outlines the claims. See ID token payload for more details.

For a full list of claims, check out the JWT Claims Registry.

code

string

The authorization code received from the initial authorization call.

state

string

An opaque value used to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client.

stepUpToken

string

The step up token needed to complete the stepup flow.

amr

string

The Authentication Method Reference (amr). When using MFA, the mfa value must be present.

For more on amr values, see here.

providerName

string

The name of the social login provider used to log in.

Example

kakaotalk

This is only relevant for SLO and is not included in the auth response for other flows.

providerAccessToken

string

The access token from the social login provider.

Example

ya29.a0AbV…​YGo9wg0174

This is only relevant for SLO and is not included in the auth response for other flows.

ID token payload

The possible claims to assert about an authenticated user are outlined in the table below.

Field Type Description

authType

string

The type of authentication used.

allowed values:
  • password

  • phone_number_password

  • magic_link

  • sms

  • external

  • refresh

  • login_as

  • third_party

  • webauthn

birthdate

string

The birthdate of the profile, represented as an ISO 8601 YYYY-MM-DD format.

email

string

The primary email address of the profile.

emailVerified

boolean

True if the user’s e-mail address has been verified; otherwise false.

exp

number

The expiration time claim identifies the point in time (as a Unix timestamp) on or after which the JWT must not be accepted for processing.

Example
1704067201 # unix timestamp
Mon Jan 01 2024 00:00:01 GMT+0000 # corresponding actual date

familyName

string

The family name of the profile.

Also known as surname or last name.

givenName

string

The given name of the profile.

Also known as first name.

gender

string

The gender of the profile.

Currently allowed values are female, male and other.

iat

number

The time (as a Unix timestamp) at which the JWT was issued.

Example
1704067201 # unix timestamp
Mon Jan 01 2024 00:00:01 GMT+0000 # corresponding actual date

iss

string

The issuer claim identifies the principal that issued the JWT.

locale

string

The profile’s language code in lowercase and country code in uppercase, separated by a dash (eg en, fr-FR …​).

name

string

The full name of the profile.

newUser

boolean

Whether the profile is new.

sub

string

The subject claim that identifies the profile.

picture

string

The URL of one of the user’s profile pictures. This URL refers to an image file (PNG, JPEG, or GIF image file).

profile

string

The URL of one of the user’s profile pages (usually a social provider’s page).

updatedAt

string

The time the profile’s information was last updated.

auth_time

number

The time when end user authentication occurred. The time represents the first authentication of a given underlying session. This is represented as a Unix timestamp.

Example
1704067201 # unix timestamp
Mon Jan 01 2024 00:00:01 GMT+0000 # corresponding actual date