Bearer token (JWT: RFC 7516) issued by the identity partner (IdP) to attest a user's identity.
JSON representation:

```json
{
  "aud": string,
  "email": string,
  "exp": string,
  "iat": string,
  "iss": string,
  "google_email": string,
  ...
}
```
Fields:

| Field | Description |
|---|---|
| `aud` | The audience, as identified by the IdP. Should be checked against the local configuration. |
| `email` | The user's email address. |
| `exp` | Expiration time. |
| `iat` | Issuance time. |
| `iss` | The token issuer. Should be validated against the trusted set of authentication issuers. |
| `google_email` | An optional claim, to be used when the `email` claim in this JWT is different from the user's Google Workspace email ID. This claim carries the user's Google Workspace email identity. |
| ... | Your Key Access Control List Service (KACLS) is free to use any other claims (location, custom claim, etc.) to evaluate the perimeter. |
KACLS authentication token for PrivilegedUnwrap
Bearer token (JWT: RFC 7516) issued by the identity partner (IdP) to attest a user's identity.
This is only used on PrivilegedUnwrap. During PrivilegedUnwrap, if a KACLS JWT is used in place of an IdP authentication token, the recipient KACLS must first fetch the JWKS of the issuer, then verify the token signature, before checking the claims.
JSON representation:

```json
{
  "aud": string,
  "exp": string,
  "iat": string,
  "iss": string,
  "kacls_url": string,
  "resource_name": string,
  ...
}
```
Fields:

| Field | Description |
|---|---|
| `aud` | The audience, as identified by the IdP. For Drive client-side encryption (CSE) |
| `exp` | Expiration time. |
| `iat` | Issuance time. |
| `iss` | The token issuer. Should be validated against the trusted set of authentication issuers. Must match the |
| `kacls_url` | URL of the current KACLS, the one the data is being decrypted on. |
| `resource_name` | An identifier for the object encrypted by the DEK. Maximum size: 128 bytes. |
| ... | Your Key Access Control List Service (KACLS) is free to use any other claims (location, custom claim, etc.) to evaluate the perimeter. |
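The PrivilegedUnwrap check order described above (JWKS key lookup, RS256 signature, then the claims in this table), as an added example that is not part of this page or of Google's reference code. It uses only the Python standard library, so RS256 verification is done directly from the JWK's `n` and `e`; the JWKS document is assumed to have been fetched already, and the expected audience, trusted issuer set and own `kacls_url` are assumed to come from local configuration.

```python
import base64, hashlib, json, time

# DER DigestInfo prefix for SHA-256 (RFC 8017 s.9.2 note 1); the 32-byte hash follows it.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def emsa_pkcs1_v15_sha256(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes, as RS256 requires."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("RSA modulus too short for RS256")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_signature_valid(signing_input: bytes, sig: bytes, jwk: dict) -> bool:
    # jwk is one RSA public key ({"kty": "RSA", "n": ..., "e": ...}) from the issuer's JWKS
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == emsa_pkcs1_v15_sha256(signing_input, k)

def verify_kacls_token(token, jwks, expected_aud, trusted_issuers, own_kacls_url, now=None):
    """Validate a KACLS JWT presented to PrivilegedUnwrap; return its claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    h64, p64, s64 = token.split(".")  # ValueError on anything but three segments
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    key = next((k for k in jwks.get("keys", [])
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no JWKS key matches kid")
    # Signature first: the claims are untrusted until the issuer's key has vouched for them.
    if not rs256_signature_valid(f"{h64}.{p64}".encode(), b64url_decode(s64), key):
        raise ValueError("bad signature")
    c = json.loads(b64url_decode(p64))
    if c.get("iss") not in trusted_issuers:
        raise ValueError("untrusted issuer")
    if c.get("aud") != expected_aud:  # expected audience comes from local configuration
        raise ValueError("audience mismatch")
    if not (int(c.get("iat", now + 1)) <= now < int(c.get("exp", 0))):
        raise ValueError("token expired or not yet valid")
    if c.get("kacls_url") != own_kacls_url:  # token must target the KACLS it is presented to
        raise ValueError("kacls_url does not match this KACLS")
    if len(str(c.get("resource_name", "")).encode()) > 128:
        raise ValueError("resource_name exceeds 128 bytes")
    return c
```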