Provider-specific extension claims (e.g. Google hd, Microsoft tid).
Optional Readonly access
OAuth 2 access token for subsequent IdP API calls.
Optional Readonly email
Optional Readonly email
Readonly expires
Absolute expiry time of accessToken, derived from expires_in by the adapter.
null means the provider did not issue a finite expiry (e.g. GitHub OAuth Apps
classic tokens). Consumers MUST treat null as "do not attempt refresh; reuse
until the provider explicitly invalidates". Required (no undefined) so adapters
are forced to make an explicit decision per provider rather than the route layer
inventing a fallback expiry.
Optional Readonly id
OIDC id_token JWT, if issued.
Readonly issuer
IdP issuer URL (OIDC discovery issuer) or provider name for non-OIDC providers.
Optional Readonly name
Optional Readonly picture
Optional Readonly refresh
Refresh token; absent if the IdP did not issue one.
Readonly sub
OIDC sub claim — stable identifier for the federated user at this IdP.
Snapshot of a successful federation callback: identity + OIDC-standard claims + OAuth 2 tokens.
The [key: string]: unknown index signature is an extension slot for provider-specific claims (Google hd, Microsoft tid, etc). Promote a claim to first-class only when it becomes widely useful across providers (see Migration Guide in the spec).
Fields are ordered to match the RFC 6749 §5.1 + OIDC Core §5.1 claim sources.
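The null rule on the expiry field, as an added TypeScript example (not the project's own code): an adapter makes the explicit expiry decision and a consumer honours it. The names TokenSnapshot, expiryFromTokenResponse and decideRefresh, the 30-second skew, the "reauthenticate" outcome, and the choice to throw on a malformed expires_in are assumptions of this example; field names are written as they appear on this page.

```typescript
// Added example. Only the fields needed for the expiry decision are modelled.
interface TokenSnapshot {
  readonly accessToken?: string;
  readonly refresh?: string;     // refresh token; absent if the IdP issued none
  readonly expires: Date | null; // required: null means "no finite expiry"
}

type RefreshDecision = "reuse" | "refresh" | "reauthenticate";

// Adapter side: convert the relative expires_in (seconds, RFC 6749 §5.1) into
// an absolute time. A missing value is an explicit null. A malformed value is
// rejected (assumption) instead of being mapped to null, because null would
// make the token look as if it never expires.
function expiryFromTokenResponse(expiresIn: unknown, issuedAt: Date): Date | null {
  if (expiresIn === undefined || expiresIn === null) return null;
  const seconds = typeof expiresIn === "string" ? Number(expiresIn) : expiresIn;
  if (typeof seconds !== "number" || !isFinite(seconds) || seconds <= 0) {
    throw new Error("malformed expires_in in token response");
  }
  return new Date(issuedAt.getTime() + seconds * 1000);
}

// Consumer side: null is never refreshed and never given a fallback expiry.
// A finite expiry inside the skew window is refreshed when a refresh token
// exists; otherwise the user has to sign in again (assumed outcome).
function decideRefresh(s: TokenSnapshot, now: Date, skewMs: number = 30000): RefreshDecision {
  if (s.expires === null) return "reuse";
  if (s.expires.getTime() - now.getTime() > skewMs) return "reuse";
  return s.refresh ? "refresh" : "reauthenticate";
}

// Constructed sample: a provider response with expires_in = 3600 and one without.
const sampleIssuedAt = new Date("2024-01-01T00:00:00Z");
const sampleFinite: TokenSnapshot = {
  accessToken: "constructed-access-token",
  refresh: "constructed-refresh-token",
  expires: expiryFromTokenResponse(3600, sampleIssuedAt),
};
const sampleNoExpiry: TokenSnapshot = {
  accessToken: "constructed-access-token",
  expires: expiryFromTokenResponse(undefined, sampleIssuedAt),
};
```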