# Minimum IdP requirements

> Identity provider requirements to access Cognite Data Fusion (CDF).

The IdP must issue access tokens that the Cognite API can validate. Each access token must be a valid [JWT](https://datatracker.ietf.org/doc/html/rfc7519) signed with RS256, using a key whose public part is published at the location given by the JWKS URL. The JWKS URL must be reachable from the Cognite API, and the IdP must answer requests to the JWKS endpoint and to the token endpoint within 1 second, as measured from the Cognite API. Contact Cognite to have your JWKS URL added to the list of allowed JWKS URLs.

The IdP must support the following [OAuth 2.0](https://oauth.net/2) flows:

* [Client credentials](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow)
* [Auth code grant](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow)

<a id="tokens-and-claims" />

## Tokens and claims

Within a token, multiple **claims** assert pieces of information about a subject. Tokens issued to authenticate and authorize a subject to access CDF should contain the claims listed below; some of them are reserved (registered) claims and the others are custom configured in the IdP. See [this article](https://auth0.com/docs/tokens/json-web-tokens/json-web-token-claims) for more information about tokens and claims.

The table below shows the minimum claims required in a token for CDF to authenticate and authorize the subject when you use **Microsoft Entra ID** as your IdP.

| Claim    | Required?                     | Description                                                                                 | Expected value                                           |
| -------- | ----------------------------- | ------------------------------------------------------------------------------------------- | -------------------------------------------------------- |
| `aud`    | Must                          | Audience of the JWT (intended recipient).                                                   | URI of the service requiring authentication.             |
| `exp`    | Must                          | Expiration time of the JWT.                                                                 | Datetime stamp.                                          |
| `iat`    | Must                          | Issued at Time of the JWT.                                                                  | Datetime stamp.                                          |
| `iss`    | Must                          | Issuer of the JWT.                                                                          | URI and path from the IdP from which the JWT was issued. |
| `sub`    | Must                          | Subject of the JWT (the user).                                                              | User name from IdP.                                      |
| `kid`    | Should                        | Key identifier.                                                                             | RS256                                                    |
| `nbf`    | Should                        | Not Before Time of the JWT (before which the token shouldn't be accepted).                  | Datetime stamp.                                          |
| `scp`    | Should (strongly recommended) | Scope of the JWT (attribute inherited from the scopes defined for the subject in the IdP).  | Text field.                                              |
| `groups` | Should (strongly recommended) | Groups of the JWT (attribute inherited from the groups defined for the subject in the IdP). | Object ID of a security group.                           |
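
As an added example, not Cognite's own code, the claim policy from the table above as a Python check: it assumes the RS256 signature has already been verified against the IdP's JWKS (that step is not shown), takes the expected audience and issuer as parameters, and returns errors for missing or invalid "Must" claims and warnings for missing "Should" claims. The token builder and every value in it are constructed for the test only.

```python
import base64
import json
import time

# Claim policy from the table above (assumed constants, not Cognite's code):
# a missing "Must" claim is an error, a missing "Should" claim only a warning.
REQUIRED_CLAIMS = ("aud", "exp", "iat", "iss", "sub")
RECOMMENDED_CLAIMS = ("nbf", "scp", "groups")


def b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (header or payload) into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def check_claims(token, expected_aud, expected_iss, now=None, leeway=60):
    """Return (errors, warnings). Run this only AFTER the RS256 signature has been
    verified against the IdP's JWKS; signature checking is out of scope here."""
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, _signature = token.split(".")
    header, claims = b64url_json(header_b64), b64url_json(payload_b64)
    errors, warnings = [], []
    if header.get("alg") != "RS256":
        errors.append("alg must be RS256, got %r" % header.get("alg"))
    if "kid" not in header:  # kid is carried in the JOSE header, not the payload
        warnings.append("kid missing: key selection from the JWKS is ambiguous")
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            errors.append("required claim %r missing" % name)
    aud = claims.get("aud")  # RFC 7519 allows a single string or a list here
    if aud is not None and expected_aud not in (aud if isinstance(aud, list) else [aud]):
        errors.append("aud %r does not include %r" % (aud, expected_aud))
    if "iss" in claims and claims["iss"] != expected_iss:
        errors.append("iss %r is not the trusted issuer" % claims["iss"])
    # Time claims are compared against 'now' with a small leeway for clock skew.
    if "exp" in claims and now > claims["exp"] + leeway:
        errors.append("token expired")
    if "nbf" in claims and now + leeway < claims["nbf"]:
        errors.append("token not yet valid (nbf in the future)")
    if "iat" in claims and claims["iat"] > now + leeway:
        errors.append("iat is in the future")
    for name in RECOMMENDED_CLAIMS:
        if name not in claims:
            warnings.append("recommended claim %r missing" % name)
    return errors, warnings


def encode_for_test(header: dict, claims: dict) -> str:
    """Build a constructed token for tests; the signature segment is a placeholder."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return seg(header) + "." + seg(claims) + ".placeholder-signature"
```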
