The Alibaba Cloud remote attestation service is a unified solution for verifying the trustworthiness of a platform and the integrity of the code that runs on it. The service supports attestation for platforms based on the Trusted Platform Module (TPM) and for the state of a trusted execution environment (TEE). This topic describes how the remote attestation service works and how to use it.
How it works
The Alibaba Cloud remote attestation service is based on RFC 9334 - Remote ATtestation procedureS (RATS) Architecture and verifies the security status and trustworthiness of an Alibaba Cloud security-enhanced instance. The service involves the following roles:
attester: An Alibaba Cloud ECS instance that proves its identity and trustworthiness to a relying party.
relying party: An entity that verifies the identity and trustworthiness of the attester. The relying party generates an appraisal policy based on baseline measurements from technologies such as TPM and TEE.
verifier: The Alibaba Cloud remote attestation service, which compares the evidence against the appraisal policy and provides the attestation result.
The service typically uses the Passport model (Passport model) and the Background-Check model (Background-Check model). The models have the following differences:
The Passport model generally provides better scalability when the number of attesters is significantly smaller than the number of relying parties.
In the Background-Check model, the relying party can request remote attestation from the remote attestation service at any time. This model typically provides better security.
Billing
The remote attestation service is free of charge.
However, you are charged for the ECS instances that use this service.
API examples
The Alibaba Cloud remote attestation service supports trusted computing instances that use virtual TPM (vTPM) and confidential computing instances that use Intel SGX, TDX, or Enclave.
To use the remote attestation service for vTPM, activate Security Center with your Alibaba Cloud account.
For confidential computing instances that use features like Intel SGX or TDX, you can access the remote attestation service through anonymous HTTP requests.
OpenID Connect (OIDC) APIs
The Alibaba Cloud remote attestation service provides APIs that are compatible with OpenID Connect (OIDC). You can use the remote attestation service as a standard identity provider (IdP).
The Alibaba Cloud remote attestation service issues OIDC tokens to trusted computing instances and confidential computing instances to prove their identities to a relying party.
The relying party can verify the cryptographic validity of the OIDC tokens by using the standard OIDC process.
OpenID Connect Discovery
OpenID Connect (OIDC) Discovery simplifies and automates the interaction between a relying party and the remote attestation service. It enables the relying party to dynamically obtain authentication-related configuration information from a standard endpoint (.well-known/openid-configuration) without needing to manually configure or hard-code this information.
For example, you can configure the Alibaba Cloud remote attestation service as an external identity provider (IdP) for Alibaba Cloud Resource Access Management (RAM) or AWS Identity and Access Management (IAM) to provide trusted identity credentials for trusted computing instances and confidential computing instances.
curl https://attest.cn-beijing.aliyuncs.com/.well-known/openid-configurationSample response:
{
"authorization_endpoint": "https://attest.cn-beijing.aliyuncs.com/authorize",
"id_token_signing_alg_values_supported": [
"RS256"
],
"issuer": "https://attest.cn-beijing.aliyuncs.com",
"jwks_uri": "https://attest.cn-beijing.aliyuncs.com/jwks.json",
"response_types_supported": [
"code",
"code id_token",
"id_token",
"token id_token"
],
"subject_types_supported": [
"public"
],
"token_endpoint": "https://attest.cn-beijing.aliyuncs.com/token",
"userinfo_endpoint": "https://attest.cn-beijing.aliyuncs.com/userinfo"
}Attest a trusted computing instance with vTPM
For more information about trusted computing instances, see Overview of trusted computing capabilities.
Submit evidence
Sample request (This API operation requires authentication. For more information, see Request structure and signature):
# Note: The following code provides a simplified example of the request URL format. The actual API call requires authentication information such as a signature.
# For the complete request syntax, see https://www.alibabacloud.com/help/en/sdk/product-overview/request-structure-and-signature
curl "https://trusted-server.cn-hangzhou.aliyuncs.com?Action=PutMessage&PropertyUuid=&FileData="Sample response:
{
"PropertyName": "instance-name",
"SystemTrustDetail": {
"pcr3": "d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198exxxx",
"pcr4": "c35cef3b92c3850dc0bfa6139b25dc1c4c3d642b8587bde0fiemd847ufjxxxx",
"pcr5": "aabd7d8c76c931dabed7ea53d1c8f96036c42a29435680ddff3f3148ff70xxxx",
"pcr6": "d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198exxxx",
"pcr0": "d22aa1bba22e829456f0cfda0d87690e6c252032864643da353133f161xxxx",
"pcr1": "d9f056a703f04e4f408445752e97e92c890266d32e2ff1df3e80545aab4fxxxx",
"pcr2": "d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198exxxx",
"pcr7": "dd794f2d0c4cfa28dc9b5a3266e8516378ba551190d9844c38b890f7ad27xxxx",
"pcr8": "deb301d065009d62980110d8173e350bbd43a4997ad74bf358ce5399c0ecxxxx",
"pcr9": "ffe25e93ac7d245159184ac68c7dd5783e4cea978fafb1ad036bc861a8cdxxxx"
},
"RequestId": "D0E0C1D2-2937-54D4-9C52-XXXXXXXXXXXX",
"SystemExceptionNum": 0,
"ProgramWhiteListId": -1,
"SystemWhiteListId": 1234,
"ProgramTrustStatus": 4,
"SystemTrustStatus": 1,
"GmtModified": 1698975648000,
"ProgramWhiteListName": "",
"GmtRecentReport": 1698975648000,
"OnlineStatus": 1,
"Extensions": {
"pcr5": "d1dac9c104c63c7e24f27962f4ad1df639a3f3224b1a968a45916207cf3xxxx"
},
"PropertyPrivateIp": "1.1.X.X",
"PropertyPublicIp": "1.1.X.X",
"GmtCreate": 1698385542000,
"PropertyUuid": "c13fcabe-6683-4a9f-8cdd-xxxxxxxxxxxx",
"ProgramTrustDetail": "{}",
"ProgramExceptionNum": 0,
"PropertyAffiliation": 1
}Query attestation results
Sample request:
curl "https://trusted-server.cn-beijing.aliyuncs.com?Action=DescribeInstance&PropertyUuid=0f74b5cc-ff0e-4fa6-b457-1dc58072****"Sample response:
{
"RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3****"
"data": {
"nextClientIMAIndex": 0,
"systemVerificationResult": {
"status": 1,
"code": "TrustedStatus"
},
"programVerificationResult": {
"status": 1,
"code": "TrustedStatus"
}
}
}Attest a confidential computing instance with SGX/TDX
For more information about confidential computing instances that use SGX or TDX, see Build an SGX confidential computing environment and Build a TDX confidential computing environment.
Obtain TCB information
Sample request:
curl https://sgx-dcap-server.cn-beijing.aliyuncs.com/sgx/certification/v3/tcb?fmspc=00606A000000Sample response:
{
"tcbInfo": {
"version": 2,
"issueDate": "2023-10-11T08:09:33Z",
"nextUpdate": "2023-12-18T08:09:33Z",
"fmspc": "00606A000000",
"pceId": "0000",
"tcbType": 0,
"tcbEvaluationDataNumber": 12,
"tcbLevels": [{
"tcb": {
"sgxtcbcomp01svn": 4,
"sgxtcbcomp02svn": 4,
"sgxtcbcomp03svn": 3,
"sgxtcbcomp04svn": 3,
"sgxtcbcomp05svn": 255,
"sgxtcbcomp06svn": 255,
"sgxtcbcomp07svn": 0,
"sgxtcbcomp08svn": 0,
"sgxtcbcomp09svn": 0,
"sgxtcbcomp10svn": 0,
"sgxtcbcomp11svn": 0,
"sgxtcbcomp12svn": 0,
"sgxtcbcomp13svn": 0,
"sgxtcbcomp14svn": 0,
"sgxtcbcomp15svn": 0,
"sgxtcbcomp16svn": 0,
"pcesvn": 11
},
"tcbDate": "2021-11-10T00:00:00Z",
"tcbStatus": "UpToDate"
}, {
"tcb": {
"sgxtcbcomp01svn": 4,
"sgxtcbcomp02svn": 4,
"sgxtcbcomp03svn": 3,
"sgxtcbcomp04svn": 3,
"sgxtcbcomp05svn": 255,
"sgxtcbcomp06svn": 255,
"sgxtcbcomp07svn": 0,
"sgxtcbcomp08svn": 0,
"sgxtcbcomp09svn": 0,
"sgxtcbcomp10svn": 0,
"sgxtcbcomp11svn": 0,
"sgxtcbcomp12svn": 0,
"sgxtcbcomp13svn": 0,
"sgxtcbcomp14svn": 0,
"sgxtcbcomp15svn": 0,
"sgxtcbcomp16svn": 0,
"pcesvn": 10
},
"tcbDate": "2020-11-11T00:00:00Z",
"tcbStatus": "OutOfDate"
}, {
"tcb": {
"sgxtcbcomp01svn": 4,
"sgxtcbcomp02svn": 4,
"sgxtcbcomp03svn": 3,
"sgxtcbcomp04svn": 3,
"sgxtcbcomp05svn": 255,
"sgxtcbcomp06svn": 255,
"sgxtcbcomp07svn": 0,
"sgxtcbcomp08svn": 0,
"sgxtcbcomp09svn": 0,
"sgxtcbcomp10svn": 0,
"sgxtcbcomp11svn": 0,
"sgxtcbcomp12svn": 0,
"sgxtcbcomp13svn": 0,
"sgxtcbcomp14svn": 0,
"sgxtcbcomp15svn": 0,
"sgxtcbcomp16svn": 0,
"pcesvn": 5
},
"tcbDate": "2018-01-04T00:00:00Z",
"tcbStatus": "OutOfDate"
}]
},
"signature": "21750a9a4173140379971c9eeaeee8dd27364cae4fdc45e19825bcddb0e5942941cb7cad8067aaaa98c75a0a0cfa9de329eb7d875957bd633a248bc328a0xxxx"
}Obtain QE identity
Sample request:
curl https://sgx-dcap-server.cn-beijing.aliyuncs.com/sgx/certification/v3/qe/identitySample response:
{
"enclaveIdentity": {
"id": "QE",
"version": 2,
"issueDate": "2023-11-01T14:57:38Z",
"nextUpdate": "2023-12-01T14:57:38Z",
"tcbEvaluationDataNumber": 16,
"miscselect": "00000000",
"miscselectMask": "FFFFFFFF",
"attributes": "11000000000000000000000000000000",
"attributesMask": "FBFFFFFFFFFFFFFF0000000000000000",
"mrsigner": "8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C5xxxx",
"isvprodid": 1,
"tcbLevels": [{
"tcb": {
"isvsvn": 8
},
"tcbDate": "2023-08-09T00:00:00Z",
"tcbStatus": "UpToDate"
},
{
"tcb": {
"isvsvn": 6
},
"tcbDate": "2021-11-10T00:00:00Z",
"tcbStatus": "OutOfDate"
}, {
"tcb": {
"isvsvn": 5
},
"tcbDate": "2020-11-11T00:00:00Z",
"tcbStatus": "OutOfDate"
}, {
"tcb": {
"isvsvn": 4
},
"tcbDate": "2019-11-13T00:00:00Z",
"tcbStatus": "OutOfDate"
}, {
"tcb": {
"isvsvn": 2
},
"tcbDate": "2019-05-15T00:00:00Z",
"tcbStatus": "OutOfDate"
}, {
"tcb": {
"isvsvn": 1
},
"tcbDate": "2018-08-15T00:00:00Z",
"tcbStatus": "OutOfDate"
}
]
},
"signature": "593f79398d6400e62d14f1066e69e4e5bb44ed7544b18713d8020354e7601481681dc812a124672bfedd0e54ab31179fac442400c011ebca6b00c44d805bxxxx"
}Obtain QVE identity
Sample request:
curl https://sgx-dcap-server.cn-beijing.aliyuncs.com/sgx/certification/v3/qve/identitySample response:
{
"enclaveIdentity": {
"id": "QVE",
"version": 2,
"issueDate": "2023-11-01T15:45:01Z",
"nextUpdate": "2023-12-01T15:45:01Z",
"tcbEvaluationDataNumber": 16,
"miscselect": "00000000",
"miscselectMask": "FFFFFFFF",
"attributes": "01000000000000000000000000000000",
"attributesMask": "FBFFFFFFFFFFFFFF0000000000000000",
"mrsigner": "8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C5xxxx",
"isvprodid": 2,
"tcbLevels": [{
"tcb": {
"isvsvn": 3
},
"tcbDate": "2023-08-09T00:00:00Z",
"tcbStatus": "UpToDate"
}]
},
"signature": "251bb1301cb499cb8161a9b885fad8ceeb06b497f1e4a83c8de2d0f2e9e82c3ce0f22ce2ef6c6a789dcc287bb0a1da12a822a465395b54c9046aacfee7ceaff6"
}Attest a confidential computing instance with TDX
Obtain an OIDC token
Send the TEE evidence to the Alibaba Cloud remote attestation service. After evaluating the evidence based on the platform policy, the service returns an Alibaba Cloud-issued JSON Web Token (JWT) (RFC 7519).
curl -X POST https://attest.cn-beijing.aliyuncs.com/v1/attestation -d '{
"evidence": "evidencebase64",
"tee": "tdx",
// An empty policy_ids array indicates that the service only checks the cryptographic integrity of the evidence.
"policy_ids": []
}'The following table describes the fields in the request body.
Parameter | Type | Description |
tee | string | The TEE type. Valid values:
|
evidence | string | The evidence, encoded using URL-safe Base64 without padding. |
policy_ids (optional) | string[] | A list of policy IDs used to check the evidence. The |
runtime_data (optional) | json | The runtime data. This field is optional. If you specify this parameter, the raw field must contain the Base64-encoded runtime data fragments. The service treats these fragments as the expected runtime data and checks them against the data in the evidence. Example: |
The response is an OIDC-compliant JWT. Sample response:
eyJhbGciOiJSUzI1NiIsImtpZCI6IjQ2NTM1NTBjLTU1NTEtNWU2Zi05MmI1LTIyZjUzMDIyOTc1MSIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJodHRwczovL2F0dGVzdC5jbi1iZWlqaW5nLmFsaXl1bmNzLmNvbSIsImN1c3RvbWl6ZWRfY2xhaW1zIjp7ImluaXRfZGF0YSI6bnVsbCwicnVudGltZV9kYXRhIjpudWxsfSwiZWF0X3Byb2ZpbGUiOiJodHRwczovL3d3dy5hbGliYWJhY2xvdWQuY29tL2hlbHAvZW4vZWNzL3VzZXItZ3VpZGUvZWF0LXByb2ZpbGUiLCJldmFsdWF0aW9uLXJlcG9ydHMiOlt7InBvbGljeS1oYXNoIjpudWxsLCJwb2xpY3ktaWQiOiJkZWZhdWx0In1dLCJleHAiOjE3NDMwMDUzNjUsImlhdCI6MTc0Mjk4Mzc2NSwiaXNzIjoiaHR0cHM6Ly9hdHRlc3QuY24tYmVpamluZy5hbGl5dW5jcy5jb20iLCJqdGkiOiIwMzljZGZjOS02ZWMxLTQxZDQtOGRhOC02YTU5NTg0YzJmYTkiLCJuYmYiOjE3NDI5ODM3NjUsInRjYi1zdGF0dXMiOiJ7XCJpbml0X2RhdGFcIjpcIjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMFwiLFwicmVwb3J0X2RhdGFcIjpcIjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwXCIsXCJ0ZHgucXVvdGUuYm9keS5tcl9jb25maWdfaWRcIjpcIjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMFwiLFwidGR4LnF1b3RlLmJvZHkubXJfb3duZXJcIjpcIjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMFwiLFwidGR4LnF1b3RlLmJvZHkubXJfb3duZXJfY29uZmlnXCI6XCIwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDBcIixcInRkeC5xdW90ZS5ib2R5Lm1yX3NlYW1cIjpcIjFjYzZhMTdhYjc5OWU5YTY5M2ZhYzc1MzZiZTYxYzEyZWUxZTBmYWJhZGE4MmQwYzk5OWUwOGNjZWUyYWE4NmRlNzdiMDg3MGY1NThjNTcwZTdmZmU1NWQ2ZDQ3ZmEwNFwiLFwidGR4LnF1b3RlLmJvZHkubXJfc2VydmljZXRkXCI6XCIzODNjODdkM2JiYjA0N2IyZDE3MWVhY2E5NTMxMmVkZTk5ZjI1ODA4OGRjNzg4ZjZhZTJjY2Y4YjZkZDg0OGZlOGQ0NzYyOWUwOGIzZjZjYmQ0YTAwZGQ0N2E1YTAzM2RcIixcInRkeC5xdW90ZS5ib2R5Lm1yX3RkXCI6XCJiMGU1MmM1OTU3NzUyM2IxN2FkNTUzYzZmZmZiMGY1ZjM0OTZkYmYzY2NjYTY5ZmJiMmVhODdjZjRmOTM4MTU3NTUwMDA1YzkyYTk4MTMwZDhkMzA1MDdjYTVjNjUyZGZcIixcInRkeC5xdW90ZS5ib2R5Lm1yc2lnbmVyX3NlYW1cIjpcIjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMFwiLFwidGR4LnF1b3RlLmJvZHkucmVwb3J0X2RhdGFcIjpcIjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwXCIsXCJ0ZHgucXVvdGUuYm9keS5ydG1yXzBcIjpcIjIyM2JlNjdmMWRiYzBjMmM2N2JiYWU5MTliMjk1MGY2MGY2OGFhYTlkNjA5NzM5OGFmMmRhZGE2ZDk4Zjk2NGY2YWVjY2U5YjM3NjQzYTc2NzA4ZTA3ZTBkOTUxOWY4NFwiLFwidGR4LnF1b3RlLmJvZHkucnRtcl8xXCI6XCI1YzNjZDMzNjQ4YmQ0N2I4ZDI0MjZlYzQ3NjBlMGYwZGI1MTAzYjk1NmY4ZTAzN2VmMmIxNzkzOWVkMTI1YTI5N2U5NjZmMzExMTJjMDUwYjVhMDliNDQ0ZmI2NDMyZDdcIixcInRkeC5xdW90ZS5ib2R5LnJ0bXJfMlwiOlwiMTA4MzU3YzM5ZThkYzhmMTUwYTMzNzM4NTY3YWY0NTE5MDhmODBkZGZjOGMxNDgwMWZiZDUxM2YzMDdkYTk5MDgyZWEwYWJhOGNjN2UwNDI5NDBmMzEwZTU0YzhhYjEwXCIsXCJ0ZHgucXVvdGUuYm9keS5ydG1yXzNcIjpcIjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMFwiLFwidGR4LnF1b3RlLmJvZHkuc2VhbV9hdHRyaWJ1dGVzXCI6XCIwMDAwMDAwMDAwMDAwMDAwXCIsXCJ0ZHgucXVvdGUuYm9keS50Y2Jfc3ZuXCI6XCIwNTAxMDYwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMFwiLFwidGR4LnF1b3RlLmJvZHkudGRfYXR0cmlidXRlc1wiOlwiMDAwMDAwMTAwMDAwMDAwMFwiLFwidGR4LnF1b3RlLmJvZHkudGVlX3RjYl9zdm4yXCI6XCIwNTAxMDYwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMFwiLFwidGR4LnF1b3RlLmJvZHkueGZhbVwiOlwiZTc0MjA2MDAwMDAwMDAwMFwiLFwidGR4LnF1b3RlLmhlYWRlci5hdHRfa2V5X3R5cGVcIjpcIjAyMDBcIixcInRkeC5xdW90ZS5oZWFkZXIucmVzZXJ2ZWRcIjpcIjAwMDAwMDAwXCIsXCJ0ZHgucXVvdGUuaGVhZGVyLnRlZV90eXBlXCI6XCI4MTAwMDAwMFwiLFwidGR4LnF1b3RlLmhlYWRlci51c2VyX2RhdGFcIjpcIjJjMzBhZDEyYzAzNzFhMmMyNDlmNGE5MDMwNWMzZjU2MDAwMDAwMDBcIixcInRkeC5xdW90ZS5oZWFkZXIudmVuZG9yX2lkXCI6XCI5MzlhNzIzM2Y3OWM0Y2E5OTQwYTBkYjM5NTdmMDYwN1wiLFwidGR4LnF1b3RlLmhlYWRlci52ZXJzaW9uXCI6XCIwNTAwXCIsXCJ0ZHgucXVvdGUuc2l6ZVwiOlwiODgwMjAwMDBcIixcInRkeC5xdW90ZS50eXBlXCI6XCIwMzAwXCIsXCJ0ZHgudGRfYXR0cmlidXRlcy5kZWJ1Z1wiOmZhbHNlLFwidGR4LnRkX2F0dHJpYnV0ZXMua2V5X2xvY2tlclwiOmZhbHNlLFwidGR4LnRkX2F0dHJpYnV0ZXMucGVyZm1vblwiOmZhbHNlLFwidGR4LnRkX2F0dHJpYnV0ZXMucHJvdGVjdGlvbl9rZXlzXCI6ZmFsc2UsXCJ0ZHgudGRfYXR0cmlidXRlcy5zZXB0dmVfZGlzYWJsZVwiOnRydWV9IiwidGVlIjoidGR4In0.apt9yyHsJ4WoUwuqw-GivyjM_-W0m3p2p0xavtILExgAnaHMTv7hVvvuyjlnKHmLc8svTPZMAfYvbl0UJTpFkJ5TPQQ0wLijS69bsvG1mG8cltAwzI92BaAV8BdgMxUu9GWGQGaZRyEH-OJdM5HQBmo35YwCVYeNmwVGNdZ2h59D6fHIk1BUkVoPTmk0sE7aSnP_KblkfPL_Vh3ovs9MpAralCv2JO7cMCau0CqSoQTIORjh9i0BBXrt1y8y6gmpjEFDWMsIqW-k8cRhdANk_9CpBCN02jVwQXEHMnk0SAm4BCrCdyteXBNZfpN-3LCXQkkTyUEoaZXGHPm15cTbpgYou can use the JWT Debugger to verify the validity of the OIDC token in a test environment. For more information about the JWT claims and their descriptions, see Remote attestation service EAT Profile.