The OpenID Connect Provider from BankID provides Refresh Tokens with claims as shown in the below table. The origin column indicates non-standard claims. Such claims are either added by Keycloack or the result of customization made by the OIDC Provider from BankID.
| Note | ||
|---|---|---|
| ||
Readers/implementors should not pay particular attention to the content of Refresh Tokens and should consider them as transparent values that are (first) issued and (then) consumed by the OIDC platform with the sole purpose to renew corresponding ID Tokens and Access Tokens. |
See session handling for the life-time of a refresh token. The purpose of Refresh Tokens is to enhance security by keeping the life-time of Access Tokens shorter. An expired Access Token can easily be replaced with a new Access Token (without any user interaction) via a Refresh Token that was issued along with the most recent Access Token, but that was issued with a longer life-time than the Access Token itself.
Note finally that the OIDC Provider form BankID supports signed Refresh Tokens in JWT format. The below table shows claims in the payload part of the JWT. Claims contained in the JWT header are not shown.
...
Either Refresh or Offline for Refresh Tokens.
See scope offline_access for Offline tokens. See session handling for further details.
...
e8c523ff-52a2-42e2-a7a5-f1d0fbb76204
...
{"roles:["profile","address","phone","email","nnin_altsub","nnin"]}...
{"tinfo:{"roles ["address","phone_number", "email", "nnin"]}}...
| Warning |
|---|
Refresh Tokens are not supported by this release of the OIDC Provider from BankID. |