Token is a standard endpoint used for requesting various combinations of ID Token, Access Token and Refresh Token. The type of request (and corresponding response) is determined by the grant_type request parameter as described further below.
Overview
URL | https://<oidc-baseurl>/protocol/openid-connect/token |
---|---|
Request method | POST with parameters in body as application/x-www-form-urlencoded data |
Client authentication | See supported methods |
Request parameters | See below |
Response elements | See below|
Authentication | OIDC/OAuth2 client authentication according to supported methods |
Success response | 200 OK with JSON containing response elements |
Error response | 400 Bad request with JSON containing standard error response elements |
Example | See below |
Token is a standard endpoint used for exchanging an Authorization Code for an Access Token or for refreshing a previously received Access Token.
The Authorization Code is contained in the foregoing response from the Authorize endpoint. The practice of exchanging an Authorization Code for an Access Token applies to the Authorization Code flow and the Hybrid flow. The Access Token is used for subsequent access to Value Added Services, among them resources behind the Userinfo (TINFO Userinfo Endpoints) endpoint.
Refresh Tokens are currently not supported.
Note |
---|
The recommended practice for merchants is to use the Token URL from Openid-configuration rather than hardcoding the below URL value. |
Request parameters are different for Access Token requests and Refresh Token requests.
Access Token request
= According to standard. = Feature restriction.
...
The OIDC Provider supports three different grant types as described in the following, each with a corresponding set of request parameters. In addition, there are request parameters related to Client authentication.
Authorization Code
This grant type is associated with the Authorization code flow and Hybrid flow. In both cases the other parameters shown below are related to a preceding Authorize request that involves interaction with the end-user.
Name | Description | |
---|---|---|
grant_type | Grant type is always authorization_code | |
code | Value from response of the foregoing Authorize request | |
redirect_uri | Redirect URI | |
client_id | Not supported since the OIDC clients must always authenticate |
Refresh Token request
...
Note: Repeating this URI in the token request is a countermeasure against code leakage attacks |
Client Credentials
This grant type is associated with the Client credential flow. This grant type does not involve any end-user interaction and is not related to any preceding Authorize request.
Name | Description |
---|---|
grant_type | client_credentials |
scope | List of scopes specifying what kind of resources (dataset) the OIDC Client requests access to. |
Example request:
POST /auth/realms/current/protocol/openid-connect/token HTTP/1.1 |
Refresh Token
This grant type is used to refresh a previously issued Access Token via a corresponding Refresh Token issued along with the previous Access Token.
Name | Description |
---|---|
grant_type | refresh_token |
refresh_token | JWT value for the refresh token from any foregoing Token response |
scope | Requested scopes for the new set of tokens. Note: The scopes must be identical to or narrower than the original scopes of the associated Authorize request. Note that scope values are case-sensitive. |
Response elements
Responses are similar for Authorization Code and Refresh Token requests but different for Client Credentials.
...
Authorization Code and Refresh Token
...
The response for Authorization Code and Refresh Token is a JSON structure according to standard that contains an Access Token along with associated attributes. An ID Token associated with the authenticated end-user is also contained in the response. The token_type attribute is given by the type of token "negotiated" with the OIDC Provider in the foregoing Authorize request. The OIDC Provider uses the authorization code contained in the Access Token request to look up the type of token "negotiated" for the corresponding session in progress.
The inclusion of Refresh Tokens in the Access Token response is currently not supported.
Refresh Token response
Refresh Tokens are currently not supported.
... to Keycloak default with the following claims
Name | Description | Comment |
---|---|---|
id_token | JWT encoded ID Token | Standard claim with Keycloak specific content |
access_token | JWT encoded Access Token | Standard claim with Keycloak specific content |
token_type | Always Bearer | Standard claim |
expires_in | Life-time of access_token. | Standard claim. Related to the exp claim inside the Access Token. See session handling |
refresh_token | JWT encoded Refresh Token | Standard claim with Keycloak specific content |
refresh_expires_in | Life-time of refresh_token | Keycloak specific claim. Related to the exp claim inside the Refresh Token. See session handling |
not-before-policy | TBD | Keycloak specific claim |
session_state | TBD | Keycloak specific claim |
Client Credentials
The response for Client Credentials is a JSON structure similar to that for Authorization Code and Refresh Token with the exception that the id_token claim is not present.
The following example shows a request / response pair for an Authorization Code Grant. The example is generated from Postman (which is configured as a client at the OIDC Provider). The value for the authorization code in the request (code=b860604adbf40f6c53a797290916771) is taken from the corresponding example shown for the Authorize endpoint.
POST /oidc/oauth/auth/realms/preprod/protocol/openid-connect/token HTTP/1.1 Host: cache-control: no-cache Postman-Token: 8eb00e4b-3e18-46c2-96f9-d27461d04a09oidc-preprod.bankidapis.no Connection: close Content-Length: 306 Accept: */* Origin: chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop Authorization: Basic UG9zdG1hbjo5YWE3NDBhZi03NGIxLTQ2ODMtOWFhNi02NWJiNDBmYmY1Zjk= User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 Content-Type: application/x-www-form-urlencoded Authorization; charset=UTF-8 Accept-Encoding: Basicgzip, UG9zdG1hbjoxMjM0deflate UserAccept-Agent: PostmanRuntime/3.0.11-hotfix.2 Accept: */* Host: preprod.bankidapis.no Content-Length: 132 Connection: close grant_type=authorization_code&code=b860604adbf40f6c53a797290916771&redirect_uri=https%3A%2F%2Fwww.getpostman.com%2Foauth2%2Fcallback HTTP/1.1 200 OKLanguage: en-US,en;q=0.8 redirect_uri=https%3A%2F%2Fwww.getpostman.com%2Foauth2%2Fcallback&grant_type=authorization_code&state=10455063&code=uss.iq5WXmK5dDQCprQn8kMz_EIiBrAYA0hxOc9jZM0pZfo.bf0a4c9f-2d00-43d8-8288-01b83ab1e580.1714e8ff-0adf-449f-8c50-bf0a77617a43 HTTP/1.1 200 OK Date: Thu, 16 Nov 2017 13:14:36 GMT Server: WildFly/10 X-Powered-By: Undertow/1 Content-Type: application/json Content-Length: 3770 Via: 1.1 oidc-preprod.bankidapis.no Connection: close { "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3VkZaSVp2UlBOY1lSUUZUcEQ4MHVJaElpVVB4WUNkaEtoUjZudjJDQnJnIn0.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.DD5TUdN-OYDp9EfHVaNuQurDGcElTx48RlUygUfkxFR7181qJtAO69Pz7u6-7aavo9D9QHRqrXSengUSoyXOl0BmtwPBIuLuEdjKBHtQgvoAOW-xf_7J8mKNcq2_pLp9WO5ajG5N9mvls-DlgE_1nt_MKNtp_bYso11bSn59QIKlUsQ4jY2VqaItsCW04aa1ZFOK5JbuW4quqkqwM0vVglT99oh3CBVLmP3G6JT-i0OVBETSx8sX5-GS7IKuZf-WNzKO3aE4LQc6pweSPbuEpfG9J4EOU5PockJnQNW9keVEdhH_5Nw5Bj_FL8DmFhx03KnkWex9VfT0QfcICwMILA", "expires_in": 300, "refresh_expires_in": 1800, "refresh_token": 
"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3VkZaSVp2UlBOY1lSUUZUcEQ4MHVJaElpVVB4WUNkaEtoUjZudjJDQnJnIn0.eyJqdGkiOiI1YzQxN2QzYi0yMDI1LTRhODctYjYxYS1jZDA2NDllZjgzOGYiLCJleHAiOjE1MTA4Mzk5NjksIm5iZiI6MCwiaWF0IjoxNTEwODM4MTY5LCJpc3MiOiJodHRwczovL29pZGMtcHJlcHJvZC5iYW5raWRhcGlzLm5vL2F1dGgvcmVhbG1zL3ByZXByb2QiLCJhdWQiOiJ0aW5mbyIsInN1YiI6ImIzZjRkOTE5LThjYzUtNDEzYy05ZTExLTNjMmM2NzViMmY4ZiIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJQb3N0bWFuIiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiYmYwYTRjOWYtMmQwMC00M2Q4LTgyODgtMDFiODNhYjFlNTgwIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm5uaW5fYWx0c3ViIiwicHJvZmlsZSJdfSwicmVzb3VyY2VfYWNjZXNzIjp7InRpbmZvIjp7InJvbGVzIjpbImFkZHJlc3MiLCJwaG9uZSIsImVtYWlsIl19fX0.HN8ZSjaNbiKVts238C41lR6AC4sJyqpjRn2vxoVdG7Dhg6jmwHvk-8vkapPmxQ_s-oCVlMZbDsJAGj1Ecxs-jVZIC4WbL2vlJ_pJpt8d0PaXFu3G1XhnZjSs4d3lWXHLnlrOBMFAUUCEwIGMAuCaS4ef-tSFL0fzG55mb3JlxVJLO6uvlYaIUx_K_5hrQ0e12GreMsXsgwFUnK1JQPThk11dGeHntNEm84nMtz7QfcrV2Ob0RyOcRB796Qbv_NK5BoH9GXZQswW09KpukUPNLru7mvkuPUtnLnAd9ng0QlnrolAv9UOgQJQ2NSw7q70kB7cJ5_J2KSpsOdg49lc-aQ", "token_type": "bearer", "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3VkZaSVp2UlBOY1lSUUZUcEQ4MHVJaElpVVB4WUNkaEtoUjZudjJDQnJnIn0.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.jPESXd1TFFpiaIiOPDgXbqT1INR6yHdql1ZNsjX77Zf4RnI0xaM_SNC0ZRUdARcSXkZYRNmOUXLAeXh-DAY0Rew31RMXEK_MHJKh-6C0Ooed67ei_cJxephvqe1o7_3HPvpHfOKWPVoJbg7_ytWRLaDRivkmOdkMZzUsFpCeY1GhwUD_g_-Otnsbv-FSQgJ-w-vrehQGHfiuIlP-QYMKxA7cH_-ViJh4NuQ6xzLSafNYCx0vk2NDS9wKwnjaj0Sl2AWL5zaZZ_EEfrFXEg-hWDcAc5YdECM0APFoPESqzi0Cu26bOpnQP7ZuO9DNhB2eoeSOIlC6hu89TIALyB2S8w", "not-before-policy": 0, "session_state": "bf0a4c9f-2d00-43d8-8288-01b83ab1e580" } |
The following are decodings of the tokens returned in the above response:
Access Token
{
"jti": "5bebba2e-e10c-47d8-a63c-92ab55b4bb4f",
"exp": 1510838469,
"nbf": 0,
"iat": 1510838169,
"iss": "https://oidc-preprod.bankidapis.no/auth/realms/preprod",
"aud": "tinfo",
"sub": "b3f4d919-8cc5-413c-9e11-3c2c675b2f8f",
"typ": "Bearer",
"azp": "Postman",
"auth_time": 1510838050,
"session_state": "bf0a4c9f-2d00-43d8-8288-01b83ab1e580",
"name": "Frode Beckmann Nilsen",
"given_name": "Frode Beckmann",
"family_name": "Nilsen",
"acr": "4",
"allowed-origins": [],
"realm_access": {
"roles": [
"nnin_altsub",
"profile"
]
},
"resource_access": {
"tinfo": {
"roles": [
"address",
"phone",
"email"
]
}
},
"amr": "BID",
"bankid_altsub": "9578-6000-4-30799"
}
Refresh Token
{
"jti": "5c417d3b-2025-4a87-b61a-cd0649ef838f",
"exp": 1510839969,
"nbf": 0,
"iat": 1510838169,
"iss": "https://oidc-preprod.bankidapis.no/auth/realms/preprod",
"aud": "tinfo",
"sub": "b3f4d919-8cc5-413c-9e11-3c2c675b2f8f",
"typ": "Refresh",
"azp": "Postman",
"auth_time": 0,
"session_state": "bf0a4c9f-2d00-43d8-8288-01b83ab1e580",
"realm_access": {
"roles": [
"nnin_altsub",
"profile"
]
},
"resource_access": {
"tinfo": {
"roles": [
"address",
"phone",
"email"
]
}
}
}
ID Token
{
"jti": "c37c7aef-447d-4f1a-a322-02782ff7d00b",
"exp": 1510838469,
"nbf": 0,
"iat": 1510838169,
"iss": "https://oidc-preprod.bankidapis.no/auth/realms/preprod",
"aud": "Postman",
"sub": "b3f4d919-8cc5-413c-9e11-3c2c675b2f8f",
"typ": "ID",
"azp": "Postman",
"auth_time": 1510838050,
"session_state": "bf0a4c9f-2d00-43d8-8288-01b83ab1e580",
"name": "Frode Beckmann Nilsen",
"given_name": "Frode Beckmann",
"family_name": "Nilsen",
"birthdate": "1966-12-18",
"updated_at": 1474890351000,
"acr": "4",
"nnin_altsub": "181266*****",
"amr": "BID",
"bankid_altsub": "9578-6000-4-30799"
}
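The claim relationships visible in the decoded tokens above, written as checks a client can run on a Token response (an added Python example, not part of the original page). It covers claim consistency only: the token signatures must still be validated against the provider's published keys, which is outside this block. The tokens in `sample_response` are constructed with a placeholder signature segment, and their claim values mirror the decoded tokens on this page.

```python
import base64
import json


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_payload(token: str) -> dict:
    """Decode the claims segment of a compact JWT; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def check_token_response(resp: dict, issuer: str, client_id: str, now: int) -> list:
    """Return a list of claim problems; an empty list means the checks passed."""
    idt, at = jwt_payload(resp["id_token"]), jwt_payload(resp["access_token"])
    aud = idt.get("aud")
    checks = [
        (resp.get("token_type", "").lower() == "bearer", "token_type is not Bearer"),
        # typ separates an ID Token from an Access Token passed in its place.
        (idt.get("typ") == "ID", "id_token typ is not ID"),
        (idt.get("iss") == issuer, "id_token iss mismatch"),
        (client_id in (aud if isinstance(aud, list) else [aud]),
         "id_token aud lacks client"),
        (idt.get("azp") == client_id, "id_token azp mismatch"),
        (idt.get("exp", 0) > now, "id_token expired"),
        (at.get("sub") == idt.get("sub"), "sub differs between tokens"),
        (at.get("session_state") == resp.get("session_state"),
         "session_state mismatch"),
        # Holds in the page's sample: 1510838469 - 1510838169 = 300.
        (at.get("exp", 0) - at.get("iat", 0) == resp.get("expires_in"),
         "expires_in disagrees with exp"),
    ]
    return [msg for ok, msg in checks if not ok]


def sample_response() -> dict:
    """Constructed response; claim values mirror the decoded tokens on this page."""
    common = {"iat": 1510838169, "exp": 1510838469,
              "iss": "https://oidc-preprod.bankidapis.no/auth/realms/preprod",
              "sub": "b3f4d919-8cc5-413c-9e11-3c2c675b2f8f", "azp": "Postman",
              "session_state": "bf0a4c9f-2d00-43d8-8288-01b83ab1e580"}
    header = _b64url({"alg": "RS256", "typ": "JWT"})

    def tok(extra):  # "c2ln" is a placeholder, not a real signature
        return f"{header}.{_b64url({**common, **extra})}.c2ln"

    return {"token_type": "bearer", "expires_in": 300,
            "session_state": common["session_state"],
            "access_token": tok({"typ": "Bearer", "aud": "tinfo"}),
            "id_token": tok({"typ": "ID", "aud": "Postman"})}
```
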
The following example shows a request / response pair for a Refresh Token Exchange with the Token endpoint corresponding to the above example on an Authorization Code Exchange.
POST /auth/realms/preprod/protocol/openid-connect/token HTTP/1.1 Host: oidc-preprod.bankidapis.no Connection: close Content-Length: 1167 Authorization: Basic UG9zdG1hbjo5YWE3NDBhZi03NGIxLTQ2ODMtOWFhNi02NWJiNDBmYmY1Zjk= Postman-Token: b88036f2-c45b-995c-9c63-b5c48b968304 Cache-Control: no-store Pragma: no-cachecache Origin: chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 Content-Type: application/json;charset=utf-8 Server: Microsoft-IIS/8.5 X-Powered-By: ARR/3.0 X-Powered-By: ASP.NETx-www-form-urlencoded Accept: */* Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8 grant_type=refresh_token&scope=openid+profile+nnin_altsub&refresh_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3VkZaSVp2UlBOY1lSUUZUcEQ4MHVJaElpVVB4WUNkaEtoUjZudjJDQnJnIn0.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.d1INYQxzn0ofCg2zIVS8zd0K7GUbuLHRH6TwDsiDiiHkNZCg9wA6ef4S6HT0Wjg4CHqCv7mmZamChwsX_GlbsujtkTysUvRx_57LeGXQYDsCNVU0UrnhZ2dbfL9-YUwa5-An6Fdm0swkBn_5ivpqWK3cLBnl00Rirv8TTqT07mYpvIdFdVpc0QbOayhdVuVNYjKnEhBrliUVoaOfdrq1wtxecPsEx5uFOgxwR1VvMuDMBm25Fc4LPUwkSyYdCQEQi2BjfbjyJkwUdu8ASYN5GrDs_vW1FvIHTijIJvhawtmXCOusMxxkNXkF9V1PFGtXlzBA4YRQZCUyIvy2zhTgbQ HTTP/1.1 200 OK Date: Thu, 2516 MayNov 2017 1113:1216:1609 GMT Connection: close Server: WildFly/10 X-Powered-By: Undertow/1 Content-Type: application/json Content-Length: 3770 Via: 1027 1.1 oidc-preprod.bankidapis.no Connection: close { "access_token": "4497db915b5b479191c81a7854a2fa8" 
"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3VkZaSVp2UlBOY1lSUUZUcEQ4MHVJaElpVVB4WUNkaEtoUjZudjJDQnJnIn0.eyJqdGkiOiI1YmViYmEyZS1lMTBjLTQ3ZDgtYTYzYy05MmFiNTViNGJiNGYiLCJleHAiOjE1MTA4Mzg0NjksIm5iZiI6MCwiaWF0IjoxNTEwODM4MTY5LCJpc3MiOiJodHRwczovL29pZGMtcHJlcHJvZC5iYW5raWRhcGlzLm5vL2F1dGgvcmVhbG1zL3ByZXByb2QiLCJhdWQiOiJ0aW5mbyIsInN1YiI6ImIzZjRkOTE5LThjYzUtNDEzYy05ZTExLTNjMmM2NzViMmY4ZiIsInR5cCI6IkJlYXJlciIsImF6cCI6IlBvc3RtYW4iLCJhdXRoX3RpbWUiOjE1MTA4MzgwNTAsInNlc3Npb25fc3RhdGUiOiJiZjBhNGM5Zi0yZDAwLTQzZDgtODI4OC0wMWI4M2FiMWU1ODAiLCJuYW1lIjoiRnJvZGUgQmVja21hbm4gTmlsc2VuIiwiZ2l2ZW5fbmFtZSI6IkZyb2RlIEJlY2ttYW5uIiwiZmFtaWx5X25hbWUiOiJOaWxzZW4iLCJhY3IiOiI0IiwiYWxsb3dlZC1vcmlnaW5zIjpbXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm5uaW5fYWx0c3ViIiwicHJvZmlsZSJdfSwicmVzb3VyY2VfYWNjZXNzIjp7InRpbmZvIjp7InJvbGVzIjpbImFkZHJlc3MiLCJwaG9uZSIsImVtYWlsIl19fSwiYW1yIjoiQklEIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiTmlsc2VuLCBGcm9kZSBCZWNrbWFubiIsImJhbmtpZF9hbHRzdWIiOiI5NTc4LTYwMDAtNC0zMDc5OSJ9.DD5TUdN-OYDp9EfHVaNuQurDGcElTx48RlUygUfkxFR7181qJtAO69Pz7u6-7aavo9D9QHRqrXSengUSoyXOl0BmtwPBIuLuEdjKBHtQgvoAOW-xf_7J8mKNcq2_pLp9WO5ajG5N9mvls-DlgE_1nt_MKNtp_bYso11bSn59QIKlUsQ4jY2VqaItsCW04aa1ZFOK5JbuW4quqkqwM0vVglT99oh3CBVLmP3G6JT-i0OVBETSx8sX5-GS7IKuZf-WNzKO3aE4LQc6pweSPbuEpfG9J4EOU5PockJnQNW9keVEdhH_5Nw5Bj_FL8DmFhx03KnkWex9VfT0QfcICwMILA", "expires_in": 300, "refresh_expires_in": 1800, "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3VkZaSVp2UlBOY1lSUUZUcEQ4MHVJaElpVVB4WUNkaEtoUjZudjJDQnJnIn0.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.HN8ZSjaNbiKVts238C41lR6AC4sJyqpjRn2vxoVdG7Dhg6jmwHvk-8vkapPmxQ_s-oCVlMZbDsJAGj1Ecxs-jVZIC4WbL2vlJ_pJpt8d0PaXFu3G1XhnZjSs4d3lWXHLnlrOBMFAUUCEwIGMAuCaS4ef-tSFL0fzG55mb3JlxVJLO6uvlYaIUx_K_5hrQ0e12GreMsXsgwFUnK1JQPThk11dGeHntNEm84nMtz7QfcrV2Ob0RyOcRB796Qbv_NK5BoH9GXZQswW09KpukUPNLru7mvkuPUtnLnAd9ng0QlnrolAv9UOgQJQ2NSw7q70kB7cJ5_J2KSpsOdg49lc-aQ", "token_type": 3600"bearer", "id_token": 
"eyJraWQiOiJiYW5raWQtb2F1dGgiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3VkZaSVp2UlBOY1lSUUZUcEQ4MHVJaElpVVB4WUNkaEtoUjZudjJDQnJnIn0.eyJwcmVmZXJyZWRfdXNlcm5hbWUiOiJGcm9kZSBCZWNrbWFubiBOaWxzZW4iLCJuYW1lIjoiRnJvZGUgQmVja21hbm4gTmlsc2VuIiwiZ2l2ZW5fbmFtZSI6IkZyb2RlIEJlY2ttYW5uIiwiZmFtaWx5X25hbWUiOiJOaWxzZW4iLCJzdWIiOiI5NTc4LTYwMDAtNC0zMDc5OSIsImlhdCI6MTQ5NTcxMDU3NiwiaXNzIjoiaHR0cHM6Ly9wcmVwcm9kLmJhbmtpZGFwaXMubm8iLCJhdXRoX3RpbWUiOjE0OTU3MTA1NjMsImV4cCI6MTQ5NTcxNDE2MywiYmlydGhkYXRlIjoiMTk2Ni0xMi0xOCIsIm5vbmNlIjpudWxsLCJhbXIiOlsiQmFua0lEIl0sImF6cCI6IlBvc3RtYW4iLCJhdWQiOiJQb3N0bWFuIiwiYXRfaGFzaCI6IlBrOUFEYTlZTU1IVE1kcTdwTGpWSEEifQ.kO95jBTHtjXnxJT_iloPNsWMqHylBq5hV7rw5jaS-1Adg4A9kwK8J_9ZKeQrd6OMG_SZeS4nwkypkkx8pdnqJ85cVJ5t2KXDGklutouYRBFUWJ0ZJiAabaQUT1UvKCjmQcK006k_hpCXrRsc76NbQP0sb8Wm14kGAD-eN49JuyxixxhuO4usYulIwV1xZDmOEnmeJjUe5OhS-YgnJgZptLZi_RP8Uhj_ko63x-vOXGZinITo3I9vkOpQPmzrM9VUue8hTiXiSOEJrJZyIAiGXPZGwrXbpdZM9DGDCQVhknQ21VcMtOoYhx5yXVLFmPQ56rp3T3AwyWY-uTSVyxvIJweyJqdGkiOiJjMzdjN2FlZi00NDdkLTRmMWEtYTMyMi0wMjc4MmZmN2QwMGIiLCJleHAiOjE1MTA4Mzg0NjksIm5iZiI6MCwiaWF0IjoxNTEwODM4MTY5LCJpc3MiOiJodHRwczovL29pZGMtcHJlcHJvZC5iYW5raWRhcGlzLm5vL2F1dGgvcmVhbG1zL3ByZXByb2QiLCJhdWQiOiJQb3N0bWFuIiwic3ViIjoiYjNmNGQ5MTktOGNjNS00MTNjLTllMTEtM2MyYzY3NWIyZjhmIiwidHlwIjoiSUQiLCJhenAiOiJQb3N0bWFuIiwiYXV0aF90aW1lIjoxNTEwODM4MDUwLCJzZXNzaW9uX3N0YXRlIjoiYmYwYTRjOWYtMmQwMC00M2Q4LTgyODgtMDFiODNhYjFlNTgwIiwibmFtZSI6IkZyb2RlIEJlY2ttYW5uIE5pbHNlbiIsImdpdmVuX25hbWUiOiJGcm9kZSBCZWNrbWFubiIsImZhbWlseV9uYW1lIjoiTmlsc2VuIiwiYmlydGhkYXRlIjoiMTk2Ni0xMi0xOCIsInVwZGF0ZWRfYXQiOjE0NzQ4OTAzNTEwMDAsImFjciI6IjQiLCJubmluX2FsdHN1YiI6IjE4MTI2NjM1NTQ3IiwiYW1yIjoiQklEIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiTmlsc2VuLCBGcm9kZSBCZWNrbWFubiIsImJhbmtpZF9hbHRzdWIiOiI5NTc4LTYwMDAtNC0zMDc5OSJ9.jPESXd1TFFpiaIiOPDgXbqT1INR6yHdql1ZNsjX77Zf4RnI0xaM_SNC0ZRUdARcSXkZYRNmOUXLAeXh-DAY0Rew31RMXEK_MHJKh-6C0Ooed67ei_cJxephvqe1o7_3HPvpHfOKWPVoJbg7_ytWRLaDRivkmOdkMZzUsFpCeY1GhwUD_g_-Otnsbv-FSQgJ-w-vrehQGH
fiuIlP-QYMKxA7cH_-ViJh4NuQ6xzLSafNYCx0vk2NDS9wKwnjaj0Sl2AWL5zaZZ_EEfrFXEg-hWDcAc5YdECM0APFoPESqzi0Cu26bOpnQP7ZuO9DNhB2eoeSOIlC6hu89TIALyB2S8w", "scopenot-before-policy": "openid"0, "tokensession_typestate": "Bearerbf0a4c9f-2d00-43d8-8288-01b83ab1e580" } |
...