The OpenID Connect Provider from BankID provides Refresh Tokens with claims as shown in the below table. The origin column indicates non-standard claims. Such claims are either added by KeycloackKeycloak or the result of customization made by the OIDC Provider from BankID.
...
Note finally that the OIDC Provider form BankID supports signed Refresh Refresh Tokens in JWT format. The below table shows claims in the payload part of the JWT. Claims contained in the JWT header are not shown.
| Claim | Origin | Example | Description | Comment |
|---|---|---|---|---|
typ | KeycloackKeycloak | Refresh | Token type | Either See scope |
| Standard | tinfo | See Access Token | |
auth_time | Standard | 1510497762 | See ID Token | |
azp | Standard | oidc_testclient | See ID Token | |
exp | Standard | 1510498063 | See session handling | |
iat | Standard | 1510497763 | See session handling | |
iss | Standard | <oidc-baseurl> | See ID Token | |
jti | Standard | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 | See ID Token | |
nbf | Standard | 0 | See ID Token | |
nonce | Standard | <random value> | See ID Token | |
session_state | KeycloackKeycloak | abf823c2-9810-4133-9369-7bff1223d6c1 | See ID Token | |
sub | Standard |
| See ID Token | |
realm_access | KeycloackKeycloak | {"roles:["profile","address","phone","email","nnin_altsub","nnin"]} | See Access Token | |
resource_access | KeycloackKeycloak | {"tinfo:{"roles ["address","phone_number", "email", "nnin"]}} | See Access Token | |
...