Token is a standard endpoint used for requesting various combinations of ID Token, Access Token and Refresh Token. In addition, BankID OIDC extends the token response with the BankID Proof token if requested. The type of request (and corresponding response) is determined by the grant_type request parameter, as described further below.
...
URL | https://<oidc-baseurl>/protocol/openid-connect/token |
---|---|
Request | POST with parameters in body as application/x-www-form-urlencoded data |
Authentication | OIDC/OAuth2 client authentication according to supported methods |
Success response | 200 OK with JSON containing response elements |
Error response | 400 Bad Request with JSON containing standard error response elements |
Example | See below |
Note: The recommended practice for merchants is to use the Token URL from Openid-configuration rather than hardcoding the URL value.
...
Name | Description | Comment |
---|---|---|
id_token | JWT encoded ID Token | Standard claim with Keycloak specific content |
access_token | JWT encoded Access Token | Standard claim with Keycloak specific content |
token_type | Always Bearer | Standard claim |
expires_in | Lifetime of access_token | Standard claim. Related to the exp claim inside the Access Token. See session handling |
refresh_token | JWT encoded Refresh Token | Standard claim with Keycloak specific content |
refresh_expires_in | Lifetime of refresh_token | Keycloak specific claim. Related to the exp claim inside the Refresh Token. See session handling |
bankid_proof | JWT encoded BankID Proof Token | BankID OIDC custom claim that includes proof of BankID authentication. Included if requested using the bankid_proof scope. |
not-before-policy | TBD | Keycloak specific claim |
session_state | TBD | Keycloak specific claim |
...
The following example shows a request / response pair for an Authorization Code Grant. The example is generated from Postman (which is configured as a client at the OIDC Provider) corresponding to the example shown for the Authorize endpoint.

Authorization code grant token exchange:
```
POST /auth/realms/current/protocol/openid-connect/token HTTP/1.1
Host: auth.current.bankid.no
User-Agent: curl/7.64.1
Accept: */*
Authorization: Basic b2lkYy10ZXN0Y2xpZW50OjAxMjM0NTY3LTg5YWItY2RlZi0wMTIzLTQ1Njc4OWFiY2RlZg==
Content-Length: 207
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&redirect_uri=https%3A%2F%2Ftestclient.local%3A8487%2Fcallback&code=521e89e9-5b3e-49d2-9647-2aeed215c5d7.66801cef-7746-4391-a018-43bda5c7002b.0ab47fe7-0373-4b80-b517-065f5a5a3769

HTTP/1.1 200 OK
Date: Wed, 18 Aug 2021 11:27:37 GMT
Server: web
Cache-Control: no-store
X-XSS-Protection: 1; mode=block
Pragma: no-cache
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Content-Type: application/json
Content-Length: 4301

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3VkZaSVp2UlBOY1lSUUZUcEQ4MHVJaElpVVB4WUNkaEtoUjZudjJDQnJnIn0.eyJleHAiOjE2MjkyODYzNTcsImlhdCI6MTYyOTI4NjA1NywiYXV0aF90aW1lIjoxNjI5Mjg1OTk4LCJqdGkiOiI2MzE5M2JlYS0zYzA3LTRhNGQtODY3YS02NWJjYzk3MDQ2NDgiLCJpc3MiOiJodHRwczovL2F1dGguY3VycmVudC5iYW5raWQubm8vYXV0aC9yZWFsbXMvY3VycmVudCIsImF1ZCI6InRpbmZvIiwic3ViIjoiMmNkN2NlY2QtZDQ0NC00Njg1LWJiMDQtOGJiZmRiNDVhMDY5IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoib2lkYy10ZXN0Y2xpZW50Iiwibm9uY2UiOiJkZW1vTm9uY2UiLCJzZXNzaW9uX3N0YXRlIjoiNjY4MDFjZWYtNzc0Ni00ZGQ2LWEwMTgtNDNiZGE1YzcwMDJiIiwibmFtZSI6IlRlc3QgVXNlciBCYW5rSUQiLCJnaXZlbl9uYW1lIjoiVGVzdCBVc2VyIiwiZmFtaWx5X25hbWUiOiJCYW5rSUQiLCJiaXJ0aGRhdGUiOiIyMDE4LTA1LTA5IiwiYWNyIjoidXJuOmJhbmtpZDpiaWQ7TE9BPTQiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsicHJvZmlsZSJdfSwicmVzb3VyY2VfYWNjZXNzIjp7InRpbmZvIjp7InJvbGVzIjpbInByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIiwiYW1yIjoiQklEIiwicmVzb3VyY2VfY2xhaW1zIjp7fSwiYmFua2lkX2FsdHN1YiI6Ijk1NzgtNjAwMC00LTYzNDU4MiIsIm9yaWdpbmF0b3IiOiJDTj1CYW5rSUQgLSBUZXN0QmFuazEgLSBCYW5rIENBIDMsT1U9MTIzNDU2Nzg5LE89VGVzdEJhbmsxIEFTLEM9Tk87T3JnaW5hdG9ySWQ9OTk4MDtPcmlnaW5hdG9yTmFtZT1CSU5BUztPcmlnaW5hdG9ySWQ9OTk4MCJ9.n1DGMVcHmEB5wL03QkE51cqAtl5uUr-slOd89lfy_ufF9U_X8JypI8WG_PXieX6eXMiFwR0vak3DtHKKmnx0Y1qRtfKAM12m1c6EvqrhbMa3NvLtdZoAQ8YfmQ2sB2bSg4bmtB4iEDbO9eLrMc1bb0yyFuT3bbQr0cqcLl5u3Ig0ZsNNoyRV-XJBfLEWjswEsPag6xwu6AG_4K1lDaqGiFM4XoQl0LrDAN0Wz9RGYyR7eBrohvfV22XZCZadt-T7Dyc6gr_UIY8tyoA3Lh7rXtnzxybL8a4rWDHAACp5VSFLRLS_61yumrB4g5AwJvdj0MF6ngJzHj2XyF0Eu3MdfA",
  "expires_in": 300,
  "refresh_expires_in": 1800,
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjMWJjNDkyYy1jNDYwLTQ1ZWItYTQ5Yi1hYjAxY2IyZGJkOGIifQ.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.LwE6_mB1JSIF9EfjlP5cQeoQjvnGTzxtaVR2Qae4WIM",
  "token_type": "bearer",
  "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3VkZaSVp2UlBOY1lSUUZUcEQ4MHVJaElpVVB4WUNkaEtoUjZudjJDQnJnIn0.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.olwtV8Hr7X-t-pcBx-4m8pj9BBQhkkxgD_dJo8NTV-MefnZljVGfXOSmXURo2H0OmLCFvMst_KXmuIw9XWVd_djl-EQACkD1Tu4ABT6T-kT8EvRU61JFrLGD5iypKAf3y91UJS3wUS6Mkxj273ITBPZa6tqLeugL712GaQoyDllEEluFfXrV7-MUTRt9f80b_rfY9mq8wpw84mycKUukJGZOqpBRgiME_i2WiFdAqEgqU3zNrCEW90NecBHF8xGgGQvD34dCn1djVImrYKeTxb7wNAxH-lUUVw4jB-51yIHV6fzfLixYz6eDpYjq0hlTRXo0sEoV-tpDuh7HmbV94A",
  "not-before-policy": 0,
  "session_state": "66801cef-7746-4dd6-a018-43bda5c7002b",
  "scope": "openid profile"
}
```
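A client-side sketch of the exchange shown above, added here as an example and not taken from BankID's own code: it takes the Token URL from the discovery document instead of hardcoding it, builds the Basic-authenticated form POST, and validates the response elements from the table. `DISCOVERY` is a constructed, trimmed stand-in for the Openid-configuration document, and the names `build_code_exchange`, `parse_token_response` and `TokenError` are hypothetical.

```python
import base64
import json
import time
from urllib.parse import quote_plus, urlencode, urlsplit

# Constructed, trimmed stand-in for the provider's Openid-configuration document.
DISCOVERY = {
    "issuer": "https://auth.current.bankid.no/auth/realms/current",
    "token_endpoint": "https://auth.current.bankid.no/auth/realms/current"
                      "/protocol/openid-connect/token",
}

class TokenError(Exception):
    """Raised for an error response or a malformed success response."""

def build_code_exchange(discovery, client_id, client_secret, code, redirect_uri):
    """Return (url, headers, body) for an authorization_code token request."""
    url = discovery["token_endpoint"]  # taken from discovery, never hardcoded
    if urlsplit(url).scheme != "https":
        raise ValueError("token endpoint must use https")
    # HTTP Basic client authentication; RFC 6749 section 2.3.1 form-encodes
    # the client id and secret before Base64 encoding them.
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "authorization_code",
                      "redirect_uri": redirect_uri, "code": code})
    return url, headers, body

def parse_token_response(status, raw_body, requested_scope, now=None):
    """Validate a token response; turn relative lifetimes into absolute times."""
    now = time.time() if now is None else now
    data = json.loads(raw_body)
    if status != 200:  # standard error elements: error, error_description
        raise TokenError(f"{data.get('error')}: {data.get('error_description', '')}")
    # The example response spells it "bearer", so compare case-insensitively.
    if str(data.get("token_type", "")).lower() != "bearer":
        raise TokenError("unexpected token_type")
    missing = [k for k in ("access_token", "expires_in") if k not in data]
    # bankid_proof is only returned when the bankid_proof scope was requested.
    if "bankid_proof" in requested_scope.split() and "bankid_proof" not in data:
        missing.append("bankid_proof")
    if missing:
        raise TokenError("missing response elements: " + ", ".join(missing))
    data["access_expires_at"] = now + data["expires_in"]
    if "refresh_expires_in" in data:
        data["refresh_expires_at"] = now + data["refresh_expires_in"]
    return data
```

Called with the client credentials, code and redirect URI from the example above, `build_code_exchange` reproduces the same `Authorization` header and the same 207-byte body.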
...