...
Note | ||
---|---|---|
| ||
Note that access tokens for the Client Credential Grant have a different structure for the ID part since there is no ID Token involved in that case. | ||
Note |
Warning | |
---|---|
false | Note that the OIDC Provider from BankID currently supports multi-audience tokens. If an OIDC Client requests a set of scopes that affect several value-added services (VAS), each of the affected services will be listed in the This practise may be changed in a future release of the OIDC Provider from BankID by imposing a restriction to not allow requests for a set of scopes that affect more than one VAS in each request. Introducing such a single-audience restriction has the benefit of giving tighter control since a bearer token in wrong hands gives access to fewer resources. The downside of a single-audience restriction is that integration becomes more complex for OIDC clients since multiple requests must be made, one for each set of requested scopes, to get a series of access tokens, one for each affected VAS. To be prepared for a possible future change from multi-audience access tokens to single-audience access tokens, OIDC Clients are recommened to not include a set of scopesin the same request that affects more that one VAS. The recommended integration practise is to use a series of subsequent requests for access tokens to separate VAS. Using this recommended integration practise will not break backwards compatibility if a single-audience restriction is introduced. For authentication flows involving the end-user subsequent requests can be made via the id_token_hint option for the Authorize endpoint to avoid repeated interaction with the end-user. |
Note finally that the OIDC Provider form BankID supports signed Access Tokens in JWT format. The below table shows claims in the payload part of the JWT. Claims contained in the JWT header are not shown.See session handling for the life-time of an access token. To cater for access tokens that are either revoked before their expiry, or that have expired prematurely for other reasons, validation of access tokens via Introspect is supported. Another use of introspection is for eligible resource servers to retrive confidential claims that are not carried in the access token itself. One such examle is the bankid_altsub
claim.Note finally that the OIDC Provider form BankID supports signed Access Tokens in JWT format. The below table shows claims in the payload part of the JWT. Claims contained in the JWT header are not shown.
Claim | Origin | Scope | Example | Description | Comment |
---|---|---|---|---|---|
General part | |||||
typ | Keycloack | openid | Bearer | Token type | Always Bearer for Access Tokens |
allowed-origins | Keycloack | openid | [ ] | Not in use by the OIDC Provider from BankID | |
ID part | |||||
acr | Standard | openid | 4 | See ID Token | |
amr | Standard | openid | BID | See ID Token | |
auth_time | Standard | openid | 1510497762 | See ID Token | |
azp | Standard | openid | oidc_testclient | See ID Token | |
bankid_altsub | Custom | openid | 9578-5999-4-1765512 | See ID Token | |
exp | Standard | openid | 1510498063 | See session handling | |
iat | Standard | openid | 1510497763 | See session handling | |
iss | Standard | openid | <oidc-baseurl> | See ID Token | |
jti | Standard | openid | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 | See ID Token | |
nbf | Standard | openid | 0 | See ID Token | |
nonce | Standard | openid | <random value> | See ID Token | |
session_state | Keycloack | openid | abf823c2-9810-4133-9369-7bff1223d6c1 | See ID Token | |
sub | Standard | openid |
| See ID Token | |
birthdate | Standard | openid | 1966-12-18 | See ID Token | |
family_name | Standard | profile | Nilsen | See ID Token | |
given_name | Standard | profile | Frode Beckmann | See ID Token | |
name | Standard | profile | Nilsen, Frode Beckmann | See ID Token | |
preferred_username | Standard | profile | Nilsen, Frode Beckmann | See ID Token | |
Access part | |||||
aud | Standard | openid | tinfo | Audience | List of VAS-names for which the access token in question is intended |
realm_access | Keycloack |
| {"roles:["profile","address","phone","email","nnin_altsub","nnin"]}
| Resource access designator at the OIDC platform level. |
|
resource_access | Keycloack |
| {"tinfo:{"roles ["address","phone_number", "email", "nnin"]}} | Resource access designator for the TINFO Service |