OIDC Clients must authenticate with the OIDC Provider for the Token and Introspect Endpoints. Among the standardized authentication methods the following are currently supported by the OIDC Provider from BankID:
- OIDC `client_secret_basic` according to OAuth2 using the HTTP Basic authentication scheme
- OIDC `client_secret_post` according to OAuth2 by including the Client Credentials (`client_id` and `client_secret`) in the request body
Support for other OIDC authentication schemes like `client_secret_jwt` and `private_key_jwt` may be added as future options.
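The two supported methods differ only in where the Client Credentials travel. The sketch below is an added example, not code from BankID: it builds the headers and body of a Token Endpoint request for either method, and applies the form-encoding step that OAuth2 (RFC 6749, section 2.3.1) requires before Basic encoding. The function name, credentials and redirect URI are constructed for illustration.

```python
import base64
from urllib.parse import quote_plus, urlencode

SUPPORTED = ("client_secret_basic", "client_secret_post")


def build_token_request(method, client_id, client_secret, params):
    """Return (headers, body) for a Token Endpoint POST (hypothetical helper).

    Send the result only over TLS: both methods transmit the secret itself.
    """
    if method not in SUPPORTED:
        # client_secret_jwt / private_key_jwt are not handled in this sketch
        raise ValueError(f"unsupported client authentication method: {method}")

    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = dict(params)

    if method == "client_secret_basic":
        # RFC 6749 2.3.1: form-urlencode id and secret FIRST, then join with
        # ':' and base64 the pair. Skipping the first step breaks secrets
        # that contain ':', '+', '%' or non-ASCII characters.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        token = base64.b64encode(pair.encode("utf-8")).decode("ascii")
        headers["Authorization"] = f"Basic {token}"
    else:
        # client_secret_post: credentials go in the request body; urlencode()
        # below applies the form encoding. No Authorization header is sent,
        # so the two methods are never mixed in one request.
        body["client_id"] = client_id
        body["client_secret"] = client_secret

    return headers, urlencode(body)


# Constructed sample values; the secret contains characters that need encoding.
SAMPLE_PARAMS = {
    "grant_type": "authorization_code",
    "code": "CONSTRUCTED_CODE",
    "redirect_uri": "https://client.example/cb",
}

if __name__ == "__main__":
    for m in SUPPORTED:
        h, b = build_token_request(m, "my client", "s3cr:et+/=", SAMPLE_PARAMS)
        print(m, h, b, sep="\n  ")
```

With `client_secret_post` the secret is part of the request body, so any logging of request bodies on the client side has to redact `client_secret`.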
OIDC Clients requesting access to VAS-services that use the OIDC Provider for authorization must, in addition, authenticate with VAS-Servers using Access Tokens from the OIDC Provider. The type of Access Token and the scheme for passing such tokens to VAS-servers are specific to each of the supported kinds of Value Added Services.