The claims returned in an ID Token from the OIDC Provider depends one the scopes requested by the OIDC Client. Two different configurations are supported as suggested by the below table, corresponding to the standard scopes openid and profile.
- A Minimum ID Token contains a minimum set of standard claims, among which
subis the only claim that is linked to the actual user. A minimum ID Token can be used by OIDC Clients that need to authenticate end-users in an anonumous way. Thesubvalue does not identify the user unless it is linked by the OIDC Client to other claims about the end user associated with thatsubvalue. - An Regular ID Token adds a small set of basic claims about the end-user.
Additional claims about the end-user are supported by the TINFO service and made available via Userinfo. Note that all claims supported in ID Tokens are available to any OIDC Client and none of the claims demand consent from the end user. This is in contrast to claims supported by TINFO that must meet certain conditions before actually being returned to a requesting OIDC Client.
The OIDC Provider form BankID supports signed ID Tokens.
= According to standard. 
= In progress / future support. 
= Custom additions
| Claim | Support | Example | Description | Comment | Editorial comment |
|---|---|---|---|---|---|
Minimum ID Token (scope = openid) | |||||
iss | | https://preview.bankidapis.no | Issuer Identifier for the Issuer | ||
sub | | 9578-5999-4-1765512 | Subject Identifier | Personal Identifier from BankID (Serial number from associated BankID certificate) | |
| nnin_altsub | | 181266***** | Norwegian National Identity Number (fødselsnummer) | Alternate sub, providing eligible OIDC clients nnin as a reference to already existing users. Only availble with authorization code flow. Other flows would expose nnin via the IDToken flowing through the end-user browser. For acces to nnin for eligible OIDC clients for enrollment of new users, see Userinfo. | |
aud | | DotNetClient | Audience | Always includes client_id | |
exp | | 1494144386 | Expiration time | Epoc time | |
iat | | 1494140787 | Issuing time | Epoc time | |
auth_time | | 1494140786 | Authentication time | Epoc time | |
nonce | | <random value> | Nonce | ||
| acr | | 4 | Authentication Context Class Reference | Level of Assurance (LoA) for IDP option being used | |
amr | | BankID | Authentication Method Reference | Name of IDP option being used | |
azp | | DotNetClient | Authorized party | Equals client_id | |
alg | | RS256 | Algorithm used to sign ID Token | ||
typ | | JWT | Type of key used to sign ID Token | ||
kid | | bankid-oauth | ID of key used to sign ID Token | ||
at_hash | | <hash value> | Access Token hash value | Required for hybrid flow and implicit flow | |
c_hash | | <hash value> | Code hash value | Hybrid flow | |
Regular ID Token (scope = openid profile) | |||||
name | | Nilsen, Frode Beckmann | Full name | CommonName from associated BankID certificate | |
given_name | | Frode Beckmann | Given name (first name) | ||
family_name | | Nilsen | Surname (last name) | ||
preferred_username | | Nilsen, Frode Beckmann | Shorthand name | Must be reviewed | |
birthdate | | 1966-12-18 | Birthdate | BirthDate from associated BankID certificate | |
updated_at | | 1468582440 | Update time | Epoc time of issuing time of associated BankID certificate | Must be added |