Client authentication

OIDC Clients must authenticate with the OIDC Provider for the Token and Introspect Endpoints. Among the standardized authentication methods the following are currently supported by the OIDC Provider from BankID:

OIDC client_secret_basic according to OAuth2 using the HTTP Basic authentication scheme
OIDC client_secret_post according to OAuth2 by including the Client Credentials (client_id and client_secret) in the request body

Support for other OIDC authentication schemes like client_secret_jwt and private_key_jwt may be added as future options.

OIDC Clients requesting access to VAS-services that uses the OIDC Provider for authorization must in addition authenticate with VAS-Servers using Access Tokens from the OIDC Provider. The type of Access Token and also the scheme for passing such tokens to VAS-servers are specific for each of the supported kinds of Value Added Services.