
ID Token

The OpenID Connect Provider from BankID provides ID Tokens with the claims shown in the table below. The Origin column indicates non-standard claims. Such claims are either added by Keycloak or the result of customization made by the OIDC Provider from BankID.

The ID Token structure builds on Keycloak. Three different token configurations are supported, as suggested by the Scope column, corresponding to three different combinations of the standard scopes openid and profile and the custom scope nnin_altsub.

  • A Minimum ID Token (scope = openid) that contains a minimum set of claims, among which sub and bankid_altsub are the only claims that are linked to the actual user. A minimum ID Token can be used by OIDC Clients that need to authenticate end-users in an anonymous way. The sub and bankid_altsub values do not identify the user unless the OIDC Client links them to other claims about the end user that identify him more precisely.
  • A Regular ID Token (scope = openid profile) that builds on a minimum ID Token by adding claims that identify the end-user by his name and birthdate.
  • An Enhanced ID Token (scope = ....... nnin_altsub) that builds either on a minimum ID Token or a regular ID Token by adding a claim containing the Norwegian National Identity Number of the end-user.

As suggested by the IDP column, many claims are present for any IDP, whereas other claims depend on the particular IDP being used. The Eligibility column indicates whether a claim is available for any OIDC client or whether specific conditions apply. In the latter case, eligible OIDC clients must be configured for access in the provisioning process.

Note that the TINFO value-added service supports even more claims about the end-user beyond those contained in the ID Token. The major difference is that none of the claims contained in ID Tokens demand consent from the end user. This is in contrast to the claims supported by TINFO, which are subject to consent handling.

Note finally that the OIDC Provider from BankID supports signed ID Tokens in JWT format. The table below shows claims in the payload part of the JWT. Claims contained in the JWT header are not shown.

| Claim | Origin | Scope | Example | IDP | Eligibility | Description | Comment |
|---|---|---|---|---|---|---|---|
| Minimum ID Token part | | | | | | | |
| typ | Keycloak | openid | ID | Any | Any | Token type | Always ID for ID Tokens |
| acr | Standard | openid | 4 | Any | Any | Authentication Context Class Reference | Level of Assurance (LoA) for IDP option being used |
| amr | Standard | openid | BID | Any | Any | Authentication Method Reference | Name of IDP option being used to authenticate the end-user. If the end-user is subject to authentication step-up, note that this value may differ from any amr value specified in the login_hint parameter of the Authorize end-point. |
| aud | Standard | openid | oidc_testclient | Any | Any | Audience | Always client_id |
| auth_time | Standard | openid | 1510497762 | Any | Any | Authentication time | Epoch time |
| azp | Standard | openid | oidc_testclient | Any | Any | Authorized party | Equals client_id |
| bankid_altsub | Custom | openid | 9578-5999-4-1765512 | BankID and xID | Any | Alternate BankID Subject Identifier | Personal Identifier (PID) / Serial Number from associated BankID certificate. |
| exp | Standard | openid | 1510498063 | Any | Any | Expiration time | Epoch time. Corresponds to a forward session window after iat |
| iat | Standard | openid | 1510497763 | Any | Any | Issuing time | Epoch time. Equal to auth_time for new sessions. Is otherwise set at each session refresh. |
| iss | Standard | openid | <oidc-baseurl> | Any | Any | Issuer Identifier for the Issuer | |
| jti | Standard | openid | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 | Any | Any | Token identifier | |
| nbf | Standard | openid | 0 | Any | Any | Not before time | Epoch time |
| nonce | Standard | openid | <random value> | Any | Any | Nonce | |
| session_state | Keycloak | openid | abf823c2-9810-4133-9369-7bff1223d6c1 | Any | Any | GUID related to session handling | |
| sub | Standard | openid | e8c523ff-52a2-42e2-a7a5-f1d0fbb76204 | Any | Any | Subject Identifier | GUID from Keycloak |
| updated_at | Standard | openid | 1468582440 | Any | Any | Update time | Epoch time of issuing / create / enrollment of ID in question. |
| at_hash | Standard | openid | <hash value> | Any | Any | Access Token hash value | Included for hybrid and implicit flows |
| c_hash | Standard | openid | <hash value> | Any | Any | Code hash value | Included for hybrid flow |
| browserEnrolledAt | Custom | openid | 1515437710549 | xID only | Any | Time at which the current browser was enrolled for the xID Service | Epoch time |
| Regular ID Token part | | | | | | | |
| birthdate | Standard | profile | 1966-12-18 | BankID and xID | Any | Birthdate | From associated BankID certificate |
| family_name | Standard | profile | Nilsen | BankID and xID | Any | Surname (last name) | From associated BankID certificate |
| given_name | Standard | profile | Frode Beckmann | BankID and xID | Any | Given name (first name) | From associated BankID certificate |
| name | Standard | profile | Nilsen, Frode Beckmann | BankID and xID | Any | Full name | From associated BankID certificate |
| preferred_username | Standard | profile | Nilsen, Frode Beckmann | BankID and xID | Any | Shorthand name | Same content as name claim |
| Enhanced ID Token part | | | | | | | |
| nnin_altsub | Custom | nnin_altsub | 181266***** | BankID and xID | Available for OIDC clients that use NNIN as userID for their already existing users. For access to NNIN for enrollment of new users, see TINFO. | Norwegian National Identity Number (NNIN) as alternate Subject Identifier | Only available with authorization code flow. |
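
How an OIDC client might check the payload claims listed above once the JWT signature has been verified by a JOSE library. This is an added example, not BankID's or Keycloak's code. The function names, the issuer URL placeholder, the numeric comparison of acr and the use of SHA-256 for c_hash (an RS256-signed token) are assumptions.

```python
import base64, hashlib, hmac

ISSUER = "https://oidc.example.invalid"  # placeholder for <oidc-baseurl>
LEEWAY = 30  # assumed tolerated clock skew, in seconds
# Constructed payload built from the Example column of the claims table.
SAMPLE = {
    "typ": "ID", "acr": "4", "amr": "BID", "iss": ISSUER, "nbf": 0,
    "aud": "oidc_testclient", "azp": "oidc_testclient", "nonce": "n-constructed",
    "iat": 1510497763, "exp": 1510498063, "sub": "e8c523ff-52a2-42e2-a7a5-f1d0fbb76204",
}

def left_half_hash(value):
    # c_hash / at_hash per OIDC Core: base64url of the left half of the digest.
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode()

def token_variant(claims):
    """Classify a payload as one of the three configurations on this page."""
    if "nnin_altsub" in claims:
        return "enhanced"
    if "name" in claims or "birthdate" in claims:
        return "regular"
    return "minimum"

def check_id_token(claims, client_id, issuer, nonce, now, min_acr=None, code=None):
    """Return a list of problems; an empty list means the payload passed."""
    errors = []
    if claims.get("typ") != "ID":
        errors.append("typ is not ID")
    if claims.get("iss") != issuer:
        errors.append("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        errors.append("aud does not contain client_id")
    if claims.get("azp") != client_id:
        errors.append("azp mismatch")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), nonce.encode()):
        errors.append("nonce mismatch")
    if now >= claims.get("exp", 0) + LEEWAY:
        errors.append("token expired")
    if now + LEEWAY < claims.get("nbf", 0):
        errors.append("token not yet valid")
    acr = str(claims.get("acr", ""))
    if min_acr is not None and not (acr.isdigit() and int(acr) >= min_acr):
        errors.append("acr below required level")
    if code is not None and claims.get("c_hash") != left_half_hash(code):
        errors.append("c_hash mismatch")
    return errors
```

Pass the nonce stored with the end-user's session and, for the hybrid flow, the authorization code received alongside the token; token_variant lets a client notice when it receives more identifying claims than the scopes it requested should yield.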