Access Tokens
- Frode Nilsen (Unlicensed)
Access Tokens can be categorized in two classes:
- By-reference in terms of an arbitrary value that must be verified via Introspection to determine the Authorization Context for any particular token value.
- Self-contained in terms JSON WebTokens (JWT) that are signed (JWS) and optionally also encrypted (JWE). Tokens of this kind contain all required information to determine the Authorization Context. Such tokens may optionally also be verified via Introspection or for augmenting the token with additional claims .
In either case, the resulting token (value) is ment for use as a standard Bearer Tokens in the request to the value-added service for which the token regulates access.
The Authorization Context of an Access Token referes to attributes such as:
- The issuer (
iss)of the access token. See corresponding claim in ID Token. - The subject identifier (
sub)of the access token, ie. a reference to the end-user (resource owner) that authorized the access token. See corresponding claim in ID Token. - Intended audience (
aud)for the access token, ie. a reference to the Value-Added Service (VAS) that the access token regulates access to. Note that this is not related to the corresponding claim in the ID Token. The audience for the ID Token (being the OIDC Client) is different from the audience for an Access Token (being the VAS in question). - Active state / expiry (
exp)ofthe access token - The specific set of scopes and claims associated with the access token, ie. the set included in the Authorize request that subsequently resulted in the issuance of the Access Token in a reponse to a Token request
The Default Acess Token in this release of the OIDC Provider from BankID has its origin from Keycloak and has the following characteristics.
- Self-contained token with corresponding optional support for validation via Introspect
- Standard Bearer Tokens
- Works with the TINFO-service and its corresponding scopes and claims.
- Has a lifetime of 300 seconds
See the below table for a drill-down on what is actually contain in the default Access Token. As already suggested in the above list and as further elaborated in the table; the default token is used by the TINFO-service. Other VAS-services may use a similar token by using a different value for the aud attribute, or they may use Access Tokens with a completely different structure and/or content. See the list of supported Value-added Services (VAS) for further information of Access Tokens for each such service.
The Default Acess Token contains an ID-part and and an Access-part as suggested by the table. The ID-part contains about the end-user in question. The Access-part does on the other hand contain detailed information on access grants for the various parts of the TINFO-service.
Note that the default Access Token is signed. Signing related claims contained in the header part of the Access Token are not shown in the table
= According to standard. 
= Custom additions
| Claim | Support | Scope | Example | Description | Comment |
|---|---|---|---|---|---|
| ID part | |||||
typ | | openid | Bearer | Token type | Type of token |
acr | | openid | 4 | Authentication Context Class Reference | Level of Assurance (LoA) for IDP option being used |
amr | | openid | BID | Authentication Method Reference | Name of IDP option being used |
| | openid | tinfo | Audience | Always includes client_id |
auth_time | | openid | 1510497762 | Authentication time | Epoc time |
azp | | openid | oidc_testclient | Authorized party | Equals client_id |
bankid_altsub | | openid | 9578-5999-4-1765512 | Alternate Subject Identifier | Personal Identifier (PID) for BankID (Serial number from associated BankID certificate) Applicable for BankID and other IDPs derived from BankID.
|
exp | | openid | 1510498063 | Expiration time | Epoc time |
iat | | openid | 1510497763 | Issuing time | Epoc time |
iss | | openid | https://oidc-preprod.bankidapis.no/auth/realms/preprod | Issuer Identifier for the Issuer | |
jti | | openid | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 | Token identifier | |
nbf | | openid | 0 | Not before time | Epoc time |
nonce | | openid | <random value> | Nonce | |
session_state | | openid | abf823c2-9810-4133-9369-7bff1223d6c1 | GUID related to session-handling in Keycloak. | |
sub | | openid | e8c523ff-52a2-42e2-a7a5-f1d0fbb76204 | Subject Identifier | Personal Identifier from BankID (Serial number from associated BankID certificate) |
birthdate | | openid | 1966-12-18 | Birthdate | BirthDate from associated BankID certificate |
family_name | | profile | Nilsen | Surname (last name) | |
given_name | | profile | Frode Beckmann | Given name (first name) | |
name | | profile | Nilsen, Frode Beckmann | Full name | CommonName from associated BankID certificate |
preferred_username | | profile | Nilsen, Frode Beckmann | Shorthand name | |
| Access part | |||||
realms_access | | profile nnin_altsub | {"roles:["profile","nnin_altsub"]}
| Resource designator used by Keycloak. | |
resource_access | | profile or tinfo/address tinfo/phone | {"tinfo:{"roles ["address","phone_number", "email", "nnin"]}} | Resource designator used by Keycloak. | |