ID Token
- Frode Nilsen (Unlicensed)
The OpenID Connect Provider from BankID provides ID Tokens with uniform characteristics regarless of the IDP being used in any particular case. The claims returned depends on the scopes requested by the OIDC Client. Three different configurations are supported as suggested by the below table, corresponding to various combinations of the standard scopes openid and profile and the proprietary scope nnin_altsub.
A Minimum ID Token (scope = openid) contains a minimum set of claims, among which sub and bankid_altsub are the only claims that are linked to the actual user. A minimum ID Token can be used by OIDC Clients that need to authenticate end-users in an anonumous way. The sub and bankid_altsub values do not identify the user unless they are linked by the OIDC Client to other claims about the end user associated that identifies him more precisely.
A Regular ID Token (scope = openid profile) builds on a minimum ID Token by adding claims that identifies the end-user by his name and birthdate.
A Enchanced ID Token (scope = ....... nnin_altsub) builds either on a minimum ID Token or a regular ID Token by adding a claim containing the Norwegian National Identity Number of the end-user
The TINFO value-added service supports even more claims about the end-user beyond those contained in the ID Token.
All claims supported in ID Tokens, with the exception from nnin_altsub, are available to any OIDC Client and none of the claims demand consent from the end user. This is in contrast to claims supported by TINFO that must meet certain conditions before actually being returned to a requesting OIDC Client.
The OIDC Provider form BankID supports signed ID Tokens. Note that signing related claims contained in the header part of the ID Token are not shown in the below table.
= According to standard. 
= Custom additions
| Claim | Support | Scope | Example | Description | Comment |
|---|---|---|---|---|---|
typ | | openid | ID | Token type | Type of token |
acr | | openid | 4 | Authentication Context Class Reference | Level of Assurance (LoA) for IDP option being used |
amr | | openid | BID | Authentication Method Reference | Name of IDP option being used |
| | openid | oidc_testclient | Audience | Always includes client_id |
auth_time | | openid | 1510497762 | Authentication time | Epoc time |
azp | | openid | oidc_testclient | Authorized party | Equals client_id |
bankid_altsub | | openid | 9578-5999-4-1765512 | Alternate Subject Identifier | Personal Identifier (PID) for BankID (Serial number from associated BankID certificate) Applicable for BankID and other IDPs derived from BankID.
|
exp | | openid | 1510498063 | Expiration time | Epoc time |
iat | | openid | 1510497763 | Issuing time | Epoc time |
iss | | openid | https://oidc-preprod.bankidapis.no/auth/realms/preprod | Issuer Identifier for the Issuer | |
jti | | openid | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 | Token identifier | |
nbf | | openid | 0 | Not before time | Epoc time |
nonce | | openid | <random value> | Nonce | |
session_state | | openid | abf823c2-9810-4133-9369-7bff1223d6c1 | GUID related to session-handling in Keycloak. | |
sub | | openid | e8c523ff-52a2-42e2-a7a5-f1d0fbb76204 | Subject Identifier | Personal Identifier from BankID (Serial number from associated BankID certificate) |
updated_at | | openid | 1468582440 | Update time | Epoc time of issuing time of associated BankID certificate |
at_hash | | openid | <hash value> | Access Token hash value | Included for hybrid- and implicit flows |
c_hash | | openid | <hash value> | Code hash value | Included for hybrid flow |
birthdate | | profile | 1966-12-18 | Birthdate | BirthDate from associated BankID certificate |
family_name | | profile | Nilsen | Surname (last name) | |
given_name | | profile | Frode Beckmann | Given name (first name) | |
name | | profile | Nilsen, Frode Beckmann | Full name | CommonName from associated BankID certificate |
preferred_username | | profile | Nilsen, Frode Beckmann | Shorthand name | |
nnin_altsub | | nnin_altsub | 181266***** | Norwegian National Identity Number (fødselsnummer) as alternate Subject Identifier | Providing eligible OIDC clients nnin as a reference to already existing users. Only availble with authorization code flow. Other flows would expose nnin via the IDToken flowing through the end-user browser. For acces to nnin for eligible OIDC clients for enrollment of new users, see TINFO. |