Refresh Tokens
In parallel to supporting a Default Access Token used by the TINFO service, this release of the OIDC Provider from BankID also supports a corresponding Default Refresh Token. As the table below suggests, the Refresh Token contains only a minimum of information compared to both the ID Token and the Access Token. The purpose of Refresh Tokens is to enhance security by keeping the lifetime of Access Tokens short. An expired Access Token can easily be replaced with a new Access Token (without any user interaction) via the Refresh Token that was issued along with the most recent Access Token, but with a longer lifetime than the Access Token itself.
The supported Default Refresh Token originates from Keycloak and has the following characteristics. The Refresh Token can be used by VAS services other than TINFO (VAS) by replacing the aud attribute with a different value.
Claim | Example | Description | Comment |
---|---|---|---|
typ | Refresh | Token type | Type of token |
aud | tinfo | Audience | Always includes client_id |
auth_time | 1510497762 | Authentication time | Epoch time |
azp | oidc_testclient | Authorized party | Equals client_id |
exp | 1510498063 | Expiration time | Epoch time |
iat | 1510497763 | Issuing time | Epoch time |
iss | https://oidc-preprod.bankidapis.no/auth/realms/preprod | Issuer Identifier for the Issuer | |
jti | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 | Token identifier | |
nbf | 0 | Not before time | Epoch time |
nonce | <random value> | Nonce | |
session_state | abf823c2-9810-4133-9369-7bff1223d6c1 | GUID related to session handling in Keycloak | |
sub | e8c523ff-52a2-42e2-a7a5-f1d0fbb76204 | Subject Identifier | Personal Identifier from BankID (serial number from the associated BankID certificate) |
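As an added example (not BankID's or Keycloak's own code), a relying-party-side check of a stored Default Refresh Token against the claims in the table above, in Python: it decodes the JWT payload and lists the reasons the token should not be sent for a refresh (wrong typ or issuer, aud not containing the client_id, azp not equal to client_id, exp or nbf outside the current time). The token is a constructed, unsigned sample built from the table's values; aud is assumed to be a list holding both tinfo and the client_id, and signature verification is left to the Provider.

```python
import base64
import json

# Constructed sample values, not a real BankID token; the issuer URL and claim
# values are the ones quoted in the table above.
ISSUER = "https://oidc-preprod.bankidapis.no/auth/realms/preprod"
CLIENT_ID = "oidc_testclient"
SAMPLE_CLAIMS = {"typ": "Refresh", "aud": ["tinfo", CLIENT_ID], "azp": CLIENT_ID,
                 "iat": 1510497763, "nbf": 0, "exp": 1510498063, "iss": ISSUER,
                 "sub": "e8c523ff-52a2-42e2-a7a5-f1d0fbb76204"}

def _b64url(segment: str) -> bytes:
    """base64url decode, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Payload claims of a compact JWT (header.payload.signature). The
    signature is not verified here: a relying party only inspects its own
    stored token to decide whether to attempt a refresh; the Provider
    verifies the signature when the token is presented."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url(parts[1]))

def refresh_token_problems(claims: dict, client_id: str, issuer: str, now: int) -> list:
    """Reasons not to use a stored refresh token, per the claim table above."""
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    checks = [
        (claims.get("typ") == "Refresh", "typ is not Refresh"),
        (claims.get("iss") == issuer, "unexpected issuer"),
        (client_id in aud, "aud does not include client_id"),
        (claims.get("azp") == client_id, "azp does not equal client_id"),
        (now < int(claims.get("exp", 0)), "expired"),
        (now >= int(claims.get("nbf", 0)), "not yet valid (nbf)"),
    ]
    return [reason for ok, reason in checks if not ok]

def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned (alg none) JWT for this demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."

def should_refresh(token: str, now: int, client_id=CLIENT_ID, issuer=ISSUER) -> bool:
    """True when the stored refresh token is usable at epoch time `now`."""
    return not refresh_token_problems(decode_claims(token), client_id, issuer, now)
```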