ID Token

The OpenID Connect Provider from BankID provides ID Tokens with claims as shown in the below table. The origin column indicates non-standard claims. Such claims are either added by Keycloak or the result of customization made by the BankID OIDC Provider.

The ID token structure builds on Keycloak. Three different token configurations are supported as suggested by the scope column, corresponding to three different combinations of the standard scopes openid and profile and the custom scope nnin_altsub.

A Minimum ID Token (scope = openid) that contains a minimum set of claims, among which sub and bankid_altsub are the only claims that are linked to the actual user. A minimum ID Token can be used by OIDC Clients that need to authenticate end-users in an anonumous way. The sub and bankid_altsub values do not identify the user unless they are linked by the OIDC Client to other claims about the end user associated that identifies him more precisely.
A Regular ID Token (scope = openid profile) that builds on a minimum ID Token by adding claims that identifies the end-user by his name and birthdate.
An Enchanced ID Token (scope = ....... nnin_altsub) that builds either on a minimum ID Token or a regular ID Token by adding a claim containing the Norwegian National Identity Number of the end-user.

The Eligibility column indicates if a claim is available for any OIDC client or if specific conditions apply. In the latter case eligible OIDC clients must be configured for access in the provisioning process.

Note finally that the OIDC Provider from BankID supports signed ID Tokens in JWT format. The below table shows claims in the payload part of the JWT. Claims contained in the JWT header are not shown.

Claim	Origin	Scope	Example	Eligibility	Description	Comment

Claim	Origin	Scope	Example	Eligibility	Description	Comment
Minimum ID Token part
`typ`	Keycloak	`openid`	`ID`	Any	Token type	Always `ID` for ID Tokens
`acr`	Standard	`openid`	`urn:bankid:bid;LOA=4`	Any	Authentication Context Class Reference	Uniform Resource Name for IDP option being used, including Level of Assurance (LoA)
`amr`	Standard	`openid`	`Version 1: BID` `From Version 2: ["bid"]`	Any	Authentication Method Reference	Name of IDP options being used to authenticate the end-user. From API version 2, this value is changed from String to list of strings - as per the standard. If the end-user is subject to authentication step-up, note that this value may differ from any `amr` value specified in the `login_hint` parameter of the Authorize end-point.
`aud`	Standard	`openid`	`oidc_testclient`	Any	Audience	Always `client_id`
`auth_time`	Standard	`openid`	`1510497762`	Any	Authentication time	Epoc time
`azp`	Standard	`openid`	`oidc_testclient`	Any	Authorized party	Equals `client_id`
`bankid_altsub`	Custom	`openid`	`9578-5999-4-1765512`	Any	Alternate BankID Subject Identifier	Personal Identifier (PID) / Serial Number) from associated BankID certificate.
`originator`	`Custom`	`openid`	`CN=BankID Bankenes ID-tjeneste Bank CA 2,` `OU=988477052,` `O=Bankenes ID-tjeneste AS,*` `C=NO;OrginatorId=9775;OriginatorName=Gjensidige Bank RA 1`	Any	Issuer DName of the identity	In case of BID or BIM, the issuer of the end user certificate is returned.
`exp`	Standard	`openid`	`1510498063`	Any	Expiration time	Epoc time. Corresponds to a forward session window after `iat`
`iat`	Standard	`openid`	`1510497763`	Any	Issuing time	Epoc time Equal to `auth_time` for new sessions. Is otherwise set at each session refresh.
`iss`	Standard	`openid`	`<`oidc-baseurl`>`	Any	Issuer Identifier for the Issuer
`jti`	Standard	`openid`	`7f22fd6a-3d46-4d5a-ae56-6de3c53e1873`	Any	Token identifier
`nbf`	Standard	`openid`	`0`	Any	Not before time	Epoc time
`nonce`	Standard	`openid`	<random value>	Any	Nonce
`session_state`	Keycloak	`openid`	`abf823c2-9810-4133-9369-7bff1223d6c1`	Any	GUID related to session handling
`sub`	Standard	`openid`	`e8c523ff-52a2-42e2-a7a5-f1d0fbb76204`	Any	Subject Identifier	GUID that uniquely identifies the end user across the different IDPs
`updated_at`	Standard	`openid`	`1468582440`	Any	Update time	Epoc time of issuing / create / enrollment of ID in question.
`tid`	Custom	`openid`	`2e1eebb7-d5d7-4c55-9410-6ab178070a1c`	Any	Transaction ID (reference) for the completed authentication session	Currently used as an input parameter for the securityData endpoint of the Fraud Data service
`additionalCertInfo`	Custom	`openid`	`{` `"certValidFrom": 1554448774000,` `"serialNumber": "1055610",` `"keyAlgorithm": "RSA",` `"keySize": "2048",` `"policyOid": "2.16.578.1.16.1.12.1.1",` `"monetaryLimitAmount": "100000",` `"certQualified": true,` `"monetaryLimitCurrency": "NOK",` `"certValidTo": 1617607174000,` `"versionNumber": "3",` `"subjectName": "CN=Nilsen\\, Frode Beckmann,O=TestBank1 AS,` `C=NO,SERIALNUMBER=9578-6000-4-353032"` `}`	Any	Additional information about the end user certificate.	Only applicable for BIM and BID IDPs, not BIS
`api_ver`	Custom	`openid`	`2`	When providing api_version
Regular ID Token part
`birthdate`	Standard	`profile`	`1966-12-18`	Any	Birthdate	From associated BankID certificate
`family_name`	Standard	`profile`	`Nilsen`	Any	Surname (last name)	From associated BankID certificate
`given_name`	Standard	`profile`	`Frode Beckmann`	Any	Given name (first name)	From associated BankID certificate
`name`	Standard	`profile`	`Frode Beckmann Nilsen`	Any	Full name	From associated BankID certificate
Enhanced ID Token part
`nnin_altsub`	Custom	`nnin_altsub`	`181266*****`	Available for OIDC clients that uses national identiy number as userID for its already existing users.	Norwegian National Identity Number as alternate Subject Identifier	Only available with authorization code flow.