OIDC Clients must authenticate with the OIDC Provider for the Token and Introspect Endpoints.

Among the standardized authentication methods the following are currently supported by the OIDC Provider from BankID:

Default

client_secret_basic according to OAuth2 using the HTTP Basic authentication scheme
client_secret_post according to OAuth2 by including the Client Credentials (client_id and client_secret) in the request body

Per request

private_key_jwt in accordance with JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants and Assertion Framework for OAuth 2 0 Client Authentication and Authorization Grants.
client_secret_jwt in accordance with JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants and Assertion Framework for OAuth 2 0 Client Authentication and Authorization Grants.

In order to use private_key_jwt or client_secret_jwt the merchant must send a request to BankID support as the options are not available when ordering a new client.

For private_key_jwt, the request must include a public URL that returns the public keys that should be used to verify the signature as a JSON Web Key Set (JWKS).

OIDC Clients requesting access to VAS-services that uses the OIDC Provider for authorization must in addition authenticate with VAS-Servers using Access Tokens from the OIDC Provider. The type of Access Token and also the scheme for passing such tokens to resource servers are specific for each of the supported kinds of services.

Browser not supported