Client authentication
OIDC Clients must authenticate with the OIDC Provider for the Token and Introspect Endpoints.
Among the standardized authentication methods, the following are currently supported by the OIDC Provider from BankID:
Default:
client_secret_basic: according to OAuth2, using the HTTP Basic authentication scheme
client_secret_post: according to OAuth2, by including the Client Credentials (client_id and client_secret) in the request body
Per request:
private_key_jwt: in accordance with JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants and Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
client_secret_jwt: in accordance with the same JWT Profile and Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
In order to use private_key_jwt or client_secret_jwt, the merchant must send a request to BankID support, as these options are not available when ordering a new client.
For private_key_jwt, the request must include a public URL that returns, as a JSON Web Key Set (JWKS), the public keys that should be used to verify the signature.
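The following is an added example, not code from BankID's OIDC Provider: it builds the client_assertion a client_secret_jwt client would send to the Token Endpoint and shows the checks a provider performs on it (algorithm pinned, HMAC over the client's secret, aud equal to the token endpoint, exp, and jti replay). Client id, secret and endpoint URL are constructed values; private_key_jwt uses the same claim set but an asymmetric signature verified against the client's JWKS.

```python
import base64, hashlib, hmac, json, time, uuid

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_secret_jwt(client_id, client_secret, token_endpoint, now=None, ttl=60):
    """Client side: build the client_assertion (HS256 keyed with the client secret)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + ttl}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_client_assertion(assertion, secrets, token_endpoint, seen_jti, now=None):
    """Provider side: (client_id, None) when accepted, (None, reason) when rejected."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = assertion.split(".")
        header, claims = (json.loads(_b64url_decode(p)) for p in (h_b64, c_b64))
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError
    except ValueError:
        return None, "malformed"
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        return None, "unexpected alg"
    client_id = claims.get("iss")
    if client_id is None or claims.get("sub") != client_id or client_id not in secrets:
        return None, "unknown client"
    expected = hmac.new(secrets[client_id].encode(), f"{h_b64}.{c_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        return None, "bad signature"
    if claims.get("aud") != token_endpoint:   # assertion must be bound to this endpoint
        return None, "wrong audience"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None, "expired"
    jti = claims.get("jti")
    if not jti or jti in seen_jti:            # each assertion is single-use
        return None, "replayed jti"
    seen_jti.add(jti)
    return client_id, None

# Constructed sample values (not real BankID identifiers).
SECRETS = {"merchant-123": "s3cr3t-constructed"}
TOKEN_ENDPOINT = "https://oidc.example.test/token"
```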
OIDC Clients requesting access to VAS services that use the OIDC Provider for authorization must in addition authenticate with VAS servers using Access Tokens from the OIDC Provider. The type of Access Token, and the scheme for passing such tokens to resource servers, are specific to each of the supported kinds of services.