Document toolboxDocument toolbox

Token

Token is a standard endpoint used for requesting ID TokenAccess Token and Refresh Token.

In addition, BankID OIDC extends the token response with the BankID Proof token, if requested. The type of request (and corresponding response) is determined by the grant_type request parameter as described further below. 

Overview

URLhttps://<oidc-baseurl>/protocol/openid-connect/token
RequestPOST with parameters in body as application/x-www-form-urlencoded data
AuthenticationOIDC/OAuth2 client authentication according to supported methods
Success response200 OK with JSON containing response elements
Error response400 Bad request with JSON containing standard error reponse elements
ExampleSee below

The recommended practice for merchants is to use the Token URL from Openid-configuration rather than hardcoding the below URL value.

Type of requests

The OIDC Provider supports three different grant types as described in the following, each with a corresponding set of request parameters. In addition comes request parameters related to Client authentication.

Authorization Code

This grant type is associated with the Authorization code flow with PKCE. In both cases the other parameters shown below are related to a preceeding Authorize request that involves interaction with the end-user.

NameDescription
grant_typeauthorization_code
codeValue from response of the preceding Authorize request
redirect_uri

redirect_uri used in the preceding Authorize request.

code_verifier

A cryptographically random string generated by the merchant before making Authorize request. See full guide.

Example request:

POST /auth/realms/current/protocol/openid-connect/token HTTP/1.1
Host: auth.current.bankid.no
Authorization: Basic b2lkYy10ZXN0Y2xpZW50OjAxMjM0NTY3LTg5YWItY2RlZi0wMTIzLTQ1Njc4OWFiY2RlZg==
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&client_id=your-client-id
&code=code=authorization-code-from-callback
&redirect_uri=https%3A%2F%2Fmywebapp.example.org%2Fcallback
&code_verifier=your-code-verifier

Client Credentials

This grant type is associated with the Client credential flow. This grant type does not involve any end-user interaction and is not related to any preceding Authorize request.

NameDescription
grant_typeclient_credentials
scopeList of scopes specifying what kind of resources (dataset) the OIDC Client requests access to.

Example request:

POST /auth/realms/current/protocol/openid-connect/token HTTP/1.1
Host: auth.current.bankid.no
User-Agent: curl/7.64.1
Accept: */*
Authorization: Basic b2lkYy10ZXN0Y2xpZW50OjAxMjM0NTY3LTg5YWItY2RlZi0wMTIzLTQ1Njc4OWFiY2RlZg==
Content-Length: 54
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&scope=signdoc/read_write

Refresh Token

This grant type is used to refresh a previously issued Access Token via a corresponding Refresh Token issued along with the previous Access Token.

NameDescription
grant_typerefresh_token
refresh_tokenJWT value for the refresh token from any foregoing Token response
scope

Requested scopes for the new set of tokens. Note: The scopes must be identical to or narrower that the original scopes of the associated Authorize request. Note that scope values are case-sensitive.

Response elements

Responses are similar for Authorization Code and Refresh Token but different for Client Credentials.

Authorization Code and Refresh Token

The response for Authorization Code and Refresh Token is a JSON structure according to Keycloak default with the following claims

NameDescriptionComment
id_tokenJWT encoded ID TokenStandard claim with Keycloak specific content
access_tokenJWT encoded Access TokenStandard claim with Keycloak specific content
token_typeAlways bearerStandard claim. Change notice: Will be changed to Bearer
expires_inLife-time of access_token.Standard claim. Related to the exp claim inside the Access Token. See session handling
refresh_token

JWT encoded Refresh Token  

Standard claim with Keycloak specific content
refresh_expires_inLife-time of refresh_tokenKeycloak specific claim. Related to the exp claim inside the Refresh Token. See session handling 
bankid_proofJWT encoded BankID Proof TokenBankID OIDC custom claim that includes proof of BankID authentication. Included if requested using the bankid_proof scope.
not-before-policyTBDKeycloak specific claim
session_stateTBD

Keycloak specific claim. Depreciation notice: Will be replaced by sid

sidSession IDKeycloak specific claim.

Client Credentials

The response for Client Credentials is a JSON structure similar to that for Authorization Code and Refresh Token with the exception that the id_token claim is not present.

Example

Authorization code grant token exchange

The following example shows a request / response pair for an authorization code grant token exchange.

Authorization Code Exchange
POST /auth/realms/current/protocol/openid-connect/token HTTP/1.1
Host: auth.current.bankid.no
Authorization: Basic b2lkYy10ZXN0Y2xpZW50OjAxMjM0NTY3LTg5YWItY2RlZi0wMTIzLTQ1Njc4OWFiY2RlZg==
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&redirect_uri=https%3A%2F%2Ftestclient.local%3A8487%2Fcallback
&code=521e89e9-5b3e-49d2-9647-2aeed215c5d7.66801cef-7746-4391-a018-43bda5c7002b.0ab47fe7-0373-4b80-b517-065f5a5a3769
&code_verifier=your-code-verifier

HTTP/1.1 200 OK
Date: Wed, 18 Aug 2021 11:27:37 GMT
Server: web
Cache-Control: no-store
X-XSS-Protection: 1; mode=block
Pragma: no-cache
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Content-Type: application/json
Content-Length: 4301

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3VkZaSVp2UlBOY1lSUUZUcEQ4MHVJaElpVVB4WUNkaEtoUjZudjJDQnJnIn0.eyJleHAiOjE2MjkyODYzNTcsImlhdCI6MTYyOTI4NjA1NywiYXV0aF90aW1lIjoxNjI5Mjg1OTk4LCJqdGkiOiI2MzE5M2JlYS0zYzA3LTRhNGQtODY3YS02NWJjYzk3MDQ2NDgiLCJpc3MiOiJodHRwczovL2F1dGguY3VycmVudC5iYW5raWQubm8vYXV0aC9yZWFsbXMvY3VycmVudCIsImF1ZCI6InRpbmZvIiwic3ViIjoiMmNkN2NlY2QtZDQ0NC00Njg1LWJiMDQtOGJiZmRiNDVhMDY5IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoib2lkYy10ZXN0Y2xpZW50Iiwibm9uY2UiOiJkZW1vTm9uY2UiLCJzZXNzaW9uX3N0YXRlIjoiNjY4MDFjZWYtNzc0Ni00ZGQ2LWEwMTgtNDNiZGE1YzcwMDJiIiwibmFtZSI6IlRlc3QgVXNlciBCYW5rSUQiLCJnaXZlbl9uYW1lIjoiVGVzdCBVc2VyIiwiZmFtaWx5X25hbWUiOiJCYW5rSUQiLCJiaXJ0aGRhdGUiOiIyMDE4LTA1LTA5IiwiYWNyIjoidXJuOmJhbmtpZDpiaWQ7TE9BPTQiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsicHJvZmlsZSJdfSwicmVzb3VyY2VfYWNjZXNzIjp7InRpbmZvIjp7InJvbGVzIjpbInByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIiwiYW1yIjoiQklEIiwicmVzb3VyY2VfY2xhaW1zIjp7fSwiYmFua2lkX2FsdHN1YiI6Ijk1NzgtNjAwMC00LTYzNDU4MiIsIm9yaWdpbmF0b3IiOiJDTj1CYW5rSUQgLSBUZXN0QmFuazEgLSBCYW5rIENBIDMsT1U9MTIzNDU2Nzg5LE89VGVzdEJhbmsxIEFTLEM9Tk87T3JnaW5hdG9ySWQ9OTk4MDtPcmlnaW5hdG9yTmFtZT1CSU5BUztPcmlnaW5hdG9ySWQ9OTk4MCJ9.n1DGMVcHmEB5wL03QkE51cqAtl5uUr-slOd89lfy_ufF9U_X8JypI8WG_PXieX6eXMiFwR0vak3DtHKKmnx0Y1qRtfKAM12m1c6EvqrhbMa3NvLtdZoAQ8YfmQ2sB2bSg4bmtB4iEDbO9eLrMc1bb0yyFuT3bbQr0cqcLl5u3Ig0ZsNNoyRV-XJBfLEWjswEsPag6xwu6AG_4K1lDaqGiFM4XoQl0LrDAN0Wz9RGYyR7eBrohvfV22XZCZadt-T7Dyc6gr_UIY8tyoA3Lh7rXtnzxybL8a4rWDHAACp5VSFLRLS_61yumrB4g5AwJvdj0MF6ngJzHj2XyF0Eu3MdfA",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjMWJjNDkyYy1jNDYwLTQ1ZWItYTQ5Yi1hYjAxY2IyZGJkOGIifQ.eyJleHAiOjE2MjkyODc4NTcsImlhdCI6MTYyOTI4NjA1NywianRpIjoiNTM2NjI5ZTgtZWIzZS00MmY1LTgxYTAtMmUzZWJiZTI2ZGM3IiwiaXNzIjoiaHR0cHM6Ly9hdXRoLmN1cnJlbnQuYmFua2lkLm5vL2F1dGgvcmVhbG1zL2N1cnJlbnQiLCJhdWQiOiJodHRwczovL2F1dGguY3VycmVudC5iYW5raWQubm8vYXV0aC9yZWFsbXMvY3VycmVudCIsInN1YiI6IjJjZDdjZWNkLWQ0NDQtNDY4NS1iYjA0LThiYmZkYjQ1YTA2OSIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJvaWRjLXRlc3RjbGllbnQiLCJub25jZSI6ImRlbW9Ob25jZSIsInNlc3Npb25fc3RhdGUiOiI2NjgwMWNlZi03NzQ2LTRkZDYtYTAxOC00M2JkYTVjNzAwMmIiLCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIn0.LwE6_mB1JSIF9EfjlP5cQeoQjvnGTzxtaVR2Qae4WIM",
    "token_type": "bearer",
    "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3VkZaSVp2UlBOY1lSUUZUcEQ4MHVJaElpVVB4WUNkaEtoUjZudjJDQnJnIn0.eyJleHAiOjE2MjkyODYzNTcsImlhdCI6MTYyOTI4NjA1NywiYXV0aF90aW1lIjoxNjI5Mjg1OTk4LCJqdGkiOiI1NDM5NjM5Mi0wZDdkLTQ0OTUtYjZlMy0xYTQ5NjZmOWM0ZmEiLCJpc3MiOiJodHRwczovL2F1dGguY3VycmVudC5iYW5raWQubm8vYXV0aC9yZWFsbXMvY3VycmVudCIsImF1ZCI6Im9pZGMtdGVzdGNsaWVudCIsInN1YiI6IjJjZDdjZWNkLWQ0NDQtNDY4NS1iYjA0LThiYmZkYjQ1YTA2OSIsInR5cCI6IklEIiwiYXpwIjoib2lkYy10ZXN0Y2xpZW50Iiwibm9uY2UiOiJkZW1vTm9uY2UiLCJzZXNzaW9uX3N0YXRlIjoiNjY4MDFjZWYtNzc0Ni00ZGQ2LWEwMTgtNDNiZGE1YzcwMDJiIiwibmFtZSI6IlRlc3QgVXNlciBCYW5rSUQiLCJnaXZlbl9uYW1lIjoiVGVzdCBVc2VyIiwiZmFtaWx5X25hbWUiOiJCYW5rSUQiLCJiaXJ0aGRhdGUiOiIyMDE4LTA1LTA5IiwidXBkYXRlZF9hdCI6MTYyOTI4MDYyMDAwMCwiYWNyIjoidXJuOmJhbmtpZDpiaWQ7TE9BPTQiLCJhbXIiOiJCSUQiLCJiYW5raWRfYWx0c3ViIjoiOTU3OC02MDAwLTQtNjM0NTgyIiwib3JpZ2luYXRvciI6IkNOPUJhbmtJRCAtIFRlc3RCYW5rMSAtIEJhbmsgQ0EgMyxPVT0xMjM0NTY3ODksTz1UZXN0QmFuazEgQVMsQz1OTztPcmdpbmF0b3JJZD05OTgwO09yaWdpbmF0b3JOYW1lPUJJTkFTO09yaWdpbmF0b3JJZD05OTgwIiwiYWRkaXRpb25hbENlcnRJbmZvIjp7ImNlcnRWYWxpZEZyb20iOjE2MjkyODA2MjAwMDAsInNlcmlhbE51bWJlciI6IjE3MjI3NDQiLCJrZXlBbGdvcml0aG0iOiJSU0EiLCJrZXlTaXplIjoiMjA0OCIsInBvbGljeU9pZCI6IjIuMTYuNTc4LjEuMTYuMS4xMi4xLjEiLCJtb25ldGFyeUxpbWl0QW1vdW50IjoiMTAwMDAwIiwiY2VydFF1YWxpZmllZCI6dHJ1ZSwibW9uZXRhcnlMaW1pdEN1cnJlbmN5IjoiTk9LIiwiY2VydFZhbGlkVG8iOjE2OTIzNTI2MjAwMDAsInZlcnNpb25OdW1iZXIiOiIzIiwic3ViamVjdE5hbWUiOiJDTj1CYW5rSURcXCwgVGVzdCBVc2VyLE89VGVzdEJhbmsxIEFTLEM9Tk8sU0VSSUFMTlVNQkVSPTk1NzgtNjAwMC00LTYzNDU4MiJ9LCJ0aWQiOiIxMWRhYzNiMi04NGEzLTRjODQtOGQ5ZC1hODE5YzkwNmI3ODIifQ.olwtV8Hr7X-t-pcBx-4m8pj9BBQhkkxgD_dJo8NTV-MefnZljVGfXOSmXURo2H0OmLCFvMst_KXmuIw9XWVd_djl-EQACkD1Tu4ABT6T-kT8EvRU61JFrLGD5iypKAf3y91UJS3wUS6Mkxj273ITBPZa6tqLeugL712GaQoyDllEEluFfXrV7-MUTRt9f80b_rfY9mq8wpw84mycKUukJGZOqpBRgiME_i2WiFdAqEgqU3zNrCEW90NecBHF8xGgGQvD34dCn1djVImrYKeTxb7wNAxH-lUUVw4jB-51yIHV6fzfLixYz6eDpYjq0hlTRXo0sEoV-tpDuh7HmbV94A",
    "not-before-policy": 0,
    "session_state": "66801cef-7746-4dd6-a018-43bda5c7002b",
    "scope": "openid profile"
}


The following are decoding of the tokens returned in the above response:

Decoded Tokens
Access Token
{
  "jti": "5bebba2e-e10c-47d8-a63c-92ab55b4bb4f",
  "exp": 1510838469,
  "nbf": 0,
  "iat": 1510838169,
  "iss": "https://oidc-preprod.bankidapis.no/auth/realms/preprod",
  "aud": "tinfo",
  "sub": "b3f4d919-8cc5-413c-9e11-3c2c675b2f8f",
  "typ": "Bearer",
  "azp": "Postman",
  "auth_time": 1510838050,
  "session_state": "bf0a4c9f-2d00-43d8-8288-01b83ab1e580",
  "name": "Frode Beckmann Nilsen",
  "given_name": "Frode Beckmann",
  "family_name": "Nilsen",
  "acr": "4",
  "allowed-origins": [],
  "realm_access": {
    "roles": [
      "nnin_altsub",
      "profile"
    ]
  },
  "resource_access": {
    "tinfo": {
      "roles": [
        "address",
        "phone",
        "email"
      ]
    }
  },
  "amr": "BID",
  "bankid_altsub": "9578-6000-4-30799"
} 
 
Refresh Token
{
    "exp": 1629287857,
    "iat": 1629286057,
    "jti": "536629e8-eb3e-42f5-81a0-2e3ebbe26dc7",
    "iss": "https://auth.current.bankid.no/auth/realms/current",
    "aud": "https://auth.current.bankid.no/auth/realms/current",
    "sub": "2cd7cecd-d444-4685-bb04-8bbfdb45a069",
    "typ": "Refresh",
    "azp": "oidc-testclient",
    "nonce": "demoNonce",
    "session_state": "66801cef-7746-4dd6-a018-43bda5c7002b",
    "scope": "openid profile"
}
 
ID Token
{
    "exp": 1629286357,
    "iat": 1629286057,
    "auth_time": 1629285998,
    "jti": "54396392-0d7d-4495-b6e3-1a4966f9c4fa",
    "iss": "https://auth.current.bankid.no/auth/realms/current",
    "aud": "oidc-testclient",
    "sub": "2cd7cecd-d444-4685-bb04-8bbfdb45a069",
    "typ": "ID",
    "azp": "oidc-testclient",
    "nonce": "demoNonce",
    "session_state": "66801cef-7746-4dd6-a018-43bda5c7002b",
    "name": "Test User BankID",
    "given_name": "Test User",
    "family_name": "BankID",
    "birthdate": "2018-05-09",
    "updated_at": 1629280620000,
    "acr": "urn:bankid:bid;LOA=4",
    "amr": "BID",
    "bankid_altsub": "9578-6000-4-634582",
    "originator": "CN=BankID - TestBank1 - Bank CA 3,OU=123456789,O=TestBank1 AS,C=NO;OrginatorId=9980;OriginatorName=BINAS;OriginatorId=9980",
    "additionalCertInfo": {
        "certValidFrom": 1629280620000,
        "serialNumber": "1722744",
        "keyAlgorithm": "RSA",
        "keySize": "2048",
        "policyOid": "2.16.578.1.16.1.12.1.1",
        "monetaryLimitAmount": "100000",
        "certQualified": true,
        "monetaryLimitCurrency": "NOK",
        "certValidTo": 1692352620000,
        "versionNumber": "3",
        "subjectName": "CN=BankID\\, Test User,O=TestBank1 AS,C=NO,SERIALNUMBER=9578-6000-4-634582"
    },
    "tid": "11dac3b2-84a3-4c84-8d9d-a819c906b782"
}

Refresh token exchange

The following example shows a request / response pair for an Refresh Token Exchange with the Token endpoint corresponding to the above example on a Authorization Code Exchange. 

Refresh Token Exchange
POST /auth/realms/current/protocol/openid-connect/token HTTP/1.1
Host: auth.current.bankid.no
Authorization: Basic b2lkYy10ZXN0Y2xpZW50OmYwOTg5NjgxLTkyM2YtNGUyYi1iMzRjLWU5NGQwOWIyYjIxYw==
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&scope=openid+profile&refresh_token=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjMWJjNDkyYy1jNDYwLTQ1ZWItYTQ5Yi1hYjAxY2IyZGJkOGIifQ.eyJleHAiOjE2MjkyODc4NTcsImlhdCI6MTYyOTI4NjA1NywianRpIjoiNTM2NjI5ZTgtZWIzZS00MmY1LTgxYTAtMmUzZWJiZTI2ZGM3IiwiaXNzIjoiaHR0cHM6Ly9hdXRoLmN1cnJlbnQuYmFua2lkLm5vL2F1dGgvcmVhbG1zL2N1cnJlbnQiLCJhdWQiOiJodHRwczovL2F1dGguY3VycmVudC5iYW5raWQubm8vYXV0aC9yZWFsbXMvY3VycmVudCIsInN1YiI6IjJjZDdjZWNkLWQ0NDQtNDY4NS1iYjA0LThiYmZkYjQ1YTA2OSIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJvaWRjLXRlc3RjbGllbnQiLCJub25jZSI6ImRlbW9Ob25jZSIsInNlc3Npb25fc3RhdGUiOiI2NjgwMWNlZi03NzQ2LTRkZDYtYTAxOC00M2JkYTVjNzAwMmIiLCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIn0.LwE6_mB1JSIF9EfjlP5cQeoQjvnGTzxtaVR2Qae4WIM

HTTP/1.1 200 OK
Date: Wed, 18 Aug 2021 11:53:21 GMT
Server: web
Cache-Control: no-store
X-XSS-Protection: 1; mode=block
Pragma: no-cache
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Content-Type: application/json
Content-Length: 4301

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3VkZaSVp2UlBOY1lSUUZUcEQ4MHVJaElpVVB4WUNkaEtoUjZudjJDQnJnIn0.eyJleHAiOjE2MjkyODc5MDEsImlhdCI6MTYyOTI4NzYwMSwiYXV0aF90aW1lIjoxNjI5Mjg1OTk4LCJqdGkiOiJmMWUwZDczZi1iNWYxLTRlZWYtOTZjOS1jN2NmNWI3N2U1NWIiLCJpc3MiOiJodHRwczovL2F1dGguY3VycmVudC5iYW5raWQubm8vYXV0aC9yZWFsbXMvY3VycmVudCIsImF1ZCI6InRpbmZvIiwic3ViIjoiMmNkN2NlY2QtZDQ0NC00Njg1LWJiMDQtOGJiZmRiNDVhMDY5IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoib2lkYy10ZXN0Y2xpZW50Iiwibm9uY2UiOiJkZW1vTm9uY2UiLCJzZXNzaW9uX3N0YXRlIjoiNjY4MDFjZWYtNzc0Ni00ZGQ2LWEwMTgtNDNiZGE1YzcwMDJiIiwibmFtZSI6IlRlc3QgVXNlciBCYW5rSUQiLCJnaXZlbl9uYW1lIjoiVGVzdCBVc2VyIiwiZmFtaWx5X25hbWUiOiJCYW5rSUQiLCJiaXJ0aGRhdGUiOiIyMDE4LTA1LTA5IiwiYWNyIjoidXJuOmJhbmtpZDpiaWQ7TE9BPTQiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsicHJvZmlsZSJdfSwicmVzb3VyY2VfYWNjZXNzIjp7InRpbmZvIjp7InJvbGVzIjpbInByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIiwiYW1yIjoiQklEIiwicmVzb3VyY2VfY2xhaW1zIjp7fSwiYmFua2lkX2FsdHN1YiI6Ijk1NzgtNjAwMC00LTYzNDU4MiIsIm9yaWdpbmF0b3IiOiJDTj1CYW5rSUQgLSBUZXN0QmFuazEgLSBCYW5rIENBIDMsT1U9MTIzNDU2Nzg5LE89VGVzdEJhbmsxIEFTLEM9Tk87T3JnaW5hdG9ySWQ9OTk4MDtPcmlnaW5hdG9yTmFtZT1CSU5BUztPcmlnaW5hdG9ySWQ9OTk4MCJ9.ovary8mYylT5vsEgJ1ZF2yu1FbIIlnymsmjPhGTSCdGWCD08y03qrk6Nf6af_-ohM6kv33HQvWKcGL1Cuq_a5TEhKTgPyldXnTBnn1Fu9T33UlqwXiQWpi4o_ONOpZH6wO03R2-KgmKbPli7yzB_Xh_cD4sJy3zRK3d6veGP6Bjre5EMSyiAH3wpRhH7kmrdBkyaqKqRK8xfnnh-tu-7VSqurEM1km18a5dUw1uTozO-y2bFKrBt2ZWAsjVdLsBxTw8k-2oDBPpcyJ6_NubDJwrwGjfEgN4zz8GawHvcivQ1jCE1dMW7k3P8_bTQ5FVOQkyAY0PJRRCcuoobCUp_cA",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjMWJjNDkyYy1jNDYwLTQ1ZWItYTQ5Yi1hYjAxY2IyZGJkOGIifQ.eyJleHAiOjE2MjkyODk0MDEsImlhdCI6MTYyOTI4NzYwMSwianRpIjoiYWQyNDIwMzItNjgyNy00MTcwLTg5ZDEtNmE1ZDRjN2EzZTEwIiwiaXNzIjoiaHR0cHM6Ly9hdXRoLmN1cnJlbnQuYmFua2lkLm5vL2F1dGgvcmVhbG1zL2N1cnJlbnQiLCJhdWQiOiJodHRwczovL2F1dGguY3VycmVudC5iYW5raWQubm8vYXV0aC9yZWFsbXMvY3VycmVudCIsInN1YiI6IjJjZDdjZWNkLWQ0NDQtNDY4NS1iYjA0LThiYmZkYjQ1YTA2OSIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJvaWRjLXRlc3RjbGllbnQiLCJub25jZSI6ImRlbW9Ob25jZSIsInNlc3Npb25fc3RhdGUiOiI2NjgwMWNlZi03NzQ2LTRkZDYtYTAxOC00M2JkYTVjNzAwMmIiLCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIn0.d5aLQRdmZny6H4BLbEJPVu5xpAh0jSSDIcD5pW-3yMU",
    "token_type": "bearer",
    "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3VkZaSVp2UlBOY1lSUUZUcEQ4MHVJaElpVVB4WUNkaEtoUjZudjJDQnJnIn0.eyJleHAiOjE2MjkyODc5MDEsImlhdCI6MTYyOTI4NzYwMSwiYXV0aF90aW1lIjoxNjI5Mjg1OTk4LCJqdGkiOiI3NDEwMzkxMC1iZTVjLTQ0MzAtYjhjNi1lNGI4MzVjY2UyNmUiLCJpc3MiOiJodHRwczovL2F1dGguY3VycmVudC5iYW5raWQubm8vYXV0aC9yZWFsbXMvY3VycmVudCIsImF1ZCI6Im9pZGMtdGVzdGNsaWVudCIsInN1YiI6IjJjZDdjZWNkLWQ0NDQtNDY4NS1iYjA0LThiYmZkYjQ1YTA2OSIsInR5cCI6IklEIiwiYXpwIjoib2lkYy10ZXN0Y2xpZW50Iiwibm9uY2UiOiJkZW1vTm9uY2UiLCJzZXNzaW9uX3N0YXRlIjoiNjY4MDFjZWYtNzc0Ni00ZGQ2LWEwMTgtNDNiZGE1YzcwMDJiIiwibmFtZSI6IlRlc3QgVXNlciBCYW5rSUQiLCJnaXZlbl9uYW1lIjoiVGVzdCBVc2VyIiwiZmFtaWx5X25hbWUiOiJCYW5rSUQiLCJiaXJ0aGRhdGUiOiIyMDE4LTA1LTA5IiwidXBkYXRlZF9hdCI6MTYyOTI4MDYyMDAwMCwiYWNyIjoidXJuOmJhbmtpZDpiaWQ7TE9BPTQiLCJhbXIiOiJCSUQiLCJiYW5raWRfYWx0c3ViIjoiOTU3OC02MDAwLTQtNjM0NTgyIiwib3JpZ2luYXRvciI6IkNOPUJhbmtJRCAtIFRlc3RCYW5rMSAtIEJhbmsgQ0EgMyxPVT0xMjM0NTY3ODksTz1UZXN0QmFuazEgQVMsQz1OTztPcmdpbmF0b3JJZD05OTgwO09yaWdpbmF0b3JOYW1lPUJJTkFTO09yaWdpbmF0b3JJZD05OTgwIiwiYWRkaXRpb25hbENlcnRJbmZvIjp7ImNlcnRWYWxpZEZyb20iOjE2MjkyODA2MjAwMDAsInNlcmlhbE51bWJlciI6IjE3MjI3NDQiLCJrZXlBbGdvcml0aG0iOiJSU0EiLCJrZXlTaXplIjoiMjA0OCIsInBvbGljeU9pZCI6IjIuMTYuNTc4LjEuMTYuMS4xMi4xLjEiLCJtb25ldGFyeUxpbWl0QW1vdW50IjoiMTAwMDAwIiwiY2VydFF1YWxpZmllZCI6dHJ1ZSwibW9uZXRhcnlMaW1pdEN1cnJlbmN5IjoiTk9LIiwiY2VydFZhbGlkVG8iOjE2OTIzNTI2MjAwMDAsInZlcnNpb25OdW1iZXIiOiIzIiwic3ViamVjdE5hbWUiOiJDTj1CYW5rSURcXCwgVGVzdCBVc2VyLE89VGVzdEJhbmsxIEFTLEM9Tk8sU0VSSUFMTlVNQkVSPTk1NzgtNjAwMC00LTYzNDU4MiJ9LCJ0aWQiOiIxMWRhYzNiMi04NGEzLTRjODQtOGQ5ZC1hODE5YzkwNmI3ODIifQ.EBcqS2r8qc1AOyxM9NNm2cgi9Q3ZsSrxn3ydS8h8QxA9Vfx2cervUfWNzS3lSibuz8PslAJC9iz8lxfjPWQKQ44u1pWtB4S-aUZKXnXNOb4qmwQZv0ZpK48iGr6jOm_4wb4W2FcfQnavVlOuGRfCdq_BokGQETFwKtRlU4F9ojnoi2MtNMrjAZ9An1eWdYRkS1Ramzrftskkrq4hEnFyCpWIZOQXMRp-7HkRMRfw6xjLudHNzPzNl0tmxOzxTke8SMAlTnG-eL03Z1LhJKo7bMB-1KIEvdD6jgQTJ0sGdSgGYHcKiWut5fWQ_6pHMCtWl9b8YbtcfCLjyxZkk7J86g",
    "not-before-policy": 0,
    "session_state": "66801cef-7746-4dd6-a018-43bda5c7002b",
    "scope": "openid profile"
}


The following are decoding of the tokens returned in the above response:

Decoded tokens
Access Token
{
    "exp": 1629287901,
    "iat": 1629287601,
    "auth_time": 1629285998,
    "jti": "f1e0d73f-b5f1-4eef-96c9-c7cf5b77e55b",
    "iss": "https://auth.current.bankid.no/auth/realms/current",
    "aud": "tinfo",
    "sub": "2cd7cecd-d444-4685-bb04-8bbfdb45a069",
    "typ": "Bearer",
    "azp": "oidc-testclient",
    "nonce": "demoNonce",
    "session_state": "66801cef-7746-4dd6-a018-43bda5c7002b",
    "name": "Test User BankID",
    "given_name": "Test User",
    "family_name": "BankID",
    "birthdate": "2018-05-09",
    "acr": "urn:bankid:bid;LOA=4",
    "realm_access": {
        "roles": [
            "profile"
        ]
    },
    "resource_access": {
        "tinfo": {
            "roles": [
                "profile"
            ]
        }
    },
    "scope": "openid profile",
    "amr": "BID",
    "resource_claims": {},
    "bankid_altsub": "9578-6000-4-634582",
    "originator": "CN=BankID - TestBank1 - Bank CA 3,OU=123456789,O=TestBank1 AS,C=NO;OrginatorId=9980;OriginatorName=BINAS;OriginatorId=9980"
}
 
Refresh Token
{
    "exp": 1629289401,
    "iat": 1629287601,
    "jti": "ad242032-6827-4170-89d1-6a5d4c7a3e10",
    "iss": "https://auth.current.bankid.no/auth/realms/current",
    "aud": "https://auth.current.bankid.no/auth/realms/current",
    "sub": "2cd7cecd-d444-4685-bb04-8bbfdb45a069",
    "typ": "Refresh",
    "azp": "oidc-testclient",
    "nonce": "demoNonce",
    "session_state": "66801cef-7746-4dd6-a018-43bda5c7002b",
    "scope": "openid profile"
}

ID Token
{
    "exp": 1629287901,
    "iat": 1629287601,
    "auth_time": 1629285998,
    "jti": "74103910-be5c-4430-b8c6-e4b835cce26e",
    "iss": "https://auth.current.bankid.no/auth/realms/current",
    "aud": "oidc-testclient",
    "sub": "2cd7cecd-d444-4685-bb04-8bbfdb45a069",
    "typ": "ID",
    "azp": "oidc-testclient",
    "nonce": "demoNonce",
    "session_state": "66801cef-7746-4dd6-a018-43bda5c7002b",
    "name": "Test User BankID",
    "given_name": "Test User",
    "family_name": "BankID",
    "birthdate": "2018-05-09",
    "updated_at": 1629280620000,
    "acr": "urn:bankid:bid;LOA=4",
    "amr": "BID",
    "bankid_altsub": "9578-6000-4-634582",
    "originator": "CN=BankID - TestBank1 - Bank CA 3,OU=123456789,O=TestBank1 AS,C=NO;OrginatorId=9980;OriginatorName=BINAS;OriginatorId=9980",
    "additionalCertInfo": {
        "certValidFrom": 1629280620000,
        "serialNumber": "1722744",
        "keyAlgorithm": "RSA",
        "keySize": "2048",
        "policyOid": "2.16.578.1.16.1.12.1.1",
        "monetaryLimitAmount": "100000",
        "certQualified": true,
        "monetaryLimitCurrency": "NOK",
        "certValidTo": 1692352620000,
        "versionNumber": "3",
        "subjectName": "CN=BankID\\, Test User,O=TestBank1 AS,C=NO,SERIALNUMBER=9578-6000-4-634582"
    },
    "tid": "11dac3b2-84a3-4c84-8d9d-a819c906b782"
}