OIDC Clients must authenticate with the OIDC Provider for the Token and Introspect Endpoints. Among the standardized authentication methods the following are currently supported by the OIDC Provider from BankID:
- OIDC
client_secret_basicaccording to OAuth2 using the HTTP Basic authentication scheme - OIDC
client_secret_postaccording to OAuth2 by including the Client Credentials (client_idandclient_secret) in the request body - OIDC
private_key_jwtby registering a public key and signing a JWT using the associated private key.
Support for the final OIDC authentication scheme client_secret_jwt may be added as future option.
OIDC Clients requesting access to VAS-services that uses the OIDC Provider for authorization must in addition authenticate with VAS-Servers using Access Tokens from the OIDC Provider. The type of Access Token and also the scheme for passing such tokens to VAS-servers are specific for each of the supported kinds of Value Added Services.