...
| Claim | Origin | Scope | Example | IDP | Eligibility | Description | Comment |
|---|---|---|---|---|---|---|---|
| Minimum ID Token part | |||||||
typ | Keycloack | openid | ID | Any | Any | Token type | Always |
acr | Standard | openid | 4 | Any | Any | Authentication Context Class Reference | Level of Assurance (LoA) for IDP option being used |
amr | Standard | openid | BID | Any | Any | Authentication Method Reference | Name of IDP option being used to authenticate the end-user. If the end-user is subject to authentication step-up, note that this value may differ from any |
| Standard | openid | oidc_testclient | Any | Any | Audience | Always client_id |
auth_time | Standard | openid | 1510497762 | Any | Any | Authentication time | Epoc time |
azp | Standard | openid | oidc_testclient | Any | Any | Authorized party | Equals client_id |
bankid_altsub | Custom | openid |
| BankID and xID | Any | Alternate BankID Subject Identifier | Personal Identifier (PID) / Serial Number) from associated BankID certificate. |
exp | Standard | openid | 1510498063 | Any | Any | Expiration time | Epoc time. Corresponds to a forward session window after iat |
iat | Standard | openid | 1510497763 | Any | Any | Issuing time | Epoc time Equal to |
iss | Standard | openid | <oidc-baseurl> | Any | Any | Issuer Identifier for the Issuer | |
jti | Standard | openid | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 | Any | Any | Token identifier | |
nbf | Standard | openid | 0 | Any | Any | Not before time | Epoc time |
nonce | Standard | openid | <random value> | Any | Any | Nonce | |
session_state | Keycloack | openid | abf823c2-9810-4133-9369-7bff1223d6c1 | Any | Any | GUID related to session handling | |
sub | Standard | openid |
| Any | Any | Subject Identifier | GUID from Keycloackthat uniquely identifies the end user across the different IDPs |
updated_at | Standard | openid | 1468582440 | Any | Any | Update time | Epoc time of issuing / create / enrollment of ID in question. |
at_hash | Standard | openid | <hash value> | Any | Any | Access Token hash value | Included for hybrid- and implicit flows |
c_hash | Standard | openid | <hash value> | Any | Any | Code hash value | Included for hybrid flow |
browserEnrolledAt | Custom | openid | 1515437710549 | xID only | Any | Time at which the current browser was enrolled for the xID Service | Epoc time |
tid | Custom | openid | 2e1eebb7-d5d7-4c55-9410-6ab178070a1c | Currently only BankID (IDP) | Any | Transaction ID (reference) for the completed authentication session | Currently used as an input parameter for the securityData endpoint of the Fraud Data (VAS) service |
| Regular ID Token part | |||||||
birthdate | Standard | profile | 1966-12-18 | BankID and xID | Any | Birthdate | From associated BankID certificate |
family_name | Standard | profile | Nilsen | BankID and xID | Any | Surname (last name) | From associated BankID certificate |
given_name | Standard | profile | Frode Beckmann | BankID and xID | Any | Given name (first name) | From associated BankID certificate |
name | Standard | profile | Nilsen, Frode Beckmann | BankID and xID | Any | Full name | From associated BankID certificate |
| Enhanced ID Token part | |||||||
nnin_altsub | Custom | nnin_altsub | 181266***** | BankID and xID | Available for OIDC clients that uses NNIN as userID for its already existing users. For access to NNIN for enrollment of new users, see TINFO or AML (VAS). | Norwegian National Identity Number (NNIN) as alternate Subject Identifier | Only availble with authorization code flow. |