Claim | Support | Example | Description | Comment | Editorial comment |
---|---|---|---|---|---|
sub | 9578-5999-4-1765512 | Subject Identifier | |||
name | Nilsen, Frode Beckmann | Full name | |||
given_name | Frode Beckmann | Given name (first name) | |||
family_name | Nilsen | Surname (last name) | |||
middle_name | Middle Name | Must be added | |||
nickname | Casual name | ||||
preferred_username | Nilsen, Frode Beckmann | Shorthand name | Must be reviewed | ||
profile | Profile page URL | ||||
picture | Picture URL | ||||
website | Homepage URL | ||||
email | Preferred email | Must be added | |||
email_verified | Email verification status | Must be added | |||
gender | Gender | Must be added | |||
birthdate | 1966-12-18 | Birthdate | |||
zoneinfo | Time zone | ||||
locale | Locale | ||||
phone_number | 95871775 | Preferred phone numer | |||
phone_number_verified | false | Phone number verification status | |||
address | { "formatted": "Lybekkveien 11C\n0772 Oslo\nNorway", "country": "Norway", "street_address": "Lybekkveien 11C", "postal_code": "0772", "locality": "Oslo", "house_number": "11", "house_letter": "C", "street_name": "Lybekkveien" } | Postal address | |||
all_phone_numbers | {"number":"95871775","number_verified":false},{"number":"46897469","number_verified":false},{"number":"94782958","number_verified":false} |
Claim | Support | Example | Description | Comment |
---|---|---|---|---|
country | ||||
street_address | ||||
postal_code | ||||
locality | ||||
house_numer | ||||
house_letter | ||||
street_name | ||||
all_phone_numbers |
---
BankID OIDC also integrates with a service to provide additional information like private address and phone number for the end-user being authenticated.
ontains a consent dialog allowing the user to accept or deny use of any additional information the BankID OIDC Service may provide.
Characteristics of BankID OIDC access_tokens
Resources managed/authorized by the BankID OIDC Service get a “public” access_token (“one access_token to rule them all”). When an OIDC Client uses scope (or default scope) to define what resources it needs authorization for, the issued access_token can be used for all those resources. The resources must call the introspect endpoint in order to verify that it is the correct audience/resource for this access_token as well as getting returned the access_token contents/claims. Resources are expected to cache/cookie this information so there’s no need to call introspect for every incoming request with the same access_token.
The introspect endpoint demands basic authentication with the resource’s client_id and client_secret so that it knows what resource it is dealing with.
Another policy is to have “private” access_tokens. That means each resource has their own access_token issued and encrypted with their client_secret/resource_secret. This would remove the need to call introspect in order to validate and get claims, but it will be difficult for the client to keep track of all the access_tokens issued to individual resource services. AAD is doing this and using the refresh_token to ask for more scope (new resources). This would work as long as the refresh_token is issued for the same resource owner (end-user).
"Private access_tokens" are currently not supported. Refresh_tokens are also not implemented. The rationale is that the supported “public” implementation is considered to more efficient (provided the caching we mentioned).