A minimum ID Token returned by the OIDC Provider from BankID contains a set of standardized claims marked by and , among which
sub is the only claim that is linked to the actual user. Claims marked by are currently not supported but will be added.
|https://preview.bankidapis.no||Issuer Identifier for the Issuer|
|9578-5999-4-1765512||Subject Identifier||Personal Identifier from BankID (Serial number from associated BankID certificate)|
|DotNetClient||Audience||Always includes |
|1494144386||Expiration time||Epoch time|
|1494140787||Issuing time||Epoch time|
|1494140786||Authentication time||Epoch time|
|acr||4||Authentication Context Class||Level of Assurance for IDP option being used||Must be added|
|BankID||Authentication Method Reference||Name of IDP option being used|
|DotNetClient||Authorized party||Equals |
|RS256||Algorithm used to sign ID Token|
|JWT||Type of key used to sign ID Token|
|bankid-oauth||ID of key used to sign ID Token|
|<hash value>||Access Token hash value||Must be added. Required for hybrid flow and implicit flow|
|<hash value>||Code hash value||Hybrid flow|
Note that a minimum ID Token can be used by OIDC Clients that need to authenticate end-users in an anonymous way. The
sub value does not identify the user unless it is linked by the OIDC Client to other claims about the end user associated with that
The following set of basic (and standardized) claims about the end user may in addition be added to the ID Token, depending on the scopes and claims actually requested by the OIDC Client.
|Nilsen, Frode Beckmann||Full name||CommonName from associated BankID certificate|
|Male||Gender||Gender derived from NNI from associated BankID certificate||Must be added|
|1966-12-18||Birthdate||BirthDate from associated BankID certificate|
|1468582440||Update time||Epoch time of issuing time of associated BankID certificate||Must be added|
Additional claims about the authenticated user beyond this basic set are available via Userinfo associated with the Additional Information service. The above basic claims from the ID Token are duplicated in the response from Userinfo.
Note that the basic claims are returned in the ID Token automatically, without requesting explicit consent from the end-user. This is in contrast to the additional claims available via Userinfo, which as a rule of thumb require explicit consent from the user.
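The client-side checks implied by the minimum ID Token table, as an added example that is not BankID's code or part of the original page. It assumes the RS256 signature has already been verified against the provider's key, uses the standard OIDC claim names (iss, aud, azp, exp, iat, at_hash, c_hash), and checks acr and the hash claims only when present because the table marks them "Must be added"; `check_id_token`, `left_half_hash` and the sample values are constructed for illustration.

```python
import base64
import hashlib
import time

ISSUER = "https://preview.bankidapis.no"  # issuer value from the table
CLIENT_ID = "DotNetClient"                # example client from the table

def left_half_hash(value):
    """at_hash/c_hash for RS256: base64url(left 128 bits of SHA-256), unpadded."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode("ascii")

def check_id_token(header, claims, now=None, access_token=None, code=None,
                   min_acr=None, leeway=60):
    """Return the names of failed checks; an empty list means the claims pass."""
    now = time.time() if now is None else now
    problems = []
    if header.get("alg") != "RS256":  # pin the algorithm; rejects "none"/HS256
        problems.append("alg")
    if claims.get("iss") != ISSUER:
        problems.append("iss")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in aud:
        problems.append("aud")
    if ("azp" in claims or len(aud) > 1) and claims.get("azp") != CLIENT_ID:
        problems.append("azp")
    if not claims.get("sub"):
        problems.append("sub")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or now >= exp + leeway:
        problems.append("exp")  # missing or expired
    if not isinstance(iat, int) or iat > now + leeway:
        problems.append("iat")  # missing or issued in the future
    # acr, at_hash and c_hash are checked only when the token carries them.
    if min_acr is not None and "acr" in claims:
        if not str(claims["acr"]).isdigit() or int(claims["acr"]) < min_acr:
            problems.append("acr")
    for name, value in (("at_hash", access_token), ("c_hash", code)):
        if name in claims and (value is None or claims[name] != left_half_hash(value)):
            problems.append(name)
    return problems

# Constructed sample built from the example values in the table above.
SAMPLE_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "bankid-oauth"}
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "9578-5999-4-1765512", "aud": CLIENT_ID,
                 "exp": 1494144386, "iat": 1494140787, "auth_time": 1494140786,
                 "amr": "BankID", "azp": CLIENT_ID}
```

Calling `check_id_token(SAMPLE_HEADER, SAMPLE_CLAIMS, now=1494140800)` returns an empty list; pass `access_token` or `code` in the hybrid and implicit flows so a token that carries at_hash or c_hash is bound to the values actually received.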