Page tree
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 41 Next »

A Minimum ID Token returned by the OIDC Provider from BankID contains a minimum set of standardized claims marked by (tick) and (warning), among which sub is the only claim that is linked to the actual user. Claims marked by (warning) are currently not supported but will be added. A minimum ID Token can be used by OIDC Clients that need to authenticate end-users in an anonumous way. The sub value does not identify the user unless it is linked by the OIDC Client to other claims about the end user associated with that sub value.

An Enlarged ID Token adds some basic (and standardized) claims about the end user to the ID Token, depending on the scopes and claims actually requested by the OIDC Client. Additional claims about the authenticated user beyond this basic set is available via Userinfo associated with the Additional Information service. The basic claims from the enlarged ID Token are duplicated in the reponse from Userinfo. Note that the basic claims of the enlarged ID Token are returned without requesting an explicit consent from the end-user. This is in contrast to additional claims available via Userinfo that as a rule-of-thumb demand explicit consent from the user.  

ClaimSupportExampleDescriptionCommentConsentEditorial comment
Minimum ID Token (todo: corresponds to scope=openid)
iss(tick)https://preview.bankidapis.noIssuer Identifier for the Issuer NA 
sub(tick)9578-5999-4-1765512Subject IdentifierPersonal Identifier from BankID
(Serial number from associated BankID certificate)
aud(tick)DotNetClientAudienceAlways includes client_idNA 
exp(tick)1494144386Expiration timeEpoc timeNA 
iat(tick)1494140787Issuing timeEpoc timeNA 
auth_time(tick)1494140786Authentication timeEpoc timeNA 
nonce(tick)<random value>Nonce NA 
acr(warning)4Authentication Context ClassLevel of Assurance for IDP option being usedNAMust be added
amr(tick)BankIDAuthentication Method ReferenceName of IDP option being usedNA 
azp(tick)DotNetClientAuthorized partyEquals client_idNA 
alg(tick)RS256Algorithm used to sign ID Token NA 
typ(tick)JWTType of key used to sign ID Token NA 
kid(tick)bankid-oauthID of key used to sign ID Token NA 
at_hash(warning)<hash value>Access Token hash value NAMust be added. Required for hybrid flow and implicit flow
c_hash(tick)<hash value>Code hash valueHybrid flowNA 
Enlarged ID Token (todo: corresponds to scope=profile)
name(tick)Nilsen, Frode BeckmannFull nameCommonName from associated BankID certificateNo 
given_name(tick)Frode BeckmannGiven name (first name) No 
family_name(tick)NilsenSurname (last name) No 
preferred_username(tick)Nilsen, Frode BeckmannShorthand name NoMust be reviewed
gender(warning) MaleGenderGender derived from NNI from associated BankID certificateYesMust be added
birthdate(tick)1966-12-18BirthdateBirthDate from associated BankID certificateYes 
updated_at(warning)1468582440Update timeEpoc time of issuing time of associated BankID certificate Must be added


given_name(tick)Frode BeckmannGiven name (first name)  
family_name(tick)NilsenSurname (last name) 




  • No labels