The claims returned in an ID Token from the OIDC Provider depend on the scopes
requested by the OIDC Client. Two different configurations are supported, as shown in the table below, corresponding to the standard scopes openid
and profile
. The table lists both claims that are supported today and claims planned for future support (those marked "Must be added" in the editorial comment column). See a separate list for unsupported standard claims.
A Minimum ID Token contains a minimum set of standard claims, among which sub
is the only claim that is linked to the actual user. A Minimum ID Token can be used by OIDC Clients that need to authenticate end users anonymously. The sub
value does not identify the user unless the OIDC Client links it to other claims about the end user associated with that sub
value.
An Enlarged ID Token adds a set of basic claims about the end user. Note that some of the claims in this basic set require consent from the end user.
Claims beyond this basic set are available via Userinfo, associated with the Additional Information service.
Claim | Example | Description | Comment | Editorial comment |
---|---|---|---|---|
Minimum ID Token (scope = openid) | | | | |
iss | https://preview.bankidapis.no | Issuer Identifier for the Issuer | | |
sub | 9578-5999-4-1765512 | Subject Identifier | Personal Identifier from BankID (Serial number from associated BankID certificate) | |
aud | DotNetClient | Audience | Always includes client_id | |
exp | 1494144386 | Expiration time | Unix epoch time (seconds) | |
iat | 1494140787 | Issuing time | Unix epoch time (seconds) | |
auth_time | 1494140786 | Authentication time | Unix epoch time (seconds) | |
nonce | <random value> | Nonce | | |
acr | 4 | Authentication Context Class | Level of Assurance for IDP option being used | Must be added |
amr | BankID | Authentication Method Reference | Name of IDP option being used | |
azp | DotNetClient | Authorized party | Equals client_id | |
alg | RS256 | Algorithm used to sign the ID Token | JOSE header parameter, not a payload claim | |
typ | JWT | Type of the signed token | JOSE header parameter, not a payload claim | |
kid | bankid-oauth | ID of the key used to sign the ID Token | JOSE header parameter, not a payload claim; selects the verification key | |
at_hash | <hash value> | Access Token hash value | Required for hybrid flow and implicit flow | Must be added |
c_hash | <hash value> | Code hash value | Hybrid flow | |
Enlarged ID Token (scope = openid profile) | | | | |
name | Nilsen, Frode Beckmann | Full name | CommonName from associated BankID certificate | |
given_name | Frode Beckmann | Given name (first name) | | |
family_name | Nilsen | Surname (last name) | | |
preferred_username | Nilsen, Frode Beckmann | Shorthand name | | Must be reviewed |
gender | Male | Gender | Gender derived from NNI from associated BankID certificate | Must be added |
birthdate | 1966-12-18 | Birthdate | BirthDate from associated BankID certificate | |
updated_at | 1468582440 | Update time | Unix epoch time of the issuing time of the associated BankID certificate | Must be added |
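The checks an OIDC Client has to make on the claims above, as an added example that is not BankID's code: the block mints a Minimum ID Token carrying the values from the table (issuer https://preview.bankidapis.no, client_id DotNetClient, kid bankid-oauth, acr 4, amr BankID) and then validates it the way a relying party should, pinning alg to RS256, selecting the key by kid, verifying the signature, and only then checking iss, aud and azp, exp and iat, nonce, at_hash and c_hash. Everything is standard library: RS256 (PKCS#1 v1.5 over SHA-256) is implemented directly over a constructed demo RSA key built from two public Mersenne primes, which is an assumption and insecure by design; the 3600 s token lifetime, the 60 s clock skew, the nonce, access token and code values are also constructed assumptions.

```python
"""Mint and validate an ID Token carrying the claims from the table above.

Added example, not BankID's code. Stdlib only: RS256 is implemented by hand
over a demo RSA key built from two *public* Mersenne primes, so the key is
worthless for anything but illustrating the relying-party checks.
"""
import base64
import hashlib
import hmac
import json

ISSUER, CLIENT_ID = "https://preview.bankidapis.no", "DotNetClient"

# Constructed demo key: p = 2^521-1 and q = 2^607-1 are well-known primes (INSECURE).
_P, _Q = (1 << 521) - 1, (1 << 607) - 1
RSA_N, RSA_E = _P * _Q, 65537
_RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))
# Provider verification keys indexed by kid, as a client would cache them.
KEYS = {"bankid-oauth": (RSA_N, RSA_E)}
# DigestInfo prefix for SHA-256 in PKCS#1 v1.5 signatures (RFC 8017, section 9.2).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _pkcs1_v15_encode(msg: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rs256_sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_pkcs1_v15_encode(msg, k), "big"), d, n).to_bytes(k, "big")


def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, _pkcs1_v15_encode(msg, k))


def token_hash(value: str) -> str:
    """at_hash / c_hash for RS256: base64url of the left 128 bits of SHA-256(value)."""
    return b64url(hashlib.sha256(value.encode("ascii")).digest()[:16])


def mint_id_token(nonce: str, access_token: str, now: int, code=None) -> str:
    """Provider side: build the Minimum ID Token (the 3600 s lifetime is an assumption)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "bankid-oauth"}
    claims = {
        "iss": ISSUER, "sub": "9578-5999-4-1765512", "aud": CLIENT_ID, "azp": CLIENT_ID,
        "exp": now + 3600, "iat": now, "auth_time": now - 1, "nonce": nonce,
        "acr": "4", "amr": "BankID", "at_hash": token_hash(access_token),
    }
    if code is not None:  # hybrid flow: bind the authorization code as well
        claims["c_hash"] = token_hash(code)
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(rs256_sign(signing_input.encode("ascii"), RSA_N, _RSA_D))


def validate_id_token(token: str, expected_nonce: str, access_token: str, now: int, code=None) -> dict:
    """Client side: return the verified claims or raise ValueError naming the failed check."""
    h64, c64, s64 = token.split(".")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":  # pin the algorithm; never let the token choose it
        raise ValueError("alg check failed")
    if header.get("kid") not in KEYS:
        raise ValueError("kid check failed")
    n, e = KEYS[header["kid"]]
    if not rs256_verify(f"{h64}.{c64}".encode("ascii"), b64url_decode(s64), n, e):
        raise ValueError("signature check failed")
    c = json.loads(b64url_decode(c64))
    aud = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    checks = [
        ("iss", c.get("iss") == ISSUER),
        ("aud", CLIENT_ID in aud),
        ("azp", c.get("azp", CLIENT_ID) == CLIENT_ID),
        ("exp", now < c.get("exp", 0)),
        ("iat", c.get("iat", now + 61) <= now + 60),  # 60 s clock skew is an assumption
        ("nonce", hmac.compare_digest(str(c.get("nonce", "")), expected_nonce)),
        ("at_hash", c.get("at_hash") == token_hash(access_token)),
        ("c_hash", code is None or c.get("c_hash") == token_hash(code)),
    ]
    for name, ok in checks:
        if not ok:
            raise ValueError(f"{name} check failed")
    return c


def rejection_reason(*args, **kwargs) -> str:
    """Helper for callers that prefer a string over an exception ('' means accepted)."""
    try:
        validate_id_token(*args, **kwargs)
    except ValueError as err:
        return str(err)
    return ""
```

The order of the checks matters: the signature is verified before any claim is read, and the algorithm is fixed by the client rather than taken from the header, so a token with alg changed to none or to an HMAC algorithm is rejected before it can influence key selection. at_hash and c_hash follow the OpenID Connect rule for RS256 (left-most 128 bits of SHA-256 over the ASCII token, base64url without padding), which is what binds the access token and code returned by the hybrid and implicit flows to this particular ID Token; the nonce check is what ties the token to the session that started the request.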