The claims returned in an ID Token from the OIDC Provider depend on the scopes requested by the OIDC Client. Two configurations are supported, as shown in the table below, corresponding to the standard scopes openid and profile. Supported claims are marked (tick), whereas (warning) indicates planned future support. A separate list covers the unsupported standard claims.

A Minimum ID Token contains a minimum set of standard claims, among which sub is the only claim linked to the actual user. A Minimum ID Token can be used by OIDC Clients that need to authenticate end users without identifying them: the sub value is taken from the associated BankID certificate and does not identify the user unless the OIDC Client links it to other claims about the end user associated with that sub value.

An Enlarged ID Token adds a small set of basic claims about the end user. Note that some of the claims in this basic set require consent from the end user, marked by (thumbs up) in the table.

Additional claims about the end user beyond this basic set are available via the Userinfo endpoint, which is associated with the Additional Information service.

Claim | Support | Example | Description | Comment | Editorial comment

Minimum ID Token (scope = openid)

iss | (tick) | https://preview.bankidapis.no | Issuer Identifier for the Issuer | |
sub | (tick) | 9578-5999-4-1765512 | Subject Identifier | Personal Identifier from BankID (serial number from the associated BankID certificate) |
aud | (tick) | DotNetClient | Audience | Always includes client_id |
exp | (tick) | 1494144386 | Expiration time | Epoch time |
iat | (tick) | 1494140787 | Issuing time | Epoch time |
auth_time | (tick) | 1494140786 | Authentication time | Epoch time |
nonce | (tick) | <random value> | Nonce | |
acr | (warning) | 4 | Authentication Context Class Reference | Level of Assurance for the IDP option being used | Must be added
amr | (tick) | BankID | Authentication Method Reference | Name of the IDP option being used |
azp | (tick) | DotNetClient | Authorized party | Equals client_id |
alg | (tick) | RS256 | Algorithm used to sign the ID Token | JOSE header parameter, not a payload claim |
typ | (tick) | JWT | Type of the token | JOSE header parameter, not a payload claim |
kid | (tick) | bankid-oauth | ID of the key used to sign the ID Token | JOSE header parameter, not a payload claim |
at_hash | (warning) | <hash value> | Access Token hash value | Required for hybrid flow and implicit flow | Must be added
c_hash | (tick) | <hash value> | Code hash value | Hybrid flow |

Enlarged ID Token (scope = openid profile)

name | (tick) | Nilsen, Frode Beckmann | Full name | CommonName from the associated BankID certificate |
given_name | (tick) | Frode Beckmann | Given name (first name) | |
family_name | (tick) | Nilsen | Surname (last name) | |
preferred_username | (tick) | Nilsen, Frode Beckmann | Shorthand name | | Must be reviewed
gender | (warning) (thumbs up) | Male | Gender | Gender derived from the NNI in the associated BankID certificate | Must be added
birthdate | (tick) (thumbs up) | 1966-12-18 | Birthdate | BirthDate from the associated BankID certificate |
updated_at | (warning) | 1468582440 | Update time | Epoch time of the issuing time of the associated BankID certificate | Must be added
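The table lists what the ID Token carries, but the security value of those claims comes from the OIDC Client actually checking them. The following is an added example (not code from this page or from BankID) of the checks an OIDC Client should run on the Minimum ID Token claims above: issuer, audience and azp, exp and iat, the nonce, the c_hash binding to the authorization code (hybrid flow) and auth_time freshness. It signs a constructed token with HS256 and a shared key purely so that it runs offline with the standard library; the real provider signs with RS256, and a production client must pin RS256 and verify with the public key selected by the kid header from the provider's JWKS. The issuer, client_id and example claim values are taken from the table; the key, nonce, authorization code and clock-skew allowance are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Values from the table on this page; everything else in this block is constructed for the example.
ISSUER = "https://preview.bankidapis.no"
CLIENT_ID = "DotNetClient"
CLOCK_SKEW = 60  # tolerated clock drift in seconds between client and OIDC Provider (assumption)

# The page's example claims; nonce and c_hash are filled in by build_sample_token.
SAMPLE_CLAIMS = {
    "iss": ISSUER, "sub": "9578-5999-4-1765512", "aud": CLIENT_ID, "azp": CLIENT_ID,
    "exp": 1494144386, "iat": 1494140787, "auth_time": 1494140786, "amr": "BankID",
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def left_half_hash(value: str) -> str:
    """at_hash / c_hash as OIDC Core defines them: base64url of the left-most half of the
    hash matching the signing algorithm (SHA-256 for both RS256 and HS256)."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def make_token(claims: dict, key: bytes, kid: str = "bankid-oauth") -> str:
    """Mint a compact JWS. HS256 with a shared key is used only so the example runs offline;
    the real provider signs with RS256 and a client verifies with the public key chosen by kid."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def build_sample_token(key: bytes, nonce: str, code: str) -> str:
    """Constructed test token carrying the page's example claims plus nonce and c_hash."""
    claims = dict(SAMPLE_CLAIMS, nonce=nonce, c_hash=left_half_hash(code))
    return make_token(claims, key)


def validate_id_token(token, key, expected_nonce, code=None, now=None, max_auth_age=None):
    """Return the claims if every check passes, otherwise raise ValueError. The checks follow
    the ID Token validation rules of OIDC Core, restricted to the claims listed on this page."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm; never let the token choose it (rejects "none" and key-confusion tricks).
    if header.get("alg") != "HS256":  # in production pin "RS256" and resolve the key via header["kid"]
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))

    def req(name):
        if name not in claims:
            raise ValueError(f"missing claim {name}")
        return claims[name]

    if req("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = req("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("token not intended for this client")
    # azp is required with multiple audiences and, when present, must equal client_id.
    if (len(audiences) > 1 or "azp" in claims) and claims.get("azp") != CLIENT_ID:
        raise ValueError("wrong authorized party")
    if req("exp") <= now - CLOCK_SKEW:
        raise ValueError("token expired")
    if req("iat") > now + CLOCK_SKEW:
        raise ValueError("token issued in the future")
    if req("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if code is not None and claims.get("c_hash") != left_half_hash(code):
        raise ValueError("c_hash does not match the authorization code")
    if max_auth_age is not None and now - req("auth_time") > max_auth_age:
        raise ValueError("authentication too old")
    return claims


def is_rejected(token, key, expected_nonce, **kwargs) -> bool:
    """True if validate_id_token refuses the token (used for negative checks)."""
    try:
        validate_id_token(token, key, expected_nonce, **kwargs)
    except ValueError:
        return True
    return False
```

The nonce check is what ties the ID Token to the client's own authorization request and defeats token replay; the c_hash check is what stops a hybrid-flow client from being handed a code that belongs to a different session than the ID Token. Neither check is done for you by signature verification alone.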