The Additional Information service provides claims about the authenticated user beyond what is contained directly in the ID Token. The set of supported scopes and claims along with characteristics of the associated Access Token are described in the following.
Supported scopes and claims
The Userinfo endpoint supports an additional set of claims about the end user beyond the basic set of claims included in the ID Token. The set of additional claims returned via Userinfo depends on the scopes
requested by the OIDC Client. Four different configurations are supported as suggested by the below table, corresponding to the standard scopes email
, phone
and address
and the non-standard scope nnin
.
Note that the basic set of claims about the end user from the ID Token are duplicated in the Userinfo response. Such duplicated claims are not shown in the table. The standard claims sub
and updated_at
are always returned in the Userinfo response.
Supported claims are marked wheras indicates future support. Claims that require consent from the end user are marked . Non-standard claims are marked and are specific for the OIDC Provider from BankID. See a separate list of unsupported standard claims.
The OIDC Provider from BankID supports signed responses from Userinfo
Claim | Support | Example | Description | Comment | Editorial comment |
---|---|---|---|---|---|
sub | 9578-5999-4-1765512 | Subject Identifier | |||
updated_at | 1468582440 | Update time | Epoc time of latest update of any data element behind any of the supported claims | Must be added | |
Email ( scope = email ) | |||||
email | Preferred email | Must be added | |||
email_verified | Email verification status | Must be added | |||
Phone ( scope = phone ) | |||||
phone_number | 95871775 | Preferred phone numer | |||
phone_number_verified | false | Phone number verification status | Depending on the source for the number. Numbers for BankID on Mobile are regarded as verified. | Numbers from other sources may also be regarded verified. | |
all_phone_numbers | {{"number":"95871775","number_verified":false},{"number":"46897469","number_verified":false},{"number":"94782958","number_verified":false}} | All phone numbers with verification status | |||
Address ( scope = address ) | |||||
address | { "formatted": "Lybekkveien 11C\n0772 Oslo\nNorway", "country": "Norway", "street_address": "Lybekkveien 11C", "postal_code": "0772", "locality": "Oslo", "house_number": "11", "house_letter": "C", "street_name": "Lybekkveien" } | Postal address | Standardized claim with both standardized and non-standard sub-claims | ||
address.formatted | Lybekkveien 11C\n0772 Oslo\nNorway | Full mailing address | |||
address.street_address | Lybekkveien 11C | Full street address | |||
address.locality | Oslo | City or locality | |||
address.postal_code | 0772 | Postal code | |||
address.country | Norway | Country | |||
address.street_name | Lybekkveien | Street name component from | To be reviewed | ||
address.house_numer | 11 | House number component from street_address | To be reviewed | ||
address.house_letter | C | House letter component from street_address | To be reviewed | ||
National Identity Number ( scope = nnin ) | |||||
nnin | 181266***** | Norwegian National Identity Number (fødselsnummer) |
Characteristics of Access Token
Access to the Userinfo endpoint is regulated by a standard Access Token of the bearer type. Appropriate tokens for this purpose are returned from the Token endpoint. A token of this kind has a generic nature, meaning that it grants access to any of the claims supported by Userinfo. The service behind Userinfo performs Introspect to determine (among other things) that it is the correct audience for the incomming token and also the specific set of claims that the token should gain access to. The following set of characteristics are returned by introspection for this particular kind of access token:
Element | Example | Description |
---|---|---|
active | ||
scope | ||
client_id | ||
username | ||
toke_type | ||
exp | ||
iat | ||
nbf | ||
sub | ||
aud | ||
iss | ||
jti |