
The OIDC Provider from BankID supports two general classes of Access Tokens. 

  • Tokens by reference, i.e. standard Bearer Tokens. Tokens of this kind come with corresponding support for Introspection, which determines the Authorization Context for any particular bearer token value.
  • Tokens by value, i.e. JSON Web Tokens (JWT) that are signed (JWS) and optionally also encrypted (JWE). Tokens of this kind are self-contained: the token value carries all the information required to determine the Authorization Context.

The Authorization Context of any Access Token refers to the following characteristics:

  • The issuer (iss) of the access token. See the corresponding claim in the ID Token.
  • The subject identifier (sub) of the access token, i.e. a reference to the end-user (resource owner) that authorized the access token. See the corresponding claim in the ID Token.
  • The intended audience (aud) of the access token, i.e. a reference to the service (resource server) that the access token regulates access to. Note that this is not the same as the corresponding claim in the ID Token: the audience of the ID Token is the OIDC Client, whereas the audience of an Access Token is the Resource Server in question. A resource server should therefore accept only tokens whose aud names that resource server, not tokens whose aud is the OIDC Client.
  • The active state / expiry (exp) of the access token.
  • The specific set of scopes and claims associated with the access token, i.e. the set included in the Authorize request that subsequently resulted in the issuance of the Access Token in the response to a Token request.
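
The following is an added example of how a resource server establishes the Authorization Context for each of the two token classes above; it is not code from the BankID OIDC Provider documentation. It assumes an HS256-signed JWS with a shared secret purely so that it runs offline with the Python standard library (a real resource server verifies the provider's signature with the provider's published public key, and for by-reference tokens obtains the introspection response by calling the provider's introspection endpoint). The issuer, audience, client id, scope values and the introspection response are constructed for the example. Both token classes end in the same check of iss, sub, aud, exp and scope, which is the point: the context is the same, only the way it is obtained differs.

```python
"""Establishing the Authorization Context of an access token (added example).

Assumptions: HS256 with a shared secret is used only so this runs offline; the
issuer, audience, client id and scopes below are constructed, not real values.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example (not real BankID identifiers).
EXAMPLE_KEY = b"example-shared-secret-do-not-use"
EXAMPLE_ISSUER = "https://oidc.example.test"
RESOURCE_SERVER_AUD = "https://api.example.test/supplementary-service"
OIDC_CLIENT_ID = "example-client"


class TokenError(Exception):
    """Raised when a token fails the Authorization Context checks."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jws(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWS; only used here to build sample by-value tokens."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def check_context(ctx: dict, expected_iss: str, expected_aud: str,
                  required_scopes: set, now: float) -> dict:
    """Checks shared by both token classes: iss, aud, exp, sub and scope."""
    if ctx.get("iss") != expected_iss:
        raise TokenError("unexpected issuer")
    aud = ctx.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    # aud must name this resource server, not the OIDC client that obtained the token.
    if expected_aud not in aud_list:
        raise TokenError("token not intended for this resource server")
    if not isinstance(ctx.get("exp"), (int, float)) or ctx["exp"] <= now:
        raise TokenError("token expired or missing exp")
    if not ctx.get("sub"):
        raise TokenError("missing subject")
    granted = set(str(ctx.get("scope", "")).split())
    if not required_scopes <= granted:
        raise TokenError("missing scope(s): %s" % sorted(required_scopes - granted))
    return {"iss": ctx["iss"], "sub": ctx["sub"], "aud": aud_list,
            "exp": ctx["exp"], "scope": granted}


def verify_by_value(token: str, key: bytes, expected_iss: str, expected_aud: str,
                    required_scopes: set, now=None) -> dict:
    """By-value token: verify the JWS signature locally, then check the claims."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise TokenError("not a compact JWS")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # accept only the algorithm we expect
        raise TokenError("unsupported alg")
    expected_sig = hmac.new(key, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s64)):
        raise TokenError("bad signature")
    return check_context(json.loads(_b64url_decode(p64)), expected_iss,
                         expected_aud, required_scopes, now)


def verify_by_reference(introspection: dict, expected_iss: str, expected_aud: str,
                        required_scopes: set, now=None) -> dict:
    """By-reference (bearer) token: `introspection` is the JSON the provider's
    introspection endpoint returned for the token value (RFC 7662 field names).
    An inactive token is rejected before anything else is looked at."""
    now = time.time() if now is None else now
    if introspection.get("active") is not True:
        raise TokenError("token not active")
    return check_context(introspection, expected_iss, expected_aud, required_scopes, now)
```

The audience check is the one most often got wrong in practice: a token whose aud is the OIDC Client id may verify perfectly well as a signature yet must still be refused by the resource server, because it was never issued for that service.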

The OIDC Provider issues different types of Access Tokens to OIDC Clients depending on the scopes and claims contained in the request. Each Supplementary Service is described separately:
