The Additional Information service (aka: Userinfo) provides claims about the authenticated user beyond what is contained directly in the ID Token. The set of supported scopes and claims is described in the following section, followed by a description of consent handling for the supported scopes. The specific type of Access Token that is required to get access to the Additional Information service is also described.
The following table summarizes how the Additional Information service impacts key features of the OIDC Provider:
Function | Impact |
---|---|
IDP options | All supported options are available to the OIDC Client |
Authorize endpoint | Adds support for a small set of non-standard scopes and claims |
Token endpoint | Adds support for a by-reference access bearer token that grants access to Userinfo |
Resource endpoint(s) | Implements the Userinfo endpoint |
Scopes and claims
The Userinfo endpoint supports an additional set of claims about the end user beyond the basic set of claims included in the ID Token. The set of additional claims returned via Userinfo depends on the scopes requested by the OIDC Client. Four different configurations are supported, as shown in the table below, corresponding to the standard scopes email, phone and address and the non-standard scope nnin.
Note that the basic set of claims about the end user from the ID Token is duplicated in the Userinfo response. Such duplicated claims are not shown in the table. The standard claims sub and updated_at are always returned in the Userinfo response.
Supported claims, claims with future support only, claims that require consent from the end user and non-standard claims (specific to the OIDC Provider from BankID) are each marked with their own symbol in the table. See a separate list of unsupported standard claims.
The OIDC Provider from BankID supports signed responses from Userinfo.
Claim | Support | Example | Description | Comment | Editorial comment |
---|---|---|---|---|---|
sub | | 9578-5999-4-1765512 | Subject Identifier | | |
updated_at | | 1468582440 | Update time | Epoch time of the latest update of any data element behind any of the supported claims | Must be added |
Email ( scope = email ) | | | | | |
email | | | Preferred email | | Must be added |
email_verified | | | Email verification status | | Must be added |
Phone ( scope = phone ) | | | | | |
phone_number | | 95871775 | Preferred phone number | | |
phone_number_verified | | false | Phone number verification status | Depends on the source of the number. Numbers for BankID on Mobile are regarded as verified. | Numbers from other sources may also be regarded as verified. |
all_phone_numbers | | {{"number":"95871775","number_verified":false},{"number":"46897469","number_verified":false},{"number":"94782958","number_verified":false}} | All phone numbers with verification status | | |
Address ( scope = address ) | | | | | |
address | | { "formatted": "Lybekkveien 11C\n0772 Oslo\nNorway", "country": "Norway", "street_address": "Lybekkveien 11C", "postal_code": "0772", "locality": "Oslo", "house_number": "11", "house_letter": "C", "street_name": "Lybekkveien" } | Postal address | Standardized claim with both standardized and non-standard sub-claims | |
address.formatted | | Lybekkveien 11C\n0772 Oslo\nNorway | Full mailing address | | |
address.street_address | | Lybekkveien 11C | Full street address | | |
address.locality | | Oslo | City or locality | | |
address.postal_code | | 0772 | Postal code | | |
address.country | | Norway | Country | | |
address.street_name | | Lybekkveien | Street name component from street_address | To be reviewed | |
address.house_number | | 11 | House number component from street_address | To be reviewed | |
address.house_letter | | C | House letter component from street_address | To be reviewed | |
National Identity Number ( scope = nnin ) | | | | | |
nnin | | 181266***** | Norwegian National Identity Number (fødselsnummer) | | |
Consent handling
TBC
Characteristics of Access Token
The Userinfo endpoint requires an Access Token of the bearer type with the proper characteristics to grant access. Appropriate tokens are returned from the Token endpoint. A token of this kind is generic, meaning that it grants access to any of the claims supported by Userinfo. The service behind Userinfo performs introspection to determine (among other things) that it is the correct audience for the incoming token, and also the specific set of claims that the token should gain access to. The following set of token attributes is returned by introspection for this particular kind of access token:
TODO: which of these do we support via Introspect, and which values apply to Access Tokens for the Userinfo service
Attribute | Example | Description |
---|---|---|
active | xxxx | |
scope | xxxx | |
client_id | xxxx | |
username | xxxx | |
token_type | xxxx | |
exp | xxxx | |
iat | xxxx | |
nbf | xxxx | |
sub | xxxx | |
aud | xxxx | |
iss | xxxx | |
jti | xxxx | |
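As an added example (not code from BankID or from this page), the following shows how a Userinfo resource server could combine the introspection checks described in this section with the scope-to-claim mapping from the claims table: tokens that are inactive, not of bearer type, expired, or addressed to another audience are rejected, and otherwise only the claims unlocked by the granted scopes are returned together with sub and updated_at. The audience value "userinfo", the sample user record (email values included) and the sample introspection result are assumptions constructed for the example.

```python
import time

# Scope -> claims it unlocks, taken from the claims table above.
SCOPE_CLAIMS = {
    "email": ("email", "email_verified"),
    "phone": ("phone_number", "phone_number_verified", "all_phone_numbers"),
    "address": ("address",),
    "nnin": ("nnin",),
}
ALWAYS_RETURNED = ("sub", "updated_at")      # returned regardless of scope
USERINFO_AUDIENCE = "userinfo"               # assumed audience value (the page does not state it)

class TokenRejected(Exception):
    """Raised when an introspected token must not be granted access to Userinfo."""

def check_introspection(intro, now=None):
    """Token must be active, of bearer type, addressed to us and unexpired; returns granted scopes."""
    now = time.time() if now is None else now
    if not intro.get("active"):
        raise TokenRejected("token is not active")
    if str(intro.get("token_type", "")).lower() != "bearer":
        raise TokenRejected("not a bearer token")
    aud = intro.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud   # RFC 7662 allows a string or a list
    if USERINFO_AUDIENCE not in aud:
        raise TokenRejected("token was not issued for the Userinfo audience")
    if intro.get("exp", 0) <= now:
        raise TokenRejected("token has expired")
    return set(intro.get("scope", "").split())

def build_userinfo(intro, user, now=None):
    """Return sub/updated_at plus only the claims the token's scopes grant."""
    allowed = set(ALWAYS_RETURNED)
    for scope in check_introspection(intro, now):
        allowed.update(SCOPE_CLAIMS.get(scope, ()))  # unknown scopes (e.g. openid) unlock nothing
    return {k: v for k, v in user.items() if k in allowed}

# Constructed user record from the example values in the claims table (email values are made up).
SAMPLE_USER = {
    "sub": "9578-5999-4-1765512", "updated_at": 1468582440,
    "email": "user@example.com", "email_verified": False,
    "phone_number": "95871775", "phone_number_verified": False,
    "all_phone_numbers": [{"number": "95871775", "number_verified": False}],
    "address": {"formatted": "Lybekkveien 11C\n0772 Oslo\nNorway", "postal_code": "0772"},
    "nnin": "181266*****",
}
# Constructed introspection result for a token granting the phone and address scopes only.
SAMPLE_INTRO = {"active": True, "token_type": "Bearer", "scope": "openid phone address",
                "aud": ["userinfo"], "exp": 1468586040, "client_id": "example-client"}
```

Calling build_userinfo(SAMPLE_INTRO, SAMPLE_USER) yields the phone and address claims plus sub and updated_at, while email and nnin stay withheld because their scopes were not granted.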