The TINFO service ("Tilleggsinfo") implements Userinfo being a Protected Resource endpoint. This service supports claims about the authenticated user beyond what is contained directly in the ID Token. The set of supported scopes and claims are described in the following section, followed by a description of consent handling for the supported scopes. The type of Access Token that grants access to Userinfo is also described.
The following table summarizes how the TINFO service impacts key features of the OIDC Provider:
| Function | Impact |
|---|---|
| IDP options | None (all supported options are availble) |
| Resource endpoint(s) | Adds support for the Userinfo endpoint |
| Authorize endpoint | Adds support for a small set of non-standard scopes and claims |
| Token endpoint | None (userinfo accepts Access Tokens of the default type) |
Scopes and claims
The set of claims returned via Userinfo depends on the scopes requested by the OIDC Client. Five different configurations are supported as suggested by the below table, corresponding to the standard scopes profile, email, phone and address and the non-standard scope nnin. Note that some of the claims associated with the profile scope are returned with the ID Token whereas others are returned via Userinfo.
The standard claims iss, sub, and audupdated_at are always returned in the Userinfo response.
Supported claims are marked 
wheras 
indicates future support. Most of the claims require consent from the end user as marked 
. Non-standard claims are marked 
and are specific for the OIDC Provider from BankID. See a separate list of unsupported standard claims.
Note that the nnin claim does not require consent from the end-user. The rationale is to continue the current BankID practise to provide this data element as a silent side-effect of the authentication to specific OIDC Clients that have lawful rights (or obligations) to register such data. Since such business (banks, insurance companies, health-care organizations, etc.) normally use nnin rather than sub (the BankID PID) as the reference for the end-user it must be possible to perform a basic authentication, ie. requesting an ID Token along with just nnin from Userinfo without presenting the user with any consent screen. The nnin cannot be part of the ID Token for privacy reason since the ID Token for several of the supported flows is passed via the User-agent. This practise to provide nnin as an non-consented claim is regulated in the end-user license agreement (EULA) for all of the supported IDP options
The OIDC Provider from BankID supports signed responses from Userinfo.
| Claim | Support | Example | Description | Comment | Editorial comment |
|---|---|---|---|---|---|
iss | | https://preview.bankidapis.no | Issuer Identifier for the Issuer | ||
sub | | 9578-5999-4-1765512 | Subject Identifier | ||
aud | | DotNetClient | Audience | Always includes client_id | |
updated_at | | 1468582440 | Update time | Epoc time of latest update of any data element behind any of the supported claims | Must be added |
Profile ( scope = profile ) | |||||
gender | | Male | Gender | Gender derived from National Identity Number from associated BankID certificate | Must be added |
Email ( scope = email ) | |||||
email | | Preferred email | Must be added | ||
email_verified | | Email verification status | Must be added | ||
Phone ( scope = phone ) | |||||
phone_number | | 95871775 | Preferred phone numer | ||
phone_number_verified | | false | Phone number verification status | Depending on the source for the number. Numbers for BankID on Mobile are regarded as verified. | Numbers from other sources may also be regarded verified. |
all_phone_numbers | | {{"number":"95871775","number_verified":false},{"number":"46897469","number_verified":false},{"number":"94782958","number_verified":false}} | All phone numbers with verification status | ||
Address ( scope = address ) | |||||
address | | { "formatted": "Lybekkveien 11C\n0772 Oslo\nNorway", "country": "Norway", "street_address": "Lybekkveien 11C", "postal_code": "0772", "locality": "Oslo", "house_number": "11", "house_letter": "C", "street_name": "Lybekkveien" } | Postal address | Standardized claim with both standardized and non-standard sub-claims | |
address.formatted | | Lybekkveien 11C\n0772 Oslo\nNorway | Full mailing address | ||
address.street_address | | Lybekkveien 11C | Full street address | ||
address.locality | | Oslo | City or locality | ||
address.postal_code | | 0772 | Postal code | ||
address.country | | Norway | Country | ||
address.street_name | | Lybekkveien | Street name component from | To be reviewed | |
address.house_numer | | 11 | House number component from street_address | To be reviewed | |
address.house_letter | | C | House letter component from street_address | To be reviewed | |
National Identity Number ( scope = nnin ) | |||||
nnin | | 181266***** | Norwegian National Identity Number (fødselsnummer) | ||
Consent handling
According to default handling.
Access Tokens
Uses default tokens. The service behind Userinfo performs Introspection to determine the specific set of claims that the token should gain access to.