Most of the claims supported by TINFO require consent from the end user as indicated in the table of supported claims.

The nnin claim, however, does not require consent from the end user. The rationale is to continue the current BankID practice of providing this data element as a silent side effect of authentication to specific OIDC Clients that have lawful rights (or obligations) to register such data. Since such businesses (banks, insurance companies, health-care organizations, etc.) normally use nnin rather than sub (the BankID PID) as the reference for the end user, it must be possible to perform a basic authentication, i.e. requesting an ID Token along with just nnin from Userinfo, without presenting the user with any consent screen. The nnin cannot be part of the ID Token for privacy reasons, since the ID Token is passed via the User-agent in several of the supported flows. The practice of providing nnin as a non-consented claim is regulated in the end-user license agreement (EULA) for all of the supported IDP options.
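The privacy argument above can be checked directly. The following is an added example, not BankID or TINFO code: it shows that a signed ID Token carried in a front-channel redirect is readable without any key, so an nnin placed in it would be exposed to the User-agent. The issuer and client URLs, the HS256 demo key, the fragment-style redirect, the server-to-server Userinfo response and all claim values are constructed assumptions.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlsplit, parse_qs

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_id_token(claims: dict, key: bytes) -> str:
    """Constructed stand-in for the OP: issues an HS256-signed JWT."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def claims_visible_in_redirect(redirect_url: str) -> dict:
    """Claims readable by anything that sees the redirect URL, with no key.
    A signature protects integrity only; the payload is plain base64url JSON."""
    fragment = parse_qs(urlsplit(redirect_url).fragment)
    token = fragment["id_token"][0]
    return json.loads(b64url_decode(token.split(".")[1]))

def nnin_exposed_to_user_agent(redirect_url: str) -> bool:
    return "nnin" in claims_visible_in_redirect(redirect_url)

# All values below are constructed for the demonstration.
OP_KEY = b"constructed-demo-key"
BASE = {"iss": "https://op.example", "aud": "client-1", "sub": "pid-constructed-0001"}
NNIN = "00000000000"  # placeholder, not a real national identity number

# Rejected design: nnin embedded in the ID Token that transits the browser.
REDIRECT_WITH_NNIN = ("https://rp.example/cb#id_token="
                      + sign_id_token({**BASE, "nnin": NNIN}, OP_KEY))

# Design described on the page: the ID Token carries only sub; nnin is
# returned by Userinfo (assumed here to be a server-to-server call).
REDIRECT_SUB_ONLY = "https://rp.example/cb#id_token=" + sign_id_token(BASE, OP_KEY)
USERINFO_RESPONSE = {"sub": BASE["sub"], "nnin": NNIN}

if __name__ == "__main__":
    print("nnin in ID Token  ->", claims_visible_in_redirect(REDIRECT_WITH_NNIN))
    print("nnin via Userinfo ->", claims_visible_in_redirect(REDIRECT_SUB_ONLY))
```

The client in the second case still links the two responses by comparing `sub` in the ID Token with `sub` in the Userinfo response.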