
Most of the claims supported by TINFO require consent from the end user as indicated in the table of supported claims.

The consent GUI for TINFO may include each of the following entries, corresponding to the supported scopes. The entries actually shown depend on the scopes requested by the OIDC Client.

  • Profile (Gender)
  • Email
  • Phone
  • Address

The end-user may accept (or reject) each scope separately. Rejected scopes are not contained in the set of scopes returned via introspection for any associated Access token. Note that consent handling happens on a per-scope basis: the end-user may not reject individual claims associated with a scope.


Note that the nnin claim does not require consent from the end-user. The rationale is to continue the current BankID practice of providing this data element as a silent side-effect of the authentication to specific OIDC Clients that are eligible to register such data. Since such businesses (banks, insurance companies, health-care organizations, etc.) normally use nnin rather than sub (the BankID PID) as the reference for the end-user, it must be possible to perform a basic authentication, i.e. requesting an ID Token along with just nnin from Userinfo, without presenting the user with any consent screen. The nnin cannot be part of the ID Token for privacy reasons, since the ID Token for several of the supported flows is passed via the User-agent. The practice of providing nnin as a non-consented claim is regulated in the end-user license agreement (EULA) for all of the supported IDP options.
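The consent rules above (per-scope consent, rejected scopes absent from introspection, nnin released without consent but never in the ID Token), as an added model in Python. This is example code, not part of the BankID or TINFO documentation; the scope names and the claims behind each consent entry are assumed (standard OIDC names), and only nnin and the entry labels come from the page.

```python
# Added example, not code from the BankID / TINFO documentation: a minimal
# model of the per-scope consent rules. The scope names and the claims
# behind each consent entry are assumed (standard OIDC names); only "nnin"
# and the consent-screen entry labels come from the page.
from dataclasses import dataclass

# Consent-screen entry label and claims per consent-gated scope (assumed mapping).
CONSENT_SCOPES = {
    "profile": ("Profile (Gender)", {"gender"}),
    "email":   ("Email", {"email"}),
    "phone":   ("Phone", {"phone_number"}),
    "address": ("Address", {"address"}),
}
ALWAYS_GRANTED = {"openid"}       # not consent-gated (assumption: standard OIDC)
NON_CONSENTED_CLAIMS = {"nnin"}   # released without consent, Userinfo only


def consent_screen_entries(requested_scopes):
    """Entries shown on the consent GUI depend on the scopes actually requested."""
    return [CONSENT_SCOPES[s][0] for s in requested_scopes if s in CONSENT_SCOPES]


@dataclass
class ConsentOutcome:
    introspection_scopes: set   # scopes reported when the access token is introspected
    id_token_claims: set        # claims this model allows in the ID Token
    userinfo_claims: set        # claims the Userinfo endpoint may return


def apply_consent(requested_scopes, accepted_scopes, client_eligible_for_nnin):
    """Apply the consent rules to one authorization.

    Consent is per scope: rejecting a scope drops all of its claims, and the
    end-user cannot reject single claims. Rejected scopes never show up in
    introspection. nnin is returned to eligible clients without any consent,
    but only via Userinfo, never in the ID Token (which may pass through the
    user agent). This model puts only "sub" in the ID Token.
    """
    requested = set(requested_scopes)
    granted = (requested & ALWAYS_GRANTED) | (requested & set(accepted_scopes) & set(CONSENT_SCOPES))
    userinfo = set().union(*(CONSENT_SCOPES[s][1] for s in granted if s in CONSENT_SCOPES))
    if client_eligible_for_nnin:
        userinfo |= NON_CONSENTED_CLAIMS
    id_token = {"sub"}
    assert not (id_token & NON_CONSENTED_CLAIMS)   # invariant: nnin never in ID Token
    return ConsentOutcome(granted, id_token, userinfo)
```

A relying party can use the same rules as a check on what it receives: any claim present for a scope missing from introspection, or an nnin inside an ID Token, indicates a misbehaving provider.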