ID Token

The OpenID Connect Provider from BankID provides ID Tokens with uniform characteristics regardless of the IDP being used in any particular case. The claims returned depend on the scopes requested by the OIDC Client. Three different configurations are supported, as suggested by the table below, corresponding to various combinations of the standard scopes openid and profile and the proprietary scope nnin_altsub.

A Minimum ID Token (scope = openid) contains a minimum set of claims, among which sub and bankid_altsub are the only claims that are linked to the actual user. A minimum ID Token can be used by OIDC Clients that need to authenticate end-users in an anonymous way. The sub and bankid_altsub values do not identify the user unless the OIDC Client links them to other claims about the end-user that identify him more precisely.

A Regular ID Token (scope = openid profile) builds on a minimum ID Token by adding claims that identify the end-user by his name and birthdate.

An Enhanced ID Token (scope = ....... nnin_altsub) builds either on a minimum ID Token or a regular ID Token by adding a claim containing the Norwegian National Identity Number of the end-user.

The TINFO value-added service supports even more claims about the end-user beyond those contained in the ID Token.

All claims supported in ID Tokens, with the exception of nnin_altsub, are available to any OIDC Client, and none of the claims demand consent from the end-user. This is in contrast to claims supported by TINFO, which must meet certain conditions before actually being returned to a requesting OIDC Client.

The OIDC Provider from BankID supports signed ID Tokens. Note that signing-related claims contained in the header part of the ID Token are not shown in the table below.

(tick) = According to standard. (info) = Custom additions

Claim | Support | Scope | Example | Description | Comment
--- | --- | --- | --- | --- | ---
typ | (tick) | openid | ID | Token type | Type of token
acr | (tick) | openid | 4 | Authentication Context Class Reference | Level of Assurance (LoA) for the IDP option being used
amr | (tick) | openid | BID | Authentication Method Reference | Name of the IDP option being used
aud | (tick) | openid | oidc_testclient | Audience | Always includes client_id
auth_time | (tick) | openid | 1510497762 | Authentication time | Epoch time
azp | (tick) | openid | oidc_testclient | Authorized party | Equals client_id
bankid_altsub | (info) | openid | 9578-5999-4-1765512 | Alternate Subject Identifier | Personal Identifier (PID) for BankID (serial number from the associated BankID certificate). Applicable for BankID and other IDPs derived from BankID.
exp | (tick) | openid | 1510498063 | Expiration time | Epoch time
iat | (tick) | openid | 1510497763 | Issuing time | Epoch time
iss | (tick) | openid | https://oidc-preprod.bankidapis.no/auth/realms/preprod | Issuer | Identifier for the Issuer
jti | (tick) | openid | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 | Token identifier |
nbf | (tick) | openid | 0 | Not before time | Epoch time
nonce | (tick) | openid | <random value> | Nonce |
session_state | (info) | openid | abf823c2-9810-4133-9369-7bff1223d6c1 | GUID related to session handling in Keycloak |
sub | (tick) | openid | e8c523ff-52a2-42e2-a7a5-f1d0fbb76204 | Subject Identifier | Personal Identifier from BankID (serial number from the associated BankID certificate)
updated_at | (tick) | openid | 1468582440 | Update time | Epoch time of the issuing time of the associated BankID certificate
at_hash | (tick) | openid | <hash value> | Access Token hash value | Included for hybrid and implicit flows
c_hash | (tick) | openid | <hash value> | Code hash value | Included for hybrid flow
birthdate | (tick) | profile | 1966-12-18 | Birthdate | BirthDate from the associated BankID certificate
family_name | (tick) | profile | Nilsen | Surname (last name) |
given_name | (tick) | profile | Frode Beckmann | Given name (first name) |
name | (tick) | profile | Nilsen, Frode Beckmann | Full name | CommonName from the associated BankID certificate
preferred_username | (tick) | profile | Nilsen, Frode Beckmann | Shorthand name |
nnin_altsub | (info) | nnin_altsub | 181266***** | Norwegian National Identity Number (fødselsnummer) as alternate Subject Identifier | Provides eligible OIDC Clients with the nnin as a reference to already existing users. Only available with the authorization code flow; other flows would expose the nnin via the ID Token flowing through the end-user's browser. For access to the nnin for eligible OIDC Clients for enrollment of new users, see TINFO.
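The claim checks an OIDC Client should run on one of these ID Tokens, as an added example that is not BankID's own code. It assumes the JWS signature has already been verified with the provider's published keys; the skew value, the nonce and the sample claim set are assumptions built from the example column of the table.

```python
import base64
import hashlib

# Added helper (not BankID's code): the claim checks an OIDC Client runs on a BankID
# ID Token *after* the JWS signature has been verified with the provider's published keys.
# The skew value, the nonce and the sample claim set below are assumptions.

def token_hash(token: str, alg: str = "RS256") -> str:
    """at_hash / c_hash per OIDC Core: left half of hash(token), base64url, no padding."""
    h = {"RS256": hashlib.sha256, "RS384": hashlib.sha384, "RS512": hashlib.sha512}[alg]
    digest = h(token.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode("ascii")

def check_claims(claims, issuer, client_id, nonce, now, access_token=None, code=None,
                 alg="RS256", skew=60):
    """Return the failed checks (empty list = acceptable). Each check mirrors a table row."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss is not the expected BankID issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not include client_id")
    if claims.get("azp") != client_id:
        problems.append("azp differs from client_id")
    if now >= claims.get("exp", 0) + skew:
        problems.append("token expired")
    if claims.get("nonce") != nonce:
        problems.append("nonce does not match the value sent in the request")
    # at_hash / c_hash appear only in hybrid and implicit flows; bind the token to them when present.
    for claim, artefact in (("at_hash", access_token), ("c_hash", code)):
        if claim in claims and (artefact is None or claims[claim] != token_hash(artefact, alg)):
            problems.append(f"{claim} does not match")
    # Per the table, nnin_altsub is only issued in the code flow, where at_hash is absent.
    if "nnin_altsub" in claims and "at_hash" in claims:
        problems.append("nnin_altsub present in a token from a browser-delivered flow")
    return problems

def token_level(claims) -> str:
    """Classify by the claims present: minimum (openid), regular (+profile), enhanced (+nnin_altsub)."""
    if "nnin_altsub" in claims:
        return "enhanced"
    return "regular" if "name" in claims or "birthdate" in claims else "minimum"

# Constructed sample built from the example column of the claim table (nonce value made up).
SAMPLE = {
    "iss": "https://oidc-preprod.bankidapis.no/auth/realms/preprod",
    "aud": "oidc_testclient", "azp": "oidc_testclient", "acr": "4", "amr": "BID",
    "nonce": "n-0S6_WzA2Mj", "auth_time": 1510497762, "iat": 1510497763, "nbf": 0,
    "exp": 1510498063, "sub": "e8c523ff-52a2-42e2-a7a5-f1d0fbb76204",
    "bankid_altsub": "9578-5999-4-1765512",
}
```

`check_claims(SAMPLE, SAMPLE["iss"], "oidc_testclient", "n-0S6_WzA2Mj", now=1510497800)` returns an empty list for the sample, and `token_level(SAMPLE)` reports it as a minimum ID Token.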