Refresh Tokens

In parallel to the Default Access Token used by the TINFO service, this release of the OIDC Provider from BankID also supports a corresponding Default Refresh Token. As the table below shows, the Refresh Token carries only a minimum of information compared with both the ID Token and the Access Token. The purpose of Refresh Tokens is to allow the life-time of Access Tokens to be kept short: an expired Access Token can be replaced with a new Access Token, without any user interaction, by presenting the Refresh Token that was issued along with the most recent Access Token. The Refresh Token is issued with a longer life-time than the Access Token itself, and because it can be exchanged for new Access Tokens it must be stored and transmitted with the same care as the client credentials.

The supported Default Refresh Token originates from Keycloak and has the characteristics listed below. The Refresh Token can be used by VAS services other than TINFO by replacing the value of the aud attribute.

(tick) = According to standard. (info) = Custom additions

| Claim | Support | Example | Description | Comment |
|---|---|---|---|---|
| typ | (tick) | Refresh | Token type | Type of token |
| aud | (tick) | tinfo | Audience | Always includes client_id |
| auth_time | (tick) | 1510497762 | Authentication time | Epoch time (seconds since 1970-01-01 UTC) |
| azp | (tick) | oidc_testclient | Authorized party | Equals client_id |
| exp | (tick) | 1510498063 | Expiration time | Epoch time |
| iat | (tick) | 1510497763 | Issuing time | Epoch time |
| iss | (tick) | | Issuer | Identifier for the Issuer |
| jti | (tick) | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 | Token identifier | |
| nbf | (tick) | 0 | Not before time | Epoch time |
| nonce | (tick) | <random value> | Nonce | |
| session_state | (info) | abf823c2-9810-4133-9369-7bff1223d6c1 | GUID related to session handling in Keycloak. | |
| sub | (tick) | | Subject Identifier | Personal Identifier from BankID (serial number from the associated BankID certificate) |
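The refresh flow described above and the claims in the table, as an added example that is not code from the BankID OIDC Provider or from Keycloak. It is a client-side sketch in plain Python: decide whether the Access Token needs refreshing, pre-check the Refresh Token's claims against the table before spending a round trip, build the refresh grant body for the token endpoint (RFC 6749 section 6), and pick up a rotated Refresh Token from the response (RFC 6749 section 5.1). The tokens, the client_id "oidc_testclient", the audience "tinfo", the issuer URL, the client secret and the "current" time are all constructed for the example; the tokens are unsigned alg=none stand-ins, since the client never verifies the Refresh Token's signature itself, the OIDC Provider does when the token is presented.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed sample data (not from the BankID OIDC Provider). NOW is chosen
# just after the table's example exp so the Access Token is already expired.
CLIENT_ID = "oidc_testclient"
EXPECTED_AUD = "tinfo"        # the VAS service this token is meant for
NOW = 1510498100              # "current" epoch time for the examples


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWT strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it.

    The client does not validate the Refresh Token's signature; the OIDC
    Provider does that at the token endpoint. Reading the claims locally is
    only a cheap pre-check that avoids requests which are bound to fail.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed alg=none token for the examples (empty signature)."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."


def needs_refresh(access_token: str, now: int, leeway: int = 30) -> bool:
    """True when the Access Token has expired or will within `leeway` seconds."""
    return jwt_claims(access_token)["exp"] - leeway <= now


def check_refresh_token(refresh_token: str, client_id: str,
                        expected_aud: str, now: int) -> list:
    """Pre-check the claims listed in the table; returns problems (empty = usable)."""
    c = jwt_claims(refresh_token)
    problems = []
    if c.get("typ") != "Refresh":
        problems.append("typ is not Refresh")
    if c.get("azp") != client_id:
        problems.append("azp does not equal client_id")
    aud = c.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud   # aud may be a string or a list
    if expected_aud not in aud:
        problems.append(f"aud does not include {expected_aud}")
    if c.get("nbf", 0) > now:
        problems.append("refresh token not yet valid (nbf)")
    if c.get("exp", 0) <= now:
        problems.append("refresh token expired; user must re-authenticate")
    return problems


def refresh_request_body(refresh_token: str, client_id: str, client_secret: str) -> str:
    """Form body for the refresh grant at the token endpoint (RFC 6749 section 6)."""
    return urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def rotate_tokens(response: dict, old_refresh_token: str) -> tuple:
    """Return (new Access Token, Refresh Token to keep using).

    RFC 6749 section 5.1 makes refresh_token optional in the response; when
    the OP does not rotate it, the client keeps the one it already holds.
    """
    return response["access_token"], response.get("refresh_token", old_refresh_token)


ACCESS_TOKEN = make_unsigned_jwt(
    {"typ": "Bearer", "aud": EXPECTED_AUD, "azp": CLIENT_ID, "exp": 1510498063})
REFRESH_TOKEN = make_unsigned_jwt({
    "typ": "Refresh", "aud": EXPECTED_AUD, "azp": CLIENT_ID,
    "auth_time": 1510497762, "iat": 1510497763, "nbf": 0,
    "exp": 1510499563,                       # longer life-time than the Access Token
    "iss": "https://op.example",             # placeholder issuer, constructed
    "jti": "7f22fd6a-3d46-4d5a-ae56-6de3c53e1873",
    "session_state": "abf823c2-9810-4133-9369-7bff1223d6c1",
})
EXPIRED_REFRESH_TOKEN = make_unsigned_jwt(
    {"typ": "Refresh", "aud": EXPECTED_AUD, "azp": CLIENT_ID, "nbf": 0, "exp": 1510498063})


def demo() -> tuple:
    """Walk through one refresh; returns (new Access Token, Refresh Token kept)."""
    if not needs_refresh(ACCESS_TOKEN, NOW):
        return ACCESS_TOKEN, REFRESH_TOKEN
    problems = check_refresh_token(REFRESH_TOKEN, CLIENT_ID, EXPECTED_AUD, NOW)
    if problems:
        raise RuntimeError("; ".join(problems))   # re-authenticate the user instead
    body = refresh_request_body(REFRESH_TOKEN, CLIENT_ID, "client-secret-placeholder")
    # The POST to the token endpoint is out of scope here; this constructed
    # response (no rotated refresh_token) stands in for what the OP returns.
    fake_response = {"access_token": make_unsigned_jwt({"exp": NOW + 300}), "expires_in": 300}
    return rotate_tokens(fake_response, REFRESH_TOKEN)


if __name__ == "__main__":
    print(demo())
```

When check_refresh_token reports an expired Refresh Token, the only remedy is a new authorization request with user interaction; retrying the refresh grant will be rejected by the OIDC Provider.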