National Identity Number

We offer a method to have BankID ask for consent to store the National Identity Number on your behalf.

This method is relevant for you if you need to store the end user's national identity number in your own systems and prefer to let BankID OIDC handle the UX when collecting the consent from the End User.

By implementing this flow you can trigger an on-demand dialogue asking for end-user consent to share NNIN (fødselsnummer) with the merchant.

In summary the solution makes the following assumptions:

  • Merchants are responsible for storing the end-user consent. BankID does not store consent.
  • Ideally, merchants will only ask for a user's consent to share NNIN once per user.
  • The merchant application must be able to check whether an NNIN is already stored in the context of the authentication session (explained below).


Beware that you are responsible for storing the End User's consent in your own systems. BankID OIDC does not store any consent.

Implementation steps

| Step | What you do | Endpoint | Method | Considerations | Remarks |
|---|---|---|---|---|---|
| 1 | Start an Authorization Request to BankID OIDC with scope nnin_altsub in the scope list. Do not include nnin scope now. | authorize | GET | This is your bread-and-butter request that will initiate BankID identification. | We highly recommend using redirect mode as this is the industry standard. Iframe integrations are strongly discouraged, prone to errors and unsupported. |
| 2 | Exchange authorization code for tokens and get NNIN from ID Token. | token | POST | Check matching nonce and remember to verify JWT tokens. | You can get the NNIN from the claim nnin_altsub in ID token to identify the user. |
| 3 | Check in your system whether an NNIN is already stored for the user. If yes, all is well and we stop here. If no, we continue with steps 4-6. | | | | Unless you ask for email, address or phone, there is no need to call Userinfo endpoint here as all userinfo should be available in the ID token (name, NNIN etc.) |
| 4 | Make a new authorize-request with nnin scope in the scope list and ID Token in id_token_hint parameter. | authorize | GET | Include scope nnin. Add ID token from 4) as id_token_hint | The id_token_hint will skip BankID identification (to avoid users having to identify twice in a row). Instead, the end-user will be prompted for consent for sharing their national identity number with you. |
| 5 | Exchange authorization code for tokens | token | POST | Check matching nonce and remember to verify JWT tokens. | |
| 6 | Call Userinfo endpoint to get National Identity Number | Userinfo | GET | Use Access token from 5) as Bearer token | If the user has given consent, the NNIN will be available in the claim nnin. If the user has not given consent, you won't be able to find the nnin claim. |
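
The merchant-side decisions in steps 1 to 6, as an added Python example (not BankID's own code). The endpoint URL, client ID, redirect URI and all function names are placeholders or hypothetical, `openid` is the standard OIDC scope added alongside the scopes named above, and the claim dictionaries are assumed to come from tokens whose signatures were already verified with a JWT library.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Placeholder values (assumptions): take the real authorize endpoint from the
# provider's OIDC discovery document and use your own client registration.
AUTHORIZE_ENDPOINT = "https://oidc.example.invalid/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://merchant.example.invalid/callback"


def build_authorize_url(scopes, id_token_hint=None):
    """Return (url, state, nonce) for step 1 (no hint) or step 4 (with hint)."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,   # bind the callback to this browser session
        "nonce": nonce,   # must come back inside the ID token
    }
    if id_token_hint is not None:
        params["id_token_hint"] = id_token_hint
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state, nonce


def check_nonce(id_claims, expected_nonce):
    """Steps 2 and 5: reject an ID token whose nonce is not the one we sent.
    id_claims must come from a token whose signature was already verified."""
    received = str(id_claims.get("nonce", "")).encode()
    if not hmac.compare_digest(received, expected_nonce.encode()):
        raise ValueError("nonce mismatch: discard the tokens")


def needs_consent_round(id_claims, expected_nonce, stored_nnins):
    """Step 3: True when the nnin_altsub value is not yet in our own storage."""
    check_nonce(id_claims, expected_nonce)
    return id_claims["nnin_altsub"] not in stored_nnins


def nnin_after_consent(userinfo):
    """Step 6: the nnin claim is present only if the user gave consent."""
    return userinfo.get("nnin")
```

Persist the consent record together with the NNIN only when `nnin_after_consent` returns a value; a `None` result means the user declined and nothing should be stored.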