token

Token is a standard endpoint used for requesting various combinations of ID TokenAccess Token and Refresh Token. In addition, BankID OIDC extends the token response with the BankID Proof token if requested. The type of request (and corresponding response) is determined by the grant_type request parameter as described further below. 

Overview

URLhttps://<oidc-baseurl>/protocol/openid-connect/token
RequestPOST with parameters in body as application/x-www-form-urlencoded data
AuthenticationOIDC/OAuth2 client authentication according to supported methods
Success response200 OK with JSON containing response elements
Error response400 Bad request with JSON containing standard error reponse elements
ExampleSee below

The recommended practise for merchants is to use the Token URL from openid-configuration rather than hardcoding the below URL value.


Request parameters

The OIDC Provider supports three different grant types as described in the following, each with a corresponding set of request parameters. In addition comes request parameters related to Client authentication.

Authorization Code

This grant type is associated with the Authorization code flow and Hybrid flow. In both cases the other parameters shown below are related to a preceeding authorize request that involves interaction with the end-user.

NameDescription
grant_typeauthorization_code
codeValue from response of the foregoing authorize  request
redirect_uri

redirect_uri used in the foregoing authorize request.

Client Credentials

This grant type is associated with the Client credential flow. This grant type does not involve any end-user interaction and is not related to any preceeding authorize request.

NameDescription
grant_typeclient_credentials
scopeList of scopes specifying what kind of resources (dataset) the OIDC Client requests access to.


Example request:

POST /auth/realms/current/protocol/openid-connect/token HTTP/1.1
Host: auth.current.bankid.no
User-Agent: curl/7.64.1
Accept: */*
Authorization: Basic b2lkYy10ZXN0Y2xpZW50OjAxMjM0NTY3LTg5YWItY2RlZi0wMTIzLTQ1Njc4OWFiY2RlZg==
Content-Length: 54
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&scope=signdoc/read_write

Refresh Token

This grant type is used to refresh a previously issued Access Token via a corresponding Refresh Token issued along with the previous Access Token.

NameDescription
grant_typerefresh_token
refresh_tokenJWT value for the refresh token from any foregoing Token response
scope

Requested scopes for the new set of tokens. Note: The scopes must be identical to or narrower that the original scopes of the associated authorize request. Note that scope values are case-sensitive.

Response elements

Reponses are similar for Authorization Code and Refresh Token but different for Client Credentials.

Authorization Code and Refresh Token

The response for Authorization Code and Refresh Token is a JSON structure according to Keycloack default with the following claims

NameDescriptionComment
id_tokenJWT encoded ID TokenStandard claim with Keycloack specific content
access_tokenJWT encoded Access TokenStandard claim with Keycloack specific content
token_typeAlways BearerStandard claim
expires_inLife-time of access_token.Standard claim. Related to the exp claim inside the Access Token. See session handling
refresh_token

JWT encoded Refresh Token  

Standard claim with Keycloack specific content
refresh_expires_inLife-time of refresh_tokenKeycloack specific claim. Related to the exp claim inside the Refresh Token. See session handling 
bankid_proofJWT encoded BankID Proof TokenBankID OIDC custom claim that includes proof of BankID authentication. Included if requested using the bankid_proof scope.
not-before-policyTBDKeycloack specific claim
session_stateTBDKeycloack specific claim

Client Credentials

The response for Client Credentials is a JSON structure similar to that for Authorization Code and Refresh Token with the exception that the id_token claim is not present.

Example

Authorization code grant token exchange

The following example shows a request / response pair for an authorization code grant token exchange.

Authorization Code Exchange
POST /auth/realms/current/protocol/openid-connect/token HTTP/1.1
Host: auth.current.bankid.no
User-Agent: curl/7.64.1
Accept: */*
Authorization: Basic b2lkYy10ZXN0Y2xpZW50OjAxMjM0NTY3LTg5YWItY2RlZi0wMTIzLTQ1Njc4OWFiY2RlZg==
Content-Length: 207
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&redirect_uri=https%3A%2F%2Ftestclient.local%3A8487%2Fcallback&code=521e89e9-5b3e-49d2-9647-2aeed215c5d7.66801cef-7746-4391-a018-43bda5c7002b.0ab47fe7-0373-4b80-b517-065f5a5a3769

HTTP/1.1 200 OK
Date: Wed, 18 Aug 2021 11:27:37 GMT
Server: web
Cache-Control: no-store
X-XSS-Protection: 1; mode=block
Pragma: no-cache
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Content-Type: application/json
Content-Length: 4301

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3VkZaSVp2UlBOY1lSUUZUcEQ4MHVJaElpVVB4WUNkaEtoUjZudjJDQnJnIn0.eyJleHAiOjE2MjkyODYzNTcsImlhdCI6MTYyOTI4NjA1NywiYXV0aF90aW1lIjoxNjI5Mjg1OTk4LCJqdGkiOiI2MzE5M2JlYS0zYzA3LTRhNGQtODY3YS02NWJjYzk3MDQ2NDgiLCJpc3MiOiJodHRwczovL2F1dGguY3VycmVudC5iYW5raWQubm8vYXV0aC9yZWFsbXMvY3VycmVudCIsImF1ZCI6InRpbmZvIiwic3ViIjoiMmNkN2NlY2QtZDQ0NC00Njg1LWJiMDQtOGJiZmRiNDVhMDY5IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoib2lkYy10ZXN0Y2xpZW50Iiwibm9uY2UiOiJkZW1vTm9uY2UiLCJzZXNzaW9uX3N0YXRlIjoiNjY4MDFjZWYtNzc0Ni00ZGQ2LWEwMTgtNDNiZGE1YzcwMDJiIiwibmFtZSI6IlRlc3QgVXNlciBCYW5rSUQiLCJnaXZlbl9uYW1lIjoiVGVzdCBVc2VyIiwiZmFtaWx5X25hbWUiOiJCYW5rSUQiLCJiaXJ0aGRhdGUiOiIyMDE4LTA1LTA5IiwiYWNyIjoidXJuOmJhbmtpZDpiaWQ7TE9BPTQiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsicHJvZmlsZSJdfSwicmVzb3VyY2VfYWNjZXNzIjp7InRpbmZvIjp7InJvbGVzIjpbInByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIiwiYW1yIjoiQklEIiwicmVzb3VyY2VfY2xhaW1zIjp7fSwiYmFua2lkX2FsdHN1YiI6Ijk1NzgtNjAwMC00LTYzNDU4MiIsIm9yaWdpbmF0b3IiOiJDTj1CYW5rSUQgLSBUZXN0QmFuazEgLSBCYW5rIENBIDMsT1U9MTIzNDU2Nzg5LE89VGVzdEJhbmsxIEFTLEM9Tk87T3JnaW5hdG9ySWQ9OTk4MDtPcmlnaW5hdG9yTmFtZT1CSU5BUztPcmlnaW5hdG9ySWQ9OTk4MCJ9.n1DGMVcHmEB5wL03QkE51cqAtl5uUr-slOd89lfy_ufF9U_X8JypI8WG_PXieX6eXMiFwR0vak3DtHKKmnx0Y1qRtfKAM12m1c6EvqrhbMa3NvLtdZoAQ8YfmQ2sB2bSg4bmtB4iEDbO9eLrMc1bb0yyFuT3bbQr0cqcLl5u3Ig0ZsNNoyRV-XJBfLEWjswEsPag6xwu6AG_4K1lDaqGiFM4XoQl0LrDAN0Wz9RGYyR7eBrohvfV22XZCZadt-T7Dyc6gr_UIY8tyoA3Lh7rXtnzxybL8a4rWDHAACp5VSFLRLS_61yumrB4g5AwJvdj0MF6ngJzHj2XyF0Eu3MdfA",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjMWJjNDkyYy1jNDYwLTQ1ZWItYTQ5Yi1hYjAxY2IyZGJkOGIifQ.eyJleHAiOjE2MjkyODc4NTcsImlhdCI6MTYyOTI4NjA1NywianRpIjoiNTM2NjI5ZTgtZWIzZS00MmY1LTgxYTAtMmUzZWJiZTI2ZGM3IiwiaXNzIjoiaHR0cHM6Ly9hdXRoLmN1cnJlbnQuYmFua2lkLm5vL2F1dGgvcmVhbG1zL2N1cnJlbnQiLCJhdWQiOiJodHRwczovL2F1dGguY3VycmVudC5iYW5raWQubm8vYXV0aC9yZWFsbXMvY3VycmVudCIsInN1YiI6IjJjZDdjZWNkLWQ0NDQtNDY4NS1iYjA0LThiYmZkYjQ1YTA2OSIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJvaWRjLXRlc3RjbGllbnQiLCJub25jZSI6ImRlbW9Ob25jZSIsInNlc3Npb25fc3RhdGUiOiI2NjgwMWNlZi03NzQ2LTRkZDYtYTAxOC00M2JkYTVjNzAwMmIiLCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIn0.LwE6_mB1JSIF9EfjlP5cQeoQjvnGTzxtaVR2Qae4WIM",
    "token_type": "bearer",
    "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3VkZaSVp2UlBOY1lSUUZUcEQ4MHVJaElpVVB4WUNkaEtoUjZudjJDQnJnIn0.eyJleHAiOjE2MjkyODYzNTcsImlhdCI6MTYyOTI4NjA1NywiYXV0aF90aW1lIjoxNjI5Mjg1OTk4LCJqdGkiOiI1NDM5NjM5Mi0wZDdkLTQ0OTUtYjZlMy0xYTQ5NjZmOWM0ZmEiLCJpc3MiOiJodHRwczovL2F1dGguY3VycmVudC5iYW5raWQubm8vYXV0aC9yZWFsbXMvY3VycmVudCIsImF1ZCI6Im9pZGMtdGVzdGNsaWVudCIsInN1YiI6IjJjZDdjZWNkLWQ0NDQtNDY4NS1iYjA0LThiYmZkYjQ1YTA2OSIsInR5cCI6IklEIiwiYXpwIjoib2lkYy10ZXN0Y2xpZW50Iiwibm9uY2UiOiJkZW1vTm9uY2UiLCJzZXNzaW9uX3N0YXRlIjoiNjY4MDFjZWYtNzc0Ni00ZGQ2LWEwMTgtNDNiZGE1YzcwMDJiIiwibmFtZSI6IlRlc3QgVXNlciBCYW5rSUQiLCJnaXZlbl9uYW1lIjoiVGVzdCBVc2VyIiwiZmFtaWx5X25hbWUiOiJCYW5rSUQiLCJiaXJ0aGRhdGUiOiIyMDE4LTA1LTA5IiwidXBkYXRlZF9hdCI6MTYyOTI4MDYyMDAwMCwiYWNyIjoidXJuOmJhbmtpZDpiaWQ7TE9BPTQiLCJhbXIiOiJCSUQiLCJiYW5raWRfYWx0c3ViIjoiOTU3OC02MDAwLTQtNjM0NTgyIiwib3JpZ2luYXRvciI6IkNOPUJhbmtJRCAtIFRlc3RCYW5rMSAtIEJhbmsgQ0EgMyxPVT0xMjM0NTY3ODksTz1UZXN0QmFuazEgQVMsQz1OTztPcmdpbmF0b3JJZD05OTgwO09yaWdpbmF0b3JOYW1lPUJJTkFTO09yaWdpbmF0b3JJZD05OTgwIiwiYWRkaXRpb25hbENlcnRJbmZvIjp7ImNlcnRWYWxpZEZyb20iOjE2MjkyODA2MjAwMDAsInNlcmlhbE51bWJlciI6IjE3MjI3NDQiLCJrZXlBbGdvcml0aG0iOiJSU0EiLCJrZXlTaXplIjoiMjA0OCIsInBvbGljeU9pZCI6IjIuMTYuNTc4LjEuMTYuMS4xMi4xLjEiLCJtb25ldGFyeUxpbWl0QW1vdW50IjoiMTAwMDAwIiwiY2VydFF1YWxpZmllZCI6dHJ1ZSwibW9uZXRhcnlMaW1pdEN1cnJlbmN5IjoiTk9LIiwiY2VydFZhbGlkVG8iOjE2OTIzNTI2MjAwMDAsInZlcnNpb25OdW1iZXIiOiIzIiwic3ViamVjdE5hbWUiOiJDTj1CYW5rSURcXCwgVGVzdCBVc2VyLE89VGVzdEJhbmsxIEFTLEM9Tk8sU0VSSUFMTlVNQkVSPTk1NzgtNjAwMC00LTYzNDU4MiJ9LCJ0aWQiOiIxMWRhYzNiMi04NGEzLTRjODQtOGQ5ZC1hODE5YzkwNmI3ODIifQ.olwtV8Hr7X-t-pcBx-4m8pj9BBQhkkxgD_dJo8NTV-MefnZljVGfXOSmXURo2H0OmLCFvMst_KXmuIw9XWVd_djl-EQACkD1Tu4ABT6T-kT8EvRU61JFrLGD5iypKAf3y91UJS3wUS6Mkxj273ITBPZa6tqLeugL712GaQoyDllEEluFfXrV7-MUTRt9f80b_rfY9mq8wpw84mycKUukJGZOqpBRgiME_i2WiFdAqEgqU3zNrCEW90NecBHF8xGgGQvD34dCn1djVImrYKeTxb7wNAxH-lUUVw4jB-51yIHV6fzfLixYz6eDpYjq0hlTRXo0sEoV-tpDuh7HmbV94A",
    "not-before-policy": 0,
    "session_state": "66801cef-7746-4dd6-a018-43bda5c7002b",
    "scope": "openid profile"
}


The following are decoding of the tokens returned in the above response:

Decoded Tokens
Access Token
{
  "jti": "5bebba2e-e10c-47d8-a63c-92ab55b4bb4f",
  "exp": 1510838469,
  "nbf": 0,
  "iat": 1510838169,
  "iss": "https://oidc-preprod.bankidapis.no/auth/realms/preprod",
  "aud": "tinfo",
  "sub": "b3f4d919-8cc5-413c-9e11-3c2c675b2f8f",
  "typ": "Bearer",
  "azp": "Postman",
  "auth_time": 1510838050,
  "session_state": "bf0a4c9f-2d00-43d8-8288-01b83ab1e580",
  "name": "Frode Beckmann Nilsen",
  "given_name": "Frode Beckmann",
  "family_name": "Nilsen",
  "acr": "4",
  "allowed-origins": [],
  "realm_access": {
    "roles": [
      "nnin_altsub",
      "profile"
    ]
  },
  "resource_access": {
    "tinfo": {
      "roles": [
        "address",
        "phone",
        "email"
      ]
    }
  },
  "amr": "BID",
  "bankid_altsub": "9578-6000-4-30799"
} 
 
Refresh Token
{
    "exp": 1629287857,
    "iat": 1629286057,
    "jti": "536629e8-eb3e-42f5-81a0-2e3ebbe26dc7",
    "iss": "https://auth.current.bankid.no/auth/realms/current",
    "aud": "https://auth.current.bankid.no/auth/realms/current",
    "sub": "2cd7cecd-d444-4685-bb04-8bbfdb45a069",
    "typ": "Refresh",
    "azp": "oidc-testclient",
    "nonce": "demoNonce",
    "session_state": "66801cef-7746-4dd6-a018-43bda5c7002b",
    "scope": "openid profile"
}
 
ID Token
{
    "exp": 1629286357,
    "iat": 1629286057,
    "auth_time": 1629285998,
    "jti": "54396392-0d7d-4495-b6e3-1a4966f9c4fa",
    "iss": "https://auth.current.bankid.no/auth/realms/current",
    "aud": "oidc-testclient",
    "sub": "2cd7cecd-d444-4685-bb04-8bbfdb45a069",
    "typ": "ID",
    "azp": "oidc-testclient",
    "nonce": "demoNonce",
    "session_state": "66801cef-7746-4dd6-a018-43bda5c7002b",
    "name": "Test User BankID",
    "given_name": "Test User",
    "family_name": "BankID",
    "birthdate": "2018-05-09",
    "updated_at": 1629280620000,
    "acr": "urn:bankid:bid;LOA=4",
    "amr": "BID",
    "bankid_altsub": "9578-6000-4-634582",
    "originator": "CN=BankID - TestBank1 - Bank CA 3,OU=123456789,O=TestBank1 AS,C=NO;OrginatorId=9980;OriginatorName=BINAS;OriginatorId=9980",
    "additionalCertInfo": {
        "certValidFrom": 1629280620000,
        "serialNumber": "1722744",
        "keyAlgorithm": "RSA",
        "keySize": "2048",
        "policyOid": "2.16.578.1.16.1.12.1.1",
        "monetaryLimitAmount": "100000",
        "certQualified": true,
        "monetaryLimitCurrency": "NOK",
        "certValidTo": 1692352620000,
        "versionNumber": "3",
        "subjectName": "CN=BankID\\, Test User,O=TestBank1 AS,C=NO,SERIALNUMBER=9578-6000-4-634582"
    },
    "tid": "11dac3b2-84a3-4c84-8d9d-a819c906b782"
}

Refresh token exchange

The following example shows a request / response pair for an Refresh Token Exchange with the Token endpoint corresponding to the above example on a Authorization Code Exchange. 

Refresh Token Exchange
POST /auth/realms/current/protocol/openid-connect/token HTTP/1.1
Host: auth.current.bankid.no
User-Agent: curl/7.64.1
Accept: */*
Authorization: Basic b2lkYy10ZXN0Y2xpZW50OmYwOTg5NjgxLTkyM2YtNGUyYi1iMzRjLWU5NGQwOWIyYjIxYw==
Content-Length: 718
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&scope=openid+profile&refresh_token=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjMWJjNDkyYy1jNDYwLTQ1ZWItYTQ5Yi1hYjAxY2IyZGJkOGIifQ.eyJleHAiOjE2MjkyODc4NTcsImlhdCI6MTYyOTI4NjA1NywianRpIjoiNTM2NjI5ZTgtZWIzZS00MmY1LTgxYTAtMmUzZWJiZTI2ZGM3IiwiaXNzIjoiaHR0cHM6Ly9hdXRoLmN1cnJlbnQuYmFua2lkLm5vL2F1dGgvcmVhbG1zL2N1cnJlbnQiLCJhdWQiOiJodHRwczovL2F1dGguY3VycmVudC5iYW5raWQubm8vYXV0aC9yZWFsbXMvY3VycmVudCIsInN1YiI6IjJjZDdjZWNkLWQ0NDQtNDY4NS1iYjA0LThiYmZkYjQ1YTA2OSIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJvaWRjLXRlc3RjbGllbnQiLCJub25jZSI6ImRlbW9Ob25jZSIsInNlc3Npb25fc3RhdGUiOiI2NjgwMWNlZi03NzQ2LTRkZDYtYTAxOC00M2JkYTVjNzAwMmIiLCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIn0.LwE6_mB1JSIF9EfjlP5cQeoQjvnGTzxtaVR2Qae4WIM

HTTP/1.1 200 OK
Date: Wed, 18 Aug 2021 11:53:21 GMT
Server: web
Cache-Control: no-store
X-XSS-Protection: 1; mode=block
Pragma: no-cache
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Content-Type: application/json
Content-Length: 4301

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3VkZaSVp2UlBOY1lSUUZUcEQ4MHVJaElpVVB4WUNkaEtoUjZudjJDQnJnIn0.eyJleHAiOjE2MjkyODc5MDEsImlhdCI6MTYyOTI4NzYwMSwiYXV0aF90aW1lIjoxNjI5Mjg1OTk4LCJqdGkiOiJmMWUwZDczZi1iNWYxLTRlZWYtOTZjOS1jN2NmNWI3N2U1NWIiLCJpc3MiOiJodHRwczovL2F1dGguY3VycmVudC5iYW5raWQubm8vYXV0aC9yZWFsbXMvY3VycmVudCIsImF1ZCI6InRpbmZvIiwic3ViIjoiMmNkN2NlY2QtZDQ0NC00Njg1LWJiMDQtOGJiZmRiNDVhMDY5IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoib2lkYy10ZXN0Y2xpZW50Iiwibm9uY2UiOiJkZW1vTm9uY2UiLCJzZXNzaW9uX3N0YXRlIjoiNjY4MDFjZWYtNzc0Ni00ZGQ2LWEwMTgtNDNiZGE1YzcwMDJiIiwibmFtZSI6IlRlc3QgVXNlciBCYW5rSUQiLCJnaXZlbl9uYW1lIjoiVGVzdCBVc2VyIiwiZmFtaWx5X25hbWUiOiJCYW5rSUQiLCJiaXJ0aGRhdGUiOiIyMDE4LTA1LTA5IiwiYWNyIjoidXJuOmJhbmtpZDpiaWQ7TE9BPTQiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsicHJvZmlsZSJdfSwicmVzb3VyY2VfYWNjZXNzIjp7InRpbmZvIjp7InJvbGVzIjpbInByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIiwiYW1yIjoiQklEIiwicmVzb3VyY2VfY2xhaW1zIjp7fSwiYmFua2lkX2FsdHN1YiI6Ijk1NzgtNjAwMC00LTYzNDU4MiIsIm9yaWdpbmF0b3IiOiJDTj1CYW5rSUQgLSBUZXN0QmFuazEgLSBCYW5rIENBIDMsT1U9MTIzNDU2Nzg5LE89VGVzdEJhbmsxIEFTLEM9Tk87T3JnaW5hdG9ySWQ9OTk4MDtPcmlnaW5hdG9yTmFtZT1CSU5BUztPcmlnaW5hdG9ySWQ9OTk4MCJ9.ovary8mYylT5vsEgJ1ZF2yu1FbIIlnymsmjPhGTSCdGWCD08y03qrk6Nf6af_-ohM6kv33HQvWKcGL1Cuq_a5TEhKTgPyldXnTBnn1Fu9T33UlqwXiQWpi4o_ONOpZH6wO03R2-KgmKbPli7yzB_Xh_cD4sJy3zRK3d6veGP6Bjre5EMSyiAH3wpRhH7kmrdBkyaqKqRK8xfnnh-tu-7VSqurEM1km18a5dUw1uTozO-y2bFKrBt2ZWAsjVdLsBxTw8k-2oDBPpcyJ6_NubDJwrwGjfEgN4zz8GawHvcivQ1jCE1dMW7k3P8_bTQ5FVOQkyAY0PJRRCcuoobCUp_cA",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjMWJjNDkyYy1jNDYwLTQ1ZWItYTQ5Yi1hYjAxY2IyZGJkOGIifQ.eyJleHAiOjE2MjkyODk0MDEsImlhdCI6MTYyOTI4NzYwMSwianRpIjoiYWQyNDIwMzItNjgyNy00MTcwLTg5ZDEtNmE1ZDRjN2EzZTEwIiwiaXNzIjoiaHR0cHM6Ly9hdXRoLmN1cnJlbnQuYmFua2lkLm5vL2F1dGgvcmVhbG1zL2N1cnJlbnQiLCJhdWQiOiJodHRwczovL2F1dGguY3VycmVudC5iYW5raWQubm8vYXV0aC9yZWFsbXMvY3VycmVudCIsInN1YiI6IjJjZDdjZWNkLWQ0NDQtNDY4NS1iYjA0LThiYmZkYjQ1YTA2OSIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJvaWRjLXRlc3RjbGllbnQiLCJub25jZSI6ImRlbW9Ob25jZSIsInNlc3Npb25fc3RhdGUiOiI2NjgwMWNlZi03NzQ2LTRkZDYtYTAxOC00M2JkYTVjNzAwMmIiLCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIn0.d5aLQRdmZny6H4BLbEJPVu5xpAh0jSSDIcD5pW-3yMU",
    "token_type": "bearer",
    "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3VkZaSVp2UlBOY1lSUUZUcEQ4MHVJaElpVVB4WUNkaEtoUjZudjJDQnJnIn0.eyJleHAiOjE2MjkyODc5MDEsImlhdCI6MTYyOTI4NzYwMSwiYXV0aF90aW1lIjoxNjI5Mjg1OTk4LCJqdGkiOiI3NDEwMzkxMC1iZTVjLTQ0MzAtYjhjNi1lNGI4MzVjY2UyNmUiLCJpc3MiOiJodHRwczovL2F1dGguY3VycmVudC5iYW5raWQubm8vYXV0aC9yZWFsbXMvY3VycmVudCIsImF1ZCI6Im9pZGMtdGVzdGNsaWVudCIsInN1YiI6IjJjZDdjZWNkLWQ0NDQtNDY4NS1iYjA0LThiYmZkYjQ1YTA2OSIsInR5cCI6IklEIiwiYXpwIjoib2lkYy10ZXN0Y2xpZW50Iiwibm9uY2UiOiJkZW1vTm9uY2UiLCJzZXNzaW9uX3N0YXRlIjoiNjY4MDFjZWYtNzc0Ni00ZGQ2LWEwMTgtNDNiZGE1YzcwMDJiIiwibmFtZSI6IlRlc3QgVXNlciBCYW5rSUQiLCJnaXZlbl9uYW1lIjoiVGVzdCBVc2VyIiwiZmFtaWx5X25hbWUiOiJCYW5rSUQiLCJiaXJ0aGRhdGUiOiIyMDE4LTA1LTA5IiwidXBkYXRlZF9hdCI6MTYyOTI4MDYyMDAwMCwiYWNyIjoidXJuOmJhbmtpZDpiaWQ7TE9BPTQiLCJhbXIiOiJCSUQiLCJiYW5raWRfYWx0c3ViIjoiOTU3OC02MDAwLTQtNjM0NTgyIiwib3JpZ2luYXRvciI6IkNOPUJhbmtJRCAtIFRlc3RCYW5rMSAtIEJhbmsgQ0EgMyxPVT0xMjM0NTY3ODksTz1UZXN0QmFuazEgQVMsQz1OTztPcmdpbmF0b3JJZD05OTgwO09yaWdpbmF0b3JOYW1lPUJJTkFTO09yaWdpbmF0b3JJZD05OTgwIiwiYWRkaXRpb25hbENlcnRJbmZvIjp7ImNlcnRWYWxpZEZyb20iOjE2MjkyODA2MjAwMDAsInNlcmlhbE51bWJlciI6IjE3MjI3NDQiLCJrZXlBbGdvcml0aG0iOiJSU0EiLCJrZXlTaXplIjoiMjA0OCIsInBvbGljeU9pZCI6IjIuMTYuNTc4LjEuMTYuMS4xMi4xLjEiLCJtb25ldGFyeUxpbWl0QW1vdW50IjoiMTAwMDAwIiwiY2VydFF1YWxpZmllZCI6dHJ1ZSwibW9uZXRhcnlMaW1pdEN1cnJlbmN5IjoiTk9LIiwiY2VydFZhbGlkVG8iOjE2OTIzNTI2MjAwMDAsInZlcnNpb25OdW1iZXIiOiIzIiwic3ViamVjdE5hbWUiOiJDTj1CYW5rSURcXCwgVGVzdCBVc2VyLE89VGVzdEJhbmsxIEFTLEM9Tk8sU0VSSUFMTlVNQkVSPTk1NzgtNjAwMC00LTYzNDU4MiJ9LCJ0aWQiOiIxMWRhYzNiMi04NGEzLTRjODQtOGQ5ZC1hODE5YzkwNmI3ODIifQ.EBcqS2r8qc1AOyxM9NNm2cgi9Q3ZsSrxn3ydS8h8QxA9Vfx2cervUfWNzS3lSibuz8PslAJC9iz8lxfjPWQKQ44u1pWtB4S-aUZKXnXNOb4qmwQZv0ZpK48iGr6jOm_4wb4W2FcfQnavVlOuGRfCdq_BokGQETFwKtRlU4F9ojnoi2MtNMrjAZ9An1eWdYRkS1Ramzrftskkrq4hEnFyCpWIZOQXMRp-7HkRMRfw6xjLudHNzPzNl0tmxOzxTke8SMAlTnG-eL03Z1LhJKo7bMB-1KIEvdD6jgQTJ0sGdSgGYHcKiWut5fWQ_6pHMCtWl9b8YbtcfCLjyxZkk7J86g",
    "not-before-policy": 0,
    "session_state": "66801cef-7746-4dd6-a018-43bda5c7002b",
    "scope": "openid profile"
}


The following are decoding of the tokens returned in the above response:

Decoded tokens
Access Token
{
    "exp": 1629287901,
    "iat": 1629287601,
    "auth_time": 1629285998,
    "jti": "f1e0d73f-b5f1-4eef-96c9-c7cf5b77e55b",
    "iss": "https://auth.current.bankid.no/auth/realms/current",
    "aud": "tinfo",
    "sub": "2cd7cecd-d444-4685-bb04-8bbfdb45a069",
    "typ": "Bearer",
    "azp": "oidc-testclient",
    "nonce": "demoNonce",
    "session_state": "66801cef-7746-4dd6-a018-43bda5c7002b",
    "name": "Test User BankID",
    "given_name": "Test User",
    "family_name": "BankID",
    "birthdate": "2018-05-09",
    "acr": "urn:bankid:bid;LOA=4",
    "realm_access": {
        "roles": [
            "profile"
        ]
    },
    "resource_access": {
        "tinfo": {
            "roles": [
                "profile"
            ]
        }
    },
    "scope": "openid profile",
    "amr": "BID",
    "resource_claims": {},
    "bankid_altsub": "9578-6000-4-634582",
    "originator": "CN=BankID - TestBank1 - Bank CA 3,OU=123456789,O=TestBank1 AS,C=NO;OrginatorId=9980;OriginatorName=BINAS;OriginatorId=9980"
}
 
Refresh Token
{
    "exp": 1629289401,
    "iat": 1629287601,
    "jti": "ad242032-6827-4170-89d1-6a5d4c7a3e10",
    "iss": "https://auth.current.bankid.no/auth/realms/current",
    "aud": "https://auth.current.bankid.no/auth/realms/current",
    "sub": "2cd7cecd-d444-4685-bb04-8bbfdb45a069",
    "typ": "Refresh",
    "azp": "oidc-testclient",
    "nonce": "demoNonce",
    "session_state": "66801cef-7746-4dd6-a018-43bda5c7002b",
    "scope": "openid profile"
}

ID Token
{
    "exp": 1629287901,
    "iat": 1629287601,
    "auth_time": 1629285998,
    "jti": "74103910-be5c-4430-b8c6-e4b835cce26e",
    "iss": "https://auth.current.bankid.no/auth/realms/current",
    "aud": "oidc-testclient",
    "sub": "2cd7cecd-d444-4685-bb04-8bbfdb45a069",
    "typ": "ID",
    "azp": "oidc-testclient",
    "nonce": "demoNonce",
    "session_state": "66801cef-7746-4dd6-a018-43bda5c7002b",
    "name": "Test User BankID",
    "given_name": "Test User",
    "family_name": "BankID",
    "birthdate": "2018-05-09",
    "updated_at": 1629280620000,
    "acr": "urn:bankid:bid;LOA=4",
    "amr": "BID",
    "bankid_altsub": "9578-6000-4-634582",
    "originator": "CN=BankID - TestBank1 - Bank CA 3,OU=123456789,O=TestBank1 AS,C=NO;OrginatorId=9980;OriginatorName=BINAS;OriginatorId=9980",
    "additionalCertInfo": {
        "certValidFrom": 1629280620000,
        "serialNumber": "1722744",
        "keyAlgorithm": "RSA",
        "keySize": "2048",
        "policyOid": "2.16.578.1.16.1.12.1.1",
        "monetaryLimitAmount": "100000",
        "certQualified": true,
        "monetaryLimitCurrency": "NOK",
        "certValidTo": 1692352620000,
        "versionNumber": "3",
        "subjectName": "CN=BankID\\, Test User,O=TestBank1 AS,C=NO,SERIALNUMBER=9578-6000-4-634582"
    },
    "tid": "11dac3b2-84a3-4c84-8d9d-a819c906b782"
}