Client authentication
OIDC Clients must authenticate with the OIDC Provider for the token and introspect Endpoints.
Among the standardized authentication methods the following are currently supported by the OIDC Provider from BankID:
Default
client_secret_basicaccording to OAuth2 using the HTTP Basic authentication schemeclient_secret_postaccording to OAuth2 by including the Client Credentials (client_idandclient_secret) in the request body
Per request
private_key_jwtin accordance with JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants and Assertion Framework for OAuth 2 0 Client Authentication and Authorization Grants.client_secret_jwtin accordance with JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants and Assertion Framework for OAuth 2 0 Client Authentication and Authorization Grants.
In order to use private_key_jwt or client_secret_jwt the merchant must send a request to BankID support as the options are not available when ordering a new client.
For private_key_jwt, the request must include a public URL that returns the public keys that should be used to verify the signature as a JSON Web Key Set (JWKS).
OIDC Clients requesting access to VAS-services that uses the OIDC Provider for authorization must in addition authenticate with VAS-Servers using Access Tokens from the OIDC Provider. The type of Access Token and also the scheme for passing such tokens to resource servers are specific for each of the supported kinds of services.