Client authentication

OIDC Clients must authenticate with the OIDC Provider for the token and introspect Endpoints.

Among the standardized authentication methods the following are currently supported by the OIDC Provider from BankID: 


Per request

In order to use private_key_jwt or client_secret_jwt the merchant must send a request to BankID support as the options are not available when ordering a new client.

For private_key_jwt, the request must include a public URL that returns the public keys that should be used to verify the signature as a JSON Web Key Set (JWKS).

OIDC Clients requesting access to VAS-services that uses the OIDC Provider for authorization must in addition authenticate with VAS-Servers using Access Tokens from the OIDC Provider. The type of Access Token and also the scheme for passing such tokens to resource servers are specific for each of the supported kinds of services.