ID Token

The OpenID Connect Provider from BankID provides ID Tokens with the claims shown in the table below. The Origin column marks non-standard claims: these are either added by Keycloak or the result of customization made by the BankID OIDC Provider.

The ID token structure builds on Keycloak. Three different token configurations are supported, as indicated by the Scope column, corresponding to three different combinations of the standard scopes openid and profile and the custom scope nnin_altsub.

  • A Minimum ID Token (scope = openid) that contains a minimum set of claims, among which sub and bankid_altsub are the only claims linked to the actual user. A minimum ID Token can be used by OIDC Clients that need to authenticate end-users in an anonymous way. The sub and bankid_altsub values do not identify the user unless the OIDC Client links them to other claims about the end user that identify him more precisely.
  • A Regular ID Token (scope = openid profile) that builds on a minimum ID Token by adding claims that identify the end-user by his name and birthdate.
  • An Enhanced ID Token (scope = ....... nnin_altsub) that builds either on a minimum ID Token or a regular ID Token by adding a claim containing the Norwegian National Identity Number of the end-user.

The Eligibility column indicates whether a claim is available to any OIDC client or whether specific conditions apply. In the latter case, eligible OIDC clients must be configured for access in the provisioning process.

Note finally that the OIDC Provider from BankID supports signed ID Tokens in JWT format. The below table shows claims in the payload part of the JWT. Claims contained in the JWT header are not shown.

Minimum ID Token part

| Claim | Origin | Scope | Example | Eligibility | Description | Comment |
| --- | --- | --- | --- | --- | --- | --- |
| typ | Keycloak | openid | ID | Any | Token type | Always ID for ID Tokens |
| acr | Standard | openid | urn:bankid:bid;LOA=4 | Any | Authentication Context Class Reference | Uniform Resource Name for the IDP option being used, including Level of Assurance (LoA) |
| amr | Standard | openid | Version 1: BID. From Version 2: ["bid"] | Any | Authentication Method Reference | Name of the IDP option used to authenticate the end-user. From API version 2, this value is changed from a String to a list of strings, as per the standard. If the end-user is subject to authentication step-up, note that this value may differ from any amr value specified in the login_hint parameter of the authorize end-point. |
| aud | Standard | openid | oidc_testclient | Any | Audience | Always client_id |
| auth_time | Standard | openid | 1510497762 | Any | Authentication time | Epoch time |
| azp | Standard | openid | oidc_testclient | Any | Authorized party | Equals client_id |
| bankid_altsub | Custom | openid | 9578-5999-4-1765512 | Any | Alternate BankID Subject Identifier | Personal Identifier (PID / Serial Number) from the associated BankID certificate. |
| originator | Custom | openid | CN=BankID Bankenes ID-tjeneste Bank CA 2, OU=988477052, O=Bankenes ID-tjeneste AS,* C=NO;OrginatorId=9775;OriginatorName=Gjensidige Bank RA 1 | Any | Issuer DName of the identity | In case of BID or BIM, the issuer of the end user certificate is returned. |
| exp | Standard | openid | 1510498063 | Any | Expiration time | Epoch time. Corresponds to a forward session window after iat |
| iat | Standard | openid | 1510497763 | Any | Issuing time | Epoch time. Equal to auth_time for new sessions; otherwise set at each session refresh. |
| iss | Standard | openid | <oidc-baseurl> | Any | Issuer | Identifier for the Issuer |
| jti | Standard | openid | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 | Any | Token identifier | |
| nbf | Standard | openid | 0 | Any | Not before time | Epoch time |
| nonce | Standard | openid | <random value> | Any | Nonce | |
| session_state | Keycloak | openid | abf823c2-9810-4133-9369-7bff1223d6c1 | Any | GUID related to session handling | |
| sub | Standard | openid | e8c523ff-52a2-42e2-a7a5-f1d0fbb76204 | Any | Subject Identifier | GUID that uniquely identifies the end user across the different IDPs |
| updated_at | Standard | openid | 1468582440 | Any | Update time | Epoch time of issuing / creation / enrollment of the ID in question. |
| tid | Custom | openid | 2e1eebb7-d5d7-4c55-9410-6ab178070a1c | Any | Transaction ID (reference) for the completed authentication session | Currently used as an input parameter for the securityData endpoint of the Fraud Data service |
| additionalCertInfo | Custom | openid | { "certValidFrom": 1554448774000, "serialNumber": "1055610", "keyAlgorithm": "RSA", "keySize": "2048", "policyOid": "2.16.578.1.16.1.12.1.1", "monetaryLimitAmount": "100000", "certQualified": true, "monetaryLimitCurrency": "NOK", "certValidTo": 1617607174000, "versionNumber": "3", "subjectName": "CN=Nilsen\\, Frode Beckmann,O=TestBank1 AS,C=NO,SERIALNUMBER=9578-6000-4-353032" } | Any | Additional information about the end user certificate. | Only applicable for the BIM and BID IDPs, not BIS |
| api_ver | Custom | openid | 2 | When providing api_version | | |

Regular ID Token part

| Claim | Origin | Scope | Example | Eligibility | Description | Comment |
| --- | --- | --- | --- | --- | --- | --- |
| birthdate | Standard | profile | 1966-12-18 | Any | Birthdate | From the associated BankID certificate |
| family_name | Standard | profile | Nilsen | Any | Surname (last name) | From the associated BankID certificate |
| given_name | Standard | profile | Frode Beckmann | Any | Given name (first name) | From the associated BankID certificate |
| name | Standard | profile | Frode Beckmann Nilsen | Any | Full name | From the associated BankID certificate |

Enhanced ID Token part

| Claim | Origin | Scope | Example | Eligibility | Description | Comment |
| --- | --- | --- | --- | --- | --- | --- |
| nnin_altsub | Custom | nnin_altsub | 181266***** | Available for OIDC clients that use the national identity number as the user ID for their already existing users. | Norwegian National Identity Number as alternate Subject Identifier | Only available with the authorization code flow. |
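As an added, self-contained example (not code from the BankID OIDC Provider, Keycloak, or this page), the following Python relying-party routine validates an ID token of any of the three shapes described above using the claims listed in the table: it verifies the JWS signature before reading the payload, pins typ, iss, aud, azp, nonce and the time-window claims (exp, nbf, iat), normalizes amr across API versions 1 (string) and 2 (list), extracts the IDP option and Level of Assurance from acr, and classifies the token as minimum, regular or enhanced from the claims actually present. The issuer URL, the nonce, the HMAC demo key and the clock-skew tolerance are constructed assumptions; the HMAC key exists only so the sample runs offline, whereas a real client verifies the signature against the provider's published signing keys rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed configuration for this example only (not real BankID values).
ISSUER = "https://oidc.example.test"      # stands in for <oidc-baseurl>
CLIENT_ID = "oidc_testclient"             # client_id used in the table's examples
DEMO_KEY = b"demo-only-hmac-key"          # assumption: shared key so the sample runs offline;
                                          # a real client checks the provider's published keys
CLOCK_SKEW = 60                           # assumption: tolerated clock skew in seconds

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_demo_token(payload: dict) -> str:
    """Build a compact HS256 JWS so the validator below has realistic input."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(DEMO_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def decode_and_verify(token: str) -> dict:
    """Verify the signature before trusting anything in the payload."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT: expected header.payload.signature")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token pick it
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(DEMO_KEY, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("signature verification failed")
    return json.loads(_b64url_decode(p))

def normalize_amr(value) -> list:
    """API version 1 returns a string ("BID"), version 2 a list (["bid"])."""
    if isinstance(value, str):
        return [value.lower()]
    return [str(v).lower() for v in value]

def parse_acr(acr: str):
    """'urn:bankid:bid;LOA=4' -> ('bid', 4): IDP option and Level of Assurance."""
    urn, _, params = acr.partition(";")
    loa = None
    for item in params.split(";"):
        key, _, val = item.partition("=")
        if key.upper() == "LOA" and val.isdigit():
            loa = int(val)
    return urn.rsplit(":", 1)[-1], loa

def classify_token(claims: dict) -> str:
    """Tell the three token shapes apart by the claims actually present."""
    if "nnin_altsub" in claims:
        return "enhanced"
    if {"birthdate", "family_name", "given_name", "name"} <= claims.keys():
        return "regular"
    return "minimum"

def validate_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Raise ValueError on any failed check; otherwise return what a client should keep."""
    claims = decode_and_verify(token)
    now = int(time.time()) if now is None else now
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    problems = []
    if claims.get("typ") != "ID":
        problems.append("typ is not ID")
    if claims.get("iss") != ISSUER:
        problems.append("iss mismatch")
    if CLIENT_ID not in audiences:
        problems.append("aud does not contain our client_id")
    if claims.get("azp") != CLIENT_ID:
        problems.append("azp is not our client_id")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (replayed or foreign token)")
    if now >= int(claims.get("exp", 0)) + CLOCK_SKEW:
        problems.append("token expired")
    if now < int(claims.get("nbf", 0)) - CLOCK_SKEW:
        problems.append("token not yet valid")
    if int(claims.get("iat", 0)) > now + CLOCK_SKEW:
        problems.append("iat is in the future")
    problems += ["missing claim " + c for c in ("sub", "bankid_altsub", "auth_time", "acr", "amr") if c not in claims]
    if problems:
        raise ValueError("; ".join(problems))
    idp, loa = parse_acr(claims["acr"])
    return {"kind": classify_token(claims), "sub": claims["sub"], "idp": idp,
            "loa": loa, "amr": normalize_amr(claims["amr"])}

# Constructed sample payloads built from the example values in the table above.
MINIMUM_CLAIMS = {
    "typ": "ID", "acr": "urn:bankid:bid;LOA=4", "amr": "BID",
    "aud": CLIENT_ID, "azp": CLIENT_ID, "auth_time": 1510497762,
    "iat": 1510497763, "nbf": 0, "exp": 1510498063, "iss": ISSUER,
    "jti": "7f22fd6a-3d46-4d5a-ae56-6de3c53e1873", "nonce": "n-0S6_WzA2Mj",
    "session_state": "abf823c2-9810-4133-9369-7bff1223d6c1",
    "sub": "e8c523ff-52a2-42e2-a7a5-f1d0fbb76204", "bankid_altsub": "9578-5999-4-1765512",
}
REGULAR_CLAIMS = dict(MINIMUM_CLAIMS, amr=["bid"], birthdate="1966-12-18", family_name="Nilsen",
                      given_name="Frode Beckmann", name="Frode Beckmann Nilsen")
ENHANCED_CLAIMS = dict(REGULAR_CLAIMS, nnin_altsub="181266*****")

if __name__ == "__main__":
    for claims in (MINIMUM_CLAIMS, REGULAR_CLAIMS, ENHANCED_CLAIMS):
        print(validate_id_token(sign_demo_token(claims), "n-0S6_WzA2Mj", now=1510497800))
```

The validator collects every failed check before raising so that a log line records the full reason a token was rejected, and it reads nothing from the payload (not even alg from the header) before the signature has been checked; the nonce comparison is what ties the token to the client's own authorization request, which matters because the page notes amr in the token may legitimately differ from the amr hinted in login_hint after a step-up.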