Refresh Tokens

The OpenID Connect Provider from BankID provides Refresh Tokens with claims as shown in the below table. The origin column indicates non-standard claims. Such claims are either added by Keycloack or the result of customization made by the OIDC Provider from BankID.

Readers/implementors should not pay particular attention to the content of Refresh Tokens and should consider them as transparent values that are (first) issued and (then) consumed by the OIDC platform with the sole purpose to renew corresponding ID Tokens and Access Tokens.

See session handling for the life-time of a refresh token. The purpose of Refresh Tokens is to enhance security by keeping the life-time of Access Tokens shorter. An expired Access Token can easily be replaced with a new Access Token (without any user interaction) via a Refresh Token that was issued along with the most recent Access Token, but that was issued with a longer life-time than the Access Token itself.

Note finally that the OIDC Provider form BankID supports signed Refresh Tokens in JWT format. The below table shows claims in the payload part of the JWT. Claims contained in the JWT header are not shown.

ClaimOriginExampleDescriptionComment
typKeycloackRefreshToken type

Either Refresh or Offline for Refresh Tokens.

See scope offline_access for Offline tokens. See session handling for further details.

aud
StandardtinfoSee Access Token
auth_timeStandard1510497762See ID Token
azpStandardoidc_testclientSee ID Token 
expStandard1510498063See session handling
iatStandard1510497763See session handling 
issStandard<oidc-baseurl>See ID Token 
jtiStandard7f22fd6a-3d46-4d5a-ae56-6de3c53e1873See ID Token 
nbfStandard0See ID Token 
nonceStandard<random value>See ID Token 
session_stateKeycloackabf823c2-9810-4133-9369-7bff1223d6c1See ID Token 
subStandard

e8c523ff-52a2-42e2-a7a5-f1d0fbb76204

See ID Token 
realm_accessKeycloack
{"roles:["profile","address","phone","email","nnin_altsub","nnin"]}
See Access Token
resource_accessKeycloack
{"tinfo:{"roles ["address","phone_number", "email", "nnin"]}}
See Access Token