The claims returned in an ID Token from the OIDC Provider depends one the scopes requested by the OIDC Client. Two different configurations are supported as suggested by the below table, corresponding to the standard scopes openid and profile.

Additional claims about the end-user are supported by the TINFO service and made available via Userinfo. Note that all claims supported in ID Tokens are available to any OIDC Client and none of the claims demand consent from the end user.  This is in contrast to claims supported by TINFO that must meet certain conditions before actually being returned to a requesting OIDC Client.

The OIDC Provider form BankID supports signed ID Tokens.

(tick) = According to standard.  (warning) = In progress / future support. (info) = Custom additions

ClaimSupportExampleDescriptionCommentEditorial comment
Minimum ID Token (scope = openid)  
iss(tick)https://preview.bankidapis.noIssuer Identifier for the Issuer  
sub(tick)9578-5999-4-1765512Subject IdentifierPersonal Identifier from BankID
(Serial number from associated BankID certificate)
nnin_altsub(warning)(info)181266*****Norwegian National Identity Number (fødselsnummer)

Alternate sub, providing eligible OIDC clients nnin as a reference to already existing users.

Only availble with authorization code flow. Other flows would expose nnin via the IDToken flowing through the end-user browser.

For acces to nnin for eligible OIDC clients for enrollment of new users, see Userinfo.

aud(tick)DotNetClientAudienceAlways includes client_id 
exp(tick)1494144386Expiration timeEpoc time 
iat(tick)1494140787Issuing timeEpoc time 
auth_time(tick)1494140786Authentication timeEpoc time 
nonce(tick)<random value>Nonce  
acr(warning)4Authentication Context Class ReferenceLevel of Assurance (LoA) for IDP option being used 
amr(tick)BankIDAuthentication Method ReferenceName of IDP option being used 
azp(tick)DotNetClientAuthorized partyEquals client_id 
alg(tick)RS256Algorithm used to sign ID Token  
typ(tick)JWTType of key used to sign ID Token  
kid(tick)bankid-oauthID of key used to sign ID Token  
at_hash(warning)<hash value>Access Token hash valueRequired for hybrid flow and implicit flow 
c_hash(tick)<hash value>Code hash valueHybrid flow 
Regular ID Token (scope = openid profile)
name(tick)Nilsen, Frode BeckmannFull nameCommonName from associated BankID certificate 
given_name(tick)Frode BeckmannGiven name (first name)  
family_name(tick)NilsenSurname (last name)  
preferred_username(tick)Nilsen, Frode BeckmannShorthand name Must be reviewed
birthdate(tick)1966-12-18BirthdateBirthDate from associated BankID certificate 
updated_at(warning)1468582440Update timeEpoc time of issuing time of associated BankID certificateMust be added