The OIDC Provider from BankID supports two general classes of Access Tokens. 

• By-reference in terms of standard Bearer Tokens. Tokens of this kind comes with corresponding support for Introspection to determine the Authorization Context for any particular token value.
• Self-contained in terms JSON WebTokens (JWT) that are signed (JWS) and optionally also encrypted (JWE). Tokens of this kind contain all required information to determine the Authorization Context.

The Authorization Context of an Access Token referes to attributes such as:

• The issuer (iss)of the access token. See corresponding claim in ID Token.
• The subject identifier (sub) of the access token, ie. a reference to the end-user (resource owner) that authorized the access token. See corresponding claim in ID Token.
• Intended audience (aud)for the access token, ie. a reference to the Protected Resouce that the access token regulates access to. Note that this is not related to the corresponding claim in the ID Token. The audience for the ID Token (being the OIDC Client) is different from the audience for an Access Token (being the Resource Server in question). 
• Active state / expiry (exp)of the access token
• The specific set of scopes and claims associated with the access token, ie. the set included in the Authorize request that subsequently resulted in the issuance of the Access Token in a reponse to a Token request

The OIDC Provider issues different types of Access Tokens to OIDC Clients depending on the requested types of Protected Resources (as given by the Scopes and Claims contained in the request). The OIDC Provider returns by default a standard bearer token of generic nature having the following characteristics:

• Works with all scopes and claims
• Is not  associated with any particular value for the audience  (aud)attribute.
• Has a lifetime of 3600 seconds

The default token can be used by any Resource Server that is registered with (and hence trust) the OIDC Provider from BankID. The TINFO (Userinfo) service accepts the default token. The PSD2 Service does in contrast defined a set of customized tokens, including both by-reference tokens and self-contained tokens, for access to Protected Resources.

Support for other types of access tokens may be added to support authorization for other kinds of Protected Resources.