Most of the claims supported by TINFO require consent from the end user as indicated in the table of supported claims. The consent GUI for TINFO may include each of the following entries corresponding to the supported scopes. The entries actually shown depend on the scopes requested by OIDC Client.
The end-user may accept (or reject) each scope separately. Rejected scopes are not contained in the set of scopes returned via introspection for any associated Access token. Note that consent handling happens on a per-scope basis. The end-user may not reject individual claims associated with any scope.
Consent is currently required for a scope each time an OIDC Client requests that scope. A possible future feature is to allow the end-user's consent to become persistent, thus applying also for sub-sequent access from the same OIDC Client. Such an extension will be accompanied by a MyPage allowing the end-user to withdraw any such persistent consent at any time.
Note that Note that the
nnin claim does not require consent from the end-user. The rationale is to continue the current BankID practise to provide this data element as a silent side-effect of the authentication to specific OIDC Clients that are eligible to register such data. Since such business (banks, insurance companies, health-care organizations, etc.) normally use
nnin rather than
sub (the BankID PID) as the reference for the end-user it must be possible to perform a basic authentication, ie. requesting an ID Token along with just
nnin from Userinfo without presenting the user with any consent screen. The
nnin cannot be part of the ID Token for privacy reason since the ID Token for several of the supported flows is passed via the User-agent. The practise to provide
nnin as an non-consented claim is regulated in the end-user license agreement (EULA) for all of the supported IDP options.