Access Token¶
Structure¶
The access token is a self-contained JWT that includes:
iss
- Token issuerazp
- Authorized partysub
- Subject identifier (usebankid_altsub
for a stable user identifier when applicable)aud
- Intended audience (resource servers)resource_access
- scope and access details based on the requested scopes
Access tokens can be validated using the introspect endpoint.
Client Credential tokens
Access tokens for the Client Credential Grant have a different structure since there is no ID Token involved.
Claims¶
Claim | Example | Description |
---|---|---|
typ | Bearer | Token type. Always Bearer for Access Tokens. |
allowed-origins | [] | Not in use by the OIDC Provider from BankID |
acr | urn:bankid:bid;LOA=4 | Authentication Context Class Reference. Uniform Resource Name for IDP option being used, including Level of Assurance (LoA) |
amr | API v1: BID API v2+: ["bid", ...] |
Authentication Method Reference. Name of IDP options being used to authenticate the end-user. From API version 2, this value is changed from String to list of strings - as per the standard. Read more here. |
auth_time (Deprecated) | 1510497762 | Authentication time in Epoch time. This claim is deprecated in API Version 4. See iat claim. |
azp | oidc_testclient | Authorized party. Equals your client_id. |
bankid_altsub | 9578-5999-4-1765512 | BankID Personal Identifier (PID). Use this as a stable user identifier. |
exp | 1510498063 | Expiration time in Epoch time. Corresponds to a forward session window after iat |
iat | 1510497763 | Issuing time in Epoch time equal to auth_time for new sessions. Is otherwise set at each session refresh. |
iss | https://auth.bankid.no/auth/realms/prod | Issuer of the token. Always the OIDC Provider base URL. |
jti | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 | Token identifier. A unique identifier for the token. Can be used to prevent replay attacks. |
nonce (deprecated) | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 | Deprecated in access token (see ID Token). Cryptographically random and non-guessable string. This value ensures the integrity of the ID token and mitigates replay attacks. |
session_state (Deprecated) | abf823c2-9810-4133-9369-7bff1223d6c1 | Deprecated in access token (see ID Token). GUID related to session |
sub | e8c523ff-52a2-42e2-a7a5-f1d0fbb76204 | Subject Identifier. GUID that uniquely identifies the end user across the different IDPs. This is considered an unstable identifier and might suddenly change for any user. It is recommended to use bankid_altsub as a stable user identifier. |
birthdate | 1986-10-01 | Birthdate taken from associated BankID certificate |
family_name | Nordmann | Surname (last name) from associated BankID certificate |
given_name | Kari | Given name (first name) from associated BankID certificate |
name | Kari Nordmann | Full name from associated BankID certificate |
preferred_username | Nordmann, Kari | Equal to name. |
api_ver | 4 | Which API version the access token is issued for. See API Versions. |
aud | tinfo | The intended recipient of the access token, which is the client application (OIDC Client) that requested it. |
realm_access (Deprecated) | "roles": [] | (deprecated) Resource access designator at the OIDC platform level. |
resource_access | {"tinfo": {"roles": ["address","phone_number", "email", "nnin"]}} | Resource access designator. |
Examples¶
Access token for electronic signing¶
The following is an example of a valid access token for the SignDoc resource server. The resource designator signdoc
as well
as the role read_write
is added to the resource_access
claim of the access token to grant access to the associated endpoint
of the SignDoc resource server API.
{
"exp": 1629281602,
"iat": 1629281302,
"jti": "7cc03090-7c8b-4775-9532-51169932adc7",
"iss": "https://auth.current.bankid.no/auth/realms/current",
"aud": "signdoc",
"sub": "b9ce6414-2ddc-46e2-8330-7f3d59000c64",
"typ": "Bearer",
"azp": "oidc-testclient",
"acr": "1",
"realm_access": {
"roles": []
},
"resource_access": {
"signdoc": {
"roles": [
"read_write"
]
}
},
"scope": "signdoc/read_write",
"clientHost": "xxx.xxx.xxx.xx",
"clientId": "oidc-testclient",
"resource_claims": {},
"clientAddress": "xxx.xxx.xxx.xx"
}
Access token for access to userinfo¶
Below is example of a valid Access Token for access to the Userinfo,
used in context of the userinfo API. The resource designatortinfo
is added to theresource_access
claim of the access token to grant access to Userinfo.
{
"sub": "2cd7cecd-d444-4685-bb04-8bbfdb45a069",
"resource_access" : {
"tinfo" : {
"roles" : [ "address", "phone", "nnin", "profile", "email" ]
}
},
"birthdate": "2018-05-09",
"amr": ["bid", "bid-mfa", "bid-app", "bid-pwd"],
"iss": "https://auth.current.bankid.no/auth/realms/current",
"typ": "Bearer",
"bankid_altsub": "9578-6000-4-634582",
"originator": "CN=BankID - TestBank1 - Bank CA 3,OU=123456789,O=TestBank1 AS,C=NO;OrginatorId=9980;OriginatorName=BINAS;OriginatorId=9980",
"given_name": "Test User",
"nonce": "a6c03ff5-936c-4bff-ab98-a9898d37984f",
"aud": "tinfo",
"acr": "urn:bankid:bid;LOA=4",
"realm_access": {
"roles": []
},
"azp": "oidc-testclient",
"auth_time": 1629280890,
"scope": "openid phone address profile email",
"resource_claims": {
},
"name": "Test User BankID",
"exp": 1629281190,
"session_state": "66801cef-7746-4dd6-a018-43bda5c7002b",
"iat": 1629280890,
"api_ver" : 2,
"family_name": "BankID",
"jti": "2fc59b32-e1ed-47cb-abf7-87786504912a"
}