
Access Token

Structure

The access token is a self-contained JWT that includes:

  • iss - Token issuer
  • azp - Authorized party
  • sub - Subject identifier (use bankid_altsub for a stable user identifier when applicable)
  • aud - Intended audience (resource servers)
  • resource_access - scope and access details based on the requested scopes

Access tokens can be validated using the introspect endpoint. Because the token is a self-contained JWT, a resource server can also validate it locally: verify the signature against the provider's signing keys, then check that iss is the provider, that aud names the resource server itself, that exp has not passed and that typ is Bearer, before reading resource_access for authorization.

Client Credential tokens

Access tokens issued under the Client Credentials Grant have a different structure, since no end-user authenticates and there is therefore no ID Token involved.

Claims

| Claim | Example | Description |
|---|---|---|
| typ | Bearer | Token type. Always Bearer for access tokens. |
| allowed-origins | [] | Not in use by the OIDC Provider from BankID. |
| acr | urn:bankid:bid;LOA=4 | Authentication Context Class Reference. Uniform Resource Name for the IDP option being used, including Level of Assurance (LoA). |
| amr | API v1: BID; API v2+: ["bid", ...] | Authentication Method Reference. Name of the IDP options used to authenticate the end-user. From API version 2 this value changed from a string to a list of strings, as per the standard. |
| auth_time (Deprecated) | 1510497762 | Authentication time in Epoch time. Deprecated in API Version 4; see the iat claim. |
| azp | oidc_testclient | Authorized party. Equals your client_id. |
| bankid_altsub | 9578-5999-4-1765512 | BankID Personal Identifier (PID). Use this as the stable user identifier. |
| exp | 1510498063 | Expiration time in Epoch time: iat plus the forward session window. |
| iat | 1510497763 | Issuing time in Epoch time. Equal to auth_time for new sessions; otherwise set at each session refresh. |
| iss | https://auth.bankid.no/auth/realms/prod | Issuer of the token. Always the OIDC Provider base URL. |
| jti | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 | Token identifier. A unique identifier for the token; a resource server can record seen values to detect replay. |
| nonce (Deprecated) | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 | Deprecated in the access token (see ID Token). Cryptographically random, non-guessable string that binds the ID token to the authentication request and mitigates replay attacks. |
| session_state (Deprecated) | abf823c2-9810-4133-9369-7bff1223d6c1 | Deprecated in the access token (see ID Token). GUID related to the session. |
| sub | e8c523ff-52a2-42e2-a7a5-f1d0fbb76204 | Subject Identifier. GUID that uniquely identifies the end user across the different IDPs. This is considered an unstable identifier and might suddenly change for any user; use bankid_altsub as the stable user identifier instead. |
| birthdate | 1986-10-01 | Birthdate taken from the associated BankID certificate. |
| family_name | Nordmann | Surname (last name) from the associated BankID certificate. |
| given_name | Kari | Given name (first name) from the associated BankID certificate. |
| name | Kari Nordmann | Full name from the associated BankID certificate. |
| preferred_username | Nordmann, Kari | The same full name as name, in the surname-first form shown. |
| api_ver | 4 | Which API version the access token is issued for. See API Versions. |
| aud | tinfo | The intended recipient of the access token: the resource server (or servers) it grants access to, such as tinfo or signdoc. This is not the OIDC client that requested the token; that is azp. A resource server must reject a token whose aud does not name it. |
| realm_access (Deprecated) | "roles": [] | Resource access designator at the OIDC platform level. |
| resource_access | {"tinfo": {"roles": ["address", "phone_number", "email", "nnin"]}} | Resource access designator: for each resource server, the roles granted on the basis of the requested scopes. |

Examples

Access token for electronic signing

The following is an example of a valid access token for the SignDoc resource server. The resource designator signdoc and the role read_write are added to the resource_access claim of the access token to grant access to the associated endpoint of the SignDoc resource server API. Note that aud is signdoc, so this token is only valid at the SignDoc resource server.

{
  "exp": 1629281602,
  "iat": 1629281302,
  "jti": "7cc03090-7c8b-4775-9532-51169932adc7",
  "iss": "https://auth.current.bankid.no/auth/realms/current",
  "aud": "signdoc",
  "sub": "b9ce6414-2ddc-46e2-8330-7f3d59000c64",
  "typ": "Bearer",
  "azp": "oidc-testclient",
  "acr": "1",
  "realm_access": {
    "roles": []
  },
  "resource_access": {
    "signdoc": {
      "roles": [
        "read_write"
      ]
    }
  },
  "scope": "signdoc/read_write",
  "clientHost": "xxx.xxx.xxx.xx",
  "clientId": "oidc-testclient",
  "resource_claims": {},
  "clientAddress": "xxx.xxx.xxx.xx"
}

Access token for access to userinfo

Below is an example of a valid access token for access to Userinfo, used in the context of the userinfo API. The resource designator tinfo is added to the resource_access claim of the access token to grant access to Userinfo, and each role listed under tinfo corresponds to a requested scope (address, phone, nnin, profile, email).

{
  "sub": "2cd7cecd-d444-4685-bb04-8bbfdb45a069",
  "resource_access" : {
    "tinfo" : {
      "roles" : [ "address", "phone", "nnin", "profile", "email" ]
    }
  },
  "birthdate": "2018-05-09",
  "amr": ["bid", "bid-mfa", "bid-app", "bid-pwd"],
  "iss": "https://auth.current.bankid.no/auth/realms/current",
  "typ": "Bearer",
  "bankid_altsub": "9578-6000-4-634582",
  "originator": "CN=BankID - TestBank1 - Bank CA 3,OU=123456789,O=TestBank1 AS,C=NO;OrginatorId=9980;OriginatorName=BINAS;OriginatorId=9980",
  "given_name": "Test User",
  "nonce": "a6c03ff5-936c-4bff-ab98-a9898d37984f",
  "aud": "tinfo",
  "acr": "urn:bankid:bid;LOA=4",
  "realm_access": {
    "roles": []
  },
  "azp": "oidc-testclient",
  "auth_time": 1629280890,
  "scope": "openid phone address profile email",
  "resource_claims": {
  },
  "name": "Test User BankID",
  "exp": 1629281190,
  "session_state": "66801cef-7746-4dd6-a018-43bda5c7002b",
  "iat": 1629280890,
  "api_ver" : 2,
  "family_name": "BankID",
  "jti": "2fc59b32-e1ed-47cb-abf7-87786504912a"
}