Client authentication
Relying Parties must authenticate with BankID OIDC for the token and introspect endpoints.
Among the standardized authentication methods, the following are currently supported:

- client_secret_basic: according to OAuth2, using the HTTP Basic authentication scheme
- client_secret_post: according to OAuth2, by including the Client Credentials (client_id and client_secret) in the request body

We also support and recommend the following:

- private_key_jwt: in accordance with JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants and Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants.
- client_secret_jwt: in accordance with JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants and Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants.
Info
In order to use private_key_jwt or client_secret_jwt, the merchant must send a request to BankID support, as the options are not available when ordering a new client.

For private_key_jwt, the request must include a public key (or a URL), in the form of a JSON Web Key Set (JWKS), that should be used to verify the signature.
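
The following is an added example, not BankID's own code: it builds a client_secret_jwt assertion as the JWT profile describes, places it in a token request body, and shows the checks a receiver applies to it. The client id, secret, endpoint URL, the HS256 algorithm and the use of the token endpoint URL as the audience are assumptions made for illustration. With private_key_jwt the claims and request parameters are the same, but the signature is made with the client's private key and verified against the registered JWKS.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_assertion(client_id, client_secret, token_endpoint, now=None, lifetime=60):
    """Build an HS256-signed client assertion (client_secret_jwt)."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": client_id,                  # issuer and subject are both the client_id
        "sub": client_id,
        "aud": token_endpoint,             # binds the assertion to one endpoint (assumed value)
        "jti": secrets.token_urlsafe(16),  # unique id so a replayed assertion can be detected
        "iat": now,
        "exp": now + lifetime,             # short-lived: a captured assertion soon expires
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def token_request_body(assertion, code, redirect_uri):
    """Form body for the token endpoint; the client_secret itself is never sent."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": assertion,
    })

def verify_client_assertion(assertion, client_secret, expected_aud, now):
    """Receiver-side checks: signature, audience, expiry, iss == sub."""
    head, body, sig = assertion.split(".")
    expected = hmac.new(client_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims["aud"] != expected_aud or claims["exp"] <= now or claims["iss"] != claims["sub"]:
        raise ValueError("claims rejected")
    return claims
```

Unlike client_secret_basic and client_secret_post, the secret never crosses the wire here; only a signature over short-lived, endpoint-bound claims does.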