# ID Token
The ID token is provided as a signed JWT. The claims included in the ID token depend on the scopes requested during authentication:
## Scoped information

- The `openid` scope provides a basic ID token with minimal identity information.
- Adding the `profile` scope includes additional user information.
- The `nnin_altsub` scope can add the Norwegian National Identity Number when needed and allowed.
## Personal identifier

- The `sub` claim is considered an unstable identifier and might suddenly change for any user.
- It is recommended to use `bankid_altsub` as a stable user identifier.
## Structure
The table below shows all possible claims in the ID token payload:
| Claim | Description | Example |
|---|---|---|
| typ | Token type. Always ID for ID Tokens. | ID |
| acr | Authentication Context Class Reference. Uniform Resource Name for the IDP option being used, including Level of Assurance (LoA). | urn:bankid:bid;LOA=4 |
| amr | Authentication Method Reference. Name of the IDP option(s) used to authenticate the end user. From API version 2, this value is changed from a string to a list of strings, as per the standard. Read more here. | API v1: BID; API v2+: ["bid", ...] |
| aud | Audience. Always client_id. | oidc_testclient |
| auth_time (Deprecated) | Authentication time in Epoch time. This claim is deprecated in API Version 4. See the iat claim. | 1510497762 |
| azp | Authorized party. Equals client_id. | oidc_testclient |
| bankid_altsub | BankID Personal Identifier (PID). Use this as a stable user identifier. | 9578-5999-4-1765512 |
| originator (Deprecated) | Issuer DName of the identity. In the case of BID, the issuer of the end user certificate is returned. This claim is deprecated in API Version 4. | CN=BankID Bankenes ID-tjeneste Bank CA 2, OU=988477052,O=Bankenes ID-tjeneste AS,* C=NO;OrginatorId=9775; OriginatorName=Gjensidige Bank RA 1; OriginatorId=9775; |
| exp | Expiration time in Epoch time. Corresponds to a forward session window after iat. | 1510498063 |
| iat | Issuing time in Epoch time, equal to auth_time for new sessions. Otherwise set at each session refresh. | 1510497763 |
| iss | Issuer of the token. Always the OIDC Provider base URL. | https://auth.bankid.no/auth/realms/prod |
| jti | Token identifier. A unique identifier for the token. Can be used to prevent replay attacks. | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 |
| nonce | Cryptographically random and non-guessable string. This value ensures the integrity of the ID token and mitigates replay attacks. | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 |
| session_state | GUID related to the session. | abf823c2-9810-4133-9369-7bff1223d6c1 |
| sub | Subject Identifier. GUID that uniquely identifies the end user across the different IDPs. This is considered an unstable identifier and might suddenly change for any user. It is recommended to use bankid_altsub as a stable user identifier. | e8c523ff-52a2-42e2-a7a5-f1d0fbb76204 |
| updated_at | Update time. Epoch time of issuing / creation / enrollment of the ID in question. | 1468582440 |
| tid (Deprecated) | Transaction ID (reference) for the completed BankID authentication. This claim is deprecated in API Version 4. | 2e1eebb7-d5d7-4c55-9410-6ab178070a1c |
| additionalCertInfo (Deprecated) | Additional information about the end user BankID certificate. Only applicable for BID, not BIS. This claim is deprecated in API Version 4. | { "certValidFrom": ...., ..} |
| api_ver | The version of the BankID API that was used. | 2 |
| Regular ID Token part | | |
| birthdate | Birthdate taken from the associated BankID certificate. | 1986-10-01 |
| family_name | Surname (last name) from the associated BankID certificate. | Nordmann |
| given_name | Given name (first name) from the associated BankID certificate. | Kari |
| name | Full name from the associated BankID certificate. | Kari Nordmann |
| nnin_altsub | Norwegian National Identity Number as an alternate Subject Identifier. Available for clients with a legal basis to store this information. | 20902223127 |
Note: ID Tokens can be verified using standard JWT validation procedures.
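As an added example (not code from the BankID documentation), the relying-party-side claim checks for the token described above, written in Python. It assumes the JWT signature has already been verified against the provider's published keys by a JWT library, and it works on a constructed sample payload built from the example column of the table; the `expected_nonce` and `seen_jti` inputs are the relying party's own state.

```python
import time

# Constructed sample payload built from the example column of the claim
# table above; not a real token and not signed.
SAMPLE_CLAIMS = {
    "typ": "ID", "acr": "urn:bankid:bid;LOA=4", "amr": ["bid"],
    "aud": "oidc_testclient", "azp": "oidc_testclient", "api_ver": 2,
    "iss": "https://auth.bankid.no/auth/realms/prod",
    "iat": 1510497763, "exp": 1510498063, "nonce": "constructed-nonce-123",
    "jti": "7f22fd6a-3d46-4d5a-ae56-6de3c53e1873",
    "sub": "e8c523ff-52a2-42e2-a7a5-f1d0fbb76204",
    "bankid_altsub": "9578-5999-4-1765512",
}

def normalise_amr(amr):
    """API v1 delivers amr as a string, API v2+ as a list of strings."""
    return [amr] if isinstance(amr, str) else list(amr)

def check_id_token(claims, client_id, issuer, expected_nonce, seen_jti, now=None):
    """Return the list of validation failures; an empty list means accept.
    Assumes the JWT signature was already verified. seen_jti: accepted jti values."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("typ") != "ID":
        problems.append("typ is not ID")
    if claims.get("iss") != issuer:
        problems.append("iss is not the OIDC provider base URL")
    if claims.get("aud") != client_id:
        problems.append("aud is not our client_id")
    if claims.get("azp") != client_id:
        problems.append("azp is not our client_id")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        problems.append("token expired or exp missing")
    if claims.get("nonce") != expected_nonce:  # ties the token to our own auth request
        problems.append("nonce mismatch")
    if not claims.get("jti") or claims["jti"] in seen_jti:
        problems.append("jti missing or already seen (replay)")
    return problems

def accept_id_token(claims, client_id, issuer, expected_nonce, seen_jti, now=None):
    """Validate and return the identity to persist: keyed on bankid_altsub, never on sub."""
    problems = check_id_token(claims, client_id, issuer, expected_nonce, seen_jti, now)
    if problems:
        raise ValueError("; ".join(problems))
    seen_jti.add(claims["jti"])  # remember the jti so a replayed token is rejected
    return {
        "user_id": claims["bankid_altsub"], "amr": normalise_amr(claims.get("amr", [])),
        "loa": claims["acr"].rsplit("LOA=", 1)[-1],  # Level of Assurance from acr
        "nnin": claims.get("nnin_altsub"),  # only present with the nnin_altsub scope
    }
```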