
ID Token

Structure

The default ID token and its claims are shown in the table below.

The ID token structure builds on Keycloak. Three different token configurations are supported, as indicated by the scope column; they correspond to three different combinations of the standard scopes openid and profile and the custom scope nnin_altsub.

  • A Minimum ID Token (scope = openid) that contains a minimum set of claims, among which sub and bankid_altsub are the only claims linked to the actual user. A Minimum ID Token can be used by OIDC Clients that need to authenticate end-users anonymously. The sub and bankid_altsub values do not identify the user unless the OIDC Client links them to other claims about the end-user that identify that person more precisely.
  • A Regular ID Token (scope = openid profile) that builds on a Minimum ID Token by adding claims that identify end-users by name and birthdate.
  • An Enhanced ID Token (scope = ... nnin_altsub) that builds on either a Minimum ID Token or a Regular ID Token by adding a claim containing the Norwegian National Identity Number of the end-user.

Note finally that the OIDC Provider from BankID supports signed ID Tokens in JWT format. The table below shows the claims in the payload part of the JWT; claims contained in the JWT header are not shown.

| Claim | Description | Example |
| --- | --- | --- |
| Minimum ID Token part | | |
| typ | Token type. Always ID for ID Tokens. | ID |
| acr | Authentication Context Class Reference. Uniform Resource Name for the IDP option being used, including Level of Assurance (LoA). | urn:bankid:bid;LOA=4 |
| amr | Authentication Method Reference. Name of the IDP option used to authenticate the end-user. From API version 2, this value is changed from a string to a list of strings, as per the standard. If the end-user is subject to authentication step-up, note that this value may differ from any amr value specified in the login_hint parameter of the Authorize end-point. | API v1: BID; API v2+: ["bid"] |
| aud | Audience. Always client_id. | oidc_testclient |
| auth_time | Authentication time in Epoch time. | 1510497762 |
| azp | Authorized party. Equals client_id. | oidc_testclient |
| bankid_altsub | Alternate BankID Subject Identifier (Personal Identifier (PID) / Serial Number) from the associated BankID certificate. | 9578-5999-4-1765512 |
| originator | Issuer DName of the identity. In the case of BID, the issuer of the end-user certificate is returned. | CN=BankID Bankenes ID-tjeneste Bank CA 2, OU=988477052,O=Bankenes ID-tjeneste AS,* C=NO;OrginatorId=9775; OriginatorName=Gjensidige Bank RA 1; OriginatorId=9775; |
| exp | Expiration time in Epoch time. Corresponds to a forward session window after iat. | 1510498063 |
| iat | Issuing time in Epoch time, equal to auth_time for new sessions. Is otherwise set at each session refresh. | 1510497763 |
| iss | Issuer of the token. Always the OIDC Provider base URL. | https://auth.bankid.no/auth/realms/prod |
| jti | Token identifier. A unique identifier for the token. Can be used to prevent replay attacks. | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 |
| nbf | Not-before time in Epoch time. | 0 |
| nonce | Cryptographically random and non-guessable string. This value ensures the integrity of the ID token and mitigates replay attacks. | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 |
| session_state | GUID related to the session. | abf823c2-9810-4133-9369-7bff1223d6c1 |
| sub | Subject Identifier. GUID that uniquely identifies the end-user across the different IDPs. | e8c523ff-52a2-42e2-a7a5-f1d0fbb76204 |
| updated_at | Update time. Epoch time of issuing / creation / enrollment of the ID in question. | 1468582440 |
| tid | Transaction ID (reference) for the completed BankID authentication. NOTE: This is an alias for the actual TID value. We aim to change this to the actual TID in the future. | 2e1eebb7-d5d7-4c55-9410-6ab178070a1c |
| additionalCertInfo | Additional information about the end-user BankID certificate. Only applicable for BID, not BIS. | { "certValidFrom": ...., ..} |
| api_ver | The version of the BankID OIDC API that was used. | 2 |
| Regular ID Token part | | |
| birthdate | Birthdate taken from the associated BankID certificate. | 1986-10-01 |
| family_name | Surname (last name) from the associated BankID certificate. | Nordmann |
| given_name | Given name (first name) from the associated BankID certificate. | Kari |
| name | Full name from the associated BankID certificate. | Kari Nordmann |
| Enhanced ID Token part | | |
| nnin_altsub | Norwegian National Identity Number as alternate Subject Identifier. Available for OIDC clients that use the national identity number as user ID for their already existing users. | 011086***** |
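The payload checks an OIDC Client should run on these claims after signature verification, as an added example that is not BankID's own code. It assumes the JWT signature has already been verified against the provider's JWKS, and the SAMPLE_CLAIMS dict is a constructed payload built from the example values above (the nonce value is invented); the helper names amr_list, loa_from_acr, token_level and validate_id_token are this example's own.

```python
# Added example: claim checks for a BankID ID token payload. Assumes the JWT
# signature was already verified against the provider's JWKS; only the payload
# claims from the table are checked. SAMPLE_CLAIMS is constructed, not captured.
import time

ISSUER = "https://auth.bankid.no/auth/realms/prod"
SAMPLE_CLAIMS = {  # constructed: resembles a Regular ID Token from API v2
    "typ": "ID", "iss": ISSUER, "aud": "oidc_testclient", "azp": "oidc_testclient",
    "acr": "urn:bankid:bid;LOA=4", "amr": ["bid"], "nonce": "n-0S6_WzA2Mj",
    "iat": 1510497763, "auth_time": 1510497762, "nbf": 0, "exp": 1510498063,
    "sub": "e8c523ff-52a2-42e2-a7a5-f1d0fbb76204", "api_ver": 2, "name": "Kari Nordmann",
    "given_name": "Kari", "family_name": "Nordmann", "birthdate": "1986-10-01",
}

def amr_list(claims):
    """Normalise amr: API v1 sends a string ("BID"), API v2+ a list (["bid"])."""
    amr = claims.get("amr", [])
    return [a.lower() for a in ([amr] if isinstance(amr, str) else amr)]

def loa_from_acr(acr):
    """Level of Assurance from an acr such as 'urn:bankid:bid;LOA=4', else None."""
    for part in acr.split(";"):
        if part.upper().startswith("LOA="):
            return int(part.split("=", 1)[1])
    return None

def token_level(claims):
    """Which of the three scope configurations the payload corresponds to."""
    if "nnin_altsub" in claims:
        return "enhanced"
    return "regular" if {"name", "birthdate"} <= set(claims) else "minimum"

def validate_id_token(claims, client_id, expected_nonce, now=None, leeway=30):
    """Return the list of problems found; an empty list means the claims pass."""
    now = int(time.time()) if now is None else now
    aud = claims.get("aud")
    checks = [
        (claims.get("typ") == "ID", "typ is not ID"),
        (claims.get("iss") == ISSUER, "unexpected iss"),
        (client_id in (aud if isinstance(aud, list) else [aud]), "aud lacks client_id"),
        (claims.get("azp") == client_id, "azp is not client_id"),
        (claims.get("nonce") == expected_nonce, "nonce mismatch: possible replay"),
        (now < claims.get("exp", 0) + leeway, "token expired"),
        (now + leeway >= claims.get("nbf", 0), "token not yet valid"),
    ]
    return [msg for ok, msg in checks if not ok]
```

The expected_nonce must be the value the client generated for that Authorize request and stored in its session, which is what turns the nonce claim into a replay check.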