ID Token¶
Structure¶
The default ID token with claims are shown in the below table.
The ID token structure builds on Keycloak.Three different token configurations are supported
as suggested by the scope column, corresponding to three different
combinations of the standard scopes openid and
profile and the custom scope nnin_altsub.
- A Minimum ID Token (scope =
openid) that contains a minimum set of claims, among whichsubandbankid_altsubare the only claims that are linked to the actual user. A minimum ID Token can be used by OIDC Clients that need to authenticate end-users in an anonymous way. Thesubandbankid_altsubvalues do not identify the user unless they are linked by the OIDC Client to other claims about the end user associated that identifies him more precisely. - A Regular ID Token (scope =
openid profile) that builds on a minimum ID Token by adding claims that identifies end-users by theirnameandbirthdate. - An Enchanced ID Token (scope =
... nnin_altsub) that builds either on a minimum ID Token or a regular ID Token by adding a claim containing the Norwegian National Identity Number of the end-user.
Note finally that the OIDC Provider form BankID supports signed ID Tokens in JWT format. The below table shows claims in the payload part of the JWT. Claims contained in the JWT header are not shown.
| Claim | Description | Example |
|---|---|---|
| Minimum ID Token part | ||
| typ | Token type. Always ID for ID Tokens. | ID |
| acr | Authentication Context Class Reference. Uniform Resource Name for IDP option being used, including Level of Assurance (LoA) | urn:bankid:bid;LOA=4 |
| amr | Authentication Method Reference. Name of IDP options being used to authenticate the end-user. From API version 2, this value is changed from String to list of strings - as per the standard. If the end-user is subject to authentication step-up, note that this value may differ from any amr value specified in the login_hint parameter of the Authorize end-point. | API v1: BID API v2+: ["bid"] |
| aud | Audience. Always client_id. | oidc_testclient |
| auth_time | Authentication time in Epoch time. | 1510497762 |
| azp | Authorized party. Equals client_id. | oidc_testclient |
| bankid_altsub | Alternate BankID Subject Identifier (Personal Identifier (PID) / Serial Number) from associated BankID certificate. | 9578-5999-4-1765512 |
| originator | Issuer DName of the identity. In case of BID, the issuer of the end user certificate is returned. | CN=BankID Bankenes ID-tjeneste Bank CA 2, OU=988477052,O=Bankenes ID-tjeneste AS,* C=NO;OrginatorId=9775; OriginatorName=Gjensidige Bank RA 1; OriginatorId=9775; |
| exp | Expiration time in Epoch time. Corresponds to a forward session window after iat | 1510498063 |
| iat | Issuing time in Epoch time equal to auth_time for new sessions. Is otherwise set at each session refresh. | 1510497763 |
| iss | Issuer of the token. Always the OIDC Provider base URL. | https://auth.bankid.no/auth/realms/prod |
| jti | Token identifier. A unique identifier for the token. Can be used to prevent replay attacks. | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 |
| nbf | Not before time in Epoch time | 0 |
| nonce | Cryptographically random and non-guessable string. This value ensures the integrity of the ID token and mitigates replay attacks. | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 |
| session_state | GUID related to session | abf823c2-9810-4133-9369-7bff1223d6c1 |
| sub | Subject Identifier. GUID that uniquely identifies the end user across the different IDPs. | e8c523ff-52a2-42e2-a7a5-f1d0fbb76204 |
| updated_at | Update time. Epoch time of issuing / create / enrollment of ID in question. | 1468582440 |
| tid | Transaction ID (reference) for the completed BankID authentication. Used in the Fraud Data API. | 2e1eebb7-d5d7-4c55-9410-6ab178070a1c |
| additionalCertInfo | Additional information about the end user BankID certificate. Only applicable for BID, not BIS. | { "certValidFrom": ...., ..} |
| api_ver | The version of the BankID OIDC API that was used. | 2 |
| Regular ID Token part | ||
| birthdate | Birthdate taken from associated BankID certificate | 1986-10-01 |
| family_name | Surname (last name) from associated BankID certificate | Nordmann |
| given_name | Given name (first name) from associated BankID certificate | Kari |
| name | Full name from associated BankID certificate | Kari Nordmann |
| Enhanced ID Token part | ||
| nnin_altsub | Norwegian National Identity Number as alternate Subject Identifier. Available for OIDC clients that uses national identiy number as userID for its already existing users. | 011086***** |