Refresh Token¶
Structure¶
The Refresh Token carries the claims shown in the table below. These claims are either added by Keycloak or are the result of customizations made by BankID.
Info
Implementers should not pay particular attention to the content of Refresh Tokens and should treat them as opaque values that are first issued and then consumed by the OIDC platform, with the sole purpose of renewing the corresponding ID Tokens and Access Tokens.
See session handling for the life-time of a Refresh Token. The purpose of Refresh Tokens is to enhance security by allowing the life-time of Access Tokens to be kept short. An expired Access Token can be replaced with a new one, without any user interaction, by presenting the Refresh Token that was issued along with the most recent Access Token; that Refresh Token has a longer life-time than the Access Token itself.
We support signed Refresh Tokens in JWT format. The table below shows the claims in the payload part of the JWT. Claims contained in the JWT header (such as the signature algorithm) are not shown.
Claim | Example | Description |
---|---|---|
typ | Refresh | Token type. Always Refresh. |
aud | tinfo | Audience. Always client_id. |
auth_time | 1510497762 | Authentication time in Epoch time. |
azp | oidc_testclient | Authorized party. Equals client_id. |
exp | 1510498063 | Expiration time in Epoch time. Corresponds to a forward session window after iat. |
iat | 1510497763 | Issuing time in Epoch time; equal to auth_time for new sessions, otherwise updated at each session refresh. |
iss | https://auth.bankid.no/auth/realms/prod | Issuer of the token. Always the OIDC Provider base URL. |
jti | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 | Token identifier. A unique identifier for the token. Can be used to prevent replay attacks. |
nbf | 0 | Not before time in Epoch time. A value of 0 means the token is valid immediately. |
nonce | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 | Cryptographically random, non-guessable string supplied by the client in the authentication request and reflected in the token. It binds the token to the client session and mitigates replay attacks. |
session_state | abf823c2-9810-4133-9369-7bff1223d6c1 | GUID identifying the session at the OIDC Provider. |
sub | e8c523ff-52a2-42e2-a7a5-f1d0fbb76204 | Subject Identifier. GUID that uniquely identifies the end user across the different IDPs. |
realm_access | {"roles": []} | Deprecated. |
resource_access | {"tinfo": {"roles": ["address", "phone_number", "email", "nnin"]}} | Resource access designator: the roles granted to the client per resource. |
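The following is an added example, not BankID's or Keycloak's own code, tying together the refresh flow described above and the JWT layout in the table. It mints a Refresh Token with the claims and timestamps from the table, reads only `exp`/`iat` on the client side to decide whether a refresh is still possible or the user must re-authenticate, builds the token-endpoint request that performs the refresh, and shows why a client cannot stretch its own session window by editing `exp`. Assumptions: HS256 with a made-up key stands in for the OP's real signing algorithm (the actual `alg` lives in the JWT header, which the table omits); `CLIENT_SECRET` and client authentication via a secret in the request body are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Constructed sample identifiers taken from the claim table; not live BankID data.
CLIENT_ID = "oidc_testclient"
CLIENT_SECRET = "constructed-client-secret"      # hypothetical client credential
SIGNING_KEY = b"constructed-op-signing-key"      # hypothetical HS256 stand-in for the OP's key
ISSUER = "https://auth.bankid.no/auth/realms/prod"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def make_sample_refresh_token(iat: int, exp: int) -> str:
    """Mint a JWS in the shape of the claim table (constructed; HS256 as a stand-in)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "typ": "Refresh", "aud": CLIENT_ID, "azp": CLIENT_ID, "iss": ISSUER,
        "auth_time": iat, "iat": iat, "exp": exp, "nbf": 0,
        "jti": "7f22fd6a-3d46-4d5a-ae56-6de3c53e1873",
        "nonce": "7f22fd6a-3d46-4d5a-ae56-6de3c53e1873",
        "session_state": "abf823c2-9810-4133-9369-7bff1223d6c1",
        "sub": "e8c523ff-52a2-42e2-a7a5-f1d0fbb76204",
        "realm_access": {"roles": []},
        "resource_access": {"tinfo": {"roles": ["address", "phone_number", "email", "nnin"]}},
    }
    signing_input = _b64url_encode(_compact_json(header)) + "." + _b64url_encode(_compact_json(payload))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def peek_refresh_token(token: str) -> dict:
    """Read the payload WITHOUT verifying the signature.

    A Relying Party never validates a Refresh Token itself; the OP does that when the
    token is presented. The only reason to look inside is scheduling: reading exp/iat
    to know when the session window closes. Never base a trust decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def refresh_is_usable(token: str, now: int) -> bool:
    """True if the Refresh Token can still be presented; False means re-authenticate."""
    claims = peek_refresh_token(token)
    return (claims.get("typ") == "Refresh"
            and claims.get("aud") == CLIENT_ID
            and claims.get("nbf", 0) <= now
            and now < claims["exp"])


def build_refresh_request(refresh_token: str) -> dict:
    """Form body for the token endpoint (RFC 6749 section 6) that renews the Access and
    ID Tokens. Secret-in-body client authentication is assumed; HTTP Basic is the usual
    alternative and depends on how the client was registered."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }


def op_signature_valid(token: str) -> bool:
    """What the OP does on receipt: recompute the signature over header.payload.
    Any client-side edit to the payload, e.g. a later exp, fails this check."""
    head, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def stretch_exp(token: str, extra_seconds: int) -> str:
    """Forge a copy with a later exp but the original signature; the OP must reject it."""
    head, _, sig = token.split(".")
    claims = peek_refresh_token(token)
    claims["exp"] += extra_seconds
    return f"{head}.{_b64url_encode(_compact_json(claims))}.{sig}"


if __name__ == "__main__":
    # Timestamps from the claim table: a 300-second forward window after iat.
    token = make_sample_refresh_token(iat=1510497763, exp=1510498063)
    print(refresh_is_usable(token, now=1510497900))       # True: inside the window, refresh
    print(refresh_is_usable(token, now=1510498100))       # False: window closed, re-authenticate
    print(urlencode(build_refresh_request(token)))        # body to POST to the token endpoint
    print(op_signature_valid(stretch_exp(token, 3600)))   # False: tampered payload is rejected
```

The split of responsibilities is the point: the client only schedules against `exp` and otherwise forwards the token unchanged, while every integrity decision (signature, `jti` replay, session state) is the OP's. If `refresh_is_usable` returns False, the correct reaction is a new authentication request, not a retry against the token endpoint.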