Skip to content

Changelog

15-04-2026

Documentation

  • Added Data Validation guidance to ID Token documentation, clarifying RP responsibility for validating identity data against their own compliance requirements

10-03-2026

Documentation

  • Updated OpenAPI spec examples: all authorization callback and error redirect URIs now include the iss parameter per RFC 9207
  • Updated Implementation Guide with iss parameter in callback example and validation guidance
  • Updated Implementation Guide token response example with access_token and token_type fields
  • Updated Common Errors with iss parameter in error callback example and handling steps

09-03-2026

Changes

  • Authorization response iss parameter: The authorization callback now includes the iss parameter per RFC 9207, enabling relying parties to verify the identity of the authorization server that issued the response.
  • Token response token_type field: The token response now includes token_type: "Bearer" per RFC 6749 §5.1.
  • Token response access_token value: The access_token field now returns "not_applicable" instead of an empty string. DIP is an identity verification service where the ID token is the primary artifact.
  • Token endpoint cache headers: The token endpoint now returns Cache-Control: no-store and Pragma: no-cache headers to prevent caching of token responses.
  • Discovery metadata: Added authorization_response_iss_parameter_supported, code_challenge_methods_supported, and grant_types_supported to the OpenID Configuration endpoint.

Documentation

  • Updated Token documentation with response headers and new fields
  • Updated OpenID Configuration documentation with FAPI 2.0 fields
  • Updated OpenAPI specs with new fields and response headers

12-02-2026

Breaking Changes

  • personal_number in document details is now always a plain string: For Norwegian documents, this is the fødselsnummer (NNIN). For non-Norwegian documents, this may contain a national identification number from the issuing country, or may be absent.

Changes

  • Document details Changed how document issuer is requested
  • Requesting document issuer details is now done by setting "issuer": null in the document_details object of the PAR request.
  • No changes in how it is presented in the ID Token.

Documentation

  • Updated PAR documentation to reflect new request format for document issuer details

11-02-2026

New Features

  • Document Check Details: Added OIDC4IA-compliant check_details array on document evidence, always included in the response
  • vcrypt entry for active authentication result (always present)
  • data entry for issuer registry verification (present when issuer check is available)

Breaking Changes

  • Removed active_authentication_result and issuer_check from document_details: These legacy fields have been replaced by the check_details array on the document evidence object. Remove these fields from your PAR request document_details and read verification results from check_details instead.
  • Discovery config documents_check_methods_supported changed: Changed from ["bvr"] to ["vcrypt", "data"].

Documentation

06-02-2026

New Features

  • OIDC4IA trust_framework format: trust_framework must be an object with a value field
  • Example: {"trust_framework": {"value": "stoe"}}
  • trust_framework is required when requesting verified claims

Documentation