OIDC4IA ID Token
The ID token returned by DIP follows the OIDC4IA (OpenID Connect for Identity Assurance) specification. It contains verified identity claims with evidence of how the identity was verified.
Token Format
The ID token is returned as an encrypted JWT (JWE) containing a signed JWT.
| Layer | Format | Algorithm |
|---|---|---|
| Outer | JWE | RSA-OAEP-256 with A256GCM |
| Inner | Signed JWT | ES256 |
Complete Token Structure
After decryption and signature verification:
```json
{
  "iss": "https://{dip-base-url}",
  "sub": "pairwise-hashed-subject-identifier",
  "aud": "dip_aci_your_client_id",
  "exp": 1759839472,
  "iat": 1759835872,
  "auth_time": 1759835872,
  "nonce": "n-0S6_WzA2Mj",
  "acr": "urn:bankid:idcheck",
  "amr": ["face", "user"],
  "verified_claims": {
    "verification": {
      "trust_framework": "stoe",
      "evidence": [
        {
          "type": "document",
          "document_details": {
            "type": "passport",
            "document_number": "AB1234567",
            "date_of_issuance": "2020-01-15",
            "date_of_expiry": "2030-01-15",
            "issuer": {
              "country_code": "NOR",
              "name": "INNLANDET POLITIDISTRIKT"
            },
            "personal_number": {
              "type": "no-fnr",
              "value": "12345678901"
            },
            "active_authentication_result": "passed",
            "issuer_check": {
              "valid": "VALID"
            }
          }
        }
      ]
    },
    "claims": {
      "given_name": "AASAMUND SPECIMEN",
      "family_name": "OESTENBYEN",
      "picture": "...",
      "birthdate": "1990-01-15",
      "gender": "male",
      "nationalities": ["NOR"]
    }
  }
}
```
Standard OIDC Claims
These claims are always present in the ID token:
| Claim | Type | Required | Description |
|---|---|---|---|
| `iss` | string | Yes | Issuer identifier (DIP base URL) |
| `sub` | string | Yes | Pairwise subject identifier (unique per client) |
| `aud` | string | Yes | Audience (your client_id) |
| `exp` | number | Yes | Expiration time (Unix timestamp) |
| `iat` | number | Yes | Issued at time (Unix timestamp) |
| `auth_time` | number | Yes | Time of authentication (Unix timestamp) |
| `nonce` | string | Yes | Nonce from authorization request |
| `acr` | string | Yes | Authentication Context Class Reference |
| `amr` | string[] | Yes | Authentication Methods References |
Example Standard Claims
```json
{
  "iss": "https://{dip-base-url}",
  "sub": "a1b2c3d4e5f6g7h8i9j0",
  "aud": "dip_aci_your_client_id",
  "exp": 1759839472,
  "iat": 1759835872,
  "auth_time": 1759835872,
  "nonce": "n-0S6_WzA2Mj",
  "acr": "urn:bankid:idcheck",
  "amr": ["face", "user"]
}
```
ACR Values
| Value | Description |
|---|---|
| `urn:bankid:idcheck` | Identity verified via document and facial recognition |
AMR Values
| Value | Description |
|---|---|
| `face` | Facial recognition performed |
| `user` | User interaction completed |
Verified Claims Structure
The `verified_claims` object contains identity data with verification evidence.
Top-Level Structure
| Field | Type | Description |
|---|---|---|
| `verification` | object | How the identity was verified |
| `claims` | object | The verified identity claims |
Verification Object
The `verification` object describes the trust framework and evidence used.
| Field | Type | Description |
|---|---|---|
| `trust_framework` | string | Trust framework identifier |
| `evidence` | array | List of evidence objects |
Trust Framework Values
| Value | Description |
|---|---|
| `stoe` | Standard trust framework for identity verification |
| `stoe_etsi` | ETSI-compliant with stricter requirements. Requires `given_name` and `family_name` to be requested. Issuer check must be valid (only available for Norwegian documents). |
Evidence Object
Each evidence object describes one piece of verification evidence. DIP supports two evidence types: `document` and `electronic_record`.
Note: Any requested evidence or claims that are not available in the ID check data will be omitted from the response. The response only contains data that was successfully retrieved.
Document Evidence
```json
{
  "type": "document",
  "document_details": {
    "type": "passport",
    "document_number": "AB1234567",
    "date_of_issuance": "2020-01-15",
    "date_of_expiry": "2030-01-15",
    "issuer": {
      "country_code": "NOR",
      "name": "INNLANDET POLITIDISTRIKT"
    },
    "personal_number": {
      "type": "no-fnr",
      "value": "12345678901"
    },
    "active_authentication_result": "passed",
    "issuer_check": {
      "valid": "VALID"
    }
  }
}
```
Document Details Fields
| Field | Type | Description |
|---|---|---|
| `type` | string | Document type |
| `document_number` | string | Document identification number |
| `date_of_issuance` | string | Issue date (ISO 8601: YYYY-MM-DD) |
| `date_of_expiry` | string | Expiry date (ISO 8601: YYYY-MM-DD) |
| `issuer` | object | Issuing authority details |
| `issuer.country_code` | string | Issuing country (ISO 3166-1 alpha-3) |
| `issuer.name` | string | Issuing authority name |
| `personal_number` | string or object | For Norwegian documents, this is returned as an object: `{"type": "no-fnr", "value": "<NNIN>"}`. For non-Norwegian documents, this is returned as a plain string containing the NIN (National Identification Number) from the issuing country, if available. |
| `active_authentication_result` | string | Document chip authentication result |
| `issuer_check` | object | Issuer verification result |
Document Type Values
| Value | Description |
|---|---|
| `passport` | Passport document |
| `idcard` | National ID card |
Active Authentication Result Values
| Value | Description |
|---|---|
| `passed` | Document chip authentication successful |
| `failed` | Document chip authentication failed |
| `not_applicable` | Active authentication not performed |
Issuer Check Values
Note: Issuer check is only available for Norwegian documents (passports and ID cards issued by Norway). For non-Norwegian documents, the issuer check will be `UNKNOWN` or omitted from the response.
| Value | Description |
|---|---|
| `VALID` | Document verified as valid by issuing authority |
| `REVOKED` | Document has been revoked |
| `UNKNOWN` | Issuer check could not be performed |
Electronic Record Evidence (Population Register)
When Folkeregisteret (Norwegian Population Register) verification is requested, an `electronic_record` evidence object is included.
Important: Folkeregisteret lookup is only available for RPs that have a contractual agreement with us for this service. Contact us to enable this feature for your client.
```json
{
  "type": "electronic_record",
  "record": {
    "type": "population_register",
    "source": {
      "name": "Folkeregisteret",
      "country_code": "NOR"
    },
    "personal_number": {
      "type": "no-fnr",
      "value": "12345678901"
    },
    "created_at": "2024-01-15T10:30:00Z"
  },
  "check_details": [
    {
      "check_method": "data",
      "organization": "Skatteetaten",
      "time": "2024-01-15T10:30:00Z"
    }
  ]
}
```
Electronic Record Fields
| Field | Type | Description |
|---|---|---|
| `type` | string | Always `electronic_record` |
| `record.type` | string | Always `population_register` |
| `record.source.name` | string | Always `Folkeregisteret` |
| `record.source.country_code` | string | Always `NOR` |
| `record.personal_number` | object | Norwegian National ID Number |
| `record.personal_number.type` | string | `no-fnr` (fødselsnummer) or `no-dnr` (d-nummer) |
| `record.personal_number.value` | string | 11-digit Norwegian National ID |
| `record.created_at` | string | ISO 8601 timestamp of the record lookup |
| `check_details` | array | Verification check details |
| `check_details[].check_method` | string | Always `data` |
| `check_details[].organization` | string | Always `Skatteetaten` |
| `check_details[].time` | string | ISO 8601 timestamp of the check |

Note: The `electronic_record` evidence is only included if a unique match was found in Folkeregisteret using the document data from the ID check. If no match or multiple matches are found, the evidence is omitted.
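Because evidence and fields can be omitted and `personal_number` arrives as either an object or a plain string, a relying party has to read the evidence array defensively. The following is an added example, not DIP code; the function names, the output shape, the strict 11-digit check and the sample values are assumptions made for illustration.

```python
def normalize_personal_number(pn):
    """Return (type, value) or None. type is None for the plain-string form."""
    if isinstance(pn, dict):  # Norwegian documents and Folkeregisteret records
        kind, value = pn.get("type"), pn.get("value")
        ok = (kind in ("no-fnr", "no-dnr") and isinstance(value, str)
              and len(value) == 11 and value.isdigit())
        return (kind, value) if ok else None
    if isinstance(pn, str) and pn:  # non-Norwegian documents
        return (None, pn)
    return None

def summarize_evidence(verified_claims):
    """Flatten the evidence array; every field is optional because DIP omits
    anything that was not requested or not available."""
    verification = verified_claims.get("verification") or {}
    out = {"trust_framework": verification.get("trust_framework"),
           "document": None, "register_number": None}
    for ev in verification.get("evidence") or []:
        if ev.get("type") == "document":
            d = ev.get("document_details") or {}
            out["document"] = {
                "country": (d.get("issuer") or {}).get("country_code"),
                "personal_number": normalize_personal_number(d.get("personal_number")),
                # Absent fields count as "not confirmed", never as a pass.
                "chip_passed": d.get("active_authentication_result") == "passed",
                "issuer_valid": (d.get("issuer_check") or {}).get("valid") == "VALID",
            }
        elif ev.get("type") == "electronic_record":
            record = ev.get("record") or {}
            out["register_number"] = normalize_personal_number(record.get("personal_number"))
    return out

# Constructed samples: the page's Norwegian passport, and a non-Norwegian
# document with a placeholder plain-string number and no issuer_check.
NORWEGIAN = {"verification": {"trust_framework": "stoe", "evidence": [{
    "type": "document", "document_details": {
        "issuer": {"country_code": "NOR"},
        "personal_number": {"type": "no-fnr", "value": "12345678901"},
        "active_authentication_result": "passed",
        "issuer_check": {"valid": "VALID"}}}]}}
FOREIGN = {"verification": {"trust_framework": "stoe", "evidence": [{
    "type": "document", "document_details": {
        "issuer": {"country_code": "SWE"},
        "personal_number": "CONSTRUCTED-NIN-1",
        "active_authentication_result": "not_applicable"}}]}}
```

A `register_number` of `None` means the Folkeregisteret evidence was omitted, so code that depends on a population-register match must check for it explicitly.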
Verified Identity Claims
The `claims` object contains the verified identity data.
```json
{
  "claims": {
    "name": "AASAMUND SPECIMEN OESTENBYEN",
    "given_name": "AASAMUND SPECIMEN",
    "family_name": "OESTENBYEN",
    "picture": "...",
    "birthdate": "1990-01-15",
    "gender": "male",
    "nationalities": ["NOR"]
  }
}
```
Available Claims
| Claim | Type | Description |
|---|---|---|
| `name` | string | Full name |
| `given_name` | string | First name(s) |
| `family_name` | string | Last name(s) |
| `picture` | string | Portrait photo from identity document (data URI: `data:image/jpeg;base64,...`) |
| `birthdate` | string | Date of birth (ISO 8601: YYYY-MM-DD) |
| `gender` | string | Gender |
| `nationalities` | string[] | List of nationalities |
Gender Values
| Value | Description |
|---|---|
| `male` | Male |
| `female` | Female |
| `unknown` | Unknown gender |
| `unspecified` | Gender not specified |
Nationality Format
Nationalities are returned as ISO 3166-1 alpha-3 country codes:
| Code | Country |
|---|---|
| `NOR` | Norway |
| `SWE` | Sweden |
| `DNK` | Denmark |
| `DEU` | Germany |
| etc. | |
Conditional Claims
Claims are only included if:
- Requested in PAR: The claim was marked as `essential: true` in the claims request
- Available from source: The ID Check service provided the data
- Consent given: User consent was provided (if required)
If a requested claim is not available, it will be omitted from the response.
Trust Framework Requirements
stoe (Standard)
- All available claims are included
- Issuer check may be any value
stoe_etsi (ETSI)
- Stricter validation requirements
- `given_name` and `family_name` must be requested as claims
- Issuer check must be `VALID`
- If issuer check fails, an error is returned
- Important: Since issuer check is only available for Norwegian documents, the `stoe_etsi` trust framework can only be used with Norwegian passports and ID cards
Token Validation
Required Validations
- Decrypt the JWE using your private key
- Verify the JWT signature using DIP's public key from `/jwks`
- Validate standard claims:

| Claim | Validation |
|---|---|
| `iss` | Must match DIP issuer URL |
| `aud` | Must match your client_id |
| `exp` | Must not be expired |
| `iat` | Must not be in the future |
| `nonce` | Must match your PAR request nonce |

Optional Validations
| Claim | Validation |
|---|---|
| `acr` | Should be `urn:bankid:idcheck` |
| `amr` | Should contain expected methods |
| `auth_time` | Should be within acceptable timeframe |
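The claim checks in the two tables above can be collected into one function that runs on the payload of the inner JWT. This is an added example, not DIP code: it assumes the JWE has already been decrypted and the ES256 signature verified with a JOSE library, and the function name, the `https://dip.example` issuer, the 60-second clock skew, the 600-second `auth_time` window and the required `face` method are assumed local policy.

```python
import hmac
import time

def validate_id_token_claims(claims, *, issuer, client_id, nonce, now=None,
                             skew=60, max_auth_age=600, required_amr=("face",)):
    """Check the payload of the inner JWT; return a list of errors ([] = accept).

    Call only AFTER the JWE is decrypted and the ES256 signature is verified.
    skew, max_auth_age and required_amr are assumed local policy, not DIP values.
    """
    now = int(time.time()) if now is None else now
    errors = []

    def is_ts(v):  # Unix timestamp: a number, but not a bool
        return isinstance(v, (int, float)) and not isinstance(v, bool)

    # Required validations
    if claims.get("iss") != issuer:
        errors.append("iss mismatch")
    if claims.get("aud") != client_id:
        errors.append("aud mismatch")
    if not is_ts(claims.get("exp")) or now >= claims["exp"] + skew:
        errors.append("expired or missing exp")
    if not is_ts(claims.get("iat")) or claims["iat"] > now + skew:
        errors.append("iat in the future or missing")
    got = claims.get("nonce")
    if not isinstance(got, str) or not hmac.compare_digest(got.encode(), nonce.encode()):
        errors.append("nonce mismatch")

    # Optional validations, enforced here as relying-party policy
    if claims.get("acr") != "urn:bankid:idcheck":
        errors.append("unexpected acr")
    amr = claims.get("amr")
    if not isinstance(amr, list) or not all(m in amr for m in required_amr):
        errors.append("missing amr method")
    if not is_ts(claims.get("auth_time")) or now - claims["auth_time"] > max_auth_age:
        errors.append("auth_time too old or missing")
    return errors

# Constructed sample: the page's example claims with a placeholder issuer.
SAMPLE = {
    "iss": "https://dip.example", "sub": "a1b2c3d4e5f6g7h8i9j0",
    "aud": "dip_aci_your_client_id", "exp": 1759839472, "iat": 1759835872,
    "auth_time": 1759835872, "nonce": "n-0S6_WzA2Mj",
    "acr": "urn:bankid:idcheck", "amr": ["face", "user"],
}
```

The expected `nonce` must come from the server-side session that created the PAR request, never from a value the browser sends back alongside the token.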
Complete Example
Request (PAR claims parameter)
```json
{
  "id_token": {
    "verified_claims": {
      "verification": {
        "trust_framework": "stoe_etsi",
        "evidence": [
          {
            "type": { "value": "document" },
            "document_details": {
              "type": null,
              "document_number": null,
              "date_of_expiry": null,
              "issuer": { "country_code": null, "name": null },
              "personal_number": null
            }
          }
        ]
      },
      "claims": {
        "given_name": { "essential": true },
        "family_name": { "essential": true },
        "picture": { "essential": true },
        "birthdate": { "essential": true }
      }
    }
  }
}
```
Response (ID Token verified_claims)
```json
{
  "verified_claims": {
    "verification": {
      "trust_framework": "stoe",
      "evidence": [
        {
          "type": "document",
          "document_details": {
            "type": "passport",
            "document_number": "AB1234567",
            "date_of_expiry": "2030-01-15",
            "issuer": {
              "country_code": "NOR",
              "name": "INNLANDET POLITIDISTRIKT"
            },
            "personal_number": {
              "type": "no-fnr",
              "value": "12345678901"
            }
          }
        }
      ]
    },
    "claims": {
      "given_name": "AASAMUND SPECIMEN",
      "family_name": "OESTENBYEN",
      "picture": "...",
      "birthdate": "1990-01-15"
    }
  }
}
```
Note: Only requested fields are included in the response.
Complete Example with Folkeregisteret
This example shows a response with both `document` and `electronic_record` evidence.
Request (PAR claims parameter)
```json
{
  "id_token": {
    "verified_claims": {
      "verification": {
        "trust_framework": { "value": "stoe_etsi" },
        "evidence": [
          {
            "type": { "value": "document" },
            "document_details": {
              "type": null,
              "document_number": null,
              "date_of_expiry": null,
              "issuer": { "country_code": null, "name": null },
              "active_authentication_result": null,
              "issuer_check": null
            }
          },
          {
            "type": { "value": "electronic_record" },
            "record": {
              "type": { "value": "population_register" },
              "source": {
                "name": "Folkeregisteret",
                "country_code": null
              },
              "personal_number": null,
              "created_at": null
            },
            "check_details": null
          }
        ]
      },
      "claims": {
        "given_name": { "essential": true },
        "family_name": { "essential": true },
        "birthdate": { "essential": true },
        "nationalities": { "essential": false }
      }
    }
  }
}
```
Response (ID Token verified_claims)
```json
{
  "verified_claims": {
    "verification": {
      "trust_framework": "stoe",
      "evidence": [
        {
          "type": "document",
          "document_details": {
            "type": "passport",
            "document_number": "AB1234567",
            "date_of_expiry": "2030-01-15",
            "issuer": {
              "country_code": "SWE",
              "name": "POLISMYNDIGHETEN"
            },
            "active_authentication_result": "passed",
            "issuer_check": {
              "valid": "VALID"
            }
          }
        },
        {
          "type": "electronic_record",
          "record": {
            "type": "population_register",
            "source": {
              "name": "Folkeregisteret",
              "country_code": "NOR"
            },
            "personal_number": {
              "type": "no-fnr",
              "value": "12345678901"
            },
            "created_at": "2024-01-15T10:30:00Z"
          },
          "check_details": [
            {
              "check_method": "data",
              "organization": "Skatteetaten",
              "time": "2024-01-15T10:30:00Z"
            }
          ]
        }
      ]
    },
    "claims": {
      "given_name": "ERIK",
      "family_name": "NORDMANN",
      "birthdate": "1985-06-15",
      "nationalities": ["NOR"]
    }
  }
}
```
Note: The identity claims (given_name, family_name, birthdate, nationalities) are always sourced from the identity document. The electronic_record evidence provides additional verification that the person exists in the Norwegian Population Register and includes their national identification number.
Next Steps
- PAR Request - How to request specific claims
- Token Request - Token exchange endpoint
- Authentication - JWT requirements