Czech Bank iD attributes in OIDC

This page contains information about the user attributes that you can request and retrieve from Czech Bank iD when using OpenID Connect (OIDC) as an authentication protocol.

Attributes table

Czech Bank iD provides the following data:

AML verification settings

If you set profile.verification to Required when configuring your app in the Czech Bank iD Dashboard, you must include the bankid-cz-aml scope in your authentication request.

Examples

When connecting with OIDC, you specify the scopes in the authentication request.

After the end-user verifies their identity, consents to sharing their data and the flow is complete, you can retrieve the claims in the ID Token or through the UserInfo endpoint.

The request and response examples below show how user information is exchanged during an OIDC authentication flow.

Request example

To trigger an authentication, you build an OIDC request like:

https://<YOUR_SIGNICAT_DOMAIN>/auth/open/connect/authorize?
client_id=<OIDC_CLIENT_ID>
&response_type=code
&redirect_uri=<REDIRECT_URI>
&state=xyz123
&scope=openid%20profile%20nin%20address%20email%20phone%20gender%20date-of-birth%20eighteen-or-older%20nationality%20marital-status%20idp-id%20name%20bankid-cz-extra%20bankid-cz-idcards%20bankid-cz-title%20bankid-cz-bank%20bankid-cz-aml
&acr_values=idp:bankid-cz
&prompt=login
&nonce=abc456

Note the following request parameters shown in the example above:

  • scope: The scope specifies the set of claims that the client application is requesting from Czech Bank iD.
  • acr_values: The Authentication Context Class Reference (ACR) values determine the type or level of authentication required. To show only Czech Bank iD as the authentication provider, pass idp:bankid-cz.

What happens next?

  1. The user is redirected to CZ Bank iD for authentication.
  2. If successful, the authorization code is sent to the redirect_uri.
  3. You exchange the authorization code for an ID token and access token.

Response example

Below is an example of a response obtained from an identity verification flow with Czech Bank iD.

Scopes in request: openid, profile, idp-id, email, phone, nationality, nin, bankid-cz-extra, bankid-cz-idcards, bankid-cz-title, bankid-cz-bank, bankid-cz-aml

Example of ID token in response:

{
  "iss": "https://<ACCOUNT_DOMAIN>/auth/open",
  "nbf": 1726046529,
  "iat": 1726046529,
  "exp": 1726047129,
  "aud": "<OIDC_CLIENT_ID>",
  "amr": [
    "external"
  ],
  "at_hash": "_T539pqKJTOovx1xVyMnKA",
  "sid": "783EFB56CEE40C1FA95F0543535B6E4E",
  "sub": "X-FUmG7SkaAb8fA-7IU0ZrpTIJ37fnaV-c5SbXAoOqw=",
  "auth_time": 1726046523,
  "idp": "bankid-cz",
  "idp_id": "fed17912-aa8b-4f88-8c0f-9eb2b909d07f",
  "sandbox": true
}

ID Token

The ID Token is configured by default to return only the claims defined in the OIDC standard (standard scopes).

To control the data returned in the ID Token, edit the ID Token User data field in the Advanced > Security tab of your OIDC client configuration in the Signicat Dashboard.
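
The request example uses fixed state and nonce values for readability; in a real client both are generated per request and checked on the way back. The following is an added example, not Signicat's own code: it builds the authorize URL shown above and checks the ID token claims from the response example. The function names are hypothetical, and it assumes the token signature has already been verified with a JOSE library.

```python
import secrets
import time
from urllib.parse import quote, urlencode

IDP = "bankid-cz"  # value passed in acr_values and returned in the "idp" claim


def build_authorize_url(domain, client_id, redirect_uri, scopes):
    """Return (url, state, nonce). Keep state and nonce in the user's session."""
    state = secrets.token_urlsafe(32)  # fresh per request, not a fixed string
    nonce = secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": " ".join(scopes),
        "acr_values": f"idp:{IDP}",
        "prompt": "login",
        "nonce": nonce,
    }
    query = urlencode(params, quote_via=quote)  # spaces become %20
    return f"https://{domain}/auth/open/connect/authorize?{query}", state, nonce


def same(a, b):
    """Constant-time comparison that also tolerates non-ASCII input."""
    return secrets.compare_digest(str(a).encode(), str(b).encode())


def id_token_problems(claims, issuer, client_id, nonce, now=None):
    """List the claims that fail validation (empty list means accept).

    Assumption: the token signature was already verified with a JOSE library.
    """
    now = time.time() if now is None else now
    aud = claims.get("aud")
    checks = {
        "iss": claims.get("iss") == issuer,
        "aud": client_id in (aud if isinstance(aud, list) else [aud]),
        "time": claims.get("nbf", 0) <= now < claims.get("exp", 0),
        "nonce": same(claims.get("nonce", ""), nonce),
        "idp": claims.get("idp") == IDP,
    }
    return [name for name, ok in checks.items() if not ok]
```

Use same() to compare the state returned to the redirect_uri with the stored value before exchanging the authorization code.
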

Example of a response from the UserInfo endpoint:

{
  "sub": "987654321",
  "idp_id": "bankid-cz",
  "name": "Josef Dvořák",
  "given_name": "Josef",
  "family_name": "Dvořák",
  "middle_name": "Karel",
  "birthdate": "1990-05-20",
  "gender": "male",
  "place_of_birth": "Brno",
  "country_of_birth": "CZ",
  "nationality": "CZ",
  "address": {
    "street_address": "Náměstí Republiky 5",
    "postal_code": "11000",
    "locality": "Praha",
    "country": "CZ"
  },
  "nin": {
    "value": "8505051234",
    "issuingCountry": "CZ",
    "type": "PERSON"
  },
  "phone_number": "+420601234567",
  "email": "josef.dvorak@example.cz",
  "eighteen_or_older": true,
  "marital_status": "married",
  "bankid_cz_title_prefix": "Ing.",
  "bankid_cz_title_suffix": "Ph.D.",
  "bankid_cz_pep": false,
  "bankid_cz_limited_legal_capacity": false,
  "bankid_cz_payment_accounts": "CZ9530300000000999999998, CZ4830300000000999999971",
  "bankid_cz_updated_at": "1622543116",
  "bankid_cz_id_card": "123456789",
  "bankid_cz_verification_trust_framework": "cz_aml",
  "bankid_cz_verification_process": "45244782"
}