eHerkenning attributes in OIDC
This page contains information about the user attributes that you can request and retrieve from eHerkenning when using OpenID Connect (OIDC) as an authentication protocol.
To learn more about the properties of the data available through eHerkenning, visit the Attribute glossary page.
Attributes table
eHerkenning provides the following data:
* Pseudonym example: ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890@ABCDEF1234567890ABCDEF1234567890
Examples
When connecting with OIDC, you specify the scopes in the authorisation request.
After the end-user verifies their identity, consents to sharing their data and the flow is complete, you can retrieve the claims in the ID Token or through the UserInfo endpoint.
Below, you find examples of requests and responses to gain insight into the exchange of user information that occurs during an authentication process with OIDC.
Request example
To trigger an authentication, you build an OIDC request like:
https://<YOUR_SIGNICAT_DOMAIN>/auth/open/connect/authorize?
&client_id=<OIDC_CLIENT_ID>
&response_type=code
&redirect_uri=<REDIRECT_URI>
&state=1599045135410-jFe
&scope=openid%20profile%20idp-id%20email%20phone%20nin%20nationality%20eherkenning-extra
&acr_values=idp:eherkenning
&prompt=login
&nonce=1599046102647-dv4
Note the following request parameters shown in the example above:
scope: The scope specifies the set of claims that the client application is requesting from eHerkenning.acr_values: The Authentication Context Class Reference (ACR) values determine the type or level of authentication required. The example above is requesting to use only eHerkenning as Identity Provider (IdP) for authentication.
Response example
Below, you find an example of a response obtained from an identity verification flow with eHerkenning.
Scopes in request: openid, profile, idp-id, email, phone, nationality, nin, eherkenning-extra
Example of ID token in response:
{
"iss":"https://<ACCOUNT_DOMAIN>/auth/open",
"nbf":1726046529,
"iat":1726046529,
"exp":1726047129,
"aud":"<OIDC_CLIENT_ID>",
"amr":[
"external"
],
"at_hash":"_T539pqKJTOovx1xVyMnKA",
"sid":"783EFB56CEE40C1FA95F0543535B6E4E",
"sub":"X-FUmG7SkaAb8fA-7IU0ZrpTIJ37fnaV-c5SbXAoOqw=",
"auth_time":1726046523,
"idp":"eherkenning",
"idp_id":"E0DA125456E34014919EC26C5B1E6D9A8A5F7F2663A14C4D98BB6ADB3426FF09","serviceID":"urn:etoegang:DV:<ORGANISATION_IDENTIFICATION_NUMBER>:services:1010","serviceUUID":"47b842fd-0d0e-4385-88a4-06eb462fdf3b","idp_issuer":"urn:etoegang:HM:<ORGANISATION_IDENTIFICATION_NUMBER>:entities:9713","transaction_id":"1bb891ff-4420-fb4b-99f5-bdf2817a7725",
"sandbox":true
}
The ID Token is configured by default to return only the claims defined in the OIDC standard (standard scopes).
To control the data returned in the ID Token, edit the ID Token User data field in the Advanced > Security tab of your OIDC client configuration in the Signicat Dashboard.
Example of a response from the UserInfo endpoint:
{
"sub": "1234567890",
"idp_issuer": "urn:etoegang:HM:<ORGANISATION_IDENTIFICATION_NUMBER>:entities:9713",
"idp_id": "ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890@ABCDEF1234567890ABCDEF1234567890",
"given_name": "Jane",
"initials": "J.",
"family_name": "Doe",
"family_name_infix": "van",
"birthdate": "1980-01-15",
"gender": "F",
"phone_number": "tel:+31612345678",
"email": "jane.doe@example.com",
"place_of_birth": "Amsterdam",
"nin": "123456789",
"nin_type": "BSN",
"nin_issuing_country": "NL",
"eighteen_or_older": true,
"sixteen_or_older": true,
"twelve_or_older": true,
"sixty_five_or_older": false,
"chamber_of_commerce": "12345678",
"eherkenning_intermediate_kvknr": "87654321",
"eherkenning_vestigingsnr": "123400567890",
"eherkenning_rsin": "987654321",
"eherkenning_probasnr": "PROBAS-00123",
"eherkenning_pseudo": "pseudo-org-12345",
"eherkenning_pseudo_id": "pseudo-id-67890",
"eherkenning_service_id": "urn:etoegang:DV:<ORGANISATION_IDENTIFICATION_NUMBER>:services:1010",
"eherkenning_service_uuid": "d8f71022-789b-456c-abc1-2f1234567890",
"organisation": "Example BV",
"eherkenning_intermediate_organisation": "Intermediate Services BV"
}