Skip to main content

Attributes reference

You use BankID to verify the end-user's identity and obtain relevant personal details about them. This page summarises user information you can request and receive for the OIDC and the Authentication REST API protocols. We also support SAML 2.0, but this is not documented yet.

OIDC scopes and claims

You can use the following scopes to request user information from an end-user using BankID.

Include user data claims in Id token

By default, all claims listed in this table are returned in the UserInfo endpoint. In addition, you can configure user data claims to be returned in the Id token. You can set this up in the Dashboard > OIDC client under Advanced Security > Id Token User data. The right column shows the values required to include each claim in the Id token.

ScopeClaimExample value in responseDescriptionId Token User data values
profilefamily_nameSvenssonThe surname of the end-user.Standard Scopes or All
given_nameSvenThe first name of the end-user.Standard Scopes or All
birthdate1990-02-17The date of birth of the end-user (ISO 8601 format).Standard Scopes or All
idp-ididp_id199002171234Personal identifier set by the identity provider.StandardScopes or All
ninnin199002171234The national identity number (“fødselsnummer”) of the end-user. See also login_hint.All
nin_typePERSONThe type of national identity number. Always PERSON for BankID (Sweden).All
nin_issuing_countrySEThe issuing country of the national identity. Always SE for BankID (Sweden).All
sbid-extrasbid_device_ip3.127.53.67The IP address of the end-user's device where the BankID app was run during the authentication.All
sbid_certificate_not_before2022-10-18T22:00:00.000ZThe time from when the certificate is valid.All
sbid_certificate_not_after2023-10-19T21:59:59.000ZThe time the certificate expires.All
sbid_ocsp_responder_idC=SE,O=Testbank A AB (publ),SERIALNUMBER=111111111111,CN=Testbank A Customer CA1 v1 for BankID Test OCSP SigningThe responder ID of the certificate used to sign the OCSP response (extracted from sbidOcspResponse).All
sbidMrtdtrueRequired in the MRTD check when sbid_require_mrtd is set to true (see acr_values). Note: You must validate that the sbidMrtd value is returned as true to prevent any tampering with the sbid_require_mrtd parameter.All
sbid-evidencesbid_ocsp_responseMIIHfgoBAKCCB3cwggdzBgkrBgEFBQcwAQ...Base64 encoded OCSP response for end user's BankID certificateAll
sbid_xml_signaturePD94bWwgdmVyc2lvbj0iMS4wIiBlbmNv...Base64 encoded XML signature returned by BankID as proof of authenticationAll
Related information

For information about how to adjust the BankID flow using acr_values and login_hint, see Select and configure ID method.

OIDC response examples

This section shows response examples for the ID token and the UserInfo endpoints.

Authentication token response example

In the following examples, the ID token user data is set to the "standard scopes", openid, profile nin.

{
"id_token": "eyJhbGc...",
"access_token": "eyJhbGc...",
"expires_in": 600,
"token_type": "Bearer",
"scope": "openid profile nin"
}

JWT id_token decoded example

Header (Algorithm and token type)
{
"alg": "RS256",
"kid": "signing-key-7e5ec5cfa428a64b8e4e990d1aba6bf6",
"typ": "JWT"
}
Payload (Data)
{
"nbf": 1657278414,
"exp": 1657279014,
"iss": "https://testdomain.sandbox.signicat.dev/auth/open",
"aud": "dev-silly-carriage-435",
"iat": 1657278414,
"at_hash": "AmHqoGoXr1tWVZlbjrR6aQ",
"sid": "1670A333DEA5FAE66072ECDAC88AE4C6",
"sub": "0I3nYK5-NdoLqN1ps8tIWk7WRLOL-BEoU3erWBK28e4=",
"auth_time": 1657278399,
"idp": "sbid",
"family_name": "Svensson",
"given_name": "Sven",
"birthdate": "1990-02-17",
"amr": [
"external"
]
}

UserInfo response example

Scope: openid profile nin

{
"family_name":"Svensson",
"given_name":"Sven",
"birthdate":"1990-02-17",
"nin":"199002171234",
"nin_type":"PERSON",
"nin_issuing_country":"SE",
"sub":"KuJm0Zfr6JvRZ3PwC1IktAVSMPDtGTD-HEB6Uu0z-mA="
}

The following example also includes the sbid-extra and sbid-evidence scopes, with extra information about the certificate validity (for more descriptions, see the table below).

Scope: openid profile nin sbid-extra sbid-evidence

{
"idp_id": "199004181234",
"family_name": "Svensson",
"given_name": "Pernilla",
"birthdate": "1990-04-18",
"nin": "199004181234",
"nin_type": "PERSON",
"nin_issuing_country": "SE",
"sbid_device_ip": "3.127.53.67",
"sbid_certificate_not_before": "2022-10-18T22:00:00.000Z",
"sbid_certificate_not_after": "2023-10-19T21:59:59.000Z",
"sbid_ocsp_responder_id": "C=SE,O=Testbank A AB (publ),SERIALNUMBER=111111111111,CN=Testbank A Customer CA1 v1 for BankID Test OCSP Signing",
"sbid_ocsp_response": "MIIHfgoBAKCCB3cwggdzBgkrBgEFBQcwAQEEggdkMIIHYDCCASyhgYgwgYUxCzAJBgNVBAY...",
"sbid_xml_signature": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+PFNpZ25hdHVyZ...",
"sub": "1W8CUMabaa57aHufl-Z3h26EUsTSOMjsEXB--tGH5OE=",
}

Authentication REST API attributes

The Signicat Authentication REST API supports the following request and response attributes for Swedish BankID:

Attributesub-fieldExample value in responseDescription
nameSven SvenssonThe full name of the end-user
firstNameSvenThe first name of the end-user.
lastNameSvenssonThe surname of the end-user.
dateOfBirth1990-02-17The date of birth of the end-user (ISO 8601 format).
idpId199002171234Personal identifier set by the identity provider.
ninvalue199002171234The national identity number (“fødselsnummer”) of the end-user.
typePERSONThe type of national identity number. Always PERSON for Swedish BankID.
issuingCountrySEThe issuing country of the national identity. Always SE for Swedish BankID.
sbidDeviceIp3.127.53.67The IP address of the end-user's device where the BankID app was run during the authentication.
sbidCertificateNotBefore2022-10-18T22:00:00.000ZThe time from when the certificate is valid.
sbidCertificateNotAfter2023-10-19T21:59:59.000ZThe time the certificate expires.
sbidOcspResponderIdC=SE,O=Testbank A AB (publ),SERIALNUMBER=111111111111,CN=Testbank A Customer CA1 v1 for BankID Test OCSP SigningThe responder ID of the certificate used to sign the OCSP response (extracted from sbidOcspResponse).
sbidOcspResponseMIIHfgoBAKCCB3cwggdzBgkrBgEFBQcwAQ...Base64 encoded OCSP response for end user's BankID certificate
sbidXmlSignaturePD94bWwgdmVyc2lvbj0iMS4wIiBlbmNv...Base64 encoded XML signature returned by BankID as proof of authentication
sbidMrtdtrueRequired in the MRTD check when the sbid_require_mrtd additional parameter is set to true. Note: You must validate that the sbidMrtd value is returned as true to prevent any tampering with the sbid_require_mrtd parameter.

Authentication REST API response example

Here is a full response example. You can find the user information inside the subject object:

{
"id": "217f8661-0eca-...",
"accountId": "a-sdge-...",
"authenticationUrl": "https://<YOUR_SIGNICAT_DOMAIN>/broker/sp/external-service/login?messageId=21b064c3-28b...",
"status": "SUCCESS",
"provider": "sbid",
"subject": {
"id": "Gbhk5imsLMs2MEVirGY4-NE3EK-WQ-aYDE9FpbSAPpk=",
"idpId": "199002171234",
"name": "Sven Svensson",
"firstName": "Sven",
"lastName": "Svensson",
"dateOfBirth": "1990-02-17",
"nin": {
"value": "199002171234",
"issuingCountry": "SE",
"type": "PERSON"
},
"sbidMrtd": "false"
},
"callbackUrls": {
"success": "https://example.com/success",
"abort": "https://example.com/abort",
"error": "https://example.com/error"
},
"environment": {
"ipAddress": "...",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"
},
"allowedProviders": [
"sbid"
],
"flow": "redirect",
"requestedAttributes": [
"dateOfBirth",
"firstName",
"lastName",
"name",
"nin",
"sbidMrtd",
"idpId"
],
"sessionLifetime": 1200,
"expiresAt": "2024-06-25T07:05:15.8442885+00:00"
}