An ID Token is a JWT (JSON Web Token): a cryptographically signed, Base64-encoded JSON object. The ID Token contains user profile attributes represented in the form of claims. These claims are statements about the user, which can be trusted if the consumer of the token can verify its signature.
The ID Token is consumed by the application to get user information like the user's name, email, and so forth, typically used for UI display. You can get an ID Token for a user after they successfully authenticate. You must verify the ID Token's signature before storing and using it. You will need to decode this token to read the claims (or attributes) of the user.
The JWT.io website provides a list of libraries you can use to decode and verify the ID Token. The ID Token was added to the OIDC specification as an optimization so the application can know the identity of the user without having to make an additional network request.
The following table describes the standard claims returned in the ID Token for all users:
Claim | Description | Example |
---|---|---|
idp | Identity Provider | Visma Connect |
acr | Authentication Context Class Reference. Level of Authentication | 2 |
amr | Authentication Methods References. Array of Authentication methods used. See list further down in this article. | ["pwd"] |
auth_time | Time the authentication last occurred. Number of seconds since 01.01.1970 | 1498217219 |
sub | Visma Connect Unique User ID of authenticated user | 1072cd43-d99a-4d44-84a2-5f80720c1a19 |
sid | Visma Connect Session ID of the user's current active session | 11474d36-22a3-40d8-925d-21af17826e38 |
aud | Client ID of the client who requested the authentication | demoapp |
llt | Last Login Time in Unix Time Stamp (Epoch time) | 1501591804 |
If the application has the Developer Portal setting "Include core identity claims in ID token" enabled, the user claims are exposed in the ID Token as well.
The User Claims in the ID token are limited to:
email
email_verified
locale
name
given_name
family_name
picture
sub_external_id (if you request the scope sub_external_id and enable it as Identity claim you will receive your external user id set by Connect Public API method “Add ExternalID for an Application linked to User”). Note: The external user id is prepended with your specific "clientid:", resulting in the formatted string "clientid:123456".
Authentication Method References “amr”
amr | Description |
---|---|
pwd | Password authentication |
pwdless | Passwordless authentication using FIDO2 devices |
remember2sv | Remember 2 Step Verification (30 days) was used |
Confirmation by email code | |
face_fpt | Passkey - Facial recognition or fingerprint |
hwk | Passkey or 2FA - Hardware key with FIDO2 security (e.g. YubiKey) |
otp | 2FA: Time-based One time password (TOTP) |
push | 2FA: Visma Authenticator Push Notification |
pop | 2FA: Proof of possession of a key with U2F security (e.g. YubiKey) |
sms | 2FA: Confirmation by SMS code |
magiclink-initial | Magiclink by API for initial login |
magiclink | Magiclink by email |
imp | |
nbid | BankID Norway - with or without ID-Porten |
nbid-biometric | BankID Norway - Biometric with or without ID-Porten |
sbid | BankID Sweden |
sbid-mobile | BankID Sweden - Mobile |
commfides | ID-Porten Norway - Commfides |
buypass | ID-Porten Norway - Buypass |
minid-pin | ID-Porten Norway - MinID (PIN) |
minid-otc | ID-Porten Norway - MinID (OTC) |
minid-app | ID-Porten Norway - MinID (app) |
testid | ID-Porten Norway - TestId (test environments only) |
mitid_password | MitID Denmark - Password authentication |
mitid_code_token | MitID Denmark - Token authentication |
mitid_code_reader | MitID Denmark - Reader authentication |
mitid_code_app | MitID Denmark - App authentication |
mitid_code_app_enhanced | MitID Denmark - Enhanced authentication |
mitid_u2f_token | MitID Denmark - U2F Token authentication |
fbid-mpki.telia.1 | Finnish BankID - Mobile ID |
fbid-oidc.aktia.1 | Finnish BankID - Aktia |
fbid-oidc.alandsbanken.1 | Finnish BankID - Ålandsbanken |
fbid-oidc.danskebank.1 | Finnish BankID - Danske Bank |
fbid-oidc.handelsbanken.1 | Finnish BankID - Handelsbanken |
fbid-oidc.nordea.1 | Finnish BankID - Nordea |
fbid-oidc.omasp.1 | Finnish BankID - Oma Säästöpankki |
fbid-saml.op.1 | Finnish BankID - Osuuspankki |
fbid-oidc.pop.1 | Finnish BankID - POP Pankki |
fbid-oidc.sp.1 | Finnish BankID - Säästöpankki |
fbid-oidc.spankki.1 | Finnish BankID - S-Pankki |
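
The following is an added example, not code from Visma Connect: a relying-party check that runs on the claims after your JWT library has verified the ID Token's signature, enforcing `aud`, `auth_time` freshness and a second factor in `amr`. The function name, the one-hour `max_auth_age`, the 60-second clock skew and the policy of requiring one of the rows labelled 2FA in the table above are assumptions for illustration.

```python
import time

# amr values that the table above labels as 2FA ("Passkey or 2FA" for hwk).
SECOND_FACTOR_AMR = {"hwk", "otp", "push", "pop", "sms"}


def check_id_token_claims(claims, client_id, max_auth_age=3600, skew=60, now=None):
    """Return policy violations for claims whose signature is already verified.

    An empty list means the claims are acceptable. Hypothetical helper.
    """
    now = int(time.time()) if now is None else now
    problems = []

    # aud must name this client; a JWT may carry a single string or a list.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud if isinstance(aud, list) else [])
    if client_id not in audiences:
        problems.append("aud does not contain this client's ID")

    # auth_time is seconds since the epoch; reject stale or future logins.
    auth_time = claims.get("auth_time")
    if isinstance(auth_time, bool) or not isinstance(auth_time, int):
        problems.append("auth_time missing or not an integer")
    elif auth_time > now + skew:
        problems.append("auth_time is in the future")
    elif now - auth_time > max_auth_age:
        problems.append("authentication is older than max_auth_age")

    # amr is an array; require at least one method from the 2FA rows.
    amr = claims.get("amr")
    if not isinstance(amr, list) or not all(isinstance(m, str) for m in amr):
        problems.append("amr missing or not an array of strings")
    elif not SECOND_FACTOR_AMR.intersection(amr):
        problems.append("no second factor in amr: " + ",".join(amr))

    return problems


# Constructed sample claims, built from the example column of the claims table.
SAMPLE = {
    "idp": "Visma Connect", "acr": 2, "amr": ["pwd"], "auth_time": 1498217219,
    "sub": "1072cd43-d99a-4d44-84a2-5f80720c1a19", "aud": "demoapp",
}

if __name__ == "__main__":
    at_login = SAMPLE["auth_time"] + 30  # evaluated 30 s after authentication
    print(check_id_token_claims(SAMPLE, "demoapp", now=at_login))
    print(check_id_token_claims({**SAMPLE, "amr": ["pwd", "otp"]}, "demoapp", now=at_login))
```

Run the check only on claims returned by a library call that has verified the signature; claims decoded from an unverified token carry no assurance.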