An ID Token is a JWT (JSON Web Token): a cryptographically signed, Base64-encoded JSON object. The ID Token carries user profile attributes in the form of claims. These claims are statements about the user, and they can be trusted only if the consumer of the token can verify its signature.
The ID Token is consumed by the application to obtain user information such as the user's name and email, typically for UI display. You can get an ID Token for a user after they successfully authenticate. You must verify the ID Token's signature before storing or using it, and you need to decode the token to read the user's claims (attributes).
The JWT.io website provides a list of libraries you can use to decode and verify the ID Token. The ID Token was added to the OIDC specification as an optimization, so the application can learn the identity of the user without making an additional network request.
The following table describes the standard claims returned in the ID Token for all users:
Claim | Description | Example |
---|---|---|
idp | Identity Provider | Visma Connect |
acr | Authentication Context Class Reference. Level of Authentication | 2 |
amr | Authentication Methods References. Array of Authentication methods used. See list further down in this article. | ["pwd"] |
auth_time | Time authentication last occurred. Number of seconds since 01.01.1970 | 1498217219 |
sub | Visma Connect Unique User ID of authenticated user | 1072cd43-d99a-4d44-84a2-5f80720c1a19 |
sid | Visma Connect Session ID of the user's current active session | 11474d36-22a3-40d8-925d-21af17826e38 |
aud | Client ID of the client who requested the authentication | demoapp |
llt | Last Login Time in Unix Time Stamp (Epoch time) | 1501591804 |
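As an added example (not code from the original page or from Visma Connect), the verify-before-use flow described above: the signature is checked with a pinned algorithm before any claim is read, and only then are aud, exp, acr, amr and auth_time validated against the table. It assumes a constructed HS256 shared secret and client id so it runs offline; a production ID Token is normally verified with the provider's published signing keys through one of the JWT.io libraries, but the claim checks are the same.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions for this example, not Visma Connect's keys).
DEMO_SECRET = b"demo-shared-secret"
CLIENT_ID = "demoapp"

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # JWT uses base64url, no padding

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_demo_id_token(claims, key=DEMO_SECRET, alg="HS256"):
    # Builds a constructed HS256 token so the checks below can run offline.
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_id_token(token, key, client_id, min_acr=2, max_age=None, now=None):
    """Check the signature first, then the claims from the table above.
    Returns the claims dict on success and raises ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated parts")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm we expect; never let the token header choose it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))  # payload is trusted only past this point
    now = int(time.time()) if now is None else now
    if claims.get("aud") != client_id:
        raise ValueError("aud does not match this client id")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if int(claims.get("acr", 0)) < min_acr:
        raise ValueError(f"acr {claims.get('acr')!r} below required level {min_acr}")
    if not isinstance(claims.get("amr"), list) or not claims["amr"]:
        raise ValueError("amr missing or empty")
    # Step-up: when max_age was requested, auth_time must be recent enough.
    if max_age is not None and now - int(claims.get("auth_time", 0)) > max_age:
        raise ValueError("authentication too old for requested max_age")
    return claims
```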
If the application has the Developer Portal setting "Include core identity claims in ID token" enabled, those claims are exposed as well.
The user claims in the ID token are limited to:
- email
- email_verified
- locale
- name
- given_name
- family_name
- picture
- sub_external_id (if you request the scope sub_external_id and enable it as an identity claim, you will receive the external user id set via the Connect Public API method "Add ExternalID for an Application linked to User"). Note: the external user id is prefixed with your specific "clientid:", giving a string of the form "clientid:123456".
Authentication Method References “amr”
amr | Description |
---|---|
pwd | Password authentication |
pwdless | Passwordless authentication using FIDO2 devices |
remember2sv | Remember 2 Step Verification (30 days) was used |
Confirmation by email code | |
face_fpt | Passkey - Facial recognition or fingerprint |
hwk | Passkey or 2FA - Hardware key with FIDO2 security (e.g. YubiKey) |
otp | 2FA: Time-based One time password (TOTP) |
push | 2FA: Visma Authenticator Push Notification |
pop | 2FA: Proof of possession of a key with U2F security (e.g. YubiKey) |
sms | 2FA: Confirmation by SMS code |
magiclink-initial | Magiclink by API for initial login |
magiclink | Magiclink by email |
imp | |
nbid | BankID Norway - with or without ID-Porten |
nbid-biometric | BankID Norway - Biometric with or without ID-Porten |
sbid | BankID Sweden |
sbid-mobile | BankID Sweden - Mobile |
commfides | ID-Porten Norway - Commfides |
buypass | ID-Porten Norway - Buypass |
minid-pin | ID-Porten Norway - MinID (PIN) |
minid-otc | ID-Porten Norway - MinID (OTC) |
minid-app | ID-Porten Norway - MinID (app) |
testid | ID-Porten Norway - TestId (test environments only) |
mitid_password | MitID Denmark - Password authentication |
mitid_code_token | MitID Denmark - Token authentication |
mitid_code_reader | MitID Denmark - Reader authentication |
mitid_code_app | MitID Denmark - App authentication |
mitid_code_app_enhanced | MitID Denmark - Enhanced authentication |
mitid_u2f_token | MitID Denmark - U2F Token authentication |
fbid-mpki.telia.1 | Finnish BankID - Mobile ID |
fbid-oidc.aktia.1 | Finnish BankID - Aktia |
fbid-oidc.alandsbanken.1 | Finnish BankID - Ålandsbanken |
fbid-oidc.danskebank.1 | Finnish BankID - Danske Bank |
fbid-oidc.handelsbanken.1 | Finnish BankID - Handelsbanken |
fbid-oidc.nordea.1 | Finnish BankID - Nordea |
fbid-oidc.omasp.1 | Finnish BankID - Oma Säästöpankki |
fbid-saml.op.1 | Finnish BankID - Osuuspankki |
fbid-oidc.pop.1 | Finnish BankID - POP Pankki |
fbid-oidc.sp.1 | Finnish BankID - Säästöpankki |
fbid-oidc.spankki.1 | Finnish BankID - S-Pankki |
ACR descriptions
List of supported acr_values:
acr_values | Description | Level |
---|---|---|
urn:idp:vismaconnect | Any authentication method using Visma Connect | 2 or 3 |
urn:idp:vismaconnect:method:pwd | Password authentication method using Visma Connect | 2 or 3 |
urn:idp:vismaconnect:method:pwdless | Passwordless authentication method using Visma Connect | 3 |
urn:idp:vismaconnect:level:3 | Any Level 3 (or higher) authentication method using Visma Connect. In combination with the max_age parameter, Level 3 will always trigger Level 2 (pwd) before the Level 3 method. | 3 |
urn:idp:vismaconnect:mfa | Any 2FA method can be used during sign-in or step-up. If the user is not enrolled in 2FA, they will be prompted with the enrollment wizard. Can be combined with max_age to trigger pwd re-authentication. amr will include only the method used for re-authentication or authentication. Use case 1: the user is signed in with pwd (level 2). Use case 2: the user is signed in with 2FA (level 3). | 2 or 3 |
urn:idp:vismaconnect:method:push | TOTP authentication method using Visma Authenticator App | 3 |
urn:idp:vismaconnect:method:sms NOT IMPLEMENTED | Provide SMS security code using Visma Connect. In combination with the max_age parameter, a Level 3 method will always trigger Level 2 (pwd) before the Level 3 method. | 3 |
urn:idp:vismaconnect:method:otp | TOTP authentication method using Visma Connect when a user is signed in. Will be Level 2 (otp) because the user is only prompted for OTP and not a password. Level 3 is set only when the user goes through the TOTP setup wizard. | 2 or 3 |
urn:idp:my-<mydomain> | Authentication using a customer's chosen External Identity Provider (e.g. Entra ID, ADFS, etc.). Each customer chooses their own "MyDomain", specific to their OIDC or SAML setup. | 2 or 3 |
urn:idp:saml_oidc | Authentication using a customer's SAML 2.0 or OpenID Connect Identity Provider (e.g. Azure AD, ADFS, etc.) | 2 or 3 |
urn:idp:nbid | Authentication method using BankID Norway | 4 |
urn:idp:nbid-biometric | Authentication method using BankID Norway Biometric app | 3 |
urn:idp:id-porten | Any authentication method using ID-porten | 3 or 4 |
urn:idp:id-porten:level:4 | Only Level 4 authentication method using ID-porten | 4 |
urn:idp:feide | Authentication method using Feide | 2 |
urn:idp:feide:method:otp | Authentication method using Feide with Feide 2FA | 3 |
urn:idp:sbid | Authentication method using BankID Sweden | 3 |
urn:idp:sbid-mobile | Authentication method using BankID Sweden Mobile | 3 |
urn:idp:apple | Authentication method using social sign-in with Apple | 2 |
urn:idp:google | Authentication method using social sign-in with Google | 2 |
urn:idp:facebook | Authentication method using social sign-in with Facebook | 2 |
urn:idp:microsoft | Authentication method using social sign-in with Microsoft | 2 |
urn:idp:linkedin | Authentication method using social sign-in with LinkedIn | 2 |
urn:idp:mitid | Authentication method using Danish MitID for private individuals | 3 or 4 |
urn:idp:mitid:level:4 | Request level 4 using MitID provider | 4 |
urn:idp:mitid:method:mitid-erhverv | Authentication method using Danish MitID for business individuals (see idp_claims scope for instructions to retrieve CVR number) | 3 or 4 |
urn:idp:fbid | Authentication using Finnish BankID | 4 |
urn:idp:fbid:method:<AMR> | Authentication using Finnish BankID using a specific bank. See AMR values supported in AMR descriptions below. | 4 |