Tokens used in Feide

This page describes the types of tokens used by Feide, their format and use. The key used to sign our JWT tokens may be obtained here:

Feide access token

An opaque ASCII string. Example:


Used to access APIs provided by Feide and third party data sources using the legacy API gatekeeper.

Feide JWT access token

An ASCII string. Example (shortened):


It is intended for use with third party data sources. It consists of a header, a payload and a signature, with a . between them. Each part is base64url encoded. See RFC 7519 - JSON Web Token (JWT). The payload is a JSON object containing claims.

Here is an example of what the payload may look like after decoding:

    {
        "aud": "",
        "iss": "",
        "exp": 1610448035,
        "iat": 1610447735,
        "nbf": 1610447735,
        "client_id": "208335d4-e8c1-4910-8928-05b2e5b14127",
        "sub": "208335d4-e8c1-4910-8928-05b2e5b14127",
        "scope": "read append",
        "act": {
            "sub": "208335d4-e8c1-4910-8928-05b2e5b14127"
        },
        "name": "Bekymret Sky",
        "": "",
        "": "05840399895"
    }

If the token was issued in the context of an authenticated user, it may contain claims about the user. A claim is only included if the service that requested the token and the data source are both authorized to access the claim.

The following claims are always included in the token:


aud

Audience. The data source should only accept the token if it is the intended audience.

iss

Issuer. Value is if token was issued by Feide.

iat

Time of issue. This and other time attributes are given in seconds since 1970-01-01T00:00:00 UTC.

exp

Expiration time.

nbf

Not valid before time. Protects against clock skew.

client_id

ID of the application that requested the token.

sub

Subject - the identity which the token authenticates. Can be a Dataporten user ID or a client ID.

scope

The scopes that were granted.

act

Actor. It represents a chain of delegation. E.g., an application could authorize a data source to access another on its behalf. We do not currently support delegation in JWT tokens, so the chain is only one level deep. It is a JSON object with a single attribute: sub, with the same value as client_id in the token.
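A data source receiving a Feide JWT access token would check the always-included claims described above roughly as follows. This is an added example, not Feide's own code: the aud and iss values are placeholders, the sample token is constructed, and the signature is assumed to have been verified against Feide's published key with a JWT library before check_claims is trusted.

```python
import base64, json, time

def b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def split_jwt(token):
    """Decode header and payload for inspection. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def check_claims(claims, audience, issuer, required_scope, now=None, leeway=0):
    """Run on a payload whose signature is already verified against Feide's key.
    Returns a list of problems; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != audience:
        problems.append("aud: token was issued for another audience")
    if claims.get("iss") != issuer:
        problems.append("iss: unexpected issuer")
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, (int, float)) or now >= exp + leeway:
        problems.append("exp: missing or expired")
    if not isinstance(nbf, (int, float)) or now < nbf - leeway:
        problems.append("nbf: missing or not yet valid")
    # scope is one space-separated string, e.g. "read append"
    if required_scope not in str(claims.get("scope", "")).split():
        problems.append("scope: required scope not granted")
    # act has a single attribute, sub, equal to client_id (no delegation chain)
    act = claims.get("act")
    if not isinstance(act, dict) or act.get("sub") != claims.get("client_id"):
        problems.append("act: act.sub does not match client_id")
    return problems

# Constructed sample: placeholder aud/iss values, other claims from the page's example.
AUD, ISS = "https://datasource.example", "https://issuer.example"
CLIENT = "208335d4-e8c1-4910-8928-05b2e5b14127"
SAMPLE_CLAIMS = {"aud": AUD, "iss": ISS, "exp": 1610448035, "iat": 1610447735,
                 "nbf": 1610447735, "client_id": CLIENT, "sub": CLIENT,
                 "scope": "read append", "act": {"sub": CLIENT}}

def enc(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed token; the header and signature segment are dummies, not Feide output.
SAMPLE_TOKEN = ".".join([enc({"typ": "JWT"}), enc(SAMPLE_CLAIMS), "c2ln"])
```

The leeway argument lets a data source tolerate a few seconds of clock difference on exp and nbf; keep it small.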

User claims in JWT access tokens

The following user claims may be included:


Name of user who the token authenticates.


Picture of user.


Described above

Secondary user ID of user.

eduPersonPrincipalName of user. Only for users who authenticated to the Feide IDP.

Norwegian national identity number of user.

ID token

The ID token is a signed information object representing the authenticated identity of the user. It is specified in the OpenID Connect standard. The ID token is encoded as a JWT, and signed using the JWS standard.

The information included - the claims - depends on the scopes / attribute groups enabled for the application. Claims are namespaced, so that claims which are specific to Feide are prefixed with Claims without this prefix are specified in the OIDC standard or in RFC 7519 - JSON Web Token (JWT).

ID token example:


Here is a decoded example of a minimal ID token:

    {
        "iss": "",
        "aud": "5ac8753f-8296-41bf-b985-59d89769005e",
        "sub": "76a7a061-3c55-430d-8ee0-6f82ec42501f",
        "iat": 1449065432,
        "exp": 1449069032,
        "auth_time": 1449065364
    }

The example above shows what the ID token includes when only the openid scope is enabled. All times are in seconds since 1970-01-01 00:00:00 UTC.




aud

Audience - the client ID

sub

Subject - The internal ID of the authenticated user. This ID is stable but opaque, not releasing any additional information about the user.

iat

Issued at - Time issued (in seconds since 1970-01-01T00:00:00 UTC)

exp

Expiration time (in seconds since 1970-01-01T00:00:00 UTC)

auth_time

Time when the end-user authentication occurred

The attributes acr, at_hash, c_hash and nonce may also be present. See the OIDC standard for info about these.

Here is an example of a decoded ID token which includes all supported claims:

    {
        "iss": "",
        "jti": "f95ed523-b9b2-42e7-b193-a08143d9f342",
        "aud": "5ac8753f-8296-41bf-b985-59d89769005e",
        "sub": "76a7a061-3c55-430d-8ee0-6f82ec42501f",
        "iat": 1635509702,
        "exp": 1635513302,
        "auth_time": 1635505713,
        "nonce": "PLt3i3bT2~xTw7m",
        "email": "",
        "name": "Jon Kåre Hellan",
        "picture": "",
        "": [
        ],
        "": "",
        "at_hash": "DiafctHGah2reptMDjEqUg"
    }

User claims in ID tokens


email

The user’s email. Requires the email attribute group.

name

The user’s name. Requires the userinfo-name attribute group.

picture

A picture of the user. Requires the userinfo-photo attribute group.

An array of secondary user IDs, with a prefix to indicate the source.

If the application has the userid-feide attribute group, and the user logged in with Feide, it will contain feide: followed by the eduPersonPrincipalName of the user. Example:

If the application has the userid-nin attribute group, and the user logged in with ID-porten, it will contain nin: followed by the national identity number of the user. Example: nin:10108012345

The user’s eduPersonPrincipalName. Requires the userid-feide attribute group. Only available if the user logged in with Feide.

The user’s national identity number. Requires the userid-nin attribute group.