TelenorID+ User Login - Integration Example Step-by-step

User Login

The following example will walk through the common use case for logging in with TelenorID+ (IBIS). The examples show raw HTTP requests generated using the public debugger (available here: https://oidc-test.telenor.no/) and a public demo-client.

Thus this example uses a OpenID Connect Flow with PKCE even though most web clients will be confidential and should use the OpenID Connect Authorization Flow with client id and secret.

The debugger utilises the oidc-client-js client. As can be seen by the parameters in the example there are several parameters which must be securely generated and later validated; we once again stress that you should not try to “hand craft” oauth / oidc requests.

Debugger Start Page

Debugger start page

Step 1:: Start Authorization: /authorize

GET request
https://id-test.telenor.no/connect/authorize 
https://id-test.telenor.no/connect/authorize?client\_id=mainflow-client&
redirect\_uri=https%3A%2F%2Fidp.telenorid-staging.com%2Fui%2Fdebugger%2Fcallback&response\_type=code&scope=openid%20profile%20ial2&
state=ab1dbd3b963840b5b72a1bf76945053c&code\_challenge=qRD6s8ULvmiNvCcmnImCOhMRVH3Uwdm\_1YBAd78nc18&code\_challenge\_method=S256&
response\_mode=query&amr=&ui\_locales=no%20en&context=login
Parameter Type What / why
GET Http Verb The authorise request is done as an HTTP GET
https://id-test.telenor.no/connect/authorize URI The endpoint to start the authorise handshake
client_id=mainflow-client String Plain and simple, the client Id.
redirect_uri=https://oidc-test.telenor.no//callback URI Where should the user to redirected after the “authorise handshake” is completed, i.e. the user has successfully logged in. In this case the Debugger.
response_type=code String Indicates what response type you want from the authorisation server (IBIS), in this is instance we want an authorisation code.
scope=openid profile ial2 Space-separated strings Which scopes you are requesting on behalf of your client and user.
state=ab1dbd3b9638… String, Nonce A nonce to prevent replay-attacks (a state should only be seen once, and must match on both ends of the transaction).
code_challenge=qRD6s8ULvmiNvCcmnImCOhMRVH3Uwdm_1YBAd78nc18 String, PKCE Hash of a securely, randomly generated number on the client.
code_challenge_method=S256 String Indications which hashing algorithm was used for the code_challenge
login_hint= String Tells IBIS which MSISDN to login with
acr_values= String Tells IBIS which IDP to use, in this case TelenorID
response_mode=query String Tells IBIS that you want the response as query parameters (“?code=abc&foo=bar”)
lang=no en String Which language to use on IDP selection screen, options are “no” (Norsk bokmål) and “en” (English)
context=login String Tells IBIS which help text to show the user at the IDP selection screen
response 302 Found  
  In this step IBIS has verified that the ClientId is correct (found) and that the provided redirect URI is configured on the client.
  IBIS will also record the state and code_challenge parameters. 
Location:
https://id-test.telenor.no/Account/Login?returnUrl=/connect/authorize/callback?client\_id=mainflow-client&  
redirect\_uri=https%3A%2F%2Fidp.telenorid-staging.com%2Fui%2Fdebugger%2Fcallback&response\_type=code&scope=openid%20profile%20ial2&  
state=ab1dbd3b963840b5b72a1bf76945053c&code\_challenge=qRD6s8ULvmiNvCcmnImCOhMRVH3Uwdm\_1YBAd78nc18&  
code\_challenge\_method=S256&response\_mode=query&amr&ui\_locales=no%20en&context=login

/Account/login

IBIS finner utav hvilken IDP man har lov til å logge inn med. Elvis/TelenorID.

GET request
https://id-test.telenor.no/Account/Login 
https://id-test.telenor.no/Account/Login?returnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient\_id%3Dmainflow-client%26  
redirect\_uri%3Dhttps%253A%252F%252Fidp.telenorid-staging.com%252Fui%252Fdebugger%252Fcallback%26response\_type%3Dcode%26scope%3Dopenid%2520profile%2520ial2%26  
state%3Dab1dbd3b963840b5b72a1bf76945053c%26code\_challenge%3DqRD6s8ULvmiNvCcmnImCOhMRVH3Uwdm\_1YBAd78nc18%26  
code\_challenge\_method%3DS256%26response\_mode%3Dquery%26amr%26ui\_locales%3Dno%2520en%26context%3Dlogin
Parameter Type What / why
GET Http Verb The request is done as an HTTP GET
https://id-test.telenor.no/Account/Login URI The endpoint to contact
ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback… String The URI to return to after login

.

response 302 Found  
  The user is redirected to the internal controller which filters which IDPs are to be shown on the next screen. 
Location: 
/External/Challenge?requestUrlEncoded=eyJhdXRoU2NoZW1lIjoibm8udGVsZW5vci5pZC5wcm94eS5kZW1vLWNsaWVudCIsInJld  
HVyblVybCI6Ii9jb25uZWN0L2F1dGhvcml6ZS9jYWxsYmFjaz9jbGllbnRfaWQ9bWFpbmZsb3ctY2xpZW50XHUwMDI2cmVkaXJlY3Rf  
dXJpPWh0dHBzJTNBJTJGJTJGaWRwLnRlbGVub3JpZC1zdGFnaW5nLmNvbSUyRnVpJTJGZGVidWdnZXIlMkZjYWxsYmFja1x1MDAy  
NnJlc3BvbnNlX3R5cGU9Y29kZVx1MDAyNnNjb3BlPW9wZW5pZCUyMHByb2ZpbGUlMjBpYWwyXHUwMDI2c3RhdGU9YWIxZGJk  
M2I5NjM4NDBiNWI3MmExYmY3Njk0NTA1M2NcdTAwMjZjb2RlX2NoYWxsZW5nZT1xUkQ2czhVTHZtaU52Q2NtbkltQ09oTVJWS  
DNVd2RtXzFZQkFkNzhuYzE4XHUwMDI2Y29kZV9jaGFsbGVuZ2VfbWV0aG9kPVMyNTZcdTAwMjZyZXNwb25zZV9tb2RlPXF1ZXJ5  
XHUwMDI2YW1yXHUwMDI2dWlfbG9jYWxlcz1ubyUyMGVuXHUwMDI2Y29udGV4dD1sb2dpbiIsInJlZGlyZWN0VXJpIjoiaHR0cHM  
6Ly9pZHAudGVsZW5vcmlkLXN0YWdpbmcuY29tL3VpL2RlYnVnZ2VyL2NhbGxiYWNrIiwibG9naW5IaW50IjoiOTk5NTcwMDkiLCJsY  
W5ndWFnZSI6Im5vIGVuIiwibG9naW5Db250ZXh0IjoibG9naW4iLCJjbGllbnRJZCI6Im1haW5mbG93LWNsaWVudCIsImluaXRpYXRl  
ZEF0IjoiMjAyMS0wNS0xMFQwOToyNjoyOC40MzAxNzg4WiIsImF1dGhvcml6ZVBhcmFtcyI6eyJhY3JWYWx1ZXMiOiJ1cm46dG5pZ  
HBsdXM6c3RkIiwiZXJyb3JDb2RlIjowfSwiZXJyb3JDb2RlIjowfQ

Step 2:: Redirect to TelenorID Login

IBIS will perform its own /authorize call (similar to Step 1:: Start Authorization: /authorize towards the selected IDP, in this case TelenorID.
This time however the ClientId will be IBIS and the redirect URI will point back to IBIS.

GET request
https://signin.telenorid-staging.com/oauth/authorize 
https://signin.telenorid-staging.com/oauth/authorize?client\_id=tnn-ibistesttwo-web&redirect\_uri=https%3A%2F%2Fid-test.telenor.no%2Fsignin-tnn-ibistesttwo-web&response\_type=code&  
scope=openid%20profile%20email%20phone&code\_challenge=v0wdcyZ-P3LgTP17vPmElgtBcIxW8Cbst6irXv1wfhA&code\_challenge\_method=S256&response\_mode=form\_post&  
nonce=637562355885178265.NGVkZWFmNTYtMjBkZi00NjlmLWIwN2EtMWUxNDM2MWM5MGRhMDk0NGE2MzItYmM5YS00OWQyLWJmMGMtNjJlZThmMDdkNDI2&acr\_values=2&  
ui\_locales=no%20en&claims=%7B%22id\_token%22%3A%7B%22phone\_number%22%3A%7B%22essential%22%3Atrue%7D%2C%22email%22%3A%7B%22essential%22%3Atrue%7D%7D%7D&  
login\_hint=%2B4799957009&state=CfDJ8KA\_0MCpmkxDr6\_f25p5Z6N\_gpjS6K4IRqCn\_YuIDIDS58MNzIDZ\_pVGGTyCsHkQ3Yvpsm31mxuncz30vZHNHlqSTXXgIyUCIdfMUg7RBqQzCBvpSJVZ4zsRgIhk  
lKVqjcAiPsKfckF3NBM4BzeVVuqYDFPtbj-M1pFzOgpxg9g1GQuxh-zj2HW71ilU0ZLQZlorRFlwgf5QoX8hsQvC3xEPx8agey321PTaEbJHuusY9aNYldSPPkja-vn2JJy-qYrWv7bZcpVZWZf5qYyZVGuGO1bn  
DORqPjInu3oy3EqYArsprSmZqmCod87Zt2kC6\_rqWtwjavUS3ltuFLKSgfmX2vz3LxmvetYM004nr9S5SWzGxpSo6fgFBcA1RV8uhsGZqQsRQG8nIxFfoG3U-bkXjoSmIzrs4UH8A529ES4uARf1aOewgF3fRv  
43q2nKBcDNMopaTAqL2vv7ijeO5QSW84GrqWYoh0YV558iiWYs7Hs-3MJQ\_w9ZCplIxQ4HfnKiSvpjConMPqPjeeREychtwViChsUEva4Z-6ccJ0xL2gFkiJJaFm\_si0XdiUJjATRdrroeycrHRVtrjmXMzddBc7fUk  
J16iCVW0dIOL0w7AJMwpG2xTlwLh5iKTCTOwxi6dFvO2BoDvA-6pJNOcPOiqeoHRZiQwQvrnDmo\_tesY0U3Ripq4jyxKZZvmVO-Q0H5miBUTi6MsI0AKtnHd5qj\_\_1HWTcDydDEjj1k59w\_F7WhXjJxJv7Hz2  
vpp3knyPin9U7vdKd\_VrCZe1Q4TTvug9KoxP9wW8Gk0qTbjGOsWEjz4aujb1rJMqYVA5qiqEVwTSCXLdduQ3ggt\_wmMCTIAIuHUiZ2LtCCA7Hb44M4620d0i\_CbwUElkB2P8N-MFJvxB-UmENmSS1UsF3w  
kt08IDoBgmRaoKDJWh9G8ey1woyNVhd0GlAwVF45aWNgqjv1zFSjSw6vjQiYCANQvvhYjAI\_nknNM3fLu1cVZoQoaPi8AQELuBJBSrawgnBWwJNBhze1zLXAp\_HMp1KvNfB1fJ60NXGfhjBNguSng-Ml3hl  
U1okl\_mQSavPYedHi\_m0JZZcjXxVbmAgsQZPG1Sc
Parameter Type What / why
GET Http Verb The request is done as an HTTP GET
https://signin.telenorid-staging.com/oauth/authorize URI The endpoint to start Telenor ID authorize handshake
client_id=tnn-ibistesttwo-web String The IBIS client ID
redirect_uri=https%3A%2F%2Fid-test.telenor.no%2Fsignin-tnn-ibistesttwo-web URI Where should the user be redirected to after the “authorise handshake” is completed, i.e. the user has successfully logged in.
response_type=code String Indicates what response type IBIS want from the authorisation server (Telenor ID), in this is instance IBIS want an authorisation code.
scope=openid%20profile%20email%20phone Space-separated strings Which scopes IBIS are requesting on behalf of your client and user.
code_challenge=v0wdcyZ-P3LgTP17vPmElgtBcIxW8Cbst6irXv1wfhA String, PKCE Hash of a securely, randomly generated number in IBIS.
code_challenge_method=S256 String Indications which hashing algorithm was used for the code_challenge
response_mode=form_post String Tells Telenor ID that IBIS want the response as form_post
nonce=637562355885178265.NGVkZWFmNTYtMjBkZi00Njlm… String, Nonce  
login_hint=%2B4799957008 String Tells Telenor ID which MSISDN to prompt the user for at login
state=CfDJ8KA_0MCpmkxDr6_f25p5Z6N_gpjS6K4IRqCn_YuIDIDS58MN… String, Nonce A nonce to prevent replay-attacks (a state should only be seen once, and must match on both ends of the transaction).
response 303 See Other  
https://signin.telenorid-staging.com/v2/signin   
Location:
https://signin.telenorid-staging.com/v2/signin?authentication\_request=eyJraWQiOiIxIiwiYWxnIjoiUlMyNTYifQ.eyJsb2MiOiJubyIsImxzaSI6ImYxN2IxMzRjLWY1ZWYtNGUyZi1iZjUxLThiM2I5O  
DQzN2ZmYiIsImxvaCI6WyIrNDc5OTk1NzAwOSJdLCJzZHYiOm51bGwsInB1bCI6ZmFsc2UsInN1aSI6bnVsbCwiYWFoIjpudWxsLCJoZWUiOnRydWUsInN1biI6bnVsbCwicHV0IjoibXNpc2RuIiwiY  
WNyIjpbIjIiXSwiYnJkIjoidGVsZW5vcmlkIiwiaGV0IjpudWxsLCJzZW4iOm51bGwsInNhbSI6W10sInJlcyI6Inc3c3VVaVNzU0kwWnJkMkJ2aXk5MjJNVnZsMSIsInNhcCI6IndlYiIsImFwdCI6IndlYiIsInN  
hdCI6bnVsbCwic2xhIjpudWxsLCJ0YXUiOmZhbHNlLCJhdWMiOiJodHRwczpcL1wvc2lnbmluLnRlbGVub3JpZC1zdGFnaW5nLmNvbVwvb2F1dGhcL2F1dGhlbnRpY2F0aW9uX2NhbGxiYWNrIiwib  
HByIjpmYWxzZSwibnByIjpmYWxzZSwiZXNjIjpbImVtYWlsIiwicGhvbmVfbnVtYmVyIl0sIm5sciI6ZmFsc2UsInNscyI6dHJ1ZSwic2x1Ijp0cnVlLCJkaWQiOm51bGwsImNpZCI6InRubi1pYmlzdGVzdHR  
3by13ZWIifQ.E\_NEaIbLxnK02TbkTr-Ajl4Zwk3fT3pPCkwmrzOYOFKEprT49E7htbZKjQfqMn7IHF8TJKWcI2VI\_9HbU99dvHBjTVUGGzIg91\_5KHlwpty7Ntk9JrhNtZcseVAvHI05cr9vOaRWnoVxixztEE  
kqfY0-NasiMqsixW0ZW41widc

Step 3:: User Login: Telenor ID Sign-in

The user will log in at the selected IDP, here Telenor ID at Telenor Digital

GET request
https://signin.telenorid-staging.com/v2/signin 
https://signin.telenorid-staging.com/v2/signin?authentication\_request=eyJraWQiOiIxIiwiYWxnIjoiUlMyNTYifQ.eyJsb2MiOiJubyIsImxzaSI6ImYxN2IxMzRjLWY1ZWYtNGUyZi1iZjUxL  
ThiM2I5ODQzN2ZmYiIsImxvaCI6WyIrNDc5OTk1NzAwOSJdLCJzZHYiOm51bGwsInB1bCI6ZmFsc2UsInN1aSI6bnVsbCwiYWFoIjpudWxsLCJoZWUiOnRydWUsInN1biI6bnVsbCwicHV  
0IjoibXNpc2RuIiwiYWNyIjpbIjIiXSwiYnJkIjoidGVsZW5vcmlkIiwiaGV0IjpudWxsLCJzZW4iOm51bGwsInNhbSI6W10sInJlcyI6Inc3c3VVaVNzU0kwWnJkMkJ2aXk5MjJNVnZsMSIsInNhcC  
I6IndlYiIsImFwdCI6IndlYiIsInNhdCI6bnVsbCwic2xhIjpudWxsLCJ0YXUiOmZhbHNlLCJhdWMiOiJodHRwczpcL1wvc2lnbmluLnRlbGVub3JpZC1zdGFnaW5nLmNvbVwvb2F1dGhcL2F1  
dGhlbnRpY2F0aW9uX2NhbGxiYWNrIiwibHByIjpmYWxzZSwibnByIjpmYWxzZSwiZXNjIjpbImVtYWlsIiwicGhvbmVfbnVtYmVyIl0sIm5sciI6ZmFsc2UsInNscyI6dHJ1ZSwic2x1Ijp0cnVlLCJ  
kaWQiOm51bGwsImNpZCI6InRubi1pYmlzdGVzdHR3by13ZWIifQ.E\_NEaIbLxnK02TbkTr-Ajl4Zwk3fT3pPCkwmrzOYOFKEprT49E7htbZKjQfqMn7IHF8TJKWcI2VI\_9HbU99dvHBjTVUGG  
zIg91\_5KHlwpty7Ntk9JrhNtZcseVAvHI05cr9vOaRWnoVxixztEEkqfY0-NasiMqsixW0ZW41widc
Parameter Type What / why
GET Http Verb The request is done as an HTTP GET
https://connect.staging.telenordigital.com/id/signin URI The endpoint at Telenor Digital to contact
authentication_request=eyJraWQiOiIxIiwiYWxnIjoiUlMyNTYifQ.e…. String  

| response 200 OK | | | —————— | —– |

Login with TelenorID: mobile

Next Page

POST request
https://signin.telenorid-staging.com/v2/api/next
Parameter Type What / why
POST Http Verb The request is done as an HTTP POST
https://signin.telenorid-staging.com/v2/api/next URI The endpoint to contact
username=%2B47%20999%2057%20009 String  
nounce=03b066f3-d805-42d7-a7ea-592fd0634a91 String, nonce  
stay_signed_in=false    

| response 200 OK | | | —————— | —– |

Login with TelenorID: otp

Next Page

POST request
https://signin.telenorid-staging.com/v2/api/next
Parameter Type What / why
POST Http Verb The request is done as an HTTP POST
https://signin.telenorid-staging.com/v2/api/next URI The endpoint to contact
pin=**** String The PIN code entered by the End User
nounce=b3dd1f00-8318-46d1-9f15-6a96ef431ad6 String, nonce  

| response 200 OK | | | —————— | —– |

Step 4:: IBIS Callback: Redirect from TelenorID to IBIS

Once the user has logged in they will be redirected back to IBIS. In the callback is IBIS’s authentication code which IBIS will use to receive tokens (id_token, access_tokens) from the external IDP (here Telenor ID at Telenor Digital).
This whole process is transparent to the user; they will only see the browser “flash” (between redirects).

GET request
https://id-test.telenor.no/signin-tnn-ibistesttwo-web 
https://id-test.telenor.no/signin-tnn-ibistesttwo-web?code=tsWOTDhdHxM3XLrZqPbpLECqBRU&state=CfDJ8KA\_0MCpmkxDr6\_f25p5Z6N\_gpjS6K4IRqCn\_YuIDIDS58MNzIDZ\_pVG  
GTyCsHkQ3Yvpsm31mxuncz30vZHNHlqSTXXgIyUCIdfMUg7RBqQzCBvpSJVZ4zsRgIhklKVqjcAiPsKfckF3NBM4BzeVVuqYDFPtbj-M1pFzOgpxg9g1GQuxh-zj2HW71ilU0ZLQZlorRFlwgf  
5QoX8hsQvC3xEPx8agey321PTaEbJHuusY9aNYldSPPkja-vn2JJy-qYrWv7bZcpVZWZf5qYyZVGuGO1bnDORqPjInu3oy3EqYArsprSmZqmCod87Zt2kC6\_rqWtwjavUS3ltuFLKSgfmX2vz3Lx  
mvetYM004nr9S5SWzGxpSo6fgFBcA1RV8uhsGZqQsRQG8nIxFfoG3U-bkXjoSmIzrs4UH8A529ES4uARf1aOewgF3fRv43q2nKBcDNMopaTAqL2vv7ijeO5QSW84GrqWYoh0YV558iiWYs7H  
s-3MJQ\_w9ZCplIxQ4HfnKiSvpjConMPqPjeeREychtwViChsUEva4Z-6ccJ0xL2gFkiJJaFm\_si0XdiUJjATRdrroeycrHRVtrjmXMzddBc7fUkJ16iCVW0dIOL0w7AJMwpG2xTlwLh5iKTCTOwxi6dFv  
O2BoDvA-6pJNOcPOiqeoHRZiQwQvrnDmo\_tesY0U3Ripq4jyxKZZvmVO-Q0H5miBUTi6MsI0AKtnHd5qj\_\_1HWTcDydDEjj1k59w\_F7WhXjJxJv7Hz2vpp3knyPin9U7vdKd\_VrCZe1Q4TTvug  
9KoxP9wW8Gk0qTbjGOsWEjz4aujb1rJMqYVA5qiqEVwTSCXLdduQ3ggt\_wmMCTIAIuHUiZ2LtCCA7Hb44M4620d0i\_CbwUElkB2P8N-MFJvxB-UmENmSS1UsF3wkt08IDoBgmRaoKDJWh9  
G8ey1woyNVhd0GlAwVF45aWNgqjv1zFSjSw6vjQiYCANQvvhYjAI\_nknNM3fLu1cVZoQoaPi8AQELuBJBSrawgnBWwJNBhze1zLXAp\_HMp1KvNfB1fJ60NXGfhjBNguSng-Ml3hlU1okl\_mQS  
avPYedHi\_m0JZZcjXxVbmAgsQZPG1Sc
Parameter Type What / why
GET Http Verb The request is done as an HTTP GET
https://idp.telenorid-staging.com/signin-tnn-ibistesttwo-web URI The endpoint to contact
code=tsWOTDhdHxM3… String authentication code
state=CfDJ8KA_0MCp… String  
response 302 Found  
  The user is redirected to the internal controller which filters which IDPs are to be shown on the next screen. 
Location: 
/External/Callback

Step 5:: Client Callback: Redirect from IBIS to Client Application

After IBIS has exchanged tokens with the external IDP it is time to redirect the user back to the original client (i.e. your app) - here the demo debugger

GET request
https://oidc-test.telenor.no//callback 
https://oidc-test.telenor.no//callback?code=2E686206E5F07FF20338EC93F5C630A24E1BA4B2FE1F931ED206C88CED68DAD6&  
scope=openid%20profile%20ial2&state=7e4f397b7cc94717bd57ce65d1daa1e6&  
session\_state=ohX8CT0saGEyBpDWgtHPEqi1mio\_HxIWEeC5LVTap1g.28D0EA52A8BE49912DDE6437B8B1EC55
Parameter Type What / why
GET Http Verb The request is done as an HTTP GET
https://oidc-test.telenor.no//callback URI The address to redirect the user to, sent in as a parameter (redirect_uri) in Step 1:: Start Authorization: /authorize. In this case, the Debugger.
code=04E9BD43396A… String The Authentication Code. To be used in exchange for tokens. This is a very sensitive parameter.
scope=openid%20profile%20ial2   The scopes the client has been granted access to. Note: The accepted scopes may differ from those you requested; the user may not have given consent to all scopes
state=ab1dbd3b9638…   The same state parameter seen in Step 1:: Start Authorization: /authorize.
session_state=0fi9HY43J9W8HcnW…   The IBIS reference to the newly created user session

| response 200 OK | | | —————— | —– |

Step 6:: Fetch Tokens: /token

POST request
https://id-test.telenorid.no/connect/token
Parameter Type What / why
POST Http Verb The request is done as an HTTP POST
https://id-test.telenorid.no/connect/token URI The endpoint to contact
client_id=mainflow-client String The client ID, same as in Step 1:: Start Authorization: /authorize.
code=04E9BD43396A… String The Authentication Code. Received in Step 5:: Client Callback: Redirect from IBIS to Client Application.
redirect_uri=https%3A%2F%2Fidp.telenorid-staging.com%2Fui%2Fdebugger%2Fcallback URI The client’s redirect URI from Step 1:: Start Authorization: /authorize.
code_verifier=5d3c6ab1d5d346b38cf0223c4c1fb96f9f10a782956a40a885f9e19f277b6608955b3b0677f64eada2a0e86d56070213 String, PKCE The PKCE. Note that this time we send the actual code, not the hash. IBIS will not attempt to recreate the hash seen in Step 1:: Start Authorization: /authorize - they must match.
grant_type=authorization_code String How we request tokens, again we are using the authorization_code flow.
response 200 OK    
The response from Step 6:: Fetch Tokens: /token will be a JSON Object containing our tokens    
access_token: “eyJhbGciOiJSUzI1NiIsImtpZCI6IjQ3ZmQ4MzE0LTZhOGEtNDcxNS1i…” String, JWT The Access Token
id_token: “eyJhbGciOiJSUzI1NiIsImtpZCI6IjQ3ZmQ4MzE0LTZhOGEtNDcxNS1iNGJi…” String, JWT The ID Token
expires_in: 3600 Int, Seconds Convince property to aid the implementing developer to configure correct refresh window
scope: “openid profile ial2” Space-separated strings Convince property: Which scopes are found in the access_token
token_type: “Bearer” String How the access_token should be sent to consuming APIs.
    Eg. curl -H 'Accept: application/json' -H "Authorization: Bearer ${TOKEN}" https://{hostname}/api/myresource

Step 7:: Get User Info: /userinfo

GET request
https://id-test.telenor.no/connect/userinfo
Parameter Type What / why
GET Http Verb The request is done as an HTTP GET
https://id.telenor.no/connect/userinfo URI The endpoint to contact using The Access Token Received in Step 6:: Fetch Tokens: /token
    Eg. curl "https://id-test.telenor.no/connect/userinfo" -H "Authorization: Bearer ${TOKEN}"
response 200 OK
birthdate: “1971-01-23”
family_name: “Telenormobilno”
given_name: “Ulv”
ial: “telenor.identity.ial2”
kurtid: “6501333”
sub: “920a05cc-0a3f-48b9-8d7d-df978bd2cc9f”

Step 8:: Check Session: /Checksession

GET request
https://id-test.telenor.no/connect/checksession
Parameter Type What / why
GET Http Verb The request is done as an HTTP GET
https://id-test.telenor.no/connect/checksession URI The endpoint to contact
    Eg. curl "https://id-test.telenor.no/connect/userinfo" -H "Authorization: Bearer ${TOKEN}"

| response 200 OK | | —————- |

Debugger end page - successful login

{
    userinfo:{
        s_hash:"xgBOLuZLNi2vC_FkIHDQdw"
        sid:"B1109E72ADE59E49EA79CB610FF43C8F"
        sub:"920a05cc-0a3f-48b9-8d7d-df978bd2cc9f"
        auth_time:1620638797
        idp:"no.telenor.id.proxy.demo-client"
        given_name:"Ulv"
        family_name:"Telenormobilno"
        ial:"telenor.identity.ial2"
        amr:[
            "urn:tnidplus:std"
        ]
        kurtid:"6501333"
        birthdate:"1971-01-23"
    }
    jwt_access_token:{
        nbf:1620638798
        exp:1620642398
        iss:"https://idp.telenorid-staging.com"
        client_id:"mainflow-client"
        sub:"920a05cc-0a3f-48b9-8d7d-df978bd2cc9f"
        auth_time:1620638797
        idp:"no.telenor.id.proxy.demo-client"
        ibis.sid:"c9a06300-4781-4d23-a1e7-8276ba4280fc"
        jti:"11E9EFC0532F87D689A55F7BD3A23E0B"
        sid:"B1109E72ADE59E49EA79CB610FF43C8F"
        iat:1620638798
        scope:[
            "openid"
            "profile"
            "ial2"
        ]
        amr:[
            "urn:tnidplus:std"
        ]
    }
    jwt_id_token:{
        nbf:1620638798
        exp:1620639098
        iss:"https://idp.telenorid-staging.com"
        aud:"mainflow-client"
        iat:1620638798
        at_hash:"_s441y6TALsgsnvFX2kZ4w"
        s_hash:"xgBOLuZLNi2vC_FkIHDQdw"
        sid:"B1109E72ADE59E49EA79CB610FF43C8F"
        sub:"920a05cc-0a3f-48b9-8d7d-df978bd2cc9f"
        auth_time:1620638797
        idp:"no.telenor.id.proxy.demo-client"
        given_name:"Ulv"
        family_name:"Telenormobilno"
        ial:"telenor.identity.ial2"
        amr:[
            "urn:tnidplus:std"
        ]
    }
}
copy
{
    access_token:"eyJhbGciOiJSUzI1NiIsImtpZCI6IjQ3ZmQ4MzE0LTZhOGEtNDcxNS1iNGJiLWM4NzRhMDc0ZTM4MCIsInR5cCI6ImF0K2p3dCJ9.eyJuYmYiOjE2MjA2Mzg3OTgsImV4cCI6MTYyMDY0MjM5OCwiaXNzIjoiaHR0cHM6Ly9pZHAudGVsZW5vcmlkLXN0YWdpbmcuY29tIiwiY2xpZW50X2lkIjoibWFpbmZsb3ctY2xpZW50Iiwic3ViIjoiOTIwYTA1Y2MtMGEzZi00OGI5LThkN2QtZGY5NzhiZDJjYzlmIiwiYXV0aF90aW1lIjoxNjIwNjM4Nzk3LCJpZHAiOiJuby50ZWxlbm9yLmlkLnByb3h5LmRlbW8tY2xpZW50IiwiaWJpcy5zaWQiOiJjOWEwNjMwMC00NzgxLTRkMjMtYTFlNy04Mjc2YmE0MjgwZmMiLCJqdGkiOiIxMUU5RUZDMDUzMkY4N0Q2ODlBNTVGN0JEM0EyM0UwQiIsInNpZCI6IkIxMTA5RTcyQURFNTlFNDlFQTc5Q0I2MTBGRjQzQzhGIiwiaWF0IjoxNjIwNjM4Nzk4LCJzY29wZSI6WyJvcGVuaWQiLCJwcm9maWxlIiwiaWFsMiJdLCJhbXIiOlsidXJuOnRuaWRwbHVzOnN0ZCJdfQ.cT0h5s8MKXPLfB\_5YsUMxcZdFdJXbM0WAbc1yc33lMarCveqqIG35vM82Its-fLZBSd8v2eWqSl8lkk\_VgFMCNp8nbwL0M1i9WtlrG9rD25KSOdezpGsF8FMBmPkhtVUFPh242-i0yJAJUChEMu4518zpyF6xzsJ4Gp5z78VUJ5KtFmjnENanEFG1b0RzcfvT27HWYwAuEZa0cI7zaPx3XtP7ZYjlcQ9yEjibxTXTkV4WkIX0Mbxq2bsOvhHlv\_EynlX0\_\_7wBfUk8EgqukjqbyTtywSt\_LrYK7XmxcN2Z8I9qCTQwLS-EMpbW5JoZV94nU8Ho6jsQnGBMCk-BDDPA"
}

TelenorID+ User Login Sequence Diagram

User Login Sequence Diagram