Use the discovery endpoint to find the URL for the token endpoint.
[E-Consent host]/e-consent/.well-known/openid-configuration
The response from the endpoint is a JSON structure with the standard OIDC fields access_token, token_type, refresh_token and expires_in. In addition, there is a field with the same name as the token name used in the custom_claims section of the request. The value of this field is a signed JWT. The payload of the JWT contains the following fields:
| Claim | Description |
| --- | --- |
| sub | Subject identifier, the ID of the signer. If possible, E-Consent extracts the SSN (social security number) during the signing or identification. |
| iss | The URL of the issuer. The base of the redirect_url to the authorization endpoint is used. |
| exp | When the token expires, as a UNIX timestamp. |
| iat | When the token was issued, as a UNIX timestamp. |
| aud | Space-separated list of audiences (who can use the token). For now, only the ID of the requesting client_id is added. |
| auth_time | Time when the user authenticated, as a UNIX timestamp. |
| amr | Authentication methods used (e.g. "E-signing", "BankID mobile", ...). |
| scope | The operation that the token can be used for. Same as the input scope to the authorization endpoint. |
| ... rest of claims | The custom claims as passed to the authorization endpoint. |
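
The claim checks a client would typically run on this payload, as an added example that is not E-Consent code. The token name `consent_token`, the client ID, issuer, scope value and all sample values are constructed assumptions. The example only decodes the JWT; the signature must be verified before any claim is trusted.

```python
import base64, json, time

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def jwt_payload(token_response, token_name):
    """Decode the payload of the JWT stored under the custom token name.
    Decoding is not verification: check the signature before trusting claims."""
    parts = token_response[token_name].split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part signed JWT")
    return json.loads(b64url_decode(parts[1]))

def claim_errors(claims, client_id, issuer, scope, now=None, skew=60):
    """Return a list of problems; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    errors = []
    if claims.get("iss") != issuer:
        errors.append("iss mismatch")
    # aud is a space-separated list here, not a JSON array
    if client_id not in str(claims.get("aud", "")).split():
        errors.append("client_id not in aud")
    if claims.get("scope") != scope:
        errors.append("scope mismatch")
    ts = {n: claims.get(n) for n in ("exp", "iat", "auth_time")}
    bad = [n for n, v in ts.items()
           if isinstance(v, bool) or not isinstance(v, (int, float))]
    errors += [n + " missing or not numeric" for n in bad]
    if "exp" not in bad and ts["exp"] <= now - skew:
        errors.append("token expired")
    for n in ("iat", "auth_time"):
        if n not in bad and ts[n] > now + skew:
            errors.append(n + " is in the future")
    return errors

def sample_token_response(now):
    """Constructed response; 'consent_token' and every value are made up."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    claims = {"sub": "constructed-signer-id", "iss": "https://econsent.example",
              "exp": now + 300, "iat": now, "aud": "client-123", "auth_time": now - 5,
              "amr": "BankID mobile", "scope": "sign", "document_id": "doc-1"}
    jwt = ".".join([enc({"typ": "JWT"}), enc(claims), "constructed-signature"])
    return {"access_token": "constructed", "token_type": "Bearer",
            "refresh_token": "constructed", "expires_in": 300, "consent_token": jwt}

if __name__ == "__main__":
    now = int(time.time())
    claims = jwt_payload(sample_token_response(now), "consent_token")
    print(claim_errors(claims, "client-123", "https://econsent.example", "sign", now))
```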