Always verify the "exp" claim to make sure the token hasn’t expired
Always verify the claim "nbf" to make sure the token actually is "active"
When verifying claims with timestamps, take into account that there may be some time skew between the token issuer and your internal systems.
Always verify the claim "iss" to make sure that the token issuer is someone you actually trust
Always verify the claim "aud" to make sure that the token is intended for you
Reject the request if the "aud" claim is missing
Consider rejecting tokens with multiple values in the “aud” claim.
If you use "scopes" for access control you must always make sure that the values in the “scope” claims are valid and correct.
Always validate and verify that the value in the claim "security_level" “helseid://claims/identity/assurance_level“, alternatively “helseid://claims/identity/security_level”, corresponds with the requirements for your API.
Always validate Consider validating and verify verifying the value in the claim "helseid://claims/identity/pid".Always validate
Consider validating and verify verifying the value in the claim "helseid://claims/hpr/hpr_nrnumber".Always validate
Consider validating and verify verifying the value in the claim "orgnr".claims containing organizational identitfiers, e.g. “helseid://claims/client/claims/orgnr_parent“ and “helseid://claims/client/claims/orgnr_child“