Comment: Published by Scroll Versions from space PDOIDC and version OIDC_2019_4

The OIDC/OAuth2 standard defines the following different flows (grant types):

The OIDC Provider from BankID only supports Authorization code flow and Client credential flow.

...

The Authorization code flow concerns authentication of end-users followed by authorization of access to Value Added Services.

The Client credential flow concerns authorization of access to Value Added Services directly from an OIDC Client without involving an end-user.

...

Note

Implicit flow and Hybrid flow were previously supported by the OIDC Provider from BankID. This support has been removed due to a recent security best practice recommendation from the IETF.

Authorization code flow, as the only remaining option, covers all use cases, but requires a back-end integration for delivery of the tokens.
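A pre-flight check an OIDC Client could run against its own authorization requests to confirm they use only the Authorization code flow, as an added example that is not BankID's code: it classifies `response_type` per OpenID Connect Core 1.0 section 3 and RFC 6749. The endpoint host, `client_id` and redirect URI are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# response_type combinations and the flow each one selects
# (OpenID Connect Core 1.0 section 3; "token" alone is the OAuth2 implicit grant).
FLOW_BY_RESPONSE_TYPE = {
    frozenset({"code"}): "authorization_code",
    frozenset({"token"}): "implicit",
    frozenset({"id_token"}): "implicit",
    frozenset({"id_token", "token"}): "implicit",
    frozenset({"code", "id_token"}): "hybrid",
    frozenset({"code", "token"}): "hybrid",
    frozenset({"code", "id_token", "token"}): "hybrid",
}


def classify_response_type(response_type: str) -> str:
    """Map a space-delimited response_type value to the flow it selects."""
    parts = response_type.split()
    if len(parts) != len(set(parts)):  # repeated values are not a valid combination
        return "unknown"
    return FLOW_BY_RESPONSE_TYPE.get(frozenset(parts), "unknown")


def check_authorization_request(url: str):
    """Return (ok, detail); ok is True only for the Authorization code flow."""
    params = parse_qs(urlsplit(url).query)
    values = params.get("response_type", [])
    if len(values) != 1:  # missing, empty or duplicated parameter
        return False, "response_type must appear exactly once"
    flow = classify_response_type(values[0])
    if flow != "authorization_code":
        return False, f"{flow} flow requested (response_type={values[0]!r})"
    return True, flow


# Constructed sample requests (placeholder host and client).
BASE = ("https://oidc.example.invalid/authorize?client_id=demo-client&scope=openid"
        "&redirect_uri=https%3A%2F%2Fclient.example.invalid%2Fcb&state=xyz")
CODE_URL = BASE + "&response_type=code"
HYBRID_URL = BASE + "&response_type=code+id_token"
IMPLICIT_URL = BASE + "&response_type=id_token%20token"

if __name__ == "__main__":
    for u in (CODE_URL, HYBRID_URL, IMPLICIT_URL, BASE):
        print(check_authorization_request(u))
```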

The figure below provides an elaborated understanding of the message flow by showing an example of an Authorization code flow. The following applies for this particular example:

...