
Before you start

...

  1. Connect to the discovery endpoint to get the OpenID configuration.
    Note: Refresh your cached copy of this response regularly (at least daily).

    For the public test environment (CURRENT) the Discovery endpoint is:
    https://auth.current.bankid.no/auth/realms/current/.well-known/openid-configuration.

    See all environments.

  2. Use the authorization_endpoint found in the Discovery endpoint response.
    Note: Do not hard code this value. Retrieve the config regularly from the OIDC discovery endpoint, as it may change.

  3. Generate a random value for state and store it in your user session.
    1. The value must be non-guessable (e.g. GUID) and unique for each request.
    2. This value will be used to mitigate cross-site request forgery, but it can also be used by your application to link the callback request to the end-user session alongside a cookie.

  4. Generate a random value for nonce and store it in your user session.
    1. The value must be non-guessable, cryptographically random (your framework/language most likely has support for this) and unique for each request.
    2. This will be used to verify the integrity of the ID token and to mitigate replay attacks.

  5. Generate code_verifier for PKCE flow and store this in your user session.
    1. This is a cryptographically random string using the characters A-Z, a-z, 0-9, and the punctuation characters -._~ (hyphen, period, underscore, and tilde), between 43 and 128 characters long.
    2. This will be used to generate the code challenge (step 6) and during the Token exchange later.

  6. Generate code_challenge from the code_verifier by generating a Base64-URL-encoded string of the SHA256 hash of the code verifier.

  7. (Optional) Add a login_hint to the request to pre-select an IDP or pre-fill user information. If user information is included, we recommend using an encrypted request object.

  8. Finally, we can build the authorization URL by adding the following query parameters (see Authorize for more options):
    • client_id: Your assigned client ID with BankID OIDC.
    • scope: Comma separated list of scopes that indicate which information and resources you request access to. In the example below, we use openid and profile to get a regular ID token.
    • redirect_uri: URI to your server-side callback endpoint where you want to receive the callback response from the BankID OIDC service. This URL must be pre-registered with BankID OIDC.
    • response_type: Determines message flow. Only "code" is supported.
    • state: Your generated value for state.
    • nonce: Your generated value for nonce.
    • code_challenge: Your generated code_challenge.
    • code_challenge_method: S256
    • (optional) login_hint: Add login_hint here if applicable
    Example Authorization Request:

    GET authorization_endpoint
     ?client_id=your-client-id
     &scope=openid+profile
     &redirect_uri=https%3A%2F%2Fmywebapp.example.org%2Fcallback
     &response_type=code
     &state=01e3ac8e-4a26-4dfb-79ca-2631394c4144
     &nonce=1fb72f68-1bea-2ba2-12d7-24df1c999d1b
     &code_challenge=ixDBJg7pc3yT2h65DRvhjIbGko7U-t3cYVJmdMF-hTU
     &code_challenge_method=S256
     &login_hint=BID
  9. Redirect end-user to the built authorization URL to start BankID Authentication.
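The following is an added Python example (not part of the BankID documentation) that carries out steps 3 to 8 above: it creates the per-request state, nonce and code_verifier, stores them in a server-side session, derives the S256 code_challenge, and assembles the authorization URL with the listed query parameters. The session is modelled as a plain dict, and the endpoint, client_id and redirect_uri values are placeholders.

```python
import base64
import hashlib
import re
import secrets
import uuid
from typing import Optional
from urllib.parse import urlencode

# Step 5: allowed alphabet and length for a PKCE code_verifier (RFC 7636, 4.1).
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def generate_code_verifier(num_bytes: int = 32) -> str:
    """Cryptographically random verifier; 32 bytes base64url-encoded is 43 chars."""
    raw = base64.urlsafe_b64encode(secrets.token_bytes(num_bytes))
    return raw.rstrip(b"=").decode("ascii")


def code_challenge_s256(code_verifier: str) -> str:
    """Step 6: base64url(SHA256(code_verifier)) without '=' padding."""
    if not VERIFIER_RE.match(code_verifier):
        raise ValueError("code_verifier must be 43-128 chars of A-Z a-z 0-9 -._~")
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(authorization_endpoint: str, client_id: str,
                            redirect_uri: str, state: str, nonce: str,
                            code_verifier: str, login_hint: Optional[str] = None,
                            scope: str = "openid profile") -> str:
    """Step 8: only 'code' is supported for response_type; S256 for the challenge."""
    params = {
        "client_id": client_id,
        "scope": scope,                       # urlencode renders the space as '+'
        "redirect_uri": redirect_uri,         # must match the pre-registered URI
        "response_type": "code",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",
    }
    if login_hint:                            # step 7, optional
        params["login_hint"] = login_hint
    return f"{authorization_endpoint}?{urlencode(params)}"


def start_login(session: dict, authorization_endpoint: str, client_id: str,
                redirect_uri: str, login_hint: Optional[str] = None) -> str:
    """Steps 3-5: fresh values per request, kept server-side for the callback
    (state), ID token validation (nonce) and token exchange (code_verifier)."""
    session["state"] = str(uuid.uuid4())
    session["nonce"] = secrets.token_urlsafe(32)
    session["code_verifier"] = generate_code_verifier()
    return build_authorization_url(authorization_endpoint, client_id, redirect_uri,
                                   session["state"], session["nonce"],
                                   session["code_verifier"], login_hint)
```

The authorization_endpoint argument is the value read from the discovery document in step 2, not a hard-coded URL.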

...