Versions Compared

Old Version 13

changes.mady.by.user Jan Åge Lavik

Saved on

compared with

New Version 14

changes.mady.by.user Jan Åge Lavik

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space PDOIDC and version master

Signed JWTs (JWS) are crucial to the OpenID Connect specification in order to ensure to ensure the authenticity and integrity of data exchanged between parties.

Encrypted JWTs (JWE) are also used to encrypt sensitive data when applicable. Cryptographic keys used for this purpose are published in the JWKs endpoint as JWKs. Note that these keys may change over time.

When integrating BankID over OpenID Connect you must always validate Tokens that are issued.

...

You should also strongly consider encrypting sensitive data using encrypted request objects.

Topics

Table of Contents
excludeTopics

Validation of Signed Tokens

...

  1. Extract the key information from the JWS Token header: kid, alg 
  2. Retrieve all JWK entries that BankID exposes from the JWKs endpoint.
  3. Keys used for signing can be filtered by the use attribute on each JWK. This value should be sig.
  4. Find the key used to sign the JWS Token by matching the kid, alg from (1) with the JWK entries.
  5. Extract the public key and certificate chain (x5c) from the JWK entry.
  6. Validate the origin of the key by verifying it's complete certificate chain (x5c) with our published root certificate.
  7. Validate the JWS token using the key.

...

Supported key encryption algorithms Supported content encryption algorithms 

ECDH-ES

RSA-OAEP

RSA-OAEP-256

A128GCM

A128CBC-HS256

A128CBC-HS256

...