Signing
The OIDC Provider from BankID supports signing of the following data elements:
...
This login_hint encryption is a BankID OIDC proprietary functionality. Encryption of the request parameter, which was introduced later, is sufficient on its own. The login_hint encryption is therefore deprecated, but still working.
Statically configured asymmetric keys are used for encryption according to the details described in Jwk. OIDC Clients may encrypt the value of the login hint to ensure that personal information does not leak into the user agent history.
Remark that the encryption keys for login_hint are published through the BankID OIDC specific jwks_uri_enc, while encryption keys for the request parameter are published through the OIDC standard jwks_uri.
Warning: Using an encrypted request parameter makes the initial authorize request to BankID OIDC confidential. Later in the internal redirect flow between BankID OIDC components, values from the request object may be shown in cleartext. See known issues (C12).
Keys used for encryption are all marked with
...
login_hint Alg | login_hint Enc | request parameter Alg | request parameter Enc
---|---|---|---
ECDH-ES | A128GCM | RSA1_5 | See openid-configuration document
RSA-OAEP | A128CBC-HS256 | RSA-OAEP | See openid-configuration document
RSA-OAEP-256 | A128CBC-HS256 | RSA-OAEP-256 | See openid-configuration document
...