...

Signing

The OIDC Provider from BankID supports signing of the following data elements:

It supports decryption of the following element:

Statically configured asymmetric keys are used for signing according to the details described in Jwk. OIDC Clients must validate signatures as part of token validation to ensure that tokens have not been tampered with after being issued by the OIDC Provider from BankID. The same applies to validation of responses from the TINFO resource server.

Keys used for signing are marked with

Code Block
"use":"sig"

...

Encryption

Warning

Encryption of parameters containing personal information may be mandatory in the future.

We also support decryption of the following element(s):

Statically configured asymmetric keys are used for encryption according to the details described in Jwk. OIDC Clients may encrypt the value of the login hint to ensure that personal information does not leak into the user agent history.

Keys used for encryption are marked with

Code Block
"use":"enc"

...

The encryption algorithms supported for now are:

Alg       Enc
ECDH-ES   A128GCM

The encrypted login_hint should be formatted as a JWE Compact Serialization. The ciphertext is the encrypted plaintext login_hint.

Example

A typical login hint:

Code Block
login_hint=BID:14025800177

will, using the encryption key from the Jwk example, be:

Info

login_hint=eyJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTI1NiIsIngiOiJjSm1XTWtrcXlWUDYtbFcya3hoSElUZG5oNkR1MkNzUklZZzBja3lXdVdBIiwieSI6IlRpbDROMFlGNWFSNnJJUWpHRjY4cWRkQ2ZfcDJuVmJCM1RMY2U2bDNxVlkifSwia2lkIjoiZW5jcnlwdGtleSIsImVuYyI6IkExMjhHQ00iLCJhbGciOiJFQ0RILUVTIn0..DzbBsb5mQSl-S-zG.-hL1oyZNRrqkp4UJHxX_.Q0n47mXdkmAoDfSqu-vkEg

The header part of the JWE object is in this case:

Code Block
{
  "epk": {
    "kty": "EC",
    "crv": "P-256",
    "x": "cJmWMkkqyVP6-lW2kxhHITdnh6Du2CsRIYg0ckyWuWA",
    "y": "Til4N0YF5aR6rIQjGF68qddCf_p2nVbB3TLce6l3qVY"
  },
  "kid": "encryptkey",
  "enc": "A128GCM",
  "alg": "ECDH-ES"
}

The BankID OIDC provider uses the kid value to select the correct key for decryption. If the kid value is not set, decryption fails.

...

The message to be encrypted is not JSON, it is simply:

Code Block
BID:14025800177
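The header-level checks a receiver performs on an encrypted login_hint before attempting decryption, as an added example that is not part of the BankID documentation or its implementation: it splits the JWE Compact Serialization, decodes the protected header, verifies the alg/enc pair listed above, requires a kid, and resolves it against a constructed JWK set (the JWKS and the "signkey" entry are assumptions made for the example; no actual decryption is performed).

```python
import base64
import json

# Constructed stand-in for the provider's published JWK set: only the fields this
# check reads are included (real keys also carry the "x"/"y" coordinates).
JWKS = {"keys": [
    {"kty": "EC", "crv": "P-256", "kid": "encryptkey", "use": "enc"},
    {"kty": "EC", "crv": "P-256", "kid": "signkey", "use": "sig"},
]}
SUPPORTED = {("ECDH-ES", "A128GCM")}  # the alg/enc pair the page lists


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, as used in JWE Compact Serialization."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_jwe_compact(token: str) -> dict:
    """Split header.encrypted_key.iv.ciphertext.tag and decode the protected header."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("JWE Compact Serialization needs exactly 5 dot-separated parts")
    return {"header": json.loads(b64url_decode(parts[0])),
            "encrypted_key": b64url_decode(parts[1]),
            "iv": b64url_decode(parts[2]),
            "ciphertext": b64url_decode(parts[3]),
            "tag": b64url_decode(parts[4])}


def check_encrypted_login_hint(token: str, jwks: dict) -> dict:
    """Checks done before decrypting; returns {"ok", "reason", "key"} instead of raising."""
    try:
        jwe = parse_jwe_compact(token)
    except ValueError as exc:  # covers malformed base64 and non-JSON headers too
        return {"ok": False, "reason": str(exc), "key": None}
    hdr = jwe["header"]
    if (hdr.get("alg"), hdr.get("enc")) not in SUPPORTED:
        return {"ok": False, "reason": f"unsupported alg/enc {hdr.get('alg')}/{hdr.get('enc')}", "key": None}
    # ECDH-ES direct key agreement: no wrapped key, and the sender's ephemeral key is in "epk".
    if jwe["encrypted_key"] != b"" or hdr.get("epk", {}).get("crv") != "P-256":
        return {"ok": False, "reason": "ECDH-ES needs an empty encrypted key and a P-256 epk", "key": None}
    if len(jwe["iv"]) != 12 or len(jwe["tag"]) != 16:
        return {"ok": False, "reason": "A128GCM needs a 96-bit IV and a 128-bit tag", "key": None}
    kid = hdr.get("kid")
    if not kid:
        return {"ok": False, "reason": "kid missing: decryption fails", "key": None}
    for key in jwks["keys"]:
        # A key published for signing ("use":"sig") must not be selected for decryption.
        if key.get("kid") == kid and key.get("use") == "enc":
            return {"ok": True, "reason": "ready to decrypt", "key": key}
    return {"ok": False, "reason": f"no key marked use=enc with kid {kid!r}", "key": None}
```

Run against the login_hint value shown above, the checks pass with kid "encryptkey"; dropping the kid or pointing it at a signing key is rejected before any key agreement takes place.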