...
...
...
Signed Tokens
Following well-established OpenID Connect standards, BankID signs all tokens it issues:
- ID Tokens
- Default Access Tokens
- Default Refresh Tokens
- Responses from the TINFO service
- Userinfo responses
Asymmetric keys are used for signing according to the details described in Jwk. The public keys are exposed in the JWKs endpoint. These keys may change, so make sure you keep them up to date (every 24 hours).
OIDC Clients must validate signatures, and compare the signing key's certificate chain with the published root certificate, as part of token validation to ensure that tokens have not been tampered with after being issued by the OIDC Provider from BankID. The same applies to validation of responses from the TINFO resource server.
Keys used for signing are marked with
...
In addition, this way you can always guarantee that the origin of the tokens is in fact BankID, and not a potential "man-in-the-middle" actor.
These steps are required to securely validate a JWS token (such as an ID Token) from BankID:
- Retrieve all JWK entries with "use": "sig" that BankID exposes from the JWKs endpoint.
- Find the key used to sign the JWS token by extracting the kid value from the JWS header.
- Match the kid value against the JWK entries from step 1 and extract the public key and the certificate chain (x5c).
- Validate the origin of the key by verifying its complete certificate chain (x5c) against our published root certificate.
- Validate the JWS token signature using that key.
- Using a well-maintained, community-provided library to validate JWS tokens is highly recommended.
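The steps above carried through in Go, as an added example that is not BankID's code and uses no BankID key: BuildFixture constructs a root certificate, a token-signing certificate issued under it, the matching JWKS entry (with x5c) and a signed ID token locally, so nothing is fetched from the real jwks_uri. ES256 as the signing algorithm and sig-1 as the kid are assumptions for the example; pin whatever alg the openid-configuration document actually advertises.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK carries the JWKS fields the check needs; x5c is the DER chain, leaf first.
type JWK struct {
	Kid string   `json:"kid"`
	Use string   `json:"use"`
	X5c []string `json:"x5c"`
}

// VerifyJWS runs the steps listed above on a compact JWS. ES256 is assumed here.
func VerifyJWS(token string, keys []JWK, root *x509.Certificate) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed compact JWS") }
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil { return nil, err }
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil { return nil, err }
	// Never let the token choose the algorithm: this blocks "none" and HMAC confusion.
	if hdr.Alg != "ES256" || hdr.Kid == "" { return nil, fmt.Errorf("unsupported alg %q or missing kid", hdr.Alg) }
	// Steps 1-2: consider only "use":"sig" entries and match on kid.
	var key *JWK
	for i := range keys {
		if keys[i].Use == "sig" && keys[i].Kid == hdr.Kid { key = &keys[i] }
	}
	if key == nil { return nil, fmt.Errorf("no signing key with kid %q", hdr.Kid) }
	// Step 3: verify the full x5c chain against the published root only (no system roots).
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	var leaf *x509.Certificate
	for i, b64 := range key.X5c {
		der, err := base64.StdEncoding.DecodeString(b64) // x5c entries are standard base64 DER
		if err != nil { return nil, err }
		cert, err := x509.ParseCertificate(der)
		if err != nil { return nil, err }
		if i == 0 { leaf = cert } else { inters.AddCert(cert) }
	}
	if leaf == nil { return nil, errors.New("JWK has no x5c chain") }
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil { return nil, fmt.Errorf("x5c chain is not issued under the published root: %w", err) }
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok { return nil, errors.New("leaf certificate does not carry an EC key") }
	// Step 4: an ES256 signature is r||s (32 bytes each) over SHA-256(header.payload).
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { return nil, errors.New("bad ES256 signature encoding") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) { return nil, errors.New("signature does not verify") }
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil { return nil, err }
	var claims map[string]any
	return claims, json.Unmarshal(payload, &claims)
}

// BuildFixture constructs an offline stand-in for the provider: a root CA, a signing
// certificate issued under it, the JWKS entry and a signed token (test data, not BankID's).
func BuildFixture() (string, []JWK, *x509.Certificate, error) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &rootKey.PublicKey, rootKey)
	if err != nil { return "", nil, nil, err }
	root, _ := x509.ParseCertificate(rootDER)
	signer := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Token Signer"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	leafDER, err := x509.CreateCertificate(rand.Reader, signer, root, &leafKey.PublicKey, rootKey)
	if err != nil { return "", nil, nil, err }
	keys := []JWK{{Kid: "sig-1", Use: "sig", X5c: []string{base64.StdEncoding.EncodeToString(leafDER)}}}
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"ES256","kid":"sig-1"}`))
	body := base64.RawURLEncoding.EncodeToString([]byte(`{"iss":"https://oidc.example.invalid","sub":"user-1"}`))
	digest := sha256.Sum256([]byte(hdr + "." + body))
	r, s, err := ecdsa.Sign(rand.Reader, leafKey, digest[:])
	if err != nil { return "", nil, nil, err }
	sig := make([]byte, 64)
	r.FillBytes(sig[:32]); s.FillBytes(sig[32:])
	return hdr + "." + body + "." + base64.RawURLEncoding.EncodeToString(sig), keys, root, nil
}

func main() {
	token, keys, root, err := BuildFixture()
	if err != nil { panic(err) }
	fmt.Println(VerifyJWS(token, keys, root))
}
```

In production the key set comes from the jwks_uri over TLS and is cached and refreshed (every 24 hours, as stated above, plus a refetch when a token arrives with an unknown kid), and root is the published root certificate loaded from your own trust store, never taken from the JWKS itself. Note what the function refuses: an algorithm other than the pinned one, a key not marked "use":"sig", and an x5c chain that does not end at root; the last is what makes a key substituted by a "man-in-the-middle" actor fail at step 3 instead of being accepted. The usual claim checks (iss, aud, exp, nonce) still follow after the signature check, as for any ID Token.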
Signed Authorization Requests
BankID OIDC supports signed incoming Authorization Requests in the following forms:
- the request authorize parameter (a signed request object)
- the private_key_jwt client_assertion object
To support this validation, a jwks_uri must be registered for the given OIDC client (merchant), so that the BankID OIDC provider can retrieve the keys needed to validate the signatures.
...
Contact us for more information.
Encrypted Authorization Requests
Warning |
---|
Encryption of parameters containing personal information may be mandatory in the future. |
The OIDC provider from BankID supports encryption of incoming Authorization Requests through the following element(s):
- login_hint encryption (deprecated)
- the request authorize parameter (an encrypted request object)
This login_hint encryption is a BankID OIDC proprietary functionality. Encryption of the request parameter, which was introduced later, is sufficient since the login_hint may be placed inside a request parameter. The login_hint encryption is therefore deprecated.
Asymmetric keys are used for encryption according to the details described in Jwk. OIDC Clients may encrypt the value of the login_hint to ensure that personal information does not leak into the user agent history.
Note that the encryption keys for login_hint are published through the BankID OIDC specific jwks_uri_enc, whereas the encryption keys for the request parameter are published through the standard OIDC jwks_uri.
Warning |
---|
Using an encrypted request parameter makes the initial authorize request to BankID OIDC confidential. Later in the internal redirect flow between BankID OIDC components, values from the request object may be shown in cleartext. See known issues (C12). |
Encryption can be useful to ensure that personal information (for example passed through login_hint) is not leaked in the browser history or the URL.
The login_hint encryption is deprecated as it is being replaced by the standard encrypted request parameter.
Asymmetric Keys used for encryption in JWKs are all marked with
Code Block |
---|
"use":"enc". |
...
login_hint Alg | login_hint Enc | request parameter Alg | request parameter Enc |
---|---|---|---|
ECDH-ES | A128GCM | RSA1_5 | See openid-configuration document |
RSA-OAEP | A128CBC-HS256 | RSA-OAEP | See openid-configuration document |
RSA-OAEP-256 | A128CBC-HS256 | RSA-OAEP-256 | See openid-configuration document |
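The request-parameter path from the table, as an added example that is not BankID's code: a request object carrying login_hint is encrypted to a "use":"enc" RSA key as a compact JWE using RSA-OAEP-256 for the content key and A128CBC-HS256 for the content. The content encryption is an assumption for the request parameter, since the page defers that value to the openid-configuration document. The RSA key pair, the kid enc-1 and the request JSON are constructed locally; the decrypt side is included only to prove the round trip and to show the tag-before-decrypt order a receiver must keep.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// cbcHmacTag is the A128CBC-HS256 tag (RFC 7518, section 5.2.2): HMAC-SHA256 over
// aad || iv || ciphertext || 64-bit big-endian bit length of aad, truncated to 16 bytes.
func cbcHmacTag(macKey, aad, iv, ct []byte) []byte {
	al := make([]byte, 8)
	binary.BigEndian.PutUint64(al, uint64(len(aad))*8)
	m := hmac.New(sha256.New, macKey)
	m.Write(aad); m.Write(iv); m.Write(ct); m.Write(al)
	return m.Sum(nil)[:16]
}

// EncryptRequestObject wraps a request object (the JSON that would otherwise travel
// in the request parameter in cleartext) as a compact JWE: RSA-OAEP-256 for the
// content key, A128CBC-HS256 for the content, addressed to the "use":"enc" key kid.
func EncryptRequestObject(pub *rsa.PublicKey, kid string, plaintext []byte) (string, error) {
	cek := make([]byte, 32) // bytes 0-15: HMAC key, bytes 16-31: AES-128 key (RFC 7518)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(cek); err != nil { return "", err }
	if _, err := rand.Read(iv); err != nil { return "", err }
	hdrJSON, _ := json.Marshal(map[string]string{"alg": "RSA-OAEP-256", "enc": "A128CBC-HS256", "kid": kid})
	hdr := b64.EncodeToString(hdrJSON)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil { return "", err }
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7: always 1..16 bytes
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(cek[16:])
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	tag := cbcHmacTag(cek[:16], []byte(hdr), iv, ct) // the AAD is the encoded header
	return strings.Join([]string{hdr, b64.EncodeToString(wrapped), b64.EncodeToString(iv),
		b64.EncodeToString(ct), b64.EncodeToString(tag)}, "."), nil
}

// DecryptRequestObject is the receiver-side inverse, included to prove the round trip.
// It pins alg/enc and verifies the tag before the ciphertext is touched.
func DecryptRequestObject(priv *rsa.PrivateKey, jwe string) ([]byte, error) {
	parts := strings.Split(jwe, ".")
	if len(parts) != 5 { return nil, errors.New("malformed compact JWE") }
	raw := make([][]byte, 5)
	for i, p := range parts {
		d, err := b64.DecodeString(p)
		if err != nil { return nil, fmt.Errorf("JWE part %d: %w", i, err) }
		raw[i] = d
	}
	var hdr struct{ Alg, Enc string }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RSA-OAEP-256" || hdr.Enc != "A128CBC-HS256" {
		return nil, errors.New("unexpected alg/enc in JWE header")
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, raw[1], nil)
	if err != nil || len(cek) != 32 { return nil, errors.New("content key unwrap failed") }
	iv, ct, tag := raw[2], raw[3], raw[4]
	if len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad iv or ciphertext length")
	}
	if !hmac.Equal(cbcHmacTag(cek[:16], []byte(parts[0]), iv, ct), tag) {
		return nil, errors.New("authentication tag mismatch")
	}
	block, _ := aes.NewCipher(cek[16:])
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || pad > len(pt) { return nil, errors.New("bad padding") }
	return pt[:len(pt)-pad], nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed receiver key, not a BankID key
	req := []byte(`{"client_id":"merchant-1","login_hint":"example-personal-id","scope":"openid"}`)
	jwe, _ := EncryptRequestObject(&priv.PublicKey, "enc-1", req)
	fmt.Println(jwe)
	fmt.Println(DecryptRequestObject(priv, jwe))
}
```

The JWE string replaces the cleartext request object in the request parameter, so the login_hint never appears in the browser history or the URL; as the warning above notes, this only protects the initial authorize request (see C12). RSA-OAEP-256 is used rather than RSA1_5, which also appears in the table: PKCS#1 v1.5 key transport is exposed to padding-oracle attacks and current JOSE/JWT best-practice guidance recommends against it. The deprecated login_hint-only encryption (ECDH-ES with the jwks_uri_enc keys) is not shown.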
...