Signing
The OIDC Provider from BankID supports signing of the following data elements:
- ID Tokens
- Default Access Tokens
- Default Refresh Tokens
- Responses from the TINFO service
Statically configured asymmetric keys are used for signing according to the details described in Jwk. OIDC Clients must validate signatures as part of token validation to ensure that tokens have not been tampered with after being issued by the OIDC Provider from BankID. The same applies to validation of responses from the TINFO resource server.
...
The OIDC provider from BankID supports decryption of the following element(s):
- login_hint
- request authorize parameter
This login_hint encryption is a BankID OIDC proprietary functionality. Encryption of the request parameter, which was introduced later, is sufficient since the login_hint may be placed inside a request parameter. The login_hint encryption is therefore deprecated, but still working.
Statically configured asymmetric keys are used for encryption according to the details described in Jwk. OIDC Clients may encrypt the value of the login_hint to ensure that personal information does not leak into the user agent history.
...
Warning |
---|
Using an encrypted request parameter makes the initial authorize request to BankID OIDC confidential. Later in the internal redirect flow between BankID OIDC components, values from the request object may be shown in cleartext. See known issues (C12). |
Keys used for encryption are all marked with
...
login_hint Alg | login_hint Enc | request parameter Alg | request parameter Enc |
---|---|---|---|
ECDH-ES | A128GCM | RSA1_5 | See openid-configuration document |
RSA-OAEP | A128CBC-HS256 | RSA-OAEP | See openid-configuration document |
RSA-OAEP-256 | A128CBC-HS256 | RSA-OAEP-256 | See openid-configuration document |
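As an added example (written for this page, not BankID's code; the kid and the payload are constructed), the Go program below produces the kind of encrypted request object described above, using the RSA-OAEP-256 key-management algorithm from the table and A128CBC-HS256 as content encryption. A128CBC-HS256 is what the table lists for login_hint; for the request parameter it is an assumption here, since the openid-configuration document is authoritative. The sample payload carries the login_hint inside the request object, which is why the separate login_hint encryption is no longer needed. The receiving side is included so the round trip and the rejection of a modified JWE can be checked; in practice the client encrypts with the provider's published encryption key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// authTag computes the A128CBC-HS256 tag (RFC 7518 section 5.2): HMAC-SHA256 over AAD || IV ||
// ciphertext || AL (AL = AAD bit length, 64-bit big-endian), truncated to 16 bytes. MAC key = CEK[:16].
func authTag(macKey, aad, iv, ct []byte) []byte {
	al := make([]byte, 8)
	binary.BigEndian.PutUint64(al, uint64(len(aad))*8)
	mac := hmac.New(sha256.New, macKey)
	for _, p := range [][]byte{aad, iv, ct, al} {
		mac.Write(p)
	}
	return mac.Sum(nil)[:16]
}

// encryptJWE is the client side: fresh CEK and IV per message, CEK wrapped with RSA-OAEP-256 for the
// provider's key, payload PKCS#7-padded and AES-128-CBC encrypted under CEK[16:], header as AAD.
func encryptJWE(pub *rsa.PublicKey, kid string, payload []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RSA-OAEP-256", "enc": "A128CBC-HS256", "kid": kid})
	protected := b64.EncodeToString(hdr)
	rnd := make([]byte, 48)
	if _, err := rand.Read(rnd); err != nil {
		return "", err
	}
	cek, iv := rnd[:32], rnd[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return "", err
	}
	block, _ := aes.NewCipher(cek[16:]) // 16-byte key, cannot fail
	pad := aes.BlockSize - len(payload)%aes.BlockSize
	padded := append(append([]byte{}, payload...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	tag := authTag(cek[:16], []byte(protected), iv, ct)
	return strings.Join([]string{protected, b64.EncodeToString(wrapped), b64.EncodeToString(iv),
		b64.EncodeToString(ct), b64.EncodeToString(tag)}, "."), nil
}

// decryptJWE is the receiving side, included so the round trip and tamper rejection can be
// checked: pin alg and enc, unwrap the CEK, verify the tag in constant time, only then decrypt.
func decryptJWE(priv *rsa.PrivateKey, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	seg := make([][]byte, 0, 5)
	for _, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil {
			return nil, err
		}
		seg = append(seg, b)
	}
	var hdr struct{ Alg, Enc string }
	if len(seg) != 5 || json.Unmarshal(seg[0], &hdr) != nil || hdr.Alg != "RSA-OAEP-256" || hdr.Enc != "A128CBC-HS256" {
		return nil, errors.New("malformed JWE or unsupported alg/enc") // the receiver pins the algorithms
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, seg[1], nil)
	iv, ct, tag := seg[2], seg[3], seg[4]
	if err != nil || len(cek) != 32 || len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("malformed JWE or wrong key")
	}
	if !hmac.Equal(tag, authTag(cek[:16], []byte(parts[0]), iv, ct)) {
		return nil, errors.New("authentication tag mismatch")
	}
	block, _ := aes.NewCipher(cek[16:]) // length checked above
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize {
		return pt[:len(pt)-pad], nil
	}
	return nil, errors.New("bad padding")
}

func main() {
	providerKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the provider's static encryption key
	request := []byte(`{"login_hint":"constructed-placeholder","scope":"openid"}`) // constructed, not a real hint
	jwe, _ := encryptJWE(&providerKey.PublicKey, "bankid-enc-1", request)           // constructed kid
	pt, err := decryptJWE(providerKey, jwe)
	fmt.Printf("request=%s...\nrecovered=%s err=%v\n", jwe[:30], pt, err)
}
```

The tag covers the base64url protected header, so neither the header nor the ciphertext can be altered in transit without the receiver noticing, and the tag is checked before any decryption happens. This protects the value while it sits in the browser's URL history, which is the purpose stated above; it does not change the later internal redirect behaviour noted in the warning.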
...