Signing
The OIDC Provider from BankID supports signing of the following data elements:
...
Keys used for signing are marked with

```
"use":"sig"
```
Verification
The OIDC provider from BankID verifies the following data elements:
- request authorize parameter
- private_key_jwt client_assertion object
To support this validation, a jwks_uri must be registered for the given OIDC client, so that the BankID OIDC provider can retrieve the validation keys.
Encryption
Warning: Encryption of parameters containing personal information may be mandatory in the future.
The OIDC provider from BankID supports decryption of the following element(s):
- login_hint
- request authorize parameter
This login_hint encryption is a BankID OIDC proprietary function. Encryption of the request parameter, which was introduced later, is sufficient. The login_hint encryption is therefore deprecated, but still works.
Statically configured asymmetric keys are used for encryption according to the details described in Jwk. OIDC Clients may encrypt the value of the login hint to ensure that personal information does not leak into the user agent history.
Note that the encryption keys for login_hint are published through the BankID OIDC specific jwks_uri_enc, while encryption keys for the request parameter are published through the OIDC standard jwks_uri.
Keys used for encryption are all marked with

```
"use":"enc"
```
Encryption algorithms supported are:

| login_hint alg | login_hint enc | request parameter alg | request parameter enc |
|---|---|---|---|
| ECDH-ES | A128GCM | RSA1_5 | See openid-configuration document |
| RSA-OAEP | A128CBC-HS256 | RSA-OAEP | See openid-configuration document |
| RSA-OAEP-256 | A128CBC-HS256 | RSA-OAEP-256 | See openid-configuration document |
The encrypted login_hint should be formatted as a JWE Compact Serialization. The ciphertext is the encrypted plaintext login_hint.
The encrypted request parameter should be formatted as a JWE Compact Serialization. The ciphertext is the request parameter as a signed JWT.
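As an added example (not BankID's own code), the client-side checks implied by the two sections above: pick a key from a JWKS document only if it carries the expected "use", and verify that a JWE Compact Serialization has five parts and a protected header whose alg/enc pair is one listed in the table for that element. The JWKS content and the JWE segments are constructed placeholders; the `kid` values are assumptions.

```python
import base64
import json

# Supported (alg, enc) pairs, taken from the table above. For the request parameter the
# "enc" value is published in the openid-configuration document, so only alg is checked.
SUPPORTED = {
    "login_hint": {("ECDH-ES", "A128GCM"), ("RSA-OAEP", "A128CBC-HS256"),
                   ("RSA-OAEP-256", "A128CBC-HS256")},
    "request": {("RSA1_5", None), ("RSA-OAEP", None), ("RSA-OAEP-256", None)},
}

# Constructed sample JWKS document (not real BankID keys): one signing key, one encryption key.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "sig-2024", "use": "sig", "n": "placeholder-modulus", "e": "AQAB"},
    {"kty": "RSA", "kid": "enc-2024", "use": "enc", "n": "placeholder-modulus", "e": "AQAB"},
]}

def select_key(jwks, use, kid=None):
    """Return the first JWK whose "use" matches (and whose kid matches, if given)."""
    for key in jwks.get("keys", []):
        if key.get("use") != use:
            continue  # a "sig" key must never be used for encryption, or vice versa
        if kid is None or key.get("kid") == kid:
            return key
    raise LookupError('no JWK with "use":"%s"' % use)

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_sample_jwe(alg, enc):
    """Constructed five-part JWE Compact Serialization with a real protected header and
    placeholder key/IV/ciphertext/tag segments (enough to exercise the header check)."""
    header = _b64url_encode(json.dumps({"alg": alg, "enc": enc, "kid": "enc-2024"}).encode())
    return ".".join([header] + [_b64url_encode(b"placeholder")] * 4)

def check_jwe_header(compact_jwe, element):
    """Parse the protected header of a JWE Compact Serialization and verify that its
    alg/enc pair is one the BankID OIDC provider lists for this element."""
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        raise ValueError("JWE Compact Serialization needs exactly five dot-separated parts")
    header = json.loads(_b64url_decode(parts[0]))
    alg, enc = header.get("alg"), header.get("enc")
    if (alg, enc) not in SUPPORTED[element] and (alg, None) not in SUPPORTED[element]:
        raise ValueError("unsupported alg/enc for %s: %s/%s" % (element, alg, enc))
    return header
```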
Example
A typical login hint:
...