
The OIDC Provider from BankID supports the following flows (grant types) defined by the OIDC/OAuth2 standards: Authorization code flow and Client credential flow.

The Authorization code flow concerns authentication of end-users followed by authorization of access to Value Added Services.

The Client credential flow concerns authorization of access to Value Added Services directly from an OIDC Client without involving an end-user.

Note

Implicit flow and Hybrid flow were previously supported by the OIDC Provider from BankID. This support has been removed due to a recent security best practice recommendation from IETF.

Authorization code flow, as the only remaining option, covers all use cases, but requires a back-end integration for delivery of the tokens.
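To make concrete what "back-end integration for delivery of the tokens" means, here is an added example (not BankID's or the OIDC Provider's own code): the redirect the client builds and the server-side callback handler that exchanges the code. The endpoint URLs, client id, client secret and redirect URI are placeholder assumptions, and the HTTP call is injected so the example runs offline.

```python
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

# Placeholder values (assumptions): the real ones come from the provider's
# discovery document and the merchant's client registration.
AUTHORIZE_ENDPOINT = "https://oidc.example.invalid/authorize"
TOKEN_ENDPOINT = "https://oidc.example.invalid/token"
CLIENT_ID = "example-client"
CLIENT_SECRET = "example-secret"   # held only on the back-end, never in a browser
REDIRECT_URI = "https://client.example.invalid/callback"


def build_authorization_url(scope="openid"):
    """Build the front-channel redirect. Returns (url, state); the state is
    stored server-side (session) and compared on the callback so the
    response can be bound to the request that started it."""
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",   # authorization code: no tokens in the redirect
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}", state


def handle_callback(callback_url, expected_state, post_form):
    """Back-end callback handler. post_form(url, data) -> dict is the HTTP
    transport. Validates the redirect, then exchanges the code at the token
    endpoint using the client secret, which is why this step must run on
    the back-end rather than in the browser. Raises ValueError on failure."""
    params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if "error" in params:
        raise ValueError(f"provider returned error: {params['error']}")
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: response not bound to our request")
    code = params.get("code")
    if not code:
        raise ValueError("missing authorization code")
    tokens = post_form(TOKEN_ENDPOINT, {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    })
    if "access_token" not in tokens or "id_token" not in tokens:
        raise ValueError("token endpoint did not return the expected tokens")
    return tokens
```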

The figure below provides a more detailed understanding of the message flow by showing an example of an Authorization code flow. The following applies to this particular example:

...

  • Red corresponds to application-specific flows for the OIDC Client.
  • Blue corresponds to standardized flows over the REST API according to the OIDC/OAuth 2.0 standards.
  • Black corresponds to specific flows for the OIDC Provider from BankID that earlier allowed OIDC Clients to customize the GUI experience (see note below).
  • Yellow corresponds to specific flows for the designated IDP.
  • Green corresponds to specific flows for the designated VAS service (e.g. the VAS Service).

By default, an OIDC Client only involves standardized flows (blue) over the REST API with the OIDC Provider. The exception is when the OIDC Client wants to customize GUI handling. Any custom GUI component must integrate with another REST API (black) specific to the OIDC Provider from BankID. A custom GUI component must also take care of proper integration with each of the supported IDP options (yellow) and with any involved VAS service (green).

Note: Customization of user experience

Extensive customization of the GUI was previously supported, but has been removed to ensure a more consistent user-experience when using BankID OIDC.

The BankID OIDC client does allow some customization by displaying the merchant's name and logo (150 px x 30 px, PNG or GIF) in the client.

Note that the figure below does not reflect the use of any JavaScript Connector to assist the OIDC Client with integration with the OIDC Provider. Using a JS Connector saves the OIDC Client from handling most of the front-end logic (blue) associated with the message flow, thus simplifying the integration work.

...