Page Comparison

...

...

Signed JWTs (JWS) are crucial to the OpenID Connect specification in order to ensure the authenticity and integrity of data exchanged between parties.

Encrypted JWTs (JWE) are also used to encrypt sensitive data when applicable. Cryptographic keys used for this purpose are published in the JWKs endpoint as JWKs. Note that these keys may change over time.

When integrating BankID over OpenID Connect you must always validate Tokens that are issued. You should also strongly consider encrypting sensitive data using encrypted request objects.

Validation of Signed Tokens

Following well established OpenID Connect standards, BankID signs all will sign all Tokens issued:

• ID Tokens
• Access Tokens
• Refresh Tokens
• Userinfo response

Asymmetric keys used for signing is exposed in the JWKs endpoint. These keys may change, so make sure you keep them up-to-date (every 24 hours).

• Token

You must validate JWT signatures and compare with the published root certificate as part of token validation to ensure that the signing key certificate was issued by the officially published root certificate.

...

...

These steps are Keys used for signing are all marked with "use": "sig".

Steps to validate a signed JWT Token

The steps required to securely validate a JWS Token (like ID Token) from BankID::

1. Extract the key information from the JWS Token header: kid, alg 
2. Retrieve all JWK entries with "use": "sig" that BankID exposes from the JWKs endpoint.
3. Keys used for signing can be filtered by the use attribute on each JWK. This value should be sig.
4. Find the key used to sign the JWS Token by extracting the kid value of the JWS Header.Match the kid value matching the kid, alg from (1) with the JWK entries from step 1. and extract .
5. Extract the public key value and certificate chain (x5c) from the JWK entry.
6. Validate the origin of the key by verifying it's complete certificate chain (x5c) with our published root certificate.
7. Validate the JWS token using the key.

Note: Using a secure and community provided library to validate JWS tokens is highly recommended.

Signed Authorization Requests

...

Contact us for more information.

Anchor
encrypted_auth_request encrypted_auth_request

Encrypted Authorization Requests 

BankID supports encryption of incoming Authorization Requests through:

• request authorize parameter 
• login_hint encryption (deprecated)
• request authorize parameter 

This can be useful in order to ensure personal information (for example through login_hint) is not leaked in the browser history or URL (for example through login_hint).

The login_hint encryption is deprecated as it is being replaced by the standard encrypted request parameter.

Asymmetric Keys used for encryption in JWKs are are all marked with

...

"use": "enc".

Encryption algorithms supported are:

...

Encrypted request parameter

...

(recommended)

Steps to encrypt a request object

1. Generate a random content encryption key.
2. Encrypt the content encryption key using the appropriate public key from our JWKs endpoint.
3. Encrypt the request object using the content encryption key.
4. Create the JWT with the encrypted content and key.
5. Send the encrypted JWT as value in the request parameter in the Authorization Request.

Note: Using a secure and community provided library for your chosen platform is highly recommended.

Encrypted login hint (deprecated)

The encrypted login_hint should be formatted as a JWE Compact Serialization. The ciphertext is the encrypted plaintext login_hint.The encrypted request parameter should be formatted as a JWE Compact Serialization. The ciphertext is the request parameter as a  signed JWT

Example

A typical login hint:

login_hint=BID:14025800177

 will using the encryption key in the Jwk JWK example, be:

...