Signing of documents and text with merchant and user-certificates with both BankID and BankID on Mobile is now supported through the OIDC platform.
| Info |
|---|
| Read more about the introduction of PAdES in BankID. |
Two different flows exist for these signing processes. For a full implementation guide, please see the Signing Implementation Guide.
Simplified flow
Can be used for signing of a text with both BankID (BID) and BankID on Mobile (BIM). The BankID OpenID Connect platform supports digital signing as an extension of the authorization flow. Both SEID-SDO and PAdES signature envelopes are available.
| Info | ||
|---|---|---|
| ||
|
Feature overview
Three different integration flows are available for signing on the BankID OIDC platform. Each flow offers a subset of features summarized in the table below.
The two full flow alternatives gives support for the most advanced use cases through utilization of the SignDoc resource server. The simplified flow is an easier integration alternative, but is limited to text signing.
Simplified flow | Full flow: SEID-SDO | Full flow: PAdES | |
|---|---|---|---|
| Envelope | SEID-SDO | PAdES | |
| Signature types |
|
|
|
| Document types |
|
| |
| Number of documents | Single | Multiple | Multiple |
|
|
| |
Multiple end user signatures in same envelope | Serial signing (PAdES increments) | ||
| Customization |
|
| |
| Result content |
|
|
|
| Note | ||
|---|---|---|
| ||
A different subset of the signing functionality is available directly through BankID Server implementations. See Signing compatibility matrix for comparison. |
Technical overview
Simplified flow
The simple flow utilizes the authorize-endpoint and adds a new scope called "sign". When the sign-scope is selected, the merchant can add a "sign_txt"-attribute which must be a base64-encoded string.
Full flow
Can be used for signing text, xml-files and pdf-files.
The full flow introduces a new resource-server at "{signdoc-baseurl}/signdoc". This flow can only be used with BankID (BID), and not with BankID on Mobile (BIM).
The merchant needs to start a signing process by retrieving a bearer token with a client-credential-grant.
A request must then be sent by POST to the "{signdoc-baseurl}/signdoc" containing a header with the bearer token, and one or more documents attached in the body. The response from this endpoint will then contain a sign_id which will be used later.
Next, the merchant can start a flow at the authorize-endpoint with scope=sign&sign_id=[sign_id from upload].
The status of the sign_id must be checked in the background with a GET to the "{signdoc-baseurl}/signdoc" .
When the signing is completed, the signing-results can be downloaded and the session cleaned up with a DELETE to the "{signdoc-baseurl}/signdoc" .
For further information, please refer to the following:
childrenis triggered by using the additional scope sign. The request must also include a sign_txt attribute for providing the actual text to be signed. The result will be available as a claim in the ID token
For more details see Simple flow API and implementation guide.
Full flow
The two full flow alternatives makes use of the SignDoc resource server, enabling the merchant to manage and control a more complex sign order and its properties.
A brief overview of this flow:
- Merchant request an access token with the
signdoc/read_writescope to be used in request to the SignDoc resource server. - Merchant creates the sign order by sending a request to the SignDoc resource server and receives a reference, i.e.
sign_id. The signing transaction is initiated by adding the
signscope and thesign_idreference as query parameters to the authorization request.- End user performs the signing using the BankID web client (netcentric).
- Merchant downloads the signing result from the SignDoc resource server.
The general characteristics of this flow are the same for both the SEID-SDO and PAdES alternatives, but properties such as endpoints, request body and response data differs. The PAdES flow supports multiple end user signatures through serial signing where the output from one signing session is used as input for the next.
For more details see the relevant implementation guide for your choice of feature set:
BankID on mobile
BankID web client (netcentric) is the default identity provider used for signing. For text only signing (simplified flow or SEID-SDO full flow) it is possible to use BankID on mobile instead.
In order to use BankID on mobile, the authorization request must contain login_hint=BIM[:[phoneNumber][:birthDate]] as a query parameter.
BankID on mobile has the following limitations:
- Only supports text signing (simplified flow)
- The text can be maximum 118 characters long.
- Only the following character set is supported:
[0-9] [a-z] [æ] [ø] [å] [A-Z] [Æ] [Ø] [Å] [ ][CR] [LF] [#] [$] [%-&] [(-?] [@] [¡] [£] [¤] [¥] [§] [¿] [Ä] [Ç] [É] [Ñ] [Ö] [Ü] [ß] [à] [ä] [è] [é] [ì] [ñ] [ò] [ö] [ù] - Show understanding and show confirmation flags do not apply.
- English locale is not supported.
Further reading
| Child pages (Children Display) | ||
|---|---|---|
|