Signing of documents and text with merchant and user-certificates with both BankID and BankID on Mobile is now supported through the OIDC platform.

Two different flows exist for these signing processes. For a full implementation guide, please see the Signing Implementation Guide.

Simplified flow

Can be used for signing of a text with either BankID (BID) and BankID on Mobile (BIM). The BankID OpenID Connect platform supports digital signing as an extension of the authorization flow. Both SEID-SDO and PAdES signature envelopes are available. 

Feature overview

Three different integration flows are available for signing on the BankID OIDC platform. Each flow offers a subset of features summarized in the table below.
The two full flow alternatives gives support for the most advanced use cases through utilization of the SignDoc resource server. The simplified flow is an easier integration alternative, but is limited to text signing.

Technical overview

Simplified flow

The simple flow utilizes the authorize-endpoint and is triggered by using the additional scope sign. When the sign-scope is selected, the The request must also include a sign_txt attribute containing for providing the actual text to be signed.

Full flow

The Full flow alternative offers support for more advanced use cases.  

• Can be used for signing text, XML-files and PDF-documents.
• Signing multiple documents in same session.
• Customization of signing process.

• This flow can only be used with BankID (BID), and not with BankID on Mobile (BIM).

The full flow makes use a separate resource server, the SignDoc RS, and consists of three steps:

1. Place the sign order on the SignDoc RS server
2. Start the end user sign session
3. Download the result from the SignDoc RS server

For further information, please refer to the following:

childrenThe result will be available as a claim in the ID token

For more details see Simple flow API and implementation guide.

Full flow

The two full flow alternatives makes use of the SignDoc resource server, enabling the merchant to manage and control a more complex sign order and its properties.

A brief overview of this flow:

1. Merchant request an access token with the signdoc/read_write scope to be used in request to the SignDoc resource server.
2. Merchant creates the sign order by sending a request to the SignDoc resource server and receives a reference, i.e. sign_id.

3. The signing transaction is initiated by adding the sign scope and the sign_id reference as query parameters to the authorization request.

4. End user performs the signing using the BankID web client (netcentric).
5. Merchant downloads the signing result from the SignDoc resource server.

The general characteristics of this flow are the same for both the SEID-SDO and PAdES alternatives, but properties such as endpoints, request body and response data differs. The PAdES flow supports multiple end user signatures through serial signing where the output from one signing session is used as input for the next.

For more details see the relevant implementation guide for your choice of feature set:

• SEID-SDO API and implementation guide
• PAdES API and implementation guide

BankID on mobile

BankID web client (netcentric) is the default identity provider used for signing. For text only signing (simplified flow or SEID-SDO full flow) it is possible to use BankID on mobile instead.

In order to use BankID on mobile, the authorization request must contain login_hint=BIM[:[phoneNumber][:birthDate]] as a query parameter.

BankID on mobile has the following limitations:

• Only supports text signing (simplified flow)
• The text can be maximum 118 characters long.
• Only the following character set is supported:
  [0-9] [a-z] [æ] [ø] [å] [A-Z] [Æ] [Ø] [Å] [ ][CR] [LF] [#] [$] [%-&] [(-?] [@] [¡] [£] [¤] [¥] [§] [¿] [Ä] [Ç] [É] [Ñ] [Ö] [Ü] [ß] [à] [ä] [è] [é] [ì] [ñ] [ò] [ö] [ù]
• Show understanding and show confirmation flags do not apply.
• English locale is not supported.

Further reading