Before you start
...
1. Connect to the discovery endpoint to get the OpenID configuration.
   Note: Make sure to keep the response updated every so often (at least daily).
   For the public test environment (CURRENT) the Discovery endpoint is:
   https://auth.current.bankid.no/auth/realms/current/.well-known/openid-configuration.
   See all environments.
2. Use the authorization_endpoint found in the Discovery endpoint response.
   Note: Do not hard code this value. Retrieve the config regularly from the OIDC discovery endpoint, as it may change.
3. Generate a random value for state and store it in your user session.
   - The value must be non-guessable (e.g. a GUID) and unique for each request.
   - This value is used to mitigate cross-site request forgery, but your application can also use it to link the callback request to the end-user session alongside a cookie.
4. Generate a random value for nonce and store it in your user session.
   - The value must be non-guessable, cryptographically random (your framework/language most likely has support for this) and unique for each request.
   - This is used to verify the integrity of the ID token and to mitigate replay attacks.
5. Generate a code_verifier for the PKCE flow and store it in your user session.
   - This is a cryptographically random string using the characters A-Z, a-z, 0-9 and the punctuation characters -._~ (hyphen, period, underscore and tilde), between 43 and 128 characters long.
   - It is used to generate the code challenge (step 6) and again during the Token exchange later.
6. Generate code_challenge from the code_verifier by Base64-URL-encoding the SHA256 hash of the code verifier.
7. (Optional) Add a login_hint to the request to pre-select an IDP or pre-fill user information. If user information is used, we recommend using an encrypted request object.
8. Finally, build the authorization URL by adding the following query parameters (see Authorize for more options):
   - client_id: Your assigned client ID with BankID OIDC.
   - scope: Comma separated list of scopes that indicate which information and resources you request access to. In the example below, we use openid and profile to get a regular ID token.
   - redirect_uri: URI to your server-side callback endpoint where you want to receive the callback response from the BankID OIDC service. This URL must be pre-registered with BankID OIDC.
   - response_type: Determines the message flow. Only "code" is supported.
   - state: Your generated value for state.
   - nonce: Your generated value for nonce.
   - code_challenge: Your generated code_challenge.
   - code_challenge_method=S256
   - (optional) login_hint: Add login_hint here if applicable.

   Example Authorization Request:

   GET authorization_endpoint
     ?client_id=your-client-id
     &scope=openid+profile
     &redirect_uri=https%3A%2F%2Fmywebapp.example.org%2Fcallback
     &response_type=code
     &state=01e3ac8e-4a26-4dfb-79ca-2631394c4144
     &nonce=1fb72f68-1bea-2ba2-12d7-24df1c999d1b
     &code_challenge=ixDBJg7pc3yT2h65DRvhjIbGko7U-t3cYVJmdMF-hTU
     &code_challenge_method=S256
     &login_hint=BID
9. Redirect the end-user to the built authorization URL to start BankID Authentication.
...