...
...
...
The OIDC Provider from BankID supports signing of the following data elementsSigned JWTs (JWS) are crucial to the OpenID Connect specification in order to ensure the authenticity and integrity of data exchanged between parties.
Encrypted JWTs (JWE) are also used to encrypt sensitive data when applicable. Cryptographic keys used for this purpose are published in the JWKs endpoint as JWKs. Note that these keys may change over time.
When integrating BankID over OpenID Connect you must always validate Tokens that are issued. You should also strongly consider encrypting sensitive data using encrypted request objects.
Validation of Signed Tokens
Following well established OpenID Connect standards, BankID will sign all Tokens issued:
- ID Tokens
- Default Access Tokens
- Default Refresh Tokens
- Responses from the TINFO service
...
You must validate JWT signatures and ensure that the signing key certificate was issued by the officially published root certificate.
Note | ||
---|---|---|
| ||
This is important:
|
...
|
Keys used for signing are all marked with
...
with "use": "sig"
...
Verification
The OIDC provider from BankID verifies the following data elements.
Steps to validate a signed JWT Token
The steps required to securely validate a JWS Token (like ID Token):
- Extract the key information from the JWS Token header:
kid
,alg
- Retrieve all JWK entries that BankID exposes from the JWKs endpoint.
- Keys used for signing can be filtered by the
use
attribute on each JWK. This value should besig
. - Find the key used to sign the JWS Token by matching the
kid
,alg
from (1) with the JWK entries. - Extract the public key and certificate chain (x5c) from the JWK entry.
- Validate the origin of the key by verifying it's complete certificate chain (x5c) with our published root certificate.
- Validate the JWS token using the key.
Note: Using a secure and community provided library to validate JWS tokens is highly recommended.
Signed Authorization Requests
BankID OIDC can support signing incoming Authorization Requests:
- request authorize parameter
- private_key_jwt client_assertion object
To support this validation, a jwks_uri must be registered for the given oidc client, such that BankID OIDC provider merchant (OIDC Client), so BankID can retrieve validation keys.
Encryption
...
Contact us for more information.
Anchor | ||||
---|---|---|---|---|
|
Note | ||
---|---|---|
| ||
Encryption of parameters containing personal information may be become mandatory in the near future. |
The OIDC provider from BankID supports decryption of the following element(s):
...
encryption of incoming Authorization Requests through:
- request authorize parameter
...
- login_hint encryption
...
- (deprecated)
This can be useful in order to ensure personal information is not leaking leaked in the user agent history. Remark that the encryption keys for login_hint are published through the BankID OIDC specific jwks_uri_enc while encryption keys for the request parameter are publish through the OIDC standard jwks_uri. browser history or URL (for example through login_hint).
The login_hint encryption is deprecated as it is being replaced by the encrypted request parameter.
Keys used for encryption in JWKs are all marked with
...
"use": "enc"
.
Encryption algorithms supported are:
...
Encrypted request parameter
...
(recommended)
Supported key encryption algorithms | Supported content encryption algorithms |
---|---|
RSA1_5 |
RSA- |
OAEP RSA-OAEP-256 | A256GCM A192GCM A128GCM A128CBC-HS256 A192CBC-HS384 A256CBC-HS512 |
Steps to encrypt a request object
- Generate a random content encryption key.
- Encrypt the content encryption key using the appropriate public key from our JWKs endpoint.
- Encrypt the request object using the content encryption key.
- Create the JWT with the encrypted content and key.
- Send the encrypted JWT as value in the
request
parameter in the Authorization Request.
Note: Using a secure and community provided library for your chosen platform is highly recommended.
Encrypted login hint (deprecated)
Supported key encryption algorithms | Supported content encryption algorithms |
---|---|
ECDH-ES RSA-OAEP |
RSA-OAEP-256 | A128GCM A128CBC-HS256 |
A128CBC- |
HS256 |
The encrypted login_hint should be formatted as a JWE Compact Serialization. The ciphertext is the encrypted plaintext login_hint.
The encrypted request parameter should be formatted as a JWE Compact Serialization. The ciphertext is the request parameter as a signed JWT
Example
A typical login hint:
Code Block |
---|
login_hint=BID:14025800177 |
will using the encryption key in the Jwk JWK example, be:
Info |
---|
login_hint=eyJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTI1NiIsIngiOiJjSm1XTWtrcXlWUDYtbFcya3hoSElUZG5oNkR1MkNzUklZZzBja3lXdVdBIiwieSI6IlRpbDROMFlGNWFSNnJJUWpHRjY4cWRkQ2ZfcDJuVmJCM1RMY2U2bDNxVlkifSwia2lkIjoiZW5jcnlwdGtleSIsImVuYyI6IkExMjhHQ00iLCJhbGciOiJFQ0RILUVTIn0..DzbBsb5mQSl-S-zG.-hL1oyZNRrqkp4UJHxX_.Q0n47mXdkmAoDfSqu-vkEg |
...