Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space PDOIDC and version master

...

...

...

The OIDC Provider from BankID supports signing of the following data elementsSigned JWTs (JWS) are crucial to the OpenID Connect specification in order to ensure the authenticity and integrity of data exchanged between parties.

Encrypted JWTs (JWE) are also used to encrypt sensitive data when applicable. Cryptographic keys used for this purpose are published in the JWKs endpoint as JWKs. Note that these keys may change over time.

When integrating BankID over OpenID Connect you must always validate Tokens that are issued. You should also strongly consider encrypting sensitive data using encrypted request objects.

Validation of Signed Tokens

Following well established OpenID Connect standards, BankID will sign all Tokens issued:

...

You must validate JWT signatures and ensure that the signing key certificate was issued by the officially published root certificate.

Note
iconfalse

This is important:

  • to ensure that tokens are not tampered with after being issued by the OIDC Provider from BankID.

...

  • to guarantee that the origin of the Tokens are in fact BankID, and not a potential "man-in-the-middle" actor.

Keys used for signing are all marked with 

...

with "use": "sig"

...

Verification

The OIDC provider from BankID verifies the following data elements.

Steps to validate a signed JWT Token

The steps required to securely validate a JWS Token (like ID Token):

  1. Extract the key information from the JWS Token header: kid, alg 
  2. Retrieve all JWK entries that BankID exposes from the JWKs endpoint.
  3. Keys used for signing can be filtered by the use attribute on each JWK. This value should be sig.
  4. Find the key used to sign the JWS Token by matching the kid, alg from (1) with the JWK entries.
  5. Extract the public key and certificate chain (x5c) from the JWK entry.
  6. Validate the origin of the key by verifying it's complete certificate chain (x5c) with our published root certificate.
  7. Validate the JWS token using the key.

Note: Using a secure and community provided library to validate JWS tokens is highly recommended.

Signed Authorization Requests

BankID OIDC can support signing incoming Authorization Requests:

  • request authorize parameter
  • private_key_jwt client_assertion object

To support this validation, a jwks_uri must be registered for the given oidc client, such that BankID OIDC provider merchant (OIDC Client), so BankID can retrieve validation keys. 

Encryption

...

Contact us for more information.

Anchor
encrypted_auth_request
encrypted_auth_request
Encrypted Authorization Requests 

Note
iconfalse

Encryption of parameters containing personal information may be become mandatory in the near future.

The OIDC provider from BankID supports decryption of the following element(s):

...

encryption of incoming Authorization Requests through:

...

...

  • (deprecated)

This can be useful in order to ensure personal information is not leaking leaked in the user agent history. Remark that the encryption keys for login_hint are published through the BankID OIDC specific jwks_uri_enc while encryption keys for the request parameter are publish through the OIDC standard jwks_uri.  browser history or URL (for example through login_hint).

The login_hint encryption is deprecated as it is being replaced by the encrypted request parameter.

Keys used for encryption in JWKs are all marked with

...

"use": "enc".

Encryption algorithms supported are:

...

Encrypted request parameter

...

(recommended)

Supported key encryption algorithms Supported content encryption algorithms 

RSA1_5

See openid

RSA-

configuration document

OAEP

RSA-OAEP-256

A256GCM

A192GCM

A128GCM

A128CBC-HS256

A192CBC-HS384

A256CBC-HS512

Steps to encrypt a request object

  1. Generate a random content encryption key.
  2. Encrypt the content encryption key using the appropriate public key from our JWKs endpoint.
  3. Encrypt the request object using the content encryption key.
  4. Create the JWT with the encrypted content and key.
  5. Send the encrypted JWT as value in the request parameter in the Authorization Request.

Note: Using a secure and community provided library for your chosen platform is highly recommended.

Encrypted login hint (deprecated)

Supported key encryption algorithms Supported content encryption algorithms 

ECDH-ES

RSA-OAEP

See openid-configuration document

RSA-OAEP-256

A128GCM

A128CBC-HS256

RSA

A128CBC-

OAEP-256See openid-configuration document

HS256

The encrypted login_hint should be formatted as a JWE Compact Serialization. The ciphertext is the encrypted plaintext login_hint.

The encrypted request parameter should be formatted as a JWE Compact Serialization. The ciphertext is the request parameter as a  signed JWT

Example

A typical login hint:

Code Block
login_hint=BID:14025800177

 will using the encryption key in the Jwk JWK example, be:

Info

login_hint=eyJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTI1NiIsIngiOiJjSm1XTWtrcXlWUDYtbFcya3hoSElUZG5oNkR1MkNzUklZZzBja3lXdVdBIiwieSI6IlRpbDROMFlGNWFSNnJJUWpHRjY4cWRkQ2ZfcDJuVmJCM1RMY2U2bDNxVlkifSwia2lkIjoiZW5jcnlwdGtleSIsImVuYyI6IkExMjhHQ00iLCJhbGciOiJFQ0RILUVTIn0..DzbBsb5mQSl-S-zG.-hL1oyZNRrqkp4UJHxX_.Q0n47mXdkmAoDfSqu-vkEg

...