Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

The BankID OIDC provider previously supported iframe mode, but this has been deprecated.

Read more here: https://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-10.13

Iframe mode has been blocked in CURRENT from 03.12.20.

Iframe mode will be blocked in PRODUCTION in January 2021, at earliest 04.01.20.

The BankID OIDC Provider supports web-based OIDC Client applications using browser re-direction to govern user-experience.

This includes support for app-based OIDC Client applications using web-views. The OIDC Client is in either case in control on how and where each of the involved dialoges is integrated with the OIDC Client application. The two supported user-experience alternatives are as follows: 

  • Redirect: Redirect of the entire application page
  • Window: Re-direct of a pop-up (window) from the application (mother) page

The logic governing integration modes is managed by your website. Please refer to the example libraries table on our getting started with OIDC page for more details.

A couple of notes:

  • Our testing tools allows you take a further look into these integration modes.
  • The JS Connector may simplify the frontend integration with the OIDC Provider when using window mode. Note that iframe/inline should not be used.

Using BankID OIDC in native applications

Web-views should not be used when using BankID OIDC in a native application. Instead, the user should be redirected using an external user-agent.

A secure backend server is still needed to initiate the request, store the client credentials, receive callback from BankID OIDC, session management and token exchange.
It is possible to initiate the request from the application/user-agent directly, but you probably want to build the request URL in your backend to store and generate variables like state and nonce. See getting started with OIDC for details.

How to migrate from iframe

Persisting metadata between request and callback

  • Create a unique, non-guessable identifier and use the value as the `state` query parameter in the authorization endpoint request, i.e. when initiating BankID OIDC.
  • Metadata can be stored in your backend application with a reference to the `state` value.
  • Callback: Read the state query parameter in the request to your redirect URI and retrieve the metadata.

Migrating from iframe mode to window mode

  • Initiating authentication: Open a new window, i.e. window.open() instead of embedding the request in an iframe.
  • Callback: Instead of referring to window.parent you could refer to window.opener on the callback to alert the main window.

Migrating from iframe mode to redirect mode

  • Initiating authentication: Redirect user to authorization endpoint instead of embedding the request in an iframe.
  • Callback: Instead of serving HTML that communicates with the iframe's parent, serve the page you want the end-user to see.


  • No labels