Identity Providers
The following sub-sections contain information on the Identity Provider (IDP) options supportedby this release of the OpenID Connect Provider from BankID. See the Compatiblity Matrix for the relation between these IDP options and Value Added Serivices (VAS). See general information on user experience and customization that applies for any IDP.
Each IDP option is associated with a Name and Level of Assurance (LoA) codified via attributes called amr
(Authentication Method Reference) and acr
(Authentication Context Class Reference), respectively. These attributes can be included in the request from an ODIC Client to the Authorize endpoint at the OIDC Provider to request either a particular IDP (amr
) or any IDP at a particular LoA (acr
). A standard and designated request parameter exists for the acr
attribute. Since there is no corresponding request parameter for the amr
attribute, the OIDC Provider from BankID supports amr
values codified as part of the login_hint
parameter.
Sucessful authentication via one of the supported IDPs results in an ID Token being returned to the reqesting OIDC Client.
Note that an ID Token also contain values for the amr
and acr
attributes, corresponding to the IDP actually being used. These values may be different from corresponding values provided in the request from the OIDC Client to the Authorize endpoint. One example is if more IDP options meet the amr
/acr
criteria of the Authorize request. In this case an IDP selector dialog is presented for the user to resolve which IDP to use. Another example is if the selected IDP involves step-up to another IDP.
The OIDC Provider also includes a JavaScript Connector supporting all IDPs. The JS Connector is a wrapper for the REST API that simplifies integration for front-end applications and ensures that the REST API is used in the intended way.