Back-end implementation
Back-end implementation of the JS Connector consists of the steps described below:
Implementing redirect_uri when using method window or inline
Since the JS Connector can open an iframe or a window for you, the handling of the post-authentication step is also important. This section will explain how you can take advantage of cross-domain messaging (XDM) to send the received code / tokens from the active window or iframe to the parent page (your site).
The redirect_uri needs to handle the authorization response in order to receive the authorization code and tokens on behalf of the user. This information is delivered either as part of the URL, or as a FORM POST if this response_mode is specified.
Then, if you follow the callback page example for redirect_uri, you will see that special XDM calls are made to pass the information from the window/iframe to the listening JS Connector instance and finally to your callback, as the data retrieved in the authentication response is sent to the callback provided with the BID.doConnect() call.
With specific token_url and/or userinfo_url (experimental)
You can have the JS Connector call the token_url and userinfo_url endpoints with the received data from the authentication response.
Token endpoint (token_url)
URL | As specified in configuration parameter token_endpoint | |
---|---|---|
Request mode | POST with parameters as application/x-www-form-urlencoded data | |
Request parameters | grant_type | Grant type is always authorization_code |
| code | Value from response of the foregoing Authorize request |
| redirect_uri | Redirect URI used in the foregoing Authorize request |
| client_id | Not supported since the OIDC clients must always authenticate |
OIDC Response /oauth/token | JSON { access_token: "654fe6f11ad61ceb1697d643b5fc59", token_type: "Bearer", expires_in: 3600, scope: "openid phone address", id_token: "...." // JWT } | |
For documentation on the corresponding response to the OIDC platform, see Token
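The request parameters in the table above can be checked on the server before anything is sent to the OIDC token endpoint. The following Node.js sketch is an added example, not code from the JS Connector or the OIDC platform; `buildTokenRequest`, the `CONFIG` values, and the use of HTTP Basic client authentication (RFC 6749 section 2.3.1) toward the token endpoint are assumptions made for illustration.

```javascript
// Added example; CONFIG values are constructed placeholders, not real endpoints.
const CONFIG = {
  tokenEndpoint: "https://oidc.example.test/oauth/token",
  redirectUri: "https://shop.example.test/callback", // registered redirect_uri
  clientId: "example-client",
  clientSecret: "example-secret", // stays on the server, never sent to the browser
};

// Form-encode one value, as RFC 6749 section 2.3.1 requires before Base64.
const formEncode = (s) => new URLSearchParams([["", s]]).toString().slice(1);

// rawBody: the application/x-www-form-urlencoded body posted to token_url.
// Returns {ok:false,status,error} or {ok:true,request}, where request
// describes the server-to-server call to the OIDC token endpoint.
function buildTokenRequest(rawBody, cfg = CONFIG) {
  const p = new URLSearchParams(rawBody);
  const reject = (error) => ({ ok: false, status: 400, error });
  // Each documented parameter must appear exactly once and be non-empty.
  for (const name of ["grant_type", "code", "redirect_uri"]) {
    if (p.getAll(name).length !== 1 || !p.get(name)) return reject("invalid_request");
  }
  if (p.get("grant_type") !== "authorization_code") return reject("unsupported_grant_type");
  // Exact string match against the registered value, never a prefix match.
  if (p.get("redirect_uri") !== cfg.redirectUri) return reject("invalid_grant");

  const basic = Buffer.from(
    `${formEncode(cfg.clientId)}:${formEncode(cfg.clientSecret)}`
  ).toString("base64");
  // Forward only the documented parameters; anything else the browser sent
  // (client_id included) is dropped.
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code: p.get("code"),
    redirect_uri: cfg.redirectUri,
  }).toString();
  return {
    ok: true,
    request: {
      url: cfg.tokenEndpoint,
      method: "POST",
      headers: {
        Authorization: `Basic ${basic}`,
        "Content-Type": "application/x-www-form-urlencoded",
      },
      body,
    },
  };
}
```

The returned `request` object can be passed to whatever HTTP client the back-end uses; the client secret only ever appears in the `Authorization` header of that server-to-server call.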
Userinfo endpoint (userinfo_url)
Use the access token (which could also be stored on the server) to access user information from OIDC.
URL | As specified in configuration parameter userinfo_endpoint | |
---|---|---|
Request mode | POST with parameters as application/x-www-form-urlencoded data | |
Request parameters | access_token | Access token to be used as authorization to access OIDC IDP endpoint |
| token_type | How access token shall be passed to OIDC endpoint ( |
OIDC response /oauth/userinfo | JSON { | |
For documentation on the corresponding response to the OIDC platform, see Userinfo