The BankID OIDC provider previously supported iframe mode, but this has been deprecated.

Read more here: https://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-10.13

The BankID OIDC Provider supports web-based OIDC Client applications using browser re-direction to govern user-experience.

This includes support for app-based OIDC Client applications using web-views. The two supported user-experience alternatives are as follows:

Redirect: Redirect of the entire application page
Window: Re-direct of a pop-up (window) from the application (mother) page

By default, the user interface responsiveness is enough to fit on all kinds of devices and viewport sizes, however, we offer ways to further optimize the user interface using the display parameter:

Optimize the user interface to be more suited for integration in mobile apps using display=touch
Or, a user interface consistent with a popup (or framed) window using display=popup

Our testing tools allows you take a further look into these integration modes.

Using BankID OIDC in native applications

Web-views should not be used when integrating BankID in a native application.

Instead, the user should be redirected using an external user-agent or equivalent:

Android: Use Custom Tabs (https://developer.chrome.com/multidevice/android/customtabs) or fallback to open external browser on user's device
iOS: Use SFSafariViewController, SFAuthenticationSession, ASWebAuthenticationSession (support vary based on iOS version)

A secure backend server is still needed to initiate the request, store the client credentials, receive callback from BankID OIDC, session management and token exchange.
It is possible to initiate the request from the application/user-agent directly, but you probably want to build the request URL in your backend to store and generate variables like state and nonce. See getting started with OIDC for details.

How to migrate from iframe

Persisting metadata between request and callback

Create a unique, non-guessable identifier and use the value as the `state` query parameter in the authorization endpoint request, i.e. when initiating BankID OIDC.
Metadata can be stored in your backend application with a reference to the `state` value.
Callback: Read the state query parameter in the request to your redirect URI and retrieve the metadata.

Migrating from iframe mode to window mode

Initiating authentication: Open a new window, i.e. window.open() instead of embedding the request in an iframe.
Callback: Instead of referring to window.parent you could refer to window.opener on the callback to alert the main window.

Migrating from iframe mode to redirect mode

Initiating authentication: Redirect user to authorization endpoint instead of embedding the request in an iframe.
Callback: Instead of serving HTML that communicates with the iframe's parent, serve the page you want the end-user to see.

Browser not supported