Full flow PAdES API and implementation guide
Sign order expiration time
The sign order expires 90 seconds after it is created if user signing has not been initiated (i.e. no request has been made to the authorization endpoint).
The timeout for the sign order while the user is signing is determined by timeoutSeconds (default 1800 seconds), specified when the order was uploaded.
After the user has signed the order, the sign order remains valid for another 90 seconds before it expires.
API
See signdocpades documentation.
Claims
The following table shows the supported claims in response from the sign service after a PAdES sign session is completed.
Claim | Example | Result specifier | Description |
---|---|---|---|
unsignedDocumentSha256 | "unsignedDocumentSha256": "ZfesfmamB+ADft4A0DVMAbHQ7mEeg24v3PXBsXDKf5k=" | documentHash | Hash over the original document |
signedDocumentSha256 | "signedDocumentSha256": "ApPACd0HXMzuSB/Zt1HU9oJLAxpWvRX2/gRpu63Vs1k=" | documentHash | Hash over the signed document |
padesSignedPdf | "padesSignedPdf": "JVBERi0xLjQNJeLjz9MNCjEwIDAgb2JqDTw8L0xpbmVhcml6... | padesSignedPdf | The signed PDF as a base64 encoded text string |
padesAppendix | "padesAppendix": "DQoxMSAwIG9iago8PAovTWV0YWRhdGEgMiAwIFIKL09wZW5BY... | padesAppendix | The signature data added to the original PDF, represented as base64 |
description | "description": "some_document.pdf" | | Description of the document |
signId | "signId": "058d8691-6f2d-40c0-b6fb-f120a868cf48" | | The sign_id reference |
orderState | "orderState": "SIGN_COMPLETED" | | The current order state |
orderName | "orderName": "Overlay-example" | | Name of the order |
Step-by-step
Step | What you do | Endpoint | Method | Considerations | Remarks |
---|---|---|---|---|---|
1 | Get the key properties of the OIDC provider | openid-configuration | GET | ||
2 | Request an Access token | token | POST | Grant type client_credentials. Must include the signdoc/read_write scope. | The access token is retrieved with the client credentials grant, i.e. without the involvement of the end user |
3 | Create and upload sign order to the SignDoc resource server | signdocpades | POST | Include Access token (2) as Bearer token | You'll receive a reference sign_id |
4 | Initiate the signing transaction by redirecting the user to the authorization endpoint | authorize | GET | Include the In the callback, make sure to check for error and matching states | Traditional authorization code flow starts. End user performs the signing process with netcentric BankID. Results are stored in the resource server. |
5 | Exchange authorization code for tokens | token | POST | Check matching nonce | |
6 | Fetch our public keys and use these to validate token signatures | jwk | GET | ||
7* | Check the status of the sign order | signdocpades | GET | Include Access token (2) as Bearer token. Include sign_id as query parameter. | *Can be skipped if The merchant should poll this endpoint for the active signing session and update the status in their backend. This should be done until For more details, see Check Status for sign order in the PAdES documentation. |
8 | Download sign order results and delete sign order | signdocpades | DELETE | Include Access token (2) as Bearer token. Include sign_id as query parameter. | Should be called when the end user is redirected back to the merchant or if polling returns the Note that the sign order is deleted regardless of the state of the sign order. For more details, see in the PAdES documentation |
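Because step 8 deletes the sign order regardless of its state, the merchant backend should validate the returned claims (see the claims table above) before accepting the signed document. The following is an added example, not code from the sign service or its documentation: it cross-checks the documentHash claims against the PDF the merchant uploaded and against the returned padesSignedPdf, and assumes that padesAppendix is the PDF incremental update appended verbatim to the original document. The sample PDF bytes and the response dictionary are constructed for the example; the sign_id is hypothetical.

```python
import base64
import hashlib

# Constructed sample data (not real documents): a minimal PDF body and an
# incremental-update appendix of the kind a PAdES signature adds to it.
ORIGINAL_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
APPENDIX = b"\r\n11 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite >>\nendobj\n%%EOF\n"
SIGNED_PDF = ORIGINAL_PDF + APPENDIX


def b64_sha256(data: bytes) -> str:
    """Hash in the form the documentHash claims use: base64 of the raw SHA-256."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


# Constructed response in the shape of the claims table (hypothetical sign_id).
CLAIMS = {
    "signId": "058d8691-6f2d-40c0-b6fb-f120a868cf48",
    "orderState": "SIGN_COMPLETED",
    "unsignedDocumentSha256": b64_sha256(ORIGINAL_PDF),
    "signedDocumentSha256": b64_sha256(SIGNED_PDF),
    "padesSignedPdf": base64.b64encode(SIGNED_PDF).decode("ascii"),
    "padesAppendix": base64.b64encode(APPENDIX).decode("ascii"),
}


def verify_pades_result(claims: dict, original_pdf: bytes, expected_sign_id: str) -> list:
    """Return the list of consistency problems found; an empty list means accept.

    Assumption: padesAppendix is appended verbatim to the original PDF, so
    original + appendix must reproduce padesSignedPdf byte for byte.
    """
    problems = []
    if claims.get("signId") != expected_sign_id:
        problems.append("signId does not match the sign order we created")
    if claims.get("orderState") != "SIGN_COMPLETED":
        problems.append(f"unexpected orderState {claims.get('orderState')!r}")
    if claims.get("unsignedDocumentSha256") != b64_sha256(original_pdf):
        problems.append("unsignedDocumentSha256 differs from the uploaded document")
    try:
        signed = base64.b64decode(claims["padesSignedPdf"], validate=True)
        appendix = base64.b64decode(claims["padesAppendix"], validate=True)
    except (KeyError, ValueError):
        return problems + ["padesSignedPdf/padesAppendix missing or not valid base64"]
    if claims.get("signedDocumentSha256") != b64_sha256(signed):
        problems.append("signedDocumentSha256 does not match padesSignedPdf")
    if signed != original_pdf + appendix:
        problems.append("padesSignedPdf is not original document + padesAppendix")
    return problems
```

Call `verify_pades_result(CLAIMS, ORIGINAL_PDF, CLAIMS["signId"])` after the DELETE in step 8; any non-empty result means the response should be rejected rather than stored as the signed document.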