Signing and encryption

Signing

The OIDC Provider from BankID supports signing of the following data elements:

• ID Tokens
• Default Access Tokens
• Default Refresh Tokens
• Responses from the TINFO service

Statically configured asymmetric keys are used for signing according to details described in Jwk. OIDC Clients must validate signatures as part of token validation to ensure that tokens are not tampered with after being issued by the OIDC Provider from BankID. The same applies for validation of responses for the TINFO resource server.

Keys used for signing are marked with 

"use":"sig"

Encryption

We also support decryption of the following element(s):

• login_hint

Statically configured asymmetric keys are used for encryption according to details described in Jwk. OIDC Clients may encrypt the value of the login hint to ensure that personal information is not leaking in the user agent history. 

Keys used for encryption are marked with

"use":"enc".

Encryption algorithms supported are:

The encrypted login_hint should be formatted as a JWE Compact Serialization. The ciphertext is the encrypted plaintext login_hint.

Example

A typical login hint:

login_hint=BID:14025800177

 will using the encryption key in the Jwk example, be:

The header part of the JWE object is in this case:

{
  "epk": {
    "kty": "EC",
    "crv": "P-256",
    "x": "cJmWMkkqyVP6-lW2kxhHITdnh6Du2CsRIYg0ckyWuWA",
    "y": "Til4N0YF5aR6rIQjGF68qddCf_p2nVbB3TLce6l3qVY"
  },
  "kid": "encryptkey",
  "enc": "A128GCM",
  "alg": "ECDH-ES"
}

BankID OIDC provider will use the kid value to extract the correct key for decryption. If the kid value is not set, the decryption will fail.

The message to be encrypted is not JSON, it is simply:

BID:14025800177