Known issues in this release of the OpenID Connect Provider from BankID are further described below in terms of:
Restrictions
The following table summarizes restrictions in this release of OIDC Provider from BankID :
| No | Restrictions in 2018-01-31 London (OIDC) |
| R1 | No Value Added Sevices are supported. Future releases will support additional VAS-services |
| R2 | Signing with the BankID IDP is currently not supported over OpenID Connect. Such support is planned for a future release. |
| R3 | The BankID anti-fraud service is currently not supported over OpenID Connect. Such support is planned for a future release. |
| R4 | Indirectly connected clients of the known-type via Intermediate Services are currently not supported. Such support is planned for a future release. |
| R5 | OIDC |
| R6 | Pure app-based applications using a completely embedded (API-based) user-experience is currently not supported. Such support is planned for a future release. |
| R7 | POST method is not supported by Authorize endpoint |
| R8 | Using the OIDC with iframes does not work out-of-the box on Safari v11.0.1 and later. The reason is Safari's recent policy to disallow setting of cookies from iframed 3rd-party javascript |
Caveats
The following table summarizes caveats in this release of the OIDC Provider from BankID
| No | Caveats in 2018-01-31 London (OIDC) |
| C1 | Access Tokens for the TINFO-service is returned from the Token endpoint even if the TINFO-service as such is not supported in this release |
| C2 | The nnin_altsub claim is never part of an Access Token even if the OIDC Client in question receives this claim in the ID Token. Resource Servers that are entitled to receive nnin_altsub must be configred to for such access and retrieve this claim via introspection |
| C3 | OIDC clients that are not entitled to nnin_altsub may still make request to Resources Servers that depend on this claim. Resource Servers that are entitled to receive nnin_altsub must be configred to for such access and retrieve this claim via introspection |
| C4 | The module name for the JS Connector has changed, thus breaking backwards compatibility with its pre-decessor releases (2017-12-06 Luxembourg (OIDC) and 2017-09-19 xID Demo (OIDC)) |
| C5 | JS Connector login window may not close on Internet Explorer / Edge browsers when Cross-domain messaging is used. If you follow the methods demonstrated in the example using cross-domain messaging from the redirect_uri to the JS Connector instance on the parent page, and you use window method, then you will most likely experience that Internet Explorer blocks the communication between the window and the parent. This can happen when the window being opened is on a different domain than the parent site. To work around this problem, you need to setup an endpoint on your domain as the doInit oauth_url parameter which then redirects to the proper Authorize endpoint. This way the window is opened on your own domain and cross domain messaging should work. |
| C6 | Missing or empty query parameteres when calling JS Connector |
Bugs
The following table summarizes known bugs in this release of the OIDC Provider from BankID
| No | Bugs in 2018-01-31 London (OIDC) |
| B1 | Refresh Token contains info on resource access |
| B2 | Refresh Token has auth_time = 0. |
| B3 | Error message on time-out must be improved |
| B4 | Language is sometimes not set according to the locale parameter |
| B5 | The update_at claim in ID Tokens for xID does not correspond to enrollment time for the xID Service |