Signing of documents and text with merchant and user-certificates with both BankID and BankID on Mobile is now supported through the OIDC platform.

Two different flows exist for these signing processes. For a full implementation guide, please see the Signing Implementation Guide. A brief explanation of these flows follows:

  • Simplified flow:
    Can be used for signing a text with both BankID (BID) and BankID on Mobile (BIM).
    The simplified flow uses the authorize endpoint and adds a new scope called "sign". When the sign scope is requested, the merchant can add a "sign_txt" attribute, which must be a base64-encoded string.
  • Full flow:
    Can be used for signing text, XML files and PDF files.
    The full flow introduces a new resource server at "{signdoc-baseurl}/signdoc". This flow can only be used with BankID (BID), and not with BankID on Mobile (BIM).
    The merchant starts a signing process by retrieving a bearer token with a client-credential grant.
    A POST request must then be sent to "{signdoc-baseurl}/signdoc" with the bearer token in a header and one or more documents attached in the body. The response from this endpoint contains a sign_id, which is used in the following steps.
    Next, the merchant can start a flow at the authorize endpoint with scope=sign&sign_id=[sign_id from upload].
    The status of the sign_id must be checked in the background with a GET to "{signdoc-baseurl}/signdoc".
    When the signing is completed, the signing results can be downloaded and the session cleaned up with a DELETE to "{signdoc-baseurl}/signdoc".
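
The authorize step of both flows, as an added example that is not taken from the Signing Implementation Guide: it builds the authorize URL with the "sign" scope and either a "sign_txt" (simplified flow) or a "sign_id" (full flow), and shows why the base64 value has to be percent-encoded in the query string. The endpoint URL, client_id, redirect_uri, response_type, the "openid" scope, the state and nonce parameters, UTF-8 text encoding and all function names are assumptions.

```python
import base64
import binascii
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed placeholder values, not taken from the page.
AUTHORIZE_ENDPOINT = "https://oidc.example.invalid/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://merchant.example.invalid/callback"


def encode_sign_txt(text: str) -> str:
    """Base64-encode the text to sign (UTF-8 is an assumption)."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def build_sign_authorize_url(*, sign_txt=None, sign_id=None):
    """Return (url, state). sign_txt selects the simplified flow, sign_id the full flow."""
    if (sign_txt is None) == (sign_id is None):
        raise ValueError("provide exactly one of sign_txt or sign_id")
    params = {
        "response_type": "code",  # assumed: authorization code flow
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid sign",  # "sign" is from the page; "openid" is standard OIDC
        "state": secrets.token_urlsafe(16),  # compared on the callback (CSRF binding)
        "nonce": secrets.token_urlsafe(16),
    }
    if sign_txt is not None:
        try:
            base64.b64decode(sign_txt, validate=True)  # reject non-base64 input early
        except binascii.Error as exc:
            raise ValueError("sign_txt must be base64") from exc
        params["sign_txt"] = sign_txt
    else:
        params["sign_id"] = sign_id
    # urlencode percent-encodes '+', '/' and '=' from the base64 alphabet;
    # a raw '+' in a query string would be decoded as a space on the other side.
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", params["state"]


def sign_txt_from_url(url: str) -> str:
    """Recover the text a URL asks the user to sign (for logging or review)."""
    query = parse_qs(urlsplit(url).query)
    return base64.b64decode(query["sign_txt"][0], validate=True).decode("utf-8")
```

Keeping the returned state in the user's session lets the merchant reject a callback that does not belong to the signing request it started.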

For further information, please refer to the following:







