The BankID OpenID Connect platform supports digital signing as an extension of the authorization flow. Both SEID-SDO and PAdES signature envelopes are available. 

Abbreviations

  • SEID-SDO: Norwegian for “Samarbeidsprosjekt om eID og eSignatur Signert DataObjekt”
  • PAdES: PDF Advanced Electronic Signatures

Feature overview

Three different integration flows are available for signing on the BankID OIDC platform. Each flow offers a subset of the features summarized below.
The two full flow alternatives support the most advanced use cases by utilizing the SignDoc resource server. The simplified flow is an easier integration alternative, but is limited to text signing.


Simplified flow

  • Envelope: none
  • Signature types: Combined end user and merchant signature
  • Document types: Text
  • Number of documents: Single
  • Identity Providers: BankID netcentric, BankID on mobile
  • Result content: Basic signature, Document hash

Full flow: SEID-SDO

  • Envelope: SEID-SDO
  • Signature types: Combined end user and merchant signature
  • Document types: Text, XML, PDF
  • Number of documents: Multiple
  • Identity Providers: BankID netcentric, BankID on mobile (Note: single text only)
  • Customization: User interface options, Timeout for user signing
  • Result content: SEID-SDO envelope, Basic signature, Document hash

Full flow: PAdES

  • Envelope: PAdES
  • Signature types: Combined end user and merchant signature, End user signature only
  • Document types: PDF
  • Number of documents: Multiple
  • Identity Providers: BankID netcentric
  • Multiple end user signatures in same envelope
  • Serial signing (PAdES increments)
  • Customization: User interface options, Timeout for user signing, Configuration of visible seals
  • Result content: PAdES envelope, PAdES appendix, Document hash

A different subset of the signing functionality is available directly through BankID Server implementations. See Signing compatibility matrix for comparison.

Technical overview

Simplified flow

The simplified flow utilizes the authorize endpoint and is triggered by adding the additional scope sign. The request must also include a sign_txt attribute carrying the actual text to be signed. The result is made available as a claim in the ID token.

For more details see Simple flow API and implementation guide.

Full flow

The two full flow alternatives make use of the SignDoc resource server, enabling the merchant to manage and control a more complex sign order and its properties.

A brief overview of this flow:

  1. The merchant requests an access token with the signdoc/read_write scope, to be used in requests to the SignDoc resource server.
  2. The merchant creates the sign order by sending a request to the SignDoc resource server and receives a reference, the sign_id.
  3. The signing transaction is initiated by adding the sign scope and the sign_id reference as query parameters to the authorization request.
  4. The end user performs the signing using the BankID web client (netcentric).
  5. The merchant downloads the signing result from the SignDoc resource server.

The general characteristics of this flow are the same for both the SEID-SDO and PAdES alternatives, but properties such as endpoints, request body and response data differ. The PAdES flow supports multiple end user signatures through serial signing, where the output from one signing session is used as input for the next.

For more details see the relevant implementation guide for your choice of feature set:

BankID on mobile

BankID web client (netcentric) is the default identity provider used for signing. For text-only signing (simplified flow or SEID-SDO full flow) it is possible to use BankID on mobile instead.

In order to use BankID on mobile, the authorization request must contain login_hint=BIM[:[phoneNumber][:birthDate]] as a query parameter.

BankID on mobile has the following limitations:

  • Only supports text signing (simplified flow)
  • The text can be maximum 118 characters long.
  • Only the following character set is supported:
    [0-9] [a-z] [æ] [ø] [å] [A-Z] [Æ] [Ø] [Å] [ ] [CR] [LF] [#] [$] [%-&] [(-?] [@] [¡] [£] [¤] [¥] [§] [¿] [Ä] [Ç] [É] [Ñ] [Ö] [Ü] [ß] [à] [ä] [è] [é] [ì] [ñ] [ò] [ö] [ù]
  • Show understanding and show confirmation flags do not apply.
  • English locale is not supported.
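As an added example (not BankID's own code), the Python below assembles a simplified-flow authorization request as described under Simplified flow above and, when the request targets BankID on mobile, checks the sign text against the 118-character limit and character set listed here before setting login_hint. The authorize endpoint, client id and redirect URI are placeholders, response_type=code with state and nonce is assumed as ordinary OIDC usage, and the phone number and birth date formats are not given on this page, so they are passed through unchanged.

```python
import secrets
import urllib.parse

BIM_MAX_LEN = 118  # BankID on mobile text limit from the list above

def bim_charset() -> frozenset:
    """Characters allowed in BankID on mobile sign text, transcribed from the
    limitation list; [%-&] and [(-?] are code point ranges (the latter covers
    ( ) * + , - . / 0-9 : ; < = > ?)."""
    chars = set()
    for lo, hi in (("0", "9"), ("a", "z"), ("A", "Z"), ("%", "&"), ("(", "?")):
        chars.update(chr(c) for c in range(ord(lo), ord(hi) + 1))
    chars.update("æøåÆØÅ \r\n#$@¡£¤¥§¿ÄÇÉÑÖÜßàäèéìñòöù")
    return frozenset(chars)

def validate_bim_sign_text(text: str) -> list:
    """Reasons a text cannot be signed with BankID on mobile; [] when it can."""
    problems = []
    if len(text) > BIM_MAX_LEN:
        problems.append(f"text is {len(text)} characters, limit is {BIM_MAX_LEN}")
    bad = sorted(set(text) - bim_charset())
    if bad:
        problems.append("unsupported characters: " + " ".join(repr(c) for c in bad))
    return problems

def bim_login_hint(phone: str = "", birth_date: str = "") -> str:
    """login_hint value BIM[:[phoneNumber][:birthDate]]; the formats of the two
    optional parts are not specified on this page, so they are passed through."""
    if birth_date:
        return f"BIM:{phone}:{birth_date}"
    return f"BIM:{phone}" if phone else "BIM"

def build_sign_request(authorize_url: str, client_id: str, redirect_uri: str,
                       sign_txt: str, login_hint: str = "") -> dict:
    """Simplified-flow authorization request: scope 'sign' added to 'openid', the
    text in sign_txt. response_type=code, state and nonce are assumed ordinary
    OIDC; the caller keeps state/nonce to check the response when it returns."""
    if login_hint.startswith("BIM"):  # text bound for BankID on mobile
        problems = validate_bim_sign_text(sign_txt)
        if problems:
            raise ValueError("; ".join(problems))
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid sign",
              "sign_txt": sign_txt, "state": secrets.token_urlsafe(16),
              "nonce": secrets.token_urlsafe(16)}
    if login_hint:
        params["login_hint"] = login_hint
    return {"url": f"{authorize_url}?{urllib.parse.urlencode(params)}", "params": params}
```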
