The OIDC Provider from BankID supports each of the protocol flows (grant types) defined by the OIDC/OAuth2 standards:

...

The figure below gives an elaborated understanding of the protocol message flow by showing an example of a hybrid flow. The following applies for this particular example:

...

  • Red corresponds to application-specific flows for the OIDC Client
  • Blue corresponds to standardized flows over the REST API according to OIDC/OAuth2 standards.
  • Black corresponds to specific flows for the OIDC Provider from BankID allowing OIDC Clients to customize GUI experience
  • Yellow corresponds to specific flows for the designated IDP.
  • Green corresponds to specific flows for the TINFO Service in this particular example.

The flow for access to Resource Servers other than TINFO, e.g. PSD2

By default, an OIDC Client only involves the standardized flows (blue) over the REST API with the OIDC Provider. The exception is an OIDC Client that wants to customize GUI handling: any custom GUI component must integrate with another REST API (black) specific to the OIDC Provider from BankID, and must take care of proper integration with each of the supported IDP options (yellow) and with any involved Resource Server.

Note that the figure below does not reflect the use of a JavaScript Connector to assist the OIDC Client with its integration against the OIDC Provider. Using a JS Connector saves the OIDC Client from handling most of the front-end logic associated with the protocol message flow, thus simplifying integration work.

...

The following actors are involved in the protocol message flow for the shown example:

  • End-user - The user owns resources that the OIDC Client requests access to. Some resources may require an explicit consent from the user before the OIDC Client is granted access.
  • User-Agent - A browser, or a browser window in an application, allowing the user to navigate the OIDC Client and interact with the other parties involved via redirection of requests through the User-Agent.
  • OIDC Client - The application that needs to assure the identity of the end-user and request access to various resources.
  • OIDC Provider - The platform from BankID that provides an OpenID Connect / OAuth2 interface in front of a range of Identity Providers (IDPs) and Protected Resources.
  • OIDC GUI - A service that is responsible for all GUI handling associated with the OIDC Provider. The OIDC Provider comes with a default GUI service that is used unless it is overridden by the OIDC Client.
  • IDP Service - A designated IDP selected by the end-user among all IDP options supported by the OIDC Provider (in other cases the OIDC Client may select the designated IDP option).
  • TINFO Service - A service that returns additional info on the end-user beyond what is returned directly in the ID Token by the OIDC Provider itself. The service performs consent handling before the actual data is retrieved.
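The hybrid flow shown in the figure returns an authorization code and an ID Token to the OIDC Client in the same front-channel response. The following is an added example, not code from BankID or this page, of how an OIDC Client builds that request and validates the response before exchanging the code: the nonce must echo back in the ID Token and the c_hash claim must bind the code to this ID Token (OIDC Core 3.3.2.11). The authorize endpoint URL is a constructed placeholder, and signature verification of the ID Token against the Provider's JWKS is assumed to have happened already.

```python
import base64
import hashlib
from urllib.parse import urlencode

# Constructed placeholder: the real BankID OIDC Provider endpoint is not on this page.
AUTHORIZE_ENDPOINT = "https://oidc-provider.example/authorize"


def build_hybrid_authorize_url(client_id: str, redirect_uri: str, state: str, nonce: str) -> str:
    """Front-channel request for the hybrid flow: the User-Agent is redirected to the
    OIDC Provider with response_type=code id_token, so the OIDC Client receives an
    authorization code and an ID Token together in the redirect back."""
    params = {
        "response_type": "code id_token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,  # ties the response to this browser session (CSRF protection)
        "nonce": nonce,  # must be echoed back inside the ID Token (replay protection)
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def c_hash_for(code: str, alg: str = "RS256") -> str:
    """c_hash = base64url(left-most half of hash(ASCII code)), where the hash function
    is the one matching the ID Token signing algorithm (SHA-256 for RS256, etc.)."""
    digest = {"RS256": hashlib.sha256, "RS384": hashlib.sha384, "RS512": hashlib.sha512}[alg]
    h = digest(code.encode("ascii")).digest()
    return _b64url(h[: len(h) // 2])


def validate_hybrid_response(id_token_claims: dict, code: str, expected_nonce: str,
                             alg: str = "RS256") -> bool:
    """Checks the OIDC Client makes on the front-channel hybrid response before it
    exchanges the code on the back channel. The ID Token's signature is assumed to
    have been verified already; `alg` is the algorithm from its verified header."""
    if id_token_claims.get("nonce") != expected_nonce:
        return False  # ID Token was not issued for this client session
    # In the hybrid flow c_hash is required: it binds the code to this ID Token, so a
    # code substituted into the redirect by a third party is rejected here.
    if id_token_claims.get("c_hash") != c_hash_for(code, alg):
        return False
    return True
```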

...