Comment: Published by Scroll Versions from space PDOIDC and version Paris_OIDC

...

Introduction

OIDC signing is an extension to the authorization flow in BankID OIDC. When a scope, a signorder reference or a text to be signed is added as a query parameter and the authorize endpoint is then called, a BankID signing is performed. The actual signing is done using the ordinary BankID WebClient or using BankID on mobile. The result of the signing is available either as a claim in the id_token or as a JSON object requested from the SignDoc resource server.

Flows

Below [signdoc_endpoint-baseurl] means the endpoint baseurl as given by the .well-known/openid-configuration endpoint.

...

Merchant uploads a signing order

POST [signdoc_endpoint-baseurl]/signdoc

header: access-token with scope signdoc/read_write

...

Merchant downloads the signing result

DELETE [signdoc_endpoint-baseurl]/signdoc?sign_id=[sign_id from upload]

...

The URL to access the SignDoc resource server is found in the .well-known/openid-configuration result as signdoc_endpointsigndoc-baseurl. The merchant should append /signdoc to the base URL.


How to get the access token to use in the Full flow, i.e. granting access to the SignDoc server

...

The BankID WebClient is by default selected when scope sign is given.

In order to use BankID on Mobile, login_hint=BIM[:[phoneNumber][:birthDate]] must be given in the authorize request. [...] means optional values. phoneNumber is 8 digits; birthDate is ddmmyy.

To preset nnin in the BankID WebClient, set login_hint=[BID]:nnin where nnin is 11 digits. The BID may be dropped.
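A client-side check of the login_hint formats described above, run before the value is placed in the authorize request. This is an added example, not code from the BankID documentation; the function names are hypothetical, and the day/month plausibility check goes beyond the "ddmmyy" format the text states.

```python
import re
from urllib.parse import urlencode

# Grammar as stated in the text above:
#   BIM[:[phoneNumber][:birthDate]]  phoneNumber = 8 digits, birthDate = ddmmyy
#   [BID]:nnin                       nnin = 11 digits
# [0-9] rather than \d, so only ASCII digits are accepted.
_BIM = re.compile(r"BIM(?::(?P<phone>[0-9]{8})?(?::(?P<birth>[0-9]{6}))?)?")
_BID = re.compile(r"(?:BID)?:(?P<nnin>[0-9]{11})")


def parse_login_hint(hint: str) -> dict:
    """Return the parsed parts of a login_hint, or raise ValueError.

    fullmatch() rejects trailing data such as '&scope=...' or a newline.
    Error messages never echo the hint, because it may hold an nnin.
    """
    m = _BIM.fullmatch(hint)
    if m:
        birth = m.group("birth")
        if birth is not None:
            day, month = int(birth[:2]), int(birth[2:4])
            # Assumption added here: reject impossible day/month values.
            if not (1 <= day <= 31 and 1 <= month <= 12):
                raise ValueError("birthDate is not a plausible ddmmyy value")
        return {"method": "mobile",
                "phoneNumber": m.group("phone"),
                "birthDate": birth}
    m = _BID.fullmatch(hint)
    if m:
        return {"method": "webclient", "nnin": m.group("nnin")}
    raise ValueError("login_hint does not match BIM[...] or [BID]:nnin")


def login_hint_param(hint: str) -> str:
    """Validate the hint, then percent-encode it as a query parameter."""
    parse_login_hint(hint)
    return urlencode({"login_hint": hint})


if __name__ == "__main__":
    # Constructed sample values, not real phone numbers or identity numbers.
    for sample in ("BIM", "BIM:12345678:010190", "BIM::010190", ":01019012345"):
        print(sample, "->", parse_login_hint(sample))
    print(login_hint_param("BIM:12345678:010190"))
```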

...


Full flow API description

The full flow starts with one request in which the OIDC client uploads documents, signing properties and a wanted result specification to the SignDoc resource server. The return from this request is a sign_id, which is used as a query parameter in the authorize request. When the user has finished signing, the OIDC client queries the result from the SignDoc resource server.

...

BankID on mobile signs only text; the text must be at most 118 characters long and has a restricted character set. Legal characters are for now 

...

Flags like show understanding and show confirmation do not apply, and English locale on the mobile is not supported.

...