<baseurl>/oauth/authorize
ID Tokens are signed
This is a browser redirect end-point that is thoroughly described in the OIDC/OAuth2 standards. The following query parameters pertaining to the OIDC Provider can be used:
- Send an authorization request to the OIDC Provider and wait for the response on the redirect URL address. The scope parameter supplied with the request should contain "openid" and the response type should contain "id_token". The id_token is a JSON structure containing user info from the authentication. The request may optionally include a login_hint to request a specific type of IDP (e.g. netcentric or mobile for BankID) and/or to pre-fill any user ID that the end user would otherwise need to type in (e.g. National Identity Number and/or Mobile Number in the case of BankID).
- The OIDC Provider returns a response to the Client after the authentication of the end user. The response body should contain the id_token.
The OIDC Client now has the identity and other selected properties of the current user. The property/claim named "sub" contains a unique GUID of the current user (also referred to as the BankID PID or SERIAL).
Note: id_tokens should be validated for security reasons before their claims are trusted. There are several frameworks for working with OIDC. Some frameworks validate the id_token automatically before giving access to it, and some publish example code for doing so. The published examples may be used as a template.
Parameter | Comment |
---|---|
client_id | This is a unique ID provided by BankID Norge for the calling OIDC Client. |
scope | The discovery endpoint (see example above) returns "scopes_supported":[...]. profile and email are part of the standard scopes but are currently not supported by the OIDC Provider. address and phone are supported if the Client is configured to allow such information. nnin (the Norwegian National Identity Number, fødselsnummer) is supported as additional info if the Client is configured to allow this information. The standard_bankid scope is used for clients with a default scope of nnin that currently don't want nnin added to the UserInfo response. |
response_type | Three combinations (associated with OAuth2 hybrid grant flows) are currently supported. Other combinations associated with other OAuth2 flows will be added as future options. |
response_mode | This is how the response redirect is done. These alternatives are supported: query, fragment, form_post. Note: The .NET/C# example on GitHub uses the OWIN framework. OWIN only accepts the form_post response mode. |
login_hint | This parameter may be used to set the choice of authentication (netcentric or mobile) and, if known to the Client, the nnin, mobile phone number or birthday of the user. An empty login_hint implies that the default (or customized) GUI takes care of all interaction with the end user to determine the necessary login details. The discovery/metadata endpoint returns: "login_hint_supported":"[BIM\|BID][:\\d{11}][:\\d{8}][:\\d{6}] for respectively client_type, nnin, phoneNo, birthday". Here are some examples with explanation: In example no 5 the user is prompted for the choice of BankID version, but the Norwegian national number is used for BID and the birthday is used for BIM (first 6 digits). |
ui_locales | May be used to set a language preference for GUI handling. The default GUI experience supports nb (Norsk Bokmål) and en (English). |
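The authorization request described in the steps above, with the login_hint checked against the pattern the discovery endpoint publishes, as an added Python example (not code from this page, from BankID or from the GitHub sample). The base URL and redirect URI are placeholders, and the rule that the digit count (11, 8 or 6) tells the optional numeric parts of a login_hint apart is an assumption of this example. state and nonce are generated here and have to be kept in the user's session so they can be compared on the way back.

```python
"""Build the browser redirect to <baseurl>/oauth/authorize, with the login_hint checked
against the pattern the discovery endpoint publishes. Stdlib only."""
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# "[BIM|BID][:\d{11}][:\d{8}][:\d{6}]" -> client_type, nnin, phoneNo, birthday. Every part is
# optional; this example assumes the digit count is what tells the numeric parts apart.
_LOGIN_HINT_RE = re.compile(r"^(BIM|BID)?(?::(\d{11}))?(?::(\d{8}))?(?::(\d{6}))?$")

def parse_login_hint(hint):
    """Split a login_hint into its four parts (None where absent) or raise ValueError."""
    m = _LOGIN_HINT_RE.match(hint)
    if m is None:
        raise ValueError("login_hint must match [BIM|BID][:nnin][:phoneNo][:birthday]")
    return dict(zip(("client_type", "nnin", "phoneNo", "birthday"), m.groups()))

def build_login_hint(client_type=None, nnin=None, phone=None, birthday=None):
    """Compose a login_hint from typed values; anything that would not parse back is rejected,
    so user-supplied digits never reach the query string unchecked."""
    hint = (client_type or "") + "".join(":" + v for v in (nnin, phone, birthday) if v)
    parse_login_hint(hint)
    return hint

def build_authorize_url(baseurl, client_id, redirect_uri, scope=("openid",), response_type="id_token",
                        response_mode="form_post", login_hint=None, ui_locales=None, state=None, nonce=None):
    """Return (url, state, nonce). Keep state and nonce in the user's session: state is compared
    on the redirect back, nonce against the nonce claim of the id_token."""
    if "openid" not in scope:
        raise ValueError("scope must contain openid")
    if "id_token" not in response_type.split():
        raise ValueError("response_type must contain id_token to receive an id_token")
    state, nonce = state or secrets.token_urlsafe(16), nonce or secrets.token_urlsafe(16)
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": " ".join(scope),
              "response_type": response_type, "response_mode": response_mode,
              "state": state, "nonce": nonce}
    if login_hint is not None:
        parse_login_hint(login_hint)  # reject malformed hints before they leave the client
        params["login_hint"] = login_hint
    if ui_locales:
        params["ui_locales"] = ui_locales
    return baseurl.rstrip("/") + "/oauth/authorize?" + urlencode(params), state, nonce

def query_params(url):
    """The query string of an authorize URL as a flat dict (used to inspect the result)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

if __name__ == "__main__":
    # <baseurl> and the redirect URI are placeholders, not BankID addresses
    url, state, nonce = build_authorize_url("https://<baseurl>", "DotNetClient",
                                            "https://client.example.invalid/signin-oidc",
                                            login_hint=build_login_hint("BID", nnin="12345678901"))
    print(url)
```

The round-trip check in build_login_hint is the point of the helper: a client that pre-fills the hint from a form field should refuse to send anything that does not match the published pattern rather than let the provider's GUI sort it out.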
TODO: http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
Note: When response_type contains both id_token and code, the authorization_code is duplicated into the bid_code claim in the id_token to avoid a conflict with the authorization_code issued by Azure AD B2C. AAD must copy the claims from the BankID OIDC id_token to the one issued by AAD. The client must get an access_token from the token end-point of the BankID OIDC Service in order to use resources managed by this service. This includes the UserInfo end-point.
Below is an example id_token (decoded header and payload) as returned from the OIDC Provider in its current BankID configuration in pre-production:
```
{
  "kid":"bankid-oauth",
  "typ":"JWT",
  "alg":"RS256"
}.{
  "preferred_username":"Testesen, Test",
  "name":"Testesen, Test",
  "given_name":"Test",
  "family_name":"Testesen",
  "sub":"9578-6000-4-127698",
  "iat":1485863742,
  "iss":"https://preprod.bankidapis.no",
  "auth_time":1485863742,
  "exp":1485867342,
  "birthdate":"1980-03-09",
  "nonce":"63621460527719310(abbreviated for display)c0NDk1NDIz",
  "amr":["BankID"],
  "azp":"DotNetClient",
  "aud":"DotNetClient",
  "c_hash":"SVJo7O-d4cY8N4VgiVwETQ"
}
```
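Validating a token like the one above before its claims are used, as an added Python example (not BankID's code and not from this page): the RS256 signature with a key selected by the header's kid, then iss, aud/azp, exp/iat, nonce and the c_hash check that ties the id_token to the authorization code returned next to it. It uses only the standard library, so it carries a toy RSA signer and key generator to produce a token shaped like the page's example (kid "bankid-oauth", iss and aud as above); in a real client the public keys come from the provider's jwks_uri and a vetted JOSE library does the RSA part. The key pair, sub, authorization code and nonce are constructed values.

```python
"""Validate an id_token from the BankID OIDC Provider: RS256 signature (key chosen by kid),
iss, aud/azp, exp/iat, nonce and c_hash. Stdlib only: a toy RSA key pair and a token
shaped like the page's example are constructed inline so the example runs offline."""
import base64, hashlib, json, random, time

ISSUER, CLIENT_ID = "https://preprod.bankidapis.no", "DotNetClient"  # from the page's example

# ---- toy RSA PKCS#1 v1.5 / SHA-256 (demo only: in production use a vetted JOSE library) ----
def _probable_prime(n, rounds=16):  # Miller-Rabin; candidates here are always odd and large
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, exact bit length
        if _probable_prime(c):
            return c

def make_rsa_keypair(bits=1024):
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means e is invertible mod phi
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix for SHA-256

def _emsa(msg, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) into k bytes
    t = _DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rsa_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")
def rsa_verify(key, msg, sig):
    k = (key["n"].bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), key["e"], key["n"]).to_bytes(k, "big") == _emsa(msg, k)

def b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def c_hash(code):
    """OIDC Core 3.3.2.11: base64url of the left half of SHA-256(code) when alg is RS256."""
    return b64u(hashlib.sha256(code.encode("ascii")).digest()[:16])

def sign_id_token(key, claims, kid="bankid-oauth"):
    hdr = {"kid": kid, "typ": "JWT", "alg": "RS256"}
    inp = ".".join(b64u(json.dumps(x, separators=(",", ":")).encode()) for x in (hdr, claims))
    return inp + "." + b64u(rsa_sign(key, inp.encode()))

class IdTokenError(ValueError):
    pass

def validate_id_token(token, keys_by_kid, issuer, client_id, nonce, code=None, now=None, leeway=60):
    """Return the claims only if every check passes; raise IdTokenError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("not a compact JWS")
    h, p, s = parts
    hdr = json.loads(b64u_dec(h))
    if hdr.get("alg") != "RS256":  # pin the algorithm; never let the token choose it
        raise IdTokenError("unexpected alg")
    key = keys_by_kid.get(hdr.get("kid"))  # keys come from the provider's jwks_uri
    if key is None or not rsa_verify(key, (h + "." + p).encode(), b64u_dec(s)):
        raise IdTokenError("bad signature or unknown kid")
    c = json.loads(b64u_dec(p))
    aud = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    now = time.time() if now is None else now
    if c.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    if client_id not in aud or (len(aud) > 1 and c.get("azp") != client_id):
        raise IdTokenError("wrong audience")
    if now > c.get("exp", 0) + leeway or c.get("iat", 0) > now + leeway:
        raise IdTokenError("expired or not yet valid")
    if c.get("nonce") != nonce:
        raise IdTokenError("nonce mismatch (replay?)")
    if code is not None and c.get("c_hash") != c_hash(code):
        raise IdTokenError("c_hash does not match the authorization code")
    return c

def example_token(key, now, code, nonce):  # token modelled on the page's example (constructed values)
    claims = {"sub": "9578-6000-4-127698", "iss": ISSUER, "aud": CLIENT_ID, "azp": CLIENT_ID,
              "iat": now, "auth_time": now, "exp": now + 3600, "nonce": nonce,
              "amr": ["BankID"], "c_hash": c_hash(code)}
    return sign_id_token(key, claims)

if __name__ == "__main__":
    key, now = make_rsa_keypair(), int(time.time())
    token = example_token(key, now, "constructed-code", "constructed-nonce")
    print(validate_id_token(token, {"bankid-oauth": {"n": key["n"], "e": key["e"]}}, ISSUER, CLIENT_ID, "constructed-nonce", "constructed-code")["sub"])
```

The order of the checks matters: the signature is verified before any claim is read, the algorithm is pinned to RS256 instead of taken from the header, and the nonce is compared against the value stored in the session when the authorization request was built. With response_type "code id_token" the c_hash comparison is what lets the client trust the code it received in the same response.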