
The OpenID Connect Provider from BankID (hereafter referred to as the OIDC Provider) is illustrated below. It consists of an industry-standard REST API (left side) in front of various Identity Providers (IDPs) and Protected Resources. The REST API implements a set of standard endpoints defined by the OpenID Connect 1.0 authentication standard and the OAuth 2.0 authorization framework. Consent handling is a key feature of the OIDC Provider.

The preferred way to integrate with the OIDC Provider is to use a set of JavaScript connectors, which are front-end wrappers of the API.

A major benefit of the OIDC Provider is that it allows merchants to start using the BankID Services with minimum integration effort compared to the legacy integration option (i.e. install BankID Server, add a BankID merchant certificate and integrate towards the proprietary API of BankID Server). For the xID Service the OIDC Provider is the only integration option available to merchants.

The term OIDC Client is used for any application that integrates with the OIDC Provider, corresponding to the following terms in related vocabularies:

  • OAuth2 client in OAuth vocabulary
  • Relying Party in OIDC vocabulary
  • Merchant in BankID vocabulary
  • Third Party Provider in PSD2 vocabulary.

OIDC Clients may integrate directly with the OIDC Provider or indirectly via an intermediate party as described in a separate section. OIDC Clients (directly connected or intermediate parties) must authenticate with the OIDC Provider.

The set of Scopes and Claims supported by the OIDC Provider is what brings value to OIDC Clients. The content of the ID Token that is returned in response to a successful authentication is governed by a basic set of scopes and claims. Scopes and claims beyond this basic set are used to request Access Tokens of the right kind for subsequent access to various Protected Resources. Such resources are available at corresponding Resource Servers (right side) behind protected endpoints.

The TINFO service implements a Resource Server providing end-user profile data over the standard Userinfo endpoint. Access to resources behind this protected endpoint is governed by a standard Access Token and a set of standard Scopes and Claims. Some non-standard Scopes and Claims are also supported for profile data that are not standardized.

The PSD2 service consists of a range of specific (currently non-standard) Scopes, Claims and Access Tokens tailored for various use-cases under PSD2. In contrast, the PSD2 service does not implement any corresponding Resource Servers. PSD2 resources are made available to AISPs/PISPs over APIs decided by each ASPSP.

The OIDC Provider comes with a default component responsible for all GUI handling. An OIDC Client may override the default GUI and provide its own customized GUI handling hosted at any URL.

Note

A good way to start exploring the OIDC Provider from BankID and its capabilities is to try out live test clients and also consult GitHub for various source code examples.

Some background reading is recommended for readers that are unfamiliar with OpenID Connect and OAuth2.
