
Endpoint

URL: https://<baseurl>/oauth/authorize

Request: GET with URL query parameters, or POST with parameters as application/x-www-form-urlencoded data

Authentication: Basic

Authorize is a standard endpoint that triggers authentication of an end user via one of the IDP options, followed by authorization in terms of consent handling. Authorization information is then returned in the response to the requesting OIDC Client. The content of the authorization response differs for each of the supported protocol flows. In every case the Authorize endpoint triggers a series of redirects that eventually return to the requesting OIDC Client at a redirect_uri specified by the client. For security reasons only pre-registered redirect URIs are allowed, since the redirect_uri is where the authorization code and/or tokens are delivered.

Request parameters

Name (support): Description

scope (supported): List of scope values specifying what kind of resources (datasets) the OIDC Client requests access to. The value openid must always be included in the list.

response_type (supported): Determines the protocol flow to be used, and thus also the content and type of the response from the Authorize endpoint. The following combinations are supported:

  • "code" (Authorization Code flow)
  • "id_token" or "id_token token" (Implicit flow)
  • "code id_token", "code token", or "code id_token token" (Hybrid flow)

client_id (supported): Unique ID (arbitrary string) configured at the OIDC Provider for the OIDC Client in question.

redirect_uri (supported): Redirect URI to which the response will be sent. This URI must exactly match, character for character, one of the Redirect URI values pre-registered for the OIDC Client at the OpenID Provider.

state (listed as supported, but currently not supported): Opaque value used to maintain state between the request and the callback. Until it is supported, the client cannot rely on state to bind the callback to the browser session that started the request; the nonce check on the returned ID Token is the binding that remains.

response_mode (supported): The response mode to be used for returning parameters from the Authorization Endpoint. The following values are supported:

  • query
  • fragment
  • form_post

Note: The .NET/C# example on GitHub uses the OWIN framework. OWIN only accepts the form_post response mode.

nonce (supported): String value used to associate an OIDC Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token, so the client must verify on the callback that it matches the value it sent.

display (not supported): The OIDC Provider from BankID does instead support GUI customization and JavaScript connectors to govern how IDP dialogues are displayed.

prompt (listed as supported, but currently not supported): Specifies whether the Authorization Server prompts the end user for re-authentication and consent.

max_age: ???

ui_locales (supported): May be used to set a language preference for GUI handling. The default GUI experience supports nb (Norsk Bokmål) and en (English).

acr_values (supported, with caveat)

login_hint (supported): This parameter may be used to set the choice of authentication method (netcentric or mobile) and, if known to the Client, the nnin (Norwegian national ID number), mobile phone number, or birthday of the user.

An empty login hint implies that the default (or customized) GUI takes care of all interaction with the end user to determine the necessary login details.

The discovery/metadata endpoint returns: "login_hint_supported":"[BIM|BID][:\\d{11}][:\\d{8}][:\\d{6}] for respectively client_type, nnin, phoneNo, birthday"

Here are some examples with explanation:

  1. Netcentric BankID with user profile: login_hint=BID:07025312345 (Norwegian national ID number/fødselsnummer)
  2. Netcentric BankID, no user profile: login_hint=BID
  3. BankID on mobile, no user profile: login_hint=BIM
  4. BankID on mobile with user profile: login_hint=BIM:48058567:070253 (phone number and birthday DDMMYY)
  5. Some user profile, no BankID choice: login_hint=:07025312345 (the numbers start with a colon!)

In example no. 5 the user is prompted for the choice of BankID version, but the Norwegian national ID number is used for BID and the birthday is used for BIM (its first 6 digits).

id_token_hint (supported, with caveat)

xxx (not supported): Not supported since the OIDC clients must always authenticate.
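The request parameters above can be checked on the client side before the browser is sent to the Authorize endpoint. The following Python is an added example, not code from the BankID OIDC documentation or its GitHub samples: it builds the authorize URL with fresh state and nonce values, enforces the exact-match rule for redirect_uri against a pre-registered list, and parses login_hint according to the documented pattern, accepting the five examples given above and rejecting out-of-order, non-numeric or wrong-length components. The base URL, client_id, redirect URIs and profile values are constructed for illustration. The page marks state as currently not supported, so a client on this version must not assume it is echoed back; the nonce bound into the ID Token is the check to rely on.

```python
"""Build a BankID OIDC Authorize request and pre-check its parameters.

Added example, not code from the BankID OIDC documentation. The base URL,
client_id, redirect URIs and login_hint values are constructed; only the
parameter names, allowed values and the login_hint pattern come from the page.
"""
import secrets
from urllib.parse import urlencode

# Assumed deployment URL; the page writes it as https://<baseurl>/oauth/authorize
AUTHORIZE_URL = "https://oidc.example.test/oauth/authorize"

RESPONSE_TYPES = {
    "code",                                                 # Authorization Code flow
    "id_token", "id_token token",                           # Implicit flow
    "code id_token", "code token", "code id_token token",   # Hybrid flow
}
RESPONSE_MODES = {"query", "fragment", "form_post"}

# Documented pattern: [BIM|BID][:\d{11}][:\d{8}][:\d{6}] for
# client_type, nnin, phoneNo, birthday, in that order, each optional.
HINT_FIELDS = (("nnin", 11), ("phoneNo", 8), ("birthday", 6))


def parse_login_hint(hint):
    """Split a login_hint into its fields, rejecting anything off-pattern."""
    if hint == "":
        return {}                       # the GUI collects everything itself
    client_type, *rest = hint.split(":")
    if client_type not in ("", "BID", "BIM"):
        raise ValueError("client_type must be BID, BIM or empty")
    fields = {"client_type": client_type} if client_type else {}
    expected = list(HINT_FIELDS)
    for part in rest:
        # Numeric parts are identified by length and must appear in order.
        while expected and expected[0][1] != len(part):
            expected.pop(0)
        if not expected or not part.isdigit():
            raise ValueError("unexpected login_hint component: %r" % part)
        name, _ = expected.pop(0)
        fields[name] = part
    return fields


def redirect_uri_is_registered(redirect_uri, registered_uris):
    """Exact string match only: no prefix, trailing-slash or query-string tolerance."""
    return redirect_uri in registered_uris


def build_authorize_request(client_id, redirect_uri, registered_uris,
                            response_type="code id_token",
                            response_mode="form_post",
                            scope=("openid", "profile"),
                            login_hint=None, ui_locales=None):
    """Return the authorize URL plus the state/nonce the client must store."""
    if "openid" not in scope:
        raise ValueError("scope must include openid")
    if response_type not in RESPONSE_TYPES:
        raise ValueError("unsupported response_type: %r" % response_type)
    if response_mode not in RESPONSE_MODES:
        raise ValueError("unsupported response_mode: %r" % response_mode)
    if not redirect_uri_is_registered(redirect_uri, registered_uris):
        # Fail locally instead of discovering the mismatch on an OP error page.
        raise ValueError("redirect_uri is not pre-registered: %r" % redirect_uri)
    if login_hint is not None:
        parse_login_hint(login_hint)    # raises on an off-pattern hint

    # state and nonce are unguessable per-request values; the client keeps them
    # in the browser session and compares them on the callback.
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    params = {
        "scope": " ".join(scope),
        "response_type": response_type,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_mode": response_mode,
        "state": state,
        "nonce": nonce,
    }
    if login_hint is not None:
        params["login_hint"] = login_hint
    if ui_locales:
        params["ui_locales"] = ui_locales
    return {"url": AUTHORIZE_URL + "?" + urlencode(params),
            "state": state, "nonce": nonce}
```

The redirect_uri check deliberately has no normalisation: a trailing slash, a different case in the host, or an appended query string is a different URI and is rejected, which mirrors the exact-match rule the provider applies.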

Response elements

Note: When response_type contains both id_token and code, the authorization code is duplicated into the bid_code claim of the id_token to avoid a conflict with the authorization code issued by Azure AD B2C. AAD must copy the claims from the BankID OIDC id_token into the id_token it issues itself. The client must obtain an access_token from the token endpoint of the BankID OIDC Service in order to use resources managed by this service, including the UserInfo endpoint.

Below is an example id_token as returned from the OIDC Provider in its BankID pilot configuration in pre-production (header and payload shown decoded; the signature part is omitted):

{
  "kid":"bankid-oauth",
  "typ":"JWT",
  "alg":"RS256"
}.{
  "preferred_username":"Testesen, Test",
  "name":"Testesen, Test",
  "given_name":"Test",
  "family_name":"Testesen",
  "sub":"9578-6000-4-127698",
  "iat":1485863742,
  "iss":"https://preprod.bankidapis.no",
  "auth_time":1485863742,
  "exp":1485867342,
  "birthdate":"1980-03-09",
  "nonce":"63621460527719310(abbreviated for display)c0NDk1NDIz",
  "amr":["BankID"],
  "azp":"DotNetClient",
  "aud":"DotNetClient",
  "c_hash":"SVJo7O-d4cY8N4VgiVwETQ"
}
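Before the client uses anything from an id_token like the one above it has to validate the claims against what it sent and expects: issuer, audience (and azp), lifetime, the nonce from its own session and, in a hybrid-flow response, that c_hash is the hash of the authorization code it received (and that bid_code, when present, carries the same code). The following Python is an added example, not code from the BankID OIDC documentation: PAGE_EXAMPLE_PAYLOAD is the payload printed above, while CONSTRUCTED_CODE, the "constructed-nonce" value and hybrid_example() are made up here to exercise the c_hash and bid_code path. Signature verification with the key identified by the header's kid must happen before these checks and is not shown.

```python
"""Validate the claims of an ID Token from the BankID OIDC Authorize endpoint.

Added example, not code from the BankID OIDC documentation. Checks iss,
aud/azp, exp, iat, nonce and, for hybrid-flow responses, c_hash and bid_code.
Signature verification (key from the header's kid) is assumed done first.
PAGE_EXAMPLE_PAYLOAD is the payload shown on the page; CONSTRUCTED_CODE and
hybrid_example() are constructed here.
"""
import base64
import hashlib
import time

ISSUER = "https://preprod.bankidapis.no"
CLIENT_ID = "DotNetClient"
CLOCK_SKEW = 60  # seconds of tolerance on exp and iat

PAGE_EXAMPLE_PAYLOAD = {
    "preferred_username": "Testesen, Test", "name": "Testesen, Test",
    "given_name": "Test", "family_name": "Testesen",
    "sub": "9578-6000-4-127698", "iat": 1485863742, "iss": ISSUER,
    "auth_time": 1485863742, "exp": 1485867342, "birthdate": "1980-03-09",
    "nonce": "63621460527719310(abbreviated for display)c0NDk1NDIz",
    "amr": ["BankID"], "azp": CLIENT_ID, "aud": CLIENT_ID,
    "c_hash": "SVJo7O-d4cY8N4VgiVwETQ",
}
CONSTRUCTED_CODE = "constructed-authorization-code-for-the-example"  # not a real code


def compute_c_hash(code, alg="RS256"):
    """c_hash = base64url(left half of HASH(code)); HASH follows alg (SHA-256 for RS256)."""
    digest = hashlib.new("sha" + alg[2:], code.encode("ascii")).digest()
    half = digest[: len(digest) // 2]       # 128 bits for SHA-256
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def hybrid_example(nonce="constructed-nonce"):
    """Constructed hybrid-flow payload: code duplicated into bid_code, c_hash set."""
    now = int(time.time())
    return dict(PAGE_EXAMPLE_PAYLOAD, iat=now, auth_time=now, exp=now + 3600,
                nonce=nonce, bid_code=CONSTRUCTED_CODE,
                c_hash=compute_c_hash(CONSTRUCTED_CODE))


def validate_id_token_claims(payload, expected_iss, client_id, expected_nonce,
                             code=None, alg="RS256", now=None):
    """Return the names of the checks that failed; an empty list means accept."""
    now = time.time() if now is None else now
    failures = []
    if payload.get("iss") != expected_iss:
        failures.append("iss")
    aud = payload.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        failures.append("aud")
    # azp is mandatory with several audiences and, whenever present, must be us.
    azp = payload.get("azp")
    if (len(aud) > 1 and azp is None) or (azp is not None and azp != client_id):
        failures.append("azp")
    if not isinstance(payload.get("exp"), int) or now > payload["exp"] + CLOCK_SKEW:
        failures.append("exp")
    if not isinstance(payload.get("iat"), int) or payload["iat"] > now + CLOCK_SKEW:
        failures.append("iat")
    # nonce ties this token to the request this client started (replay check).
    if payload.get("nonce") != expected_nonce:
        failures.append("nonce")
    if code is not None:
        # Hybrid flow: the code delivered with the id_token must hash to c_hash,
        # and bid_code (used when Azure AD B2C re-issues the token) must equal it.
        if payload.get("c_hash") != compute_c_hash(code, alg):
            failures.append("c_hash")
        if "bid_code" in payload and payload["bid_code"] != code:
            failures.append("bid_code")
    return failures
```

Returning the list of failed checks rather than stopping at the first one makes the reject decision easy (any non-empty list) while still leaving a useful log line; a production client should also pin the accepted alg to what the provider's metadata advertises before trusting the c_hash computation.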

