Introduction

The OpenID Connect Provider from BankID (hereafter referred to as the OIDC Provider) consists of an industry-standard interface to various identity-related services. See the product literature section for further information on the user experience, features and functions of these services. See the technical documentation section for how to integrate with these services via the REST API of the OIDC Provider. See the Release Notes for specific information on the services supported in this particular release of the OIDC Provider.

As suggested by the figure, a technical distinction is made between Identity Provider (IDP) Services and Value-Added Services (VAS). Identity Providers offer authentication of end-users, whereas Value-Added Services offer subsequent access to data on the end-user via an associated Resource Server.

A major benefit of the OIDC Provider is to simplify integration of the BankID service compared to the legacy integration option with BankID Server and its proprietary API. The xID service, being a companion to BankID, offers zero- and one-click user experiences for applications that do not require the high security level offered by BankID. The TINFO service provides profile data on the end-user in an industry-standard way, given that the end-user has consented. TINFO additionally supports some non-standard profile data that are specific to the OIDC Provider from BankID. The PSD2 service supports various AISP and PISP use-cases under PSD2, including support for end-user consent and dynamic linking. In contrast to the TINFO service, note that the PSD2 service does not implement any associated Resource Server. PSD2 resources are made available to AISPs/PISPs over APIs decided by each ASPSP.

OIDC Intro

The term OIDC Client is used for any application that integrates with the OIDC Provider, corresponding to the following terms in related vocabularies:

  • OAuth2 clients in OAuth vocabulary
  • Relying Party in OIDC vocabulary
  • Merchant in BankID vocabulary
  • ASPSPs or TPPs in PSD2 vocabulary.

OIDC Clients must be provisioned (pre-configured) in the OIDC Provider in order to gain access. See the Release Notes for further information on the provisioning process for this particular release of the OIDC Provider.

OIDC Clients use Scopes and Claims to request access to eligible services. Identity Providers return ID Tokens containing assertions about the end-user and (optionally) Access Tokens to gain subsequent access to Value-Added Services concerning the end-user. Consent handling is a key feature of the OIDC Provider that puts the end-user in control of delegating rights to an OIDC Client to access any Value-Added Service on behalf of the end-user.

Live example clients are available to test and get familiar with the OIDC Provider and its supported services. Developers may visit GitHub for source code examples.