The BankID OIDC Provider supports web-based OIDC Client applications using browser re-direction to govern user-experience.
This includes support for app-based OIDC Client applications using web-views. The two supported user-experience alternatives are as follows:
- Redirect: Redirect of the entire application page
- Window: Re-direct of a pop-up (window) from the application (mother) page
By default, the user interface responsiveness is enough to fit on all kinds of devices and viewport sizes, however, we offer ways to further optimize the user interface using the
- Optimize the user interface to be more suited for integration in mobile apps using
- Or, a user interface consistent with a popup (or framed) window using
Our testing tools allows you take a further look into these integration modes.
Using BankID OIDC in native applications
Instead, the user should be redirected using an external user-agent or equivalent:
- Android: Use Custom Tabs (https://developer.chrome.com/multidevice/android/customtabs) or fallback to open external browser on user's device
- iOS: Use SFSafariViewController, SFAuthenticationSession, ASWebAuthenticationSession (support vary based on iOS version)
It is possible to initiate the request from the application/user-agent directly, but you probably want to build the request URL in your backend to store and generate variables like state and nonce. See getting started with OIDC for details.
How to migrate from iframe
Persisting metadata between request and callback
- Create a unique, non-guessable identifier and use the value as the `state` query parameter in the authorization endpoint request, i.e. when initiating BankID OIDC.
- Metadata can be stored in your backend application with a reference to the `state` value.
- Callback: Read the state query parameter in the request to your redirect URI and retrieve the metadata.
Migrating from iframe mode to window mode
- Initiating authentication: Open a new window, i.e. window.open() instead of embedding the request in an iframe.
- Callback: Instead of referring to window.parent you could refer to window.opener on the callback to alert the main window.
Migrating from iframe mode to redirect mode
- Initiating authentication: Redirect user to authorization endpoint instead of embedding the request in an iframe.
- Callback: Instead of serving HTML that communicates with the iframe's parent, serve the page you want the end-user to see.