Simple signing

The simplified flow can be used for text signing and is initiated by parameters in the authorization request:

  • the sign scope in the list of scopes in the scope parameter
  • sign_txt with the text to be signed (fewer than 150 characters) as a Base64-encoded UTF-8 string

Steps

  1. The user requests signing from your service.
  2. You redirect the user to the BankID authorize endpoint with the sign scope and the text to be signed in sign_txt.
  3. The user signs the text.
  4. The BankID OIDC Provider sends the signed text back to your service in the ID token.
  5. Your service verifies the token and extracts the signed text.

Sequence diagram

sequenceDiagram
    actor u as User
    participant Merchant as Your Web App
    participant BankID as BankID
    u ->> Merchant: Request signing
    Merchant->>BankID: GET /authorize?scope=sign&sign_txt=base64encoded(utf8-string)&client_id=...
    BankID-->> Merchant: Redirect to callback with code
    Merchant->>BankID: POST /token with code
    BankID-->>Merchant: ID token with `sign_result` claim
    Merchant->>u: Signing complete

API

Request

GET [authorize_endpoint]... &scope=sign&sign_txt=base64encoded(utf8-string)

Result

The result is returned in the ID token as a claim named sign_result:

{
  "typ": "ID",
  "sub" : "12c2b-...",
  ...
  "sign_result" : {
    "endUser" : "MIAGC...",
    "merchant" : "MIAGC...",
    "hash" : "4oK3g..."
  }
}

The result contains the basic signatures of the merchant and the end user, as well as the hash over the received text.
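The two merchant-side halves of the flow above (building the authorize request from the Steps section, and pulling sign_result out of the ID token from the Result section) as an added Python example; this is illustration code, not BankID's own SDK. It assumes the standard openid scope is sent alongside sign, that state and nonce are used as in any OIDC code flow, and that the claims dictionary handed to extract_sign_result has already been signature-verified against the provider's signing keys (issuer, audience, nonce and expiry checked) by your OIDC library. The authorize endpoint, client_id and redirect URI below are placeholders.

```python
import base64
from urllib.parse import urlencode

# The page states the text must be "less than 150 chars".
MAX_SIGN_TXT_CHARS = 150


def encode_sign_txt(text: str) -> str:
    """Base64-encode the UTF-8 bytes of the text to sign, enforcing the length limit."""
    if len(text) >= MAX_SIGN_TXT_CHARS:
        raise ValueError(f"sign_txt must be shorter than {MAX_SIGN_TXT_CHARS} characters")
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_sign_txt(encoded: str) -> str:
    """Inverse of encode_sign_txt; useful for showing the user what they are about to sign."""
    return base64.b64decode(encoded).decode("utf-8")


def build_sign_authorize_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                             text: str, state: str, nonce: str) -> str:
    """Step 2: the redirect to the BankID authorize endpoint with scope=sign and sign_txt.

    Assumption: openid is requested together with sign, as in a normal OIDC code flow.
    urlencode percent-encodes the Base64 padding ('=') and '+' characters for us.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid sign",
        "sign_txt": encode_sign_txt(text),
        "state": state,   # CSRF binding for the callback
        "nonce": nonce,   # must be echoed in the ID token
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def extract_sign_result(verified_claims: dict) -> dict:
    """Step 5: take the sign_result claim out of an already signature-verified ID token.

    Only structural checks happen here; the signature, issuer, audience, nonce and
    expiry must have been validated before this function is called.
    """
    if verified_claims.get("typ") != "ID":
        raise ValueError("expected an ID token (typ == 'ID')")
    result = verified_claims.get("sign_result")
    if not isinstance(result, dict):
        raise ValueError("ID token carries no sign_result claim; was the sign scope granted?")
    for field in ("endUser", "merchant", "hash"):
        value = result.get(field)
        if not isinstance(value, str) or not value:
            raise ValueError(f"sign_result is missing the {field} field")
    return result


if __name__ == "__main__":
    url = build_sign_authorize_url(
        "https://example.invalid/authorize",      # placeholder endpoint
        "my-client-id", "https://merchant.example/callback",
        "Betal 100 kr", state="s-123", nonce="n-456",
    )
    print(url)
    # Constructed sample of the ID token payload from the page, after verification.
    sample_claims = {
        "typ": "ID",
        "sub": "12c2b-sample",
        "sign_result": {"endUser": "MIAGC-sample", "merchant": "MIAGC-sample", "hash": "4oK3g-sample"},
    }
    print(extract_sign_result(sample_claims))
```

Keep the round-trip in mind when rendering the text to the user: decode_sign_txt on what you actually put in the URL is what the user will be asked to sign, so any truncation or encoding mistake shows up before the redirect rather than in a disputed signature later.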

Remember to verify the token signatures and signing keys.