Encryption¶
Encryption, such as encrypted JWTs (JWE), are used to encrypt sensitive data when applicable. Cryptographic keys used for this purpose are published in the JWKs endpoint as JWKs.
Warning
We highly recommend encrypting sensitive data using encrypted request objects.
This may be mandatory in the future.
BankID supports encryption of incoming Authorization Requests through:
- request authorize parameter
- login_hint encryption (deprecated)
This can be useful in order to ensure personal information is not leaked in the browser history or URL (for example through login_hint).
The login_hint encryption is deprecated as it is being replaced by the encrypted request parameter.
Keys used for encryption in JWKs are all marked with:
Encrypted request parameter¶
| Supported key encryption algorithms | Supported content encryption algorithms |
|---|---|
| RSA1_5 RSA-OAEP RSA-OAEP-256 |
A256GCM A192GCM A128GCM A128CBC-HS256 A192CBC-HS384 A256CBC-HS512 |
Steps to encrypt a request object¶
- Generate a random content encryption key.
- Encrypt the content encryption key using the appropriate public key from our JWKs endpoint.
- Encrypt the request object using the content encryption key.
- Create the JWT with the encrypted content and key.
- Send the encrypted JWT as value in the
requestparameter in the Authorization Request.
Note
Using a secure and community provided library for your chosen platform is highly recommended.
Encrypted login_hint (deprecated)¶
| Supported key encryption algorithms | Supported content encryption algorithms |
|---|---|
| ECDH-ES RSA-OAEP RSA-OAEP-256 |
A128GCM A128CBC-HS256 |
The encrypted login_hint should be formatted as a JWE Compact Serialization. The ciphertext is the encrypted plaintext login_hint.
A typical login hint:
will using the encryption key in the jwk example, be:login_hint=eyJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTI1NiIsIngiOiJjSm1XTWtrcXlWUDYtb
Fcya3hoSElUZG5oNkR1MkNzUklZZzBja3lXdVdBIiwieSI6IlRpbDROMFlGNWFSNnJJUWpHRjY4cWRkQ
2ZfcDJuVmJCM1RMY2U2bDNxVlkifSwia2lkIjoiZW5jcnlwdGtleSIsImVuYyI6IkExMjhHQ00iLCJhb
GciOiJFQ0RILUVTIn0..DzbBsb5mQSl-S-zG.-hL1oyZNRrqkp4UJHxX_.Q0n47mXdkmAoDfSqu-vkEg
The header part of the JWE object is in this case:
{
"epk": {
"kty": "EC",
"crv": "P-256",
"x": "cJmWMkkqyVP6-lW2kxhHITdnh6Du2CsRIYg0ckyWuWA",
"y": "Til4N0YF5aR6rIQjGF68qddCf_p2nVbB3TLce6l3qVY"
},
"kid": "encryptkey",
"enc": "A128GCM",
"alg": "ECDH-ES"
}
BankID OIDC provider will use the kid value to extract the correct key for decryption. If the kid value is not set, the decryption will fail.
The message to be encrypted is not JSON, it is simply: