Encryption

Encryption, such as encrypted JWTs (JWE), is used to protect sensitive data where applicable. The cryptographic keys used for this purpose are published as JWKs on the JWKs endpoint.

Warning

We highly recommend encrypting sensitive data using encrypted request objects.

This may be mandatory in the future.

BankID supports encryption of incoming Authorization Requests through:

  - the encrypted request parameter
  - the encrypted login_hint (deprecated)

This can be useful to ensure that personal information (for example a login_hint) is not leaked into the browser history or the URL.

The login_hint encryption is deprecated as it is being replaced by the encrypted request parameter.

All keys intended for encryption are marked in the JWKs with:

{
  "use": "enc"
}

Encrypted request parameter

Supported key encryption algorithms:

  RSA1_5
  RSA-OAEP
  RSA-OAEP-256

Supported content encryption algorithms:

  A256GCM
  A192GCM
  A128GCM
  A128CBC-HS256
  A192CBC-HS384
  A256CBC-HS512

Steps to encrypt a request object

  1. Generate a random content encryption key.
  2. Encrypt the content encryption key using the appropriate public key from our JWKs endpoint.
  3. Encrypt the request object using the content encryption key.
  4. Create the JWT with the encrypted content and key.
  5. Send the encrypted JWT as value in the request parameter in the Authorization Request.
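The five steps carried out end to end, as an added example that is not BankID's own code: it uses only Go's standard library and picks RSA-OAEP-256 with A256GCM from the table above. It assumes the provider's RSA public key and its kid are passed in; demoKey generates a constructed stand-in, whereas in practice the public key comes from the JWKs endpoint and only BankID holds the private half.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)
var b64 = base64.RawURLEncoding // JOSE base64url without padding
// EncryptRequestObject performs steps 1-4 with RSA-OAEP-256 + A256GCM and returns a JWE Compact Serialization.
func EncryptRequestObject(pub *rsa.PublicKey, kid string, requestObject []byte) (string, error) {
	cek := make([]byte, 32) // step 1: random 256-bit content encryption key (CEK)
	if _, err := rand.Read(cek); err != nil {
		return "", err
	}
	// step 2: wrap the CEK with the provider's public key fetched from the JWKs endpoint
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return "", err
	}
	// the protected header carries that key's kid so the provider can select the private key
	hdr, _ := json.Marshal(map[string]string{"alg": "RSA-OAEP-256", "enc": "A256GCM", "kid": kid})
	protected := b64.EncodeToString(hdr)
	// step 3: AES-256-GCM with a fresh 96-bit IV; the encoded header is the authenticated AAD
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block)
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nil, iv, requestObject, []byte(protected))
	ct, tag := sealed[:len(sealed)-gcm.Overhead()], sealed[len(sealed)-gcm.Overhead():]
	// step 4: header.encryptedKey.iv.ciphertext.tag is the value of the request parameter
	return strings.Join([]string{protected, b64.EncodeToString(wrapped), b64.EncodeToString(iv),
		b64.EncodeToString(ct), b64.EncodeToString(tag)}, "."), nil
}

// demoKey is a constructed key pair standing in for the provider's JWK marked "use": "enc".
func demoKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

func main() {
	jwe, _ := EncryptRequestObject(&demoKey().PublicKey, "example-kid", []byte(`{"scope":"openid"}`))
	fmt.Println(jwe) // step 5: send this as the request parameter of the Authorization Request
}
```

Because the protected header is bound into the ciphertext as GCM additional data, any change to alg, enc or kid in transit fails authentication when the provider decrypts.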

Note

Using a secure, community-provided library for your chosen platform is highly recommended.

Encrypted login_hint (deprecated)

Supported key encryption algorithms:

  ECDH-ES
  RSA-OAEP
  RSA-OAEP-256

Supported content encryption algorithms:

  A128GCM
  A128CBC-HS256

The encrypted login_hint should be formatted as a JWE Compact Serialization. The ciphertext is the encrypted plaintext login_hint.

A typical login hint:

login_hint=BID:14025800177

will, when encrypted with the key from the JWK example, become:

login_hint=eyJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTI1NiIsIngiOiJjSm1XTWtrcXlWUDYtbFcya3hoSElUZG5oNkR1MkNzUklZZzBja3lXdVdBIiwieSI6IlRpbDROMFlGNWFSNnJJUWpHRjY4cWRkQ2ZfcDJuVmJCM1RMY2U2bDNxVlkifSwia2lkIjoiZW5jcnlwdGtleSIsImVuYyI6IkExMjhHQ00iLCJhbGciOiJFQ0RILUVTIn0..DzbBsb5mQSl-S-zG.-hL1oyZNRrqkp4UJHxX_.Q0n47mXdkmAoDfSqu-vkEg

The header part of the JWE object is in this case:

{
  "epk": {
    "kty": "EC",
    "crv": "P-256",
    "x": "cJmWMkkqyVP6-lW2kxhHITdnh6Du2CsRIYg0ckyWuWA",
    "y": "Til4N0YF5aR6rIQjGF68qddCf_p2nVbB3TLce6l3qVY"
  },
  "kid": "encryptkey",
  "enc": "A128GCM",
  "alg": "ECDH-ES"
}

The BankID OIDC provider uses the kid value to select the correct key for decryption. If kid is not set, decryption fails.

The plaintext to be encrypted is not JSON; it is simply:

BID:14025800177