Skip to content

Implementing in native applications

BankID with biometrics supports being implemented in native applications. This enables smooth user experiences inside your native app.

Follow the documentation

Note that it is required to adhere to the approaches described for each platform as other approaches may have inadequate security models, or may lack support for the webauthn API used by BankID with biometrics, resulting in a poor or potentially broken user experience.

Android

When starting the BankID with biometrics authorization flow in an Android app, use a Custom Tab.

iOS

When starting the BankID with biometrics authorization flow in an iOS app, use either a ASWebAuthenticationSession or a SFSafariViewController.

We recommend using ASWebAuthenticationSession for the most seamless user experience.

Bringing the user back to your iOS app

You can use the app_callback_uri parameter to ensure that the user is redirected back to your app after the BankID with biometrics authentication is completed. Without this, the user will have to manually navigate back to your app.

A two-way association for universal links must be set up for the app_callback_uri to work. See the relevant platform documentation for more information.

Requires upfront permissions

Providing an app_callback_uri parameter requires using an upfront permission flow.

Not needed for Android apps

The app_callback_uri parameter is only relevant for iOS Apps, as Android users are normally able to authenticate in a Custom Tab directly inside your Android application.

If an Android user needs to open the Android Authenticating app directly during the authentication, the Authenticating app should automatically close when done, revealing your app without needing to set app_callback_uri.

Example flow using the app_callback_uri parameter:

sequenceDiagram
    autonumber
    participant MerchantApp as Merchant App
    participant MerchantBackend as Merchant Backend
    participant BankID_OIDC_Backend as BankID OIDC Backend
    participant Backend as BankID Biometrics Backend
    participant BankID_OIDC as Merchant Controlled browser (BankID OIDC)
    participant BAPP as Authenticating app

    MerchantApp ->> MerchantBackend: beginAuth 
    MerchantBackend ->> Backend: POST /permissions<br/>{ "app_callback_uri": "https://merchant.com/callback" }
    Backend ->> MerchantBackend: permissionToken
    MerchantBackend ->> MerchantApp: permissionToken 
    MerchantApp ->> BankID_OIDC: /authorize?permissionToken=X&callback_uri=Y
    BankID_OIDC ->> BAPP: app switch IN
    BAPP ->> BAPP: user authenticates
    BAPP ->> MerchantApp: app switch OUT w/ app_callback_uri
    MerchantApp ->> BankID_OIDC: merchant must open same browser session
    BankID_OIDC ->> MerchantApp: redirect to callback_uri w/ ?authCode=X
    MerchantApp ->> MerchantBackend: pass authCode to backend
    MerchantBackend->> BankID_OIDC_Backend: exchange authCode for token using /token
    BankID_OIDC_Backend ->> MerchantBackend: idToken + accessToken
    MerchantBackend ->> MerchantApp: idToken + accessToken

Going directly into the iOS app

If you require a direct app-to-app flow where the user directly jumps in and out of the BankID App without the merchant app opening an in-app browser, and you've already implemented a flow using the app_callback_uri parameter, you might consider implementing the App2App flow.

See the page on App2App support for further details.