Implementing in native applications
BankID with biometrics can be implemented in native applications, which allows for a smooth user experience inside your native app.
Warning
Note that it is required to adhere to the approach described for each platform below: other approaches may have inadequate security models, or may lack support for the WebAuthn API used by BankID with biometrics, resulting in a poor or even broken user experience.
Android
When starting the BankID with biometrics authorization flow in an Android app, use a Custom Tab.
iOS
When starting the BankID with biometrics authorization flow in an iOS app, use either:
Tip
We recommend using ASWebAuthenticationSession for the most seamless user experience.
Bringing the user back to your iOS app
When using an upfront permission flow, you can use the app_callback_uri parameter to ensure that the user is redirected back to your app after the BankID with biometrics authentication is completed. Without it, the user has to navigate back to your app manually.
Info
app_callback_uri support is currently in public preview.
This is only relevant for iOS apps, as Android users are normally able to authenticate directly in a Custom Tab inside your Android application. If an Android user needs to open the Android Authenticating app during the authentication, the Authenticating app closes automatically when done, revealing your app, so this URI does not need to be set.
A two-way association for universal links must be set up for the app_callback_uri to work. See the relevant platform documentation for more information.
Example flow using app_callback_uri

```mermaid
sequenceDiagram
autonumber
participant MerchantApp as Merchant App
participant MerchantBackend as Merchant Backend
participant BankID_OIDC_Backend as BankID OIDC Backend
participant Backend as BankID Biometrics Backend
participant BankID_OIDC as Merchant Controlled browser (BankID OIDC)
participant BAPP as Authenticating app
MerchantApp ->> MerchantBackend: beginAuth
MerchantBackend ->> Backend: POST /permissions<br/>{ "app_callback_uri": "https://merchant.com/callback" }
Backend ->> MerchantBackend: permissionToken
MerchantBackend ->> MerchantApp: permissionToken
MerchantApp ->> BankID_OIDC: /authorize?permissionToken=X&callback_uri=Y
BankID_OIDC ->> BAPP: app switch IN
BAPP ->> BAPP: user authenticates
BAPP ->> MerchantApp: app switch OUT w/ app_callback_uri
MerchantApp ->> BankID_OIDC: merchant must open same browser session
BankID_OIDC ->> MerchantApp: redirect to callback_uri w/ ?authCode=X
MerchantApp ->> MerchantBackend: pass authCode to backend
MerchantBackend ->> BankID_OIDC_Backend: exchange authCode for token using /token
BankID_OIDC_Backend ->> MerchantBackend: idToken + accessToken
MerchantBackend ->> MerchantApp: idToken + accessToken
```
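The iOS side of the flow above, as an added example that is not BankID's own code: it assumes a placeholder authorize URL, a custom `merchantapp://` scheme as the OIDC callback_uri, and an `onAuthCode` closure that posts the code to the Merchant Backend (which alone calls /token). Step 9 is read here as keeping the single ASWebAuthenticationSession alive across the app switch rather than starting a new one.

```swift
import AuthenticationServices
import UIKit
// Added example, not BankID's code. Assumed: the authorize URL, the custom
// "merchantapp" scheme used as callback_uri, and an onAuthCode closure that
// posts the code to the Merchant Backend, which alone calls /token (step 12).
final class BankIDBiometricsLogin: NSObject, ASWebAuthenticationPresentationContextProviding {
    private let authorizeBase = "https://oidc.example/authorize" // assumed placeholder
    private let callbackScheme = "merchantapp"                    // assumed app-owned scheme
    private let onAuthCode: (String) -> Void
    private weak var anchor: UIWindow?
    // Strong reference: the session must outlive the switch to the Authenticating app.
    private var session: ASWebAuthenticationSession?
    init(onAuthCode: @escaping (String) -> Void) { self.onAuthCode = onAuthCode }
    // Step 5: open /authorize with the permissionToken (from POST /permissions, steps 2-4).
    func start(permissionToken: String, in window: UIWindow) {
        guard session == nil else { return } // one session per flow; never start a second
        anchor = window
        var comps = URLComponents(string: authorizeBase)!
        comps.queryItems = [URLQueryItem(name: "permissionToken", value: permissionToken),
                            URLQueryItem(name: "callback_uri", value: "\(callbackScheme)://auth")]
        let s = ASWebAuthenticationSession(url: comps.url!, callbackURLScheme: callbackScheme) {
            [weak self] url, error in
            defer { self?.session = nil }
            // Steps 10-11: authCode arrives on callback_uri and goes to the backend only;
            // the app never exchanges it for tokens itself.
            guard error == nil, let url = url, let code = Self.authCode(from: url) else { return }
            self?.onAuthCode(code)
        }
        s.presentationContextProvider = self
        session = s
        s.start()
    }
    // Steps 8-9: the Authenticating app returns via the app_callback_uri universal link.
    // Only acknowledge it; the session from step 5 is still presented and must continue
    // there ("merchant must open same browser session"), so do not start another one.
    func handleReturn(_ activity: NSUserActivity) -> Bool {
        guard activity.activityType == NSUserActivityTypeBrowsingWeb,
              let url = activity.webpageURL, url.host == "merchant.com", url.path == "/callback"
        else { return false }
        return session != nil
    }
    static func authCode(from url: URL) -> String? {
        URLComponents(url: url, resolvingAgainstBaseURL: false)?
            .queryItems?.first { $0.name == "authCode" }?.value
    }
    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        anchor ?? ASPresentationAnchor()
    }
}
```

The universal link itself is delivered to your SceneDelegate's scene(_:continue:), which should forward the NSUserActivity to handleReturn.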