/security-authentication-samples

Samples for our Identity Provider Server

Primary language: C#. License: MIT.

Collector Identity Provider (IdP)

  1. Overview
  2. Prerequisites
    1. Authentication methods
    2. Redirect URIs
  3. Customization
    1. OAuth OpenID Connect code flow custom parameter values
    2. Authentication method details
    3. UI locales and authentication methods
  4. Try It Out
    1. To test OAuth OpenID Connect code flow
    2. Test User
  5. Samples

Overview

The Collector IdP supports OAuth OpenID Connect code flow. Details can be found at connect2id.

There are two environments.

The metadata address for each environment is located at:

Authentication methods supported:

  • Swedish BankID
  • Swedish Mobile BankID
  • Swedish Mobile BankID QR
  • Norwegian BankID
  • Norwegian Mobile BankID
  • Norwegian BankID HIGH
  • Finnish Trust Network
  • Danish NemID

Prerequisites

In order to use the Collector IdP you need to preregister by contacting Collector. Provide the following information:

  • Authentication methods
  • Redirect URIs

Authentication methods

Specify which authentication methods you want to use; the supported methods are listed above.

Redirect URIs

For the OAuth OpenID Connect code flow you need to specify the redirect URIs that should be available for use in an authentication request.

The redirect URIs must use the https scheme. When you are registered you will get a Client Id.

When the client is set up, you are able to call the authorize endpoint using the OAuth OpenID Connect code flow (i.e. response_type=code and scope=openid).


Customization

Collector IdP specific parameter values that can be set when making an authentication request.

OAuth OpenID Connect code flow custom parameter values

OAuth Parameter | Values | Description
--- | --- | ---
ui_locales | sv, nb, fi, en | One or more UI locales separated by space. See Authentication method details for more info.

For other parameters see the specification:

Authentication method details

Authentication method | Code | SSN | UI locale | Default UI locale
--- | --- | --- | --- | ---
Swedish BankID & Swedish BankID Mobile | urn:collectorbank:ac:method:sbid | yyyyMMddNNNC | sv, en | sv
Swedish BankID Mobile | urn:collectorbank:ac:method:sbid-mobil | yyyyMMddNNNC | sv, en | sv
Swedish BankID Mobile QR | urn:collectorbank:ac:method:sbid-qr | yyyyMMddNNNC | sv, en | sv
Norwegian BankID | urn:collectorbank:ac:method:nbid | ddMMyyZZZQQ | nb, en | nb
Norwegian Mobile BankID | urn:collectorbank:ac:method:nbid-mobil | ddMMyyZZZQQ | nb, en | nb
Norwegian BankID HIGH | urn:collectorbank:ac:method:nbid_idp:BID | ddMMyyZZZQQ | nb, en | nb
Finnish Trust Network | urn:collectorbank:ac:method:ftn | ddMMyyCzzzQ | fi, sv, en | fi
Danish NemID | urn:collectorbank:ac:method:nemid | ddMMyy-ssss | da, en | da

where d = day, M = month, y = year, C = century sign (+ or - or A), z = serial number, Q = control digit, s = sequence number

The authentication method to use is selected with the acr_values parameter.

acr_values is a space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing the Authentication Request. The format is urn:collectorbank:ac:method:<method>, as listed in the Code column of the table above.

Multiple authentication methods (for the same country) are allowed.

UI locales and authentication methods

The UI locale used is based on the UI locales specified in the authentication request and the UI locales that the authentication method supports.

If ui_locales is specified in the authentication request, the first locale in the list that is supported by the authentication method will be used.

If none of the specified UI locales is supported, the end user will see a screen where they can choose the locale they want to use.

If ui_locales is not specified in the authentication request, the default UI locale of the authentication method (see the table above) will be used.
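The three rules above, written out as a function so the cases can be seen side by side. This is an added example and not code from the Collector samples repository; the supported and default locales per acr value are copied from the Authentication method details table, and the function resolves a single acr value (a request carrying several methods would apply the same rule per method).

```csharp
// Added example (not from the Collector samples): the IdP's UI-locale selection rule.
using System;
using System.Collections.Generic;
using System.Linq;

public static class UiLocaleSelection
{
    // Supported and default UI locales per acr value, from the "Authentication method details" table.
    private static readonly Dictionary<string, (string[] Supported, string Default)> Methods =
        new Dictionary<string, (string[], string)>
        {
            ["urn:collectorbank:ac:method:sbid"]         = (new[] { "sv", "en" }, "sv"),
            ["urn:collectorbank:ac:method:sbid-mobil"]   = (new[] { "sv", "en" }, "sv"),
            ["urn:collectorbank:ac:method:sbid-qr"]      = (new[] { "sv", "en" }, "sv"),
            ["urn:collectorbank:ac:method:nbid"]         = (new[] { "nb", "en" }, "nb"),
            ["urn:collectorbank:ac:method:nbid-mobil"]   = (new[] { "nb", "en" }, "nb"),
            ["urn:collectorbank:ac:method:nbid_idp:BID"] = (new[] { "nb", "en" }, "nb"),
            ["urn:collectorbank:ac:method:ftn"]          = (new[] { "fi", "sv", "en" }, "fi"),
            ["urn:collectorbank:ac:method:nemid"]        = (new[] { "da", "en" }, "da"),
        };

    // Returns the locale the IdP renders for this method and ui_locales value, or null when the
    // request named locales but none of them is supported (the end user then gets the chooser screen).
    public static string Resolve(string acrValue, string uiLocales)
    {
        if (!Methods.TryGetValue(acrValue, out var method))
            throw new ArgumentException("unknown acr value: " + acrValue, nameof(acrValue));

        var requested = (uiLocales ?? string.Empty)
            .Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);

        if (requested.Length == 0)
            return method.Default;                                        // rule 3: no ui_locales sent

        return requested.FirstOrDefault(l => method.Supported.Contains(l)); // rule 1, or null for rule 2
    }

    public static void Main()
    {
        const string sbid = "urn:collectorbank:ac:method:sbid";
        Console.WriteLine(Resolve(sbid, "da sv") ?? "<chooser>"); // sv: first requested locale sbid supports
        Console.WriteLine(Resolve(sbid, "da")    ?? "<chooser>"); // <chooser>: requested but unsupported
        Console.WriteLine(Resolve(sbid, null)    ?? "<chooser>"); // sv: method default
    }
}
```

Locale tags are compared ordinally, exactly as they appear in the request; a relying party that wants a predictable screen should therefore send the tags in the form the table lists them.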

Authentication method (acr value) | Supported UI locales | Default UI locales


Try It Out

To test OAuth OpenID Connect code flow

You can use the following settings to try out the OAuth OpenID Connect code flow in the test environment.

  • Server: https://idp-uat.collectorbank.se/
  • client_id: MZxDS_9hY64cva_-V9eV
  • response_type: code

Redirect URIs that you can use are:

  • https://localhost:45000/signin-oidc
  • https://localhost:45000/signin
  • https://localhost:45100/signin-oidc
  • https://localhost:45100/signin
  • https://localhost:44300/signin-oidc

You can also specify ui_locales and acr_values; see Authentication method details above.

⚠️ IMPORTANT

Please note that you MUST validate that the id token contains the subject's national_id. It is not enough to assume that the id token is issued for the subject noted in the login_hint of the request.
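An ASP.NET Core (2.x) relying-party configuration for the UAT settings above that sends acr_values, ui_locales and login_hint on the authentication request and, on return, enforces the note above by failing the sign-in when the id token has no national_id claim or its value differs from the subject the login was started for. This is an added example, not code from the Collector samples repository. It assumes the claim is named national_id as the note says, that login_hint carries the same national id value (this README does not define the login_hint format), and that the handler's own checks (signature, issuer, audience, nonce, lifetime) have already run when OnTokenValidated fires; the Login action's query parameters method and ssn are names invented for the example, and client-secret handling is not described in this README.

```csharp
// Added example (not from the Collector samples): OIDC code flow against the UAT IdP with the
// Collector-specific request parameters and a subject-binding check on the returned id token.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class CollectorIdpSetup
{
    // Keys used to pass the per-login choices from the controller to the OIDC events via AuthenticationProperties.
    public const string AcrValuesKey = "collector.acr_values";
    public const string UiLocalesKey = "collector.ui_locales";
    public const string LoginHintKey = "collector.login_hint";

    // acr values from the "Authentication method details" table; anything else is rejected before redirecting.
    public static readonly HashSet<string> KnownMethods = new HashSet<string>(StringComparer.Ordinal)
    {
        "urn:collectorbank:ac:method:sbid", "urn:collectorbank:ac:method:sbid-mobil",
        "urn:collectorbank:ac:method:sbid-qr", "urn:collectorbank:ac:method:nbid",
        "urn:collectorbank:ac:method:nbid-mobil", "urn:collectorbank:ac:method:nbid_idp:BID",
        "urn:collectorbank:ac:method:ftn", "urn:collectorbank:ac:method:nemid",
    };

    public static IServiceCollection AddCollectorIdp(this IServiceCollection services)
    {
        services.AddAuthentication(o =>
        {
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(o =>
        {
            o.Authority = "https://idp-uat.collectorbank.se/"; // UAT server from this README
            o.ClientId = "MZxDS_9hY64cva_-V9eV";               // UAT client_id from this README
            o.ResponseType = "code";                           // OpenID Connect code flow
            o.Scope.Clear();
            o.Scope.Add("openid");
            o.CallbackPath = "/signin-oidc";                   // e.g. https://localhost:44300/signin-oidc
            // o.ClientSecret: not covered by this README; set it as your registration requires.
            o.Events = new OpenIdConnectEvents
            {
                OnRedirectToIdentityProvider = ctx =>
                {
                    // Copy the values chosen by the Login action onto the authorize request.
                    if (ctx.Properties.Items.TryGetValue(AcrValuesKey, out var acr)) ctx.ProtocolMessage.AcrValues = acr;
                    if (ctx.Properties.Items.TryGetValue(UiLocalesKey, out var loc)) ctx.ProtocolMessage.UiLocales = loc;
                    if (ctx.Properties.Items.TryGetValue(LoginHintKey, out var hint)) ctx.ProtocolMessage.LoginHint = hint;
                    return Task.CompletedTask;
                },
                OnTokenValidated = ctx =>
                {
                    // Cryptographic and protocol checks are done by the handler; bind the token to the subject here.
                    var nationalId = ctx.Principal?.FindFirst("national_id")?.Value;
                    if (string.IsNullOrEmpty(nationalId))
                    {
                        ctx.Fail("id token does not contain a national_id claim");
                        return Task.CompletedTask;
                    }
                    // Assumption: login_hint holds the same national id value as the claim.
                    if (ctx.Properties.Items.TryGetValue(LoginHintKey, out var expected) &&
                        !string.Equals(expected, nationalId, StringComparison.Ordinal))
                    {
                        ctx.Fail("id token national_id differs from the subject this login was started for");
                    }
                    return Task.CompletedTask;
                },
            };
        });
        return services;
    }
}

public class AccountController : Controller
{
    // GET /account/login?method=urn:collectorbank:ac:method:sbid&ssn=<yyyyMMddNNNC>  (parameter names invented here)
    [HttpGet]
    public IActionResult Login(string method, string ssn, string returnUrl = "/")
    {
        if (string.IsNullOrEmpty(method) || !CollectorIdpSetup.KnownMethods.Contains(method))
            return BadRequest("unknown authentication method");
        if (!Url.IsLocalUrl(returnUrl))
            returnUrl = "/";                                  // keep the post-login redirect on this site

        var props = new AuthenticationProperties { RedirectUri = returnUrl };
        props.Items[CollectorIdpSetup.AcrValuesKey] = method;
        props.Items[CollectorIdpSetup.UiLocalesKey] = "sv en"; // first locale the method supports is used
        if (!string.IsNullOrEmpty(ssn)) props.Items[CollectorIdpSetup.LoginHintKey] = ssn;
        return Challenge(props, OpenIdConnectDefaults.AuthenticationScheme);
    }
}
```

Register it with `services.AddCollectorIdp();` in ConfigureServices and add `app.UseAuthentication();` to the pipeline. The values stored in AuthenticationProperties.Items round-trip through the protected state parameter, so the login_hint compared in OnTokenValidated is the one this relying party itself sent, not something the response could supply.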

Test User

For PROD you will need a real account when authenticating.

For Test and UAT you need a test user when authenticating.


Samples

All samples are written in C# using ASP.NET.

Sample | Protocol | Description
--- | --- | ---
OpenIDConnectWebClientCore | OpenID Connect code flow | ASP.NET Core using the .NET Core 2.2 framework