Authentication
Credentials
To authenticate with the ID-Card in BankID-app API, you use a Token obtained from the BankID OIDC API by exchanging a client_id, client_secret and scope grant. This uses the OAuth client_credentials flow and you can read more about it here.
You will be supplied with the API credentials separately.
API Authentication with OIDC Token
To successfully get an OIDC Token to authenticate to our API, build the authorization endpoint URI by adding the following parameters:
grant_type: client_credentials
client_id: The Client ID for your BankID OIDC Token
client_secret: The Client Secret for your BankID OIDC Token
scope: Specifies the requested information about a user
Example of a valid OIDC token request
POST https://auth.current.bankid.no/auth/realms/current/protocol/openid-connect/token
?grant_type=client_credentials
&client_id=visleg-test-froggy-bankid-current
&client_secret=7qO828HQvQBZ1lJnOHPMQ0TJSaWv4U28
&scope=vis-leg/identity_basic
Example of a valid OIDC token response
HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiS(...)",
  "expires_in": 300,
  "refresh_expires_in": 0,
  "token_type": "bearer",
  "not-before-policy": 0,
  "scope": "vis-leg/identity_full"
}
Cache the Authentication Token for use until it expires, at which point obtain a new token.
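An added example, not BankID's own code: a small cache that requests the token with the client_credentials grant and reuses it until shortly before expires_in elapses. It assumes the token endpoint accepts the parameters as a form-encoded POST body (the standard OAuth 2.0 form), which keeps client_secret out of URLs and access logs; the class name, the 30-second skew and the environment variable names are assumptions.

```python
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://auth.current.bankid.no/auth/realms/current/protocol/openid-connect/token"


def fetch_token(client_id, client_secret, scope):
    """POST the client_credentials grant as a form body and return the parsed JSON."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    req = urllib.request.Request(TOKEN_URL, data=form, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Holds one access token and renews it shortly before expires_in runs out."""

    def __init__(self, fetch, skew=30, clock=time.monotonic):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._deadline = None, 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._deadline:
            body = self._fetch()
            if body.get("token_type", "").lower() != "bearer" or not body.get("access_token"):
                raise ValueError("unexpected token response")
            # Clamp so a lifetime shorter than the skew never yields a negative window.
            lifetime = max(int(body["expires_in"]) - self._skew, 0)
            self._token, self._deadline = body["access_token"], now + lifetime
        return self._token


if __name__ == "__main__":
    # Credentials come from the environment, not from source code (variable names are assumptions).
    cache = TokenCache(lambda: fetch_token(os.environ["BANKID_CLIENT_ID"],
                                           os.environ["BANKID_CLIENT_SECRET"],
                                           "vis-leg/identity_basic"))
    print("token acquired, length", len(cache.get()))
```

With the 300-second lifetime shown in the response above, the cache renews the token after 270 seconds.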
Usage
The authentication Token should be supplied in the Authorization header when making calls to ID-Card in BankID-app API.
Example of a valid request