Auth0

This tutorial demonstrates how to integrate Criipto Verify with Auth0. Following steps are required to complete your first login:

Register your Auth0 tenant in Criipto Verify
Configure your OAuth2 flow
Create Auth0 connections
Integrate your application with Auth0

In the following you will be configuring first Criipto Verify, then Auth0, and finally finishing the Criipto Verify configuration with the information you get from Auth0. Once configured you may test that everything works from Auth0.

Register your Auth0 tenant in Criipto Verify

First, you must register your Auth0 tenant as an application in Criipto Verify.

Once you register your Auth0 tenant, you will also need some of the information for configuring Auth0 to communicate with Criipto Verify. You get these details from the settings of the application in the dashboard.

Specifically you need the following information to integrate with Auth0:

Client ID to identify your Auth0 tenant to Criipto Verify. In the case below we chose urn:criipto:samples:no1
Domain on which you will be communicating with Criipto Verify. Could be for example samples.criipto.id
Client secret is needed if you choose the Back Channel approach - which we do recommend. The secret is generated and copied as describe further down.

Configure the OAuth2 code flow

If you are registering a new application, you must first save the configuration.

Once you have a saved application registration you may configure the OAuth2 code flow.

Open the application registration and configure it for the right OAuth2 flow:

Enable OAuth2 code flow
Copy the generated client secret.
Set the user info response strategy to plainJson to enable retrieval of plain JSON user information from the /oauth2/userinfo endpoint.

OAuth2 code flow

Note that this is the only time you will be shown the actual value of the client secret. Criipto only stores this as a hashed value, which means you cannot retrieve the value once it has been generated and stored.

OAuth2 code flow

Some libraries do not support the final userinfo request. In those cases you will need to fetch the user data directly from the token endpoint as opposed to the userinfo endpoint. Do this by choosing the appropriate option as shown below.

You may configure Criipto Verify to retrieve the user information from either the userinfo endpoint - the default option - or you may explicitly choose the fromTokenEndpoint in the user info response strategy instead: OAuth2 code flow

Create Auth0 connections

To integrate Criipto Verify with Auth0, you create an Auth0 OpenID Connect connection to communicate with Criipto Verify. Because Auth0 will not pass the acr_values to Criipto Verify, you will have to create a new connection for every e-ID option that you intend to use. (acr_values is a parameter in the /authorize request to Criipto Verify needed to specify which kind of e-ID is requested)

For those cases, you can leverage our login-method specific metadata endpoints. Each of these contain an embedded and base64-encoded variant of the ‘raw’ value normally supplied in the acr_values.

Syntax:

https://yourdomain.criipto.id/BASE64(acr_values)/.well-known/openid-configuration

For example, the acr_values of Norwegian BankID login method is urn:grn:authn:no:bankid. This translates to dXJuOmdybjphdXRobjpubzpiYW5raWQ= in base64 (UTF-8 charset), so the metadata endpoint will be:

https://yourdomain.criipto.id/dXJuOmdybjphdXRobjpubzpiYW5raWQ=/.well-known/openid-configuration

Below is a list of supported login methods with corresponding base64 encoded acr_values. Choose the once you intend to use.

Login method	acr_values	base64 encoded
Norwegian BankID
Mobile or Web (user choice):	`urn:grn:authn:no:bankid`	`dXJuOmdybjphdXRobjpubzpiYW5raWQ=`
Norwegian Vipps Login
Login with Vipps app:	`urn:grn:authn:no:vipps`	`dXJuOmdybjphdXRobjpubzp2aXBwcw==`
Swedish BankID
All options (user chooses):	`urn:grn:authn:se:bankid`	`dXJuOmdybjphdXRobjpzZTpiYW5raWQ=`
Same device:	`urn:grn:authn:se:bankid:same-device`	`dXJuOmdybjphdXRobjpzZTpiYW5raWQ6c2FtZS1kZXZpY2U=`
Another device (aka mobile):	`urn:grn:authn:se:bankid:another-device`	`dXJuOmdybjphdXRobjpzZTpiYW5raWQ6YW5vdGhlci1kZXZpY2U=`
QR code:	`urn:grn:authn:se:bankid:another-device:qr`	`dXJuOmdybjphdXRobjpzZTpiYW5raWQ6YW5vdGhlci1kZXZpY2U6cXI=`
Danish NemID
Personal with code card:	`urn:grn:authn:dk:nemid:poces`	`dXJuOmdybjphdXRobjpkazpuZW1pZDpwb2Nlcw==`
Employee with code card:	`urn:grn:authn:dk:nemid:moces`	`dXJuOmdybjphdXRobjpkazpuZW1pZDptb2Nlcw==`
Employee with code file:	`urn:grn:authn:dk:nemid:moces:codefile`	`dXJuOmdybjphdXRobjpkazpuZW1pZDptb2Nlczpjb2RlZmlsZQ==`
Danish MitID
Level low:	`urn:grn:authn:dk:mitid:low`	`dXJuOmdybjphdXRobjpkazptaXRpZDpsb3c=`
Level substantial:	`urn:grn:authn:dk:mitid:substantial`	`dXJuOmdybjphdXRobjpkazptaXRpZDpzdWJzdGFudGlhbA==`
Finish e-ID
BankID:	`urn:grn:authn:fi:bankid`	`dXJuOmdybjphdXRobjpmaTpiYW5raWQ=`
Mobile certificate (Mobiilivarmenne):	`urn:grn:authn:fi:mobile-id`	`dXJuOmdybjphdXRobjpmaTptb2JpbGUtaWQ=`
Both of the above:	`urn:grn:authn:fi:all`	`dXJuOmdybjphdXRobjpmaTphbGw=`
Itsme
Basic:	`urn:grn:authn:itsme:basic`	`dXJuOmdybjphdXRobjppdHNtZTpiYXNpYw==`
Advanced:	`urn:grn:authn:itsme:advanced`	`dXJuOmdybjphdXRobjppdHNtZTphZHZhbmNlZA==`
Belgium
Verified e-ID:	`urn:grn:authn:be:eid:verified`	`dXJuOmdybjphdXRobjpiZTplaWQ6dmVyaWZpZWQ=`
Germany
Sofort (with Schufa check):	`urn:grn:authn:de:sofort`	`dXJuOmdybjphdXRobjpkZTpzb2ZvcnQ=`

Create the OIDC connection(s)

You create an OIDC connection for every login method you intend to use.

Go to Auth0 dashboard for your tenant and under Connections chose Enterprise.
Select OpenID Connect and create a new connection.
Enter Connection name and Display name.
Under Issuer URL enter the login-method specific URL, as described above.
Choose Front Channel or Back Channel as a Type, depending on how you intend to integrate it with you application.
- you should choose Front Channel only if you are developing pure SPA application. In that case, make sure to enable Callback on location hash in Criipto application management, instead of OAuth2 Code Flow. Otherwise choose Back Channel.
Under Client ID enter Client ID/Realm from your Criipto Verify application.
If you chose Back Channel as a Type, enter Client Secret generated by Criipto Verify when you enabled the OAuth2 Code Flow.
Copy the Callback URL generated by Auth0 and enter it under Callback URLs in Criipto Verify application management.
Select Save changes.
Make sure to enable created connection for your Auth0 application.

After you save a connection, you may get an error: “Error! Something happened while trying to save your connection: Issuer metadata missing the following attributes: token_endpoint”.

This is due to a bug in Auth0’s frontend, nothing to worry about. In this case, under the Issuer URL select Show Issuer Details and under Token Endpoint enter https://<YOUR COMPANY>.criipto.id/oauth2/token

If you are creating multiple connections, you have to enter Callback URL only once. It will be the same for every OpenID Connect connection.

Test the connection

To test your OpenID Connect connection, go back to the list of all OpenID Connect connections and select Try button on the right side of the connection you want to test.

Test users

Almost all e-ID types have a notion of test users and real users.

Real users are real people logging in to a web site, thus voluntering their real name and typically also a social security number, SSN.

Test users are either created by you for the occasion, or we provide you with access to already created test users.

You may ready more in the section on test users

Integrate your application with Auth0

How to integrate your application with Auth0 depends on the technology you are working with. Refer to the Auth0 quickstart guide for more details.

Articles