eIDs
Learn more about Danish MitID token contents, how to create test users and how to gain access to production.
Address lookups is available as an add-on for MitID.
The sub
, nameidentifier
and uuid
values here will not be the same as for a corresponding citizen-MitID login, even if the user chose to use their personal MitID for login.
You create personal MitID test users at https://pp.mitid.dk/test-tool/frontend:
You must enable the "Add CPR for MitID logins" toggle in the management dashboard. Criipto Verify will prompt the user for their CPR number and validate that it belongs to the MitID user that is logging in.
For applications configured to use a static
scope
strategy, the CPR will be added to the issued token.
For applications configured to use a dynamic
scope
strategy, supply scope=openid ssn
in the authorize request.
Criipto provides users with the option to store their CPR number for 1 year, after which the user must provide explicit CPR consent again.
Criipto stores CPR numbers in encrypted format. The consent is per-tenant only.
You can add a "forget-me" link on your website if you want to let users revoke the consent again. Use a normal authorize request as target, but add a prompt=consent_revoke query parameter to the request. Criipto will then run a login flow (to be able to recognize the end user), and delete the granted consent.
You can learn more about authorize requests in our authorize URL builder.
If you collect the users CPR number, the users current address can also be made available.
Data processor and dedicated billing agreements are needed, contact sales@criipto.com for the legal and financial arrangements.
For applications configured to use a static
scope
strategy, address data will automatically be added.
For applications configured to use a dynamic
scope
strategy, supply scope=openid address
in the authorize request.
If you do not also request the ssn
scope, Criipto Verify will query the user for the CPR number anyway, as this is needed to look up the users address.
The CPR number will not be issued in the JWT in this case, even if the user was prompted for it during login.
https://YOUR_SUBDOMAIN.criipto.id/oauth2/authorize?scope=openid address&...
Alternatively, you can send it in the login_hint
https://YOUR_SUBDOMAIN.criipto.id/oauth2/authorize?...&login_hint=scope:address&...
which can be a useful if you are working with technology that does not let you control the scope
value.
MitID supports a "ReAuthentication" flow where the username input step can be skipped if you know the users uuid ahead of time.
login_hint=uuid:<uuid>
to trigger re-authentication when UUID is known.
MitID via Criipto offers all three levels of assurance via the acr_values urn:grn:authn:dk:mitid:low
+ urn:grn:authn:dk:mitid:substantial
+ urn:grn:authn:dk:mitid:high
.
If in doubt, our recommendation would generally be to go with Substantial (urn:grn:authn:dk:mitid:substantial
).
Read more about eIDAS Levels of Assurance
urn:grn:authn:dk:mitid:high
allows users to login with username and either of
high
high
+ MitID Chipurn:grn:authn:dk:mitid:substantial
allows users to login with username and either of
high
.urn:grn:authn:dk:mitid:low
allows users to login with username and either of
high
and substantial
You can request a login in business context by sending a login_hint=business
query parameter in the authorize request.
This will allow company signatories to log in to your site with their personal MitID.
In the very near future, this will also allow employees to log in, either with their personal MitID or with a dedicated MitID.
You can read more about the login_hint
here.
Prerequisites for ordering
In order to apply for MitID in production on behalf of a company you must meet the basic requirements:
MitID went live on October 6, 2021
All the holders of NemID are being migrated gradually to MitID until the summer of 2022, when NemID will be sunset altogether. During the transition, all users will keep their NemID and will be able to use both options.
In addition to the general Criipto terms of service you must also accept the MitID specific terms
With MitID you will be using a hosted MitID page at Criipto. The page may be styled to your liking, but some requirements must be observed.
Please see the UX requirements to make sure you comply.
If your company is registered in Denmark please follow these steps:
acme-corp
. Once this registration is completed this will be used to set up your MitID domain, in this case acme-corp.mitid.dk
.If you company is not registered in Denmark, meaning you don't have NemID/MitID employee signatures ("medarbejdersignatur"), please send a request for MitID onboarding to support@criipto.com.
Once you receive a confirmation from Criipto (via email), go back to the "Identity sources" section and open "DK MitID". Nets has now set up the mitid.dk
domain, and the Complete button will be active for you to click.
NemID fallback domain
. Note this is only relevant if you, for some reason, send requests directly to your mitid.dk
domain. Add CPR for MitID logins
toggle is enabled.CPR Optional
toggle. This will let MitID users without a CPR number log in to your service.Also offer MitID login when NemID is requested
-toggle is enabled.Client ID/Realm
and Callback URLs
as the application you currently use for NemID. This is necessary to make the switching back and forth between MitID and NemID function.MitID comes with a new approach to storing and using token signing keys. There will be a distinct token signing key in use for MitID, in addition to the one you use for other types of eID, such as NemID. Criipto Verify announces all of these signing keys in the metadata documents for your domains (see work with metadata for a primer on this subject).
Most modern OIDC libraries have built-in support for dynamic metadata retrieval, so all this should be handled for you behind the scenes.
Dynamic metadata retrieval is also necessary to achieve minimal disruption for your applications in an ordinary key rollover as well as disaster recovery scenarios.
When supporting MitID in your application, you must adhere to a few style requirements, both in your application and on the MitID landing page hosted by Criipto.
As long as you follow the guidelines below, you should be in compliance with the UX requirements from MitID. However, please reach out to our support if you need assistance verifying that your buttons, pages, and screens comply.
Note that when moving to production with MitID you will be bound by the terms of service for MitID in which you - among other things - commit to the below UX requirements.
Also, Criipto may request that you submit a URL where we can verify that you are, in fact, in line with the requirements.
With MitID everything happens on a page hosted by Criipto. Specifically, MitID cannot be iframed, only shown in full page view.
You will therefore redirect the current page to Criipto (alternatively open a browsing component in a native app), or you may open up a popup window. The latter is only relevant on the desktop and is typically not recommended by Criipto.
In the test environment, the MitID landing page will be hosted on a Criipto provided domain: criipto.pp.mitid.dk
. In production, you will apply for your own domain.
In general, the landing page for MitID may styled by following the general guide on styling. In essence, you can modify the page any way you like using CSS.
As illustrated below, the default landing page has the MitID box - the red rectangle - at the center. It is essential that you do not, under any circumstances, change the styling or layout of anything inside the red rectangle. The required minimum height of the red rectangle is 588 pixels, and it is strongly recommended that you always allow the MitID UI elements to fill out the entire viewport width on mobile devices.
When referring to MitID in your application, web or native alike, you must make sure your language and styling matches the requirements.
If you are building a native app a few additional requirements must be observed as described below.
Download the required assets, the MitID logo and fonts, directly from our web site.
When providing a call to action, for example, log in or sign, make sure you follow these requirements:
<a>
or <button>
, to make sure it is accessible for keyboard
navigation and screen readers according to the WCAG 3.0 standard. The MitID button should be shown with lightly rounded corners:
The key elements of the default styling are shown below, but we suggest to simply inspect the buttons in the MitID applet and copy the corresponding styles.
{
background: #0060e6;
color: #ffffff;
font-family: "IBM Plex Sans", Helvetica, Arial, sans-serif;
border-radius: 4px;
height: 48px;
padding: .25rem .75rem .25rem 1rem;
}
The text inside the button must be from the set of approved texts:
Danish | English |
---|---|
Log ind med MitID | Log on with MitID |
Godkend med MitID | Approve with MitID |
Bekræft med MitID | Confirm with MitID |
Acceptér med MitID | Accept with MitID |
Underskriv med MitID | Sign with MitID |
Just as illustrated above, your app must show a call to action which must open a MitID-compatible browsing component to host the MitID landing page:
Your app must use a platform-specific, MitID-compatible browsing component which clearly reassures the user that they are on a legitimate mitid.dk domain with appropriate security (TLS and the padlock symbol):
You can read more about the details of MitID-compatible browsing components here.
You must take a few steps if you wish to stop offering NemID alongside MitID logins.
urn:grn:authn:dk:nemid:*
acr_values from any of your authorize requests.If you are currently starting your authorize request on a non-MitID domain you can also consider swapping to use the MitID domain directly.