CriiptoDOCS
  1. e-IDs
  2. Danish MitID

JWT/Token example

{
  "identityscheme": "dkmitid",
  "nameidentifier": "0f9960a0d28d4353a3e2ea07f8ffa185",
  "sub": "{0f9960a0-d28d-4353-a3e2-ea07f8ffa185}",
  "streetaddress": "Ny testvej 15 7\n2200 København N\nDenmark",
  "uuid": "74ffcd31-fbaf-4c33-bdac-169f25c1e416",
  "cprNumberIdentifier": "2101270087",
  "birthdate": "1927-01-21",
  "age": "93",
  "name": "Ditlev Von Testesen",
  "country": "DK"
}

The cprNumberIdentifier field is the social security number.

Test users

You create personal MitID test users at https://pp.mitid.dk/test-tool/frontend:

  1. Just use the autofill button and then change the details to you liking
  2. If you haven't done so already install the test app from https://pp.mitid.dk/mitid-app/index.html
  3. You can test your new users by using the "Flows" menu at the top of the screen.

MitID test tool

Collecting CPR numbers

You must enable the "Add CPR for MitID logins" toggle in the management dashboard. Criipto Verify will prompt the user for their CPR number and validate that it belongs to the MitID user that is logging in.

For applications configured to use a static scope strategy, the CPR will be added to the issued token.

For applications configured to use a dynamic scope strategy, supply scope=openid ssn in the authorize request.

Collecting user addresses

If you collect the users CPR number, the users current address can also be made available.

Data processor and dedicated billing agreements are needed, contact sales@criipto.com for the legal and financial arrangements.

For applications configured to use a static scope strategy, address data will automatically be added.

For applications configured to use a dynamic scope strategy, supply scope=openid address in the authorize request.

If you do not also request the ssn scope, Criipto Verify will query the user for the CPR number anyway, as this is needed to look up the users address.

The CPR number will not be issued in the JWT in this case, even if the user was prompted for it during login.

Example (partial) authorize request with scope

https://YOUR_SUBDOMAIN.criipto.id/oauth2/authorize?scope=openid address&...

Alternatively, you can send it in the login_hint

https://YOUR_SUBDOMAIN.criipto.id/oauth2/authorize?...&login_hint=scope:address&...

which can be a useful if you are working with technology that does not let you control the scope value.

MitID for business

You can request a login in business context by sending a login_hint=business query parameter in the authorize request. This will allow company signatories to log in to your site with their personal MitID.

You can read more about the login_hint here.

Order MitID for production

Prerequisites for ordering

In order to apply for MitID in production on behalf of a company you must meet the basic requirements:

  • Your company must be registered in the EU and have an EU VAT Id.
  • The person applying must have a NemID/MitID employee signature from the company in question, a socalled "medarbejdersignatur"
  • You must have completed step 5 in the Getting ready for production guide. You will need the production domain to complete the order for your client credentials.

MitID went live on October 6, 2021

All the holders of NemID are being migrated gradually to MitID until the summer of 2022, when NemID will be sunset altogether. During the transition, all users will keep their NemID and will be able to use both options.

MitID terms of service

In addition to the general Criipto terms of service you must also accept the MitID specific terms

UX requirements

With MitID you will be using a hosted MitID page at Criipto. The page may be styled to your liking, but some requirements must be observed.

Please see the UX reqirements to make sure you comply.

Apply for production access

Companies registered in Denmark

If your company is registered in Denmark please follow these steps:

  1. Go to the management dashboard and set the environment toggle at the top center to "PRODUCTION".
  2. In the "Identity sources" section, expand the "DK MitID" section
  3. A user with a NemID/MitID employee signature, a socalled "medarbejdersignatur" must click the button and sign in.
  4. Submit the details for your company. Note the following:
  • The name to show in the MitID login box is the name entered in the "Company alias" box
  • The "Domain prefix" is typically your company or brand name, e.g. acme-corp. Once this registration is completed this will be used to set up your MitID domain, in this case acme-corp.mitid.dk.
  1. The information is to Nets. Once your domain has been set up, it will appear in the "Domains" section.

Expect this process to take 5-7 workdays.

Companies not registered in Denmark

If you company is not registered in Denmark, menaing you don't have NemID/MitID employee signatures ("medarbejdersignatur"), please send a request for MitID onboarding to support@criipto.com.

Complete the onboarding process

Once you receive a confirmation from Criipto (via email), go back to the "Identity sources" section and open "DK MitID". Nets has now set up the mitid.dk domain, and the Complete button will be active for you to click.

  1. Click the Complete button in the MitID section to finish the registration process
  2. Configure the various options that appear after the onboarding completes.
    • If you use our service for NemID as well, select a NemID fallback domain. Note this is only relevant if you, for some reason, send requests directly to your mitid.dk domain.
    • If you need access to the end-user's CPR number, make sure the Add CPR for MitID logins toggle is enabled.
    • In contrast to NemID, not all MitID users have a CPR number. If your application can handle the case of a missing CPR, you may enable the CPR Optional toggle. This will let MitID users without a CPR number log in to your service.
    • If you want to use our side-by-side feature for showing both MitID and NemID login options, make sure the Also offer MitID login when NemID is requested-toggle is enabled.

Set up an application on your MitID domain

  1. Register your application, just as you would for all other integrations.
  2. IMPORTANT: If you want to use NemID and MitID side-by-side, you must create a "shadow" application with the same Client ID/Realm and Callback URLs as the application you currently use for NemID. This is necessary to make the switching back and forth between MitID and NemID function.

Validating token signatures for MitID

MitID comes with a new approach to storing and using token signing keys. There will be a distinct token signing key in use for MitID, in addition to the one you use for other types of e-ID, such as NemID. Criipto Verify announces all of these signing keys in the metadata documents for your domains (see work with metadata for a primer on this subject).

Most modern OIDC libraries have built-in support for dynamic metadata retrieval, so all this should be handled for you behind the scenes.

Dynamic metadata retrieval is also necessary to achieve minimal disruption for your applications in an ordinary key rollover as well as disaster recovery scenarios.

MitID user interface requirements

When supporting MitID in your application, you must adhere to a few style requirements, both in your application and on the MitID landing page hosted by Criipto.

As long as you follow the guidelines below, you should be in compliance with the UX requirements from MitID. However, please reach out to our support if you need assistance verifying that your buttons, pages, and screens comply.

Note that when moving to production with MitID you will be bound by the terms of service for MitID in which you - among other things - commit to the below UX requirements.

Also, Criipto may request that you submit a URL where we can verify that you are, in fact, in line with the requirements.

The MitID landing page

With MitID everything happens on a page hosted by Criipto. Specifically, MitID cannot be iframed, only shown in full page view.

You will therefore redirect the current page to Criipto (alternatively open a web view in a native app), or you may open up a popup window. The latter is only relevant on the desktop and is typically not recommended by Criipto.

Styling the landing page

In general, the landing page for MitID may styled by following the general guide on styling. In essence, you can modify the page any way you like using CSS.

As illustrated below, the default landing page has the MitID box - the red rectangle - at the center. It is essential that you do not, under any circumstances, change the styling or layout of anything inside the red rectangle.

MitID default landing page

MitiD branding in your application

When referring to MitID in your application, web or native alike, you must make sure your language and styling matches the requirements.

If you are building a native app a few additional requirements must be observed as described below.

Download the required assets, the MitID logo and fonts, directly from our web site.

Call to Action

When providing a call to action, for example, log in or sign, make sure you follow these requirements:

  • In web applications, always use a button or anchor tag, <a> or <button>, to make sure it is accessible for keyboard navigation and screen readers according to the WCAG 3.0 standard.
  • The button must be the right color of blue with the white text. See the detailed styling below.
  • The button text must be exactly one of the five allowed phrases as listed below.

The MitID button should be shown with lightly rounded corners:

Default MitID Button

The key elements of the default styling are shown below, but we suggest to simply inspect the buttons in the MitID applet and copy the corresponding styles.

{
    background: #0060e6;
    color: #ffffff;
    font-family: "IBM Plex Sans", Helvetica, Arial, sans-serif;
    border-radius: 4px;
    height: 48px;
    padding: .25rem .75rem .25rem 1rem;
}

The text inside the button must be from the set of approved texts:

  Danish  English
Log ind med MitIDLog on with MitID
Godkend med MitIDApprove with MitID
Bekræft med MitIDConfirm with MitID
Acceptér med MitIDAccept with MitID
Underskriv med MitIDSign with MitID

MitID branding in a native app

Just as illustrated above, your app must show a call to action which will open a webview hosting the MitID landing page:

MitID CTA in native app

Your app must use a platform-specific web view (Custom Tab on Android and Safari View Controller on iOS) which clearly reassures the user that they are on a legitimate mitid.dk domain with appropriate security (TLS and the padlock symbol):

MitID CTA in native app