CriiptoDOCS
  1. e-IDs
  2. Norwegian BankID

JWT/Token example

{
  "identityscheme": "nobankid-oidc",
  "nameidentifier": "ee9b1bb905a6458e9f3b9d068f1a3765",
  "sub": "{ee9b1bb9-05a6-458e-9f3b-9d068f1a3765}",
  "uniqueuserid": "9578-6000-4-351726",
  "certissuer": "CN=BankID - TestBank1 - Bank CA 3,OU=123456789,O=TestBank1 AS,C=NO;OrginatorId=9980;OriginatorName=BINAS;OriginatorId=9980",
  "certsubject": "CN=CriiptoTest\\, Mikkel,O=TestBank1 AS,C=NO,SERIALNUMBER=9578-6000-4-351726",
  "birthdate": "1946-03-27",
  "socialno": "27034698436",
  "family_name": "CriiptoTest",
  "given_name": "Mikkel",
  "name": "Mikkel CriiptoTest",
  "country": "NO"
}

The socialno field is the social security number. The uniqueUserId identifies the legal person corresponding to the login, and is not considered sensitive.

Test users

Two types of Norwegian BankID are available:

  1. Web based BankID with a hardware token. Also called Netcentric accounts, test users from this type of BankID may be created and used on the fly
  2. Mobile BankID. Norwegian mobile BankID is based on a socalled SIM card application which means you need a special SIM card issued by one of the Norwegian carriers.

Creating netcentric test users

Test users are created through the web page at https://ra-preprod.bankidnorge.no/#/search/endUser.

  1. Go to the "TEST NUMBER GENERATOR" to generate a random, valid SSN
  2. It now says "Could not find any bankIDs for ..."
  3. Fill out the first name, last name, and BankID friendly name.
  4. Click "Order" to initiate the process
  5. Once the process complete you now have a test user. User name is the generated SSN, one time password (OTP) is always "otp", and password is always "qwer1234"

You can test it out at our authentication demo site, which is a small sample hosted by Criipto.

Testing Mobile BankID

For testing you may order up to three test SIM cards through Criipto once you have signed up for Norwegian BankID.

Data and consent for Norwegian BankID

Available data / scopes

Basic user information, full name, and date of birth are always made available. Additional data may be requested and is released with explicit user consent only.

For applications configured to use a dynamic scope strategy, the following scope tokens can be supplied: address, email, phone and ssn.

Data typeReleasedVerifiedscopelogin_hint
Full nameAlwaysYes
Date of birthAlwaysYes
SSN ("fødselsnummer" in Norwegian)User consentYesssnscope:ssn
AddressWith user consentNoaddressscope:address
EmailWith user consentNoemailscope:email
Phone numberWith user consentNophonescope:phone

Example (partial) authorize request with scopes

https://YOUR_SUBDOMAIN.criipto.id/oauth2/authorize?scope=openid email address&...

Alternatively, you can send them in the login_hint

https://YOUR_SUBDOMAIN.criipto.id/oauth2/authorize?...&login_hint=scope:email scope:address&...

which can be a useful if you are working with technology that does not let you control the scope value.

Access to the SSN is governed by Norwegian law, as described in the Ordering Norwegian BankID guide.

The unverified data are supplied by end-users and not verified by Vipps or the Norwegian banks.

Consent model

End-users must explicitly grant consent to releasing the data to you.

The consent model is enforced by Vipps (operator of BankID), and they also provide the consent and data collection dialogs.

Forced and optional consent

If you request SSN, it will be treated as a required value. End users will not be allowed to complete a login until they have explicitly given their consent to release SSN.

All other additional data are treated as optional values. A login may complete even if the user does not consent to release the requested data.

Configuration

You can use the Criipto management dashboard dashboard.criipto.com to configure access to the optional user data, in the Identity Sources -> NO BankID section.

Ordering Norwegian BankID

To start accepting real users with Norwegian BankID, you must first request your client credentials - a set of secret keys - from the Norwegian BankID organisation.

Prerequisites for ordering

In order to apply for the BankID client credentials for a company you must meet the basic requirements:

  • Your company must be a customer of a Norwegian Bank. Most banks in Norway are part of the BankID network.
  • The person that will sign the contract must be in possession of one of these personal e-IDs: Norwegian BankID, Swedish BankID, or Danish NemID
  • You must have completed step 5 in the Getting ready for production guide. You will need the production domain to complete the order for your client credentials.

Ordering the client credentials

To order the actual keys please send a request to

support@criipto.com

with answers to these questions:

  1. A short description of what your application does and why it needs BankID.
  2. Your company: Name, organisation number, and address
  3. General contact person at your company for BankID related communication: Name, mobile phone, and email
  4. Your company’s Norwegian bank: Name, organisation number, and address
  5. Contact person with authorization to block/revoke the use of BankID: Name, mobile phone, and email
  6. Person registered in the business registry with authorization to sign the agreement: Name and email
  7. If you need access to social security numbers (“fødselsnummer”) please provide brief explanation of why and reference the Norwegian law and paragraph that grant you the right
  8. Contact person with authorization to receive the secret keys: Name, mobile phone, and email
  9. The display name to appear in the login app. E.g. the name of your company or your specific service. (See the image below)
  10. Web address of your company
  11. The URL of your production domain as setup in step 5 of the Getting ready for production
  12. Finally - if you are not a Norwegian company - you must enclose a company certificate from the official business registry of the country of incoporation.

BankID login

Next steps

After Criipto has received the above information, we order the client credntials from your bank by filling out an online agreement, which is then sent to the appointed persons at your company for signing. Criipto will also sign the agreement

When all signatures are in place the signed agreement is sent to your bank for further processing and eventual issuance of your client credentials.

Once you have received credentials, they must be entered into the Criipto Verify management UI to configure your NO BankID integration.