Criipto
  1. eIDs
  2. Swedish BankID

JWT/Token example

{
"identityscheme": "sebankid",
Overall eID used to authenticate
"nameidentifier": "1373c272b61a4cb588b29c44883fe62f",
Legacy format of 'sub'
"sub": "{1373c272-b61a-4cb5-88b2-9c44883fe62f}",
Persistent pseudonym. Uniquely identifies an eID user (per Criipto Verify tenant)
"ssn": "196802020575",
Social security number
"name": "Terne Paulsen",
"given_name": "Terne",
An OpenID Connect standard claim
"family_name": "Paulsen",
An OpenID Connect standard claim
"ipaddress": "77.241.128.160",
"country": "SE"
}

Optional claims for native BankID signature verification

If your use case requires verifying the signature (which is not required, but possible), you have an option to request the evidence data as returned by the underlying e-ID provider. This can be done by adding scope=openid evidence (or login_hint=scope:evidence) to your authorize request.

With this configuration, the issued JWT will contain two additional claims: evidence and ocspResponse:

{
"identityscheme": "sebankid",
Overall eID used to authenticate
"nameidentifier": "1373c272b61a4cb588b29c44883fe62f",
Legacy format of 'sub'
"sub": "{1373c272-b61a-4cb5-88b2-9c44883fe62f}",
Persistent pseudonym. Uniquely identifies an eID user (per Criipto Verify tenant)
"ssn": "196802020575",
Social security number
"name": "Terne Paulsen",
"given_name": "Terne",
An OpenID Connect standard claim
"family_name": "Paulsen",
An OpenID Connect standard claim
"ipaddress": "77.241.128.160",
"country": "SE",
"evidence": "PD94bWwgdmVyc2lvbj0i...5hdHVyZT4=",
"ocspResponse": "MIIHdgoBAKCCB28wggdrBgk...uSbCquVT1J"
}

The full content of evidence and ocspResponse is omitted for brevity.

Avoiding excessively large JWT payload

When included in the payload, evidence and ocspResponse claims will significantly increase the size of the JWT token, potentially causing it to exceed the size limitations of an HTTP header. The bloated JWTs would thus become unusable as Bearer tokens for accessing APIs.

To address this concern, consider changing the response type in your authorization request to response_type=code id_token.

In this case, a more compact ID Token with only essential claims will be issued from the Token endpoint. The client can subsequently fetch all data about the user from the Userinfo endpoint.

With code id_token response type, the ID Token from the token endpoint will always be the same (and have nothing but a sub that is user-specific). In contrast, when using the response_type=code, the full ID Token is returned immediately in exchange for code.

Test users

Swedish BankID test users are created at the demo web site.

For more information on how to configure your device for test and setup test users: Get a test BankID

Note that, as is also described on the website, using test BankID users does require a reconfiguration of the BankID application. This means it cannot be used for real BankID. So if you are Swedish and already have BankID on your phone, you may want to use a spare phone for testing.

Ordering Swedish BankID

To start accepting real users with Swedish BankID, you must first request a certificate to identify your organization.

Criipto acts as a reseller for Swedbank, which means that you will have to go through a simple approval process with Swedbank. The process is managed by Criipto.

To order the actual certificate simply download this form and return a filled out copy to support@criipto.com

Next steps

After Criipto has received the filled out form, we send it to Swedbank where it will be reviewed and typically approved within a few business days.

Once your organization and your intended use of BankID has been approved we will create and install the actual certificate in your Criipto tenant. and you will be ready to continue the process in the getting ready for production guide.