Finnish Trust Network

Full Message-Level Encryption for FTN

3730 views May 9, 2019 June 5, 2019 5

The Finnish Trust Network (FTN) requires Full Message-Level Encryption (MLE) as well as Transport-Level Encryption (TLS). The following document details the steps required to perform an OpenID Connect (OIDC) flow for FTN with Full Message-Level Encryption.


  1. Generate a JWK RSA pair (2048 or 4096-bit). It is important that you create a JWK and not a PEM, CER, CRT, etc.
  2. Send the public part to Signicat. The public part can be sent through email as it does not contain sensitive information.

Please note, when we store your key in our system a new Key ID (“kid”) will be generated. We will provide you with this new Key ID. You have to use this Key ID, as we do not have the ability to change the Key ID in our keystore.

Customer implementation

  1. Begin crafting the OIDC Authorization Request. The parameters are standard OIDC parameters, but the payload has to be encrypted for security, to ensure the integrity of the signature. Examples of Authorization Request encryption in a number of common languages can be found at The requirements are as follows:
    • The HTTP request can be made using either GET or POST.
    • The payload must be a Request Object (per OIDC Core specifications, section 6.1). An example for a typical payload Request Object looks as follows:
          "login_hint": ["subject-210281-9988"],
          "ui_locales": "en",
          "scope": "openid profile signicat.national_id",
          "acr_values": "urn:signicat:oidc:method:ftn-nordea-auth",
          "response_type": "code",
          "redirect_uri": "",
          "state": "state123",
          "client_id": "CLIENTID",
      Value Type Required
      login_hint List of Strings No
      ui_locales String No
      scope String Yes
      acr_values String Yes
      response_type String Yes
      redirect_uri String Yes
      state String Yes
      client_id String Yes
    • The request must be an encrypted JWT, which contains the aforementioned Request Object (as specified at
    • The JWE token must be encrypted with the public key ("use":"enc") available at https://<ENV>
    • The protected header for the JWE token must contain the following claims:
      • "enc"="A256CBC-HS512"
      • "typ"="JWE"
      • "kid" and "alg" (the values for “kid” and “alg” are specified at https://<ENV>
  1. The ID token and the response from user info is a nested JWT which is encrypted and signed.
    1. Decrypt it with your private key from the RSA pair given to Signicat.
    2. Deserialize the resulting signed JWT and verify the signature.
  2. The ID token must, as always, be verified according OIDC specifications.

Note that <ENV> equals for pre-production and your Signicat subdomain for production.

A functional example implementation of full message-level encryption for FTN can be found at

Was this helpful?