MobileID

In-app authentication process

September 7, 2018 (updated December 5, 2018)

In this process, a user who has already completed the MobileID app registration process can authenticate their identity. To support in-app authentication, you need to handle the whole authentication process from your app, all the way from initiating the authentication to receiving a response with the result of the authentication.

1) Initiate the authentication

Send a GET request to the in-app URL you have received from Signicat. The deviceId returned in the registration process must be sent as a parameter in the following format: login_hint=deviceId-{deviceId}.

Request example

GET https://preprod.signicat.com/oidc/authorize?response_type=code&scope=openid+mobileid&client_id=demo-preprod&redirect_uri=https://example.com/redirect&state=123abc&acr_values=urn:signicat:oidc:method:mobileid-auth-inapp&login_hint=deviceId-UlzxrYaXmrvR2Njm7ydRf9FeDV7VLilX

Response example

{
  "links": [
    {
      "rel": "status",
      "href": "https://id01.signicat.com/std/poll/nbidmobile/a7fa80f52656487f9260c8514dced4f30ef761603c9011e78331000c299de349/"
    },
    {
      "rel": "complete",
      "href": "https://id01.signicat.com/std/method/nbidmobile/a7fa80f52656487f9260c8514dced4f30ef761603c9011e78331000c299de349/complete"
    },
    {
      "rel": "cancel",
      "href": "https://id01.signicat.com/std/method/nbidmobile/a7fa80f52656487f9260c8514dced4f30ef761603c9011e78331000c299de349/cancel"
    }
  ]
}

To be able to perform the subsequent requests, you must keep the cookies you receive with this response and send them with each of the following requests.

JSON responses

Name        Type          Description
links       Link object   Links to the status, complete and cancel endpoints
status      string        Status of the authentication process
complete    string        Confirmation that the authentication process is complete
cancel      string        Notification that the authentication process was canceled by the user

2) Authentication starts

The authentication process starts. Through a push notification, the MobileID app instructs the user to provide the PIN or fingerprint configured during the registration process. If push notifications are disabled or don’t work, it is also possible for the user to initiate the process by starting the MobileID app manually.

3) Get the status of the authentication process

Using the status link received in step 1, make a GET request for the status of the authentication.

Response example

{
  "finished": true,
  "error": false,
  "errorMessageKey": null
}

If “finished” is not true, wait a short period before requesting the status again.

You can continue to the next step when “finished” is true and “error” is false.

4) Get the result of the authentication process

Call the complete URL that you received in step 1. As a response, you will get the redirect URI to your endpoint with a “code” query parameter.

5) Send token request

Use the URI and the code received in step 4 to send a POST request to the token endpoint. The request must contain the following URL-encoded parameters:

  • client_id: Your client ID
  • redirect_uri: Must equal the URI the flow started with
  • grant_type=authorization_code: We are using an authorization code for this flow, hence the value of this parameter
  • code: Must equal the code received in step 4

Request example

curl -XPOST "https://preprod.signicat.com/oidc/token" -H "Authorization: Basic ZGVtby1wcmVwcm9kOm1xWi1fNzUtZjJ3TnNpUVRPTmI3T240YUFaN3pjMjE4bXJSVmsxb3VmYTg=" -d "client_id=demo-preprod&redirect_uri=https://example.com/redirect&grant_type=authorization_code&code=CODE GOES HERE"

Response example

{
  "access_token": "eyJra...",
  "token_type": "Bearer",
  "refresh_token": "S4rkjLZ-13aXtuLhyHngFZGcC2mbmKcK",
  "scope": "mobileid profile openid",
  "expires_in": 1800,
  "id_token": "eyJra..."
}

Extract the access token from the response to use it in the next step.

6) Send userinfo request

Use the access token to fetch the deviceId with a GET request.

Request example

curl -XGET "https://preprod.signicat.com/oidc/userinfo" -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Response example

{"sub":"uIFLTWW_xgxkWPImFo5JXtzhzZqK4mBf","deviceId":"UlzxrYaXmrvR2Njm7ydRf9FeDV7VLilX"}

Compare the deviceId with the deviceId that is registered with the user’s account.

Any further actions after receiving this response are your responsibility. Signicat does not have any responsibility for how the result of the authentication is used.
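The six steps above as one client-side flow, written as an added example for this page (not Signicat's code): it keeps the links from step 1, polls the status link, checks the returned redirect URI and state before using the code, exchanges the code with HTTP Basic client authentication as in the curl example, and compares the deviceId in constant time. The helper names are hypothetical; fetch is assumed to be a cookie-preserving HTTP callable supplied by the caller (for example wrapped around a requests.Session), and the redirect URI returned by the complete endpoint is assumed to echo the state parameter as standard OIDC does.

```python
import base64, hmac, json, time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://preprod.signicat.com/oidc/authorize"  # preprod endpoints from this page
TOKEN_URL = "https://preprod.signicat.com/oidc/token"
USERINFO_URL = "https://preprod.signicat.com/oidc/userinfo"

def parse_links(body):
    # Step 1: turn the "links" array into {rel: href}.
    return {link["rel"]: link["href"] for link in json.loads(body)["links"]}

def poll_status(fetch, status_url, max_polls=60, delay=1.0):
    # Step 3: poll until "finished" is true; "error" aborts, a timeout stops polling.
    for _ in range(max_polls):
        status = json.loads(fetch("GET", status_url))
        if status.get("error"):
            raise RuntimeError("authentication error: %s" % status.get("errorMessageKey"))
        if status.get("finished") is True:
            return True
        time.sleep(delay)  # wait a short period before asking for status again
    raise TimeoutError("user did not complete the authentication in time")

def extract_code(redirect_uri, expected_redirect, expected_state):
    # Step 4: accept "code" only if the URI is ours and "state" (assumed to be echoed
    # back, as in standard OIDC) equals the value the flow started with.
    parsed = urlparse(redirect_uri)
    if parsed._replace(query="", fragment="").geturl() != expected_redirect:
        raise ValueError("code returned for an unexpected redirect URI")
    query = parse_qs(parsed.query)
    if query.get("state", [None])[0] != expected_state or "code" not in query:
        raise ValueError("missing code or state mismatch: not this flow's response")
    return query["code"][0]

def device_matches(userinfo_body, registered_device_id):
    # Step 6: constant-time comparison with the deviceId registered for the account.
    return hmac.compare_digest(json.loads(userinfo_body).get("deviceId") or "", registered_device_id)

def run_inapp_flow(fetch, client_id, client_secret, redirect_uri, state, device_id, delay=1.0):
    # Steps 1-6; fetch(method, url, data=None, headers=None) -> body text and must keep
    # the cookies from step 1 for every later call (hypothetical caller-supplied helper).
    params = {"response_type": "code", "scope": "openid mobileid", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state, "login_hint": "deviceId-" + device_id,
              "acr_values": "urn:signicat:oidc:method:mobileid-auth-inapp"}
    links = parse_links(fetch("GET", AUTHORIZE_URL + "?" + urlencode(params)))
    poll_status(fetch, links["status"], delay=delay)
    code = extract_code(fetch("GET", links["complete"]), redirect_uri, state)
    basic = base64.b64encode(("%s:%s" % (client_id, client_secret)).encode()).decode()
    token = json.loads(fetch("POST", TOKEN_URL, headers={"Authorization": "Basic " + basic}, data={
        "client_id": client_id, "redirect_uri": redirect_uri, "grant_type": "authorization_code", "code": code}))
    userinfo = fetch("GET", USERINFO_URL, headers={"Authorization": "Bearer " + token["access_token"]})
    return device_matches(userinfo, device_id)
```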
