MobileID

Operation verification guide

November 14, 2019

OIDC


Step 1: authorization code callback

Request:
GET <COMPLETE_URL>

Response:
AUTHORIZATION_CODE

Notes:
Signicat’s server sends an authorization code (together with other information) by redirecting the customer’s app to the CUSTOMER_CALLBACK_URL.

The customer’s backend then needs to verify that it was the client who initiated the authentication process, using the data it received from Signicat’s server (in particular by comparing the returned state value with the one it originally sent).

Step 2: token request

Request:
POST <SIGNICAT_TOKEN_ENDPOINT> HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic <CUSTOMER_BASIC_AUTH_HEADER>

client_id=<CUSTOMER_CLIENT_ID>&
redirect_uri=<CUSTOMER_CALLBACK_URL>&
grant_type=authorization_code&
code=<AUTHORIZATION_CODE>

Response:
{
"access_token": "<ACCESS_TOKEN>",
"token_type": "Bearer",
...
}

Notes:
The authorization code is exchanged for an access token. The body is form-encoded (the standard token endpoint format), and the customer’s client credentials are sent in the Basic Authorization header.

Step 3: userinfo request

Request:
GET <SIGNICAT_USERINFO_ENDPOINT> HTTP/1.1
Accept: application/json
Authorization: Bearer <ACCESS_TOKEN>

Response:
{
"deviceId": "<DEVICE_ID>",
...
}

Notes:
The deviceId is retrieved from Signicat’s userinfo endpoint using the access token.
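The three OIDC steps above as a backend callback handler, added here as an example that is not part of the Signicat documentation: it checks the returned state against the session's expected value before doing anything else, exchanges the code with the form-encoded token request, and reads deviceId from the userinfo response. The endpoint constants and the injected post/get helpers are assumptions so the code runs with any HTTP client.

```python
import hmac
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders for the endpoints named on this page; substitute the real values
# from your Signicat configuration (assumed names, not real URLs).
TOKEN_ENDPOINT = "https://SIGNICAT_TOKEN_ENDPOINT"
USERINFO_ENDPOINT = "https://SIGNICAT_USERINFO_ENDPOINT"
CALLBACK_URL = "https://CUSTOMER_CALLBACK_URL"


def handle_callback(callback_url, expected_state, client_id, client_secret, post, get):
    """Handle the redirect to CUSTOMER_CALLBACK_URL and return the deviceId.

    post(url, headers, body) and get(url, headers) are injected HTTP helpers that
    return (status, body_text); any HTTP client can be plugged in (assumption).
    """
    params = parse_qs(urlparse(callback_url).query)
    # Step 1: the state must match the one this backend generated for the session
    # (constant-time compare); otherwise the callback was not initiated by us.
    if not hmac.compare_digest(params.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: callback not initiated by this session")
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    code = params.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    # Step 2: exchange the code for an access token. The body is form-encoded and
    # the client credentials travel in the Basic Authorization header.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    status, body = post(TOKEN_ENDPOINT,
                        {"Content-Type": "application/x-www-form-urlencoded",
                         "Authorization": "Basic " + basic},
                        urlencode({"client_id": client_id, "redirect_uri": CALLBACK_URL,
                                   "grant_type": "authorization_code", "code": code}))
    if status != 200:
        raise RuntimeError(f"token endpoint returned HTTP {status}")
    token = json.loads(body)
    if token.get("token_type", "").lower() != "bearer":
        raise RuntimeError("unexpected token_type " + repr(token.get("token_type")))
    # Step 3: present the bearer token to the userinfo endpoint and read the deviceId.
    status, body = get(USERINFO_ENDPOINT, {"Accept": "application/json",
                                           "Authorization": "Bearer " + token["access_token"]})
    if status != 200:
        raise RuntimeError(f"userinfo endpoint returned HTTP {status}")
    device_id = json.loads(body).get("deviceId")
    if not device_id:
        raise RuntimeError("userinfo response carried no deviceId")
    return device_id
```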
SAML
Request:
GET <COMPLETE_URL>

Response:
{
"SAMLResponse": "PFJlc3BvbnNlIHh....",
"target": "https://www.signicat.com"
}

Notes:
The customer’s server (as specified in the CUSTOMER_REDIRECT_URL) receives a SAML response from Signicat.

Note that the SAML response contains only attributes about the device. The most important attribute is the deviceId, which can be found as signicat.unique-id. An example deviceId is saml.attribute.signicat.unique-id = e7dcff4bf4544c9f9e387d507c3630a5

The SAML response will need to be verified.
