MobileID InApp Web integration: Authentication and payment authorization

November 12, 2020 / November 18, 2020

MobileID InApp Web integration: Authentication

1. Initiate operation on merchant server

In order to start authentication process, the user must provide his externalRef and the name of the device he wants to use for authentication.

Enter externalRef

When the user provides the externalRef, the first call toward the merchant backend is executed. The goal of this call is to fetch all available devices suitable for authentication for the supplied externalRef.

The list of devices is then presented to the user.

Select device
The user selects the device and initiates the authentication process by clicking the Authenticate button. A new request carrying the deviceName, together with the previously entered externalRef, is sent to the merchant backend.

Based on the supplied deviceName, the merchant backend obtains the deviceId (normally, it caches deviceName/deviceId pairs when fetching all available devices for the user).

2. Generate URL

The merchant backend constructs the authentication URL as described in the URL construction guides of the MobileID InApp web integration guide.

For payment authorization, a consent text is added to the authorization call towards the MobileID solution as an encrypted JSON Web Token (JWT). MobileID uses it to generate the PSD2 authentication code cryptographically from the context message, which contains at least the payee and the amount. The URL construction guide includes sample requests and responses for payment authorization.

3. Initiate operation on Signicat’s server

The merchant backend executes an HTTP GET request with the URL constructed previously. See the normal response in the URL construction guides.

Note: Keep the cookies you receive with this response and send them with every subsequent request; without them the later requests cannot be performed.

Response error example

    {
        "completeUrl": "",
        "status": "ERROR",
        "error": {
            "code": "urn:signicat:error:idp:ACCESS_DENIED",
            "message": "Access denied. Wrong credentials."
        }
    }
If an error occurs during initialization, you will receive a status indicating this, and an error object will be present. Upon error, if you choose to make a GET request towards the completeUrl, you will get

    error_description=The Resource Owner did not complete the login.
    urn:signicat:error:idp:ACCESS_DENIED; Access denied. Wrong credentials.

4. Execute operation toward Encap

If the status was “OK”, the merchant app will receive a push notification with information about the required authentication.

The user switches to the Merchant App and starts the authentication process by entering the PIN.

The authentication process continues in the merchant app: This involves the regular startAuthentication() / finishAuthentication() calls towards the Encap Client API.

Immediately after the deviceName is displayed in the browser, the merchant backend starts polling toward Signicat, awaiting the status of the operation.

5. Check process status

The client (browser) may execute polling calls to the merchant backend using the status URL from steps 1-3, which executes a call to Signicat.

This can be executed (periodically at pre-configured intervals) until the received result is COMPLETED.

6. Get result of the process — Finalize operation

When the status from the previous call is COMPLETED, the client executes a finalizing call to the merchant backend that again uses the received completeUrl and executes a call to Signicat. Signicat then sends an authorization_code to the merchant backend which carries out the regular OIDC authorization_code sequence of steps to obtain the device information.

See the MobileID InApp integration guide – Finalize operation for details.
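The merchant-backend side of steps 3, 5 and 6 as an added Python example (not Signicat's own code): one cookie-carrying session, handling of the error object, bounded status polling and the finalizing call, driven here against a constructed stand-in for Signicat so it runs offline. The JSON shape of the status poll, the session cookie name and the PENDING status are assumptions, as are the URLs.

```python
import json
from urllib.parse import parse_qs, urlsplit

class MobileIdError(Exception):
    """Signicat answered with status ERROR; code and message come from its error object."""
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code, self.message = code, message

def check_response(body):
    """Parse a Signicat JSON response and raise MobileIdError when its status is ERROR."""
    data = json.loads(body)
    if data.get("status") == "ERROR":
        raise MobileIdError(data["error"]["code"], data["error"].get("message", ""))
    return data

def error_from_redirect(url):
    """Read error_description from the query string a failed completeUrl GET redirects to."""
    return parse_qs(urlsplit(url).query).get("error_description", [""])[0]

def run_authentication(http_get, auth_url, status_url, max_polls=30):
    """Steps 3, 5 and 6 on the merchant backend. http_get(url, cookies) -> (body, new_cookies);
    every cookie received is sent with later requests, as the note in step 3 requires."""
    cookies = {}
    def get(url):
        body, new_cookies = http_get(url, dict(cookies))
        cookies.update(new_cookies)   # keep the session cookies for the next call
        return body
    init = check_response(get(auth_url))          # step 3: initiation, raises on ERROR
    if init["status"] != "OK":
        raise MobileIdError("UNEXPECTED_STATUS", init["status"])
    for _ in range(max_polls):                    # step 5: bounded polling, never open-ended
        if check_response(get(status_url))["status"] == "COMPLETED":
            return check_response(get(init["completeUrl"]))   # step 6: finalize
    raise TimeoutError("operation did not reach COMPLETED within max_polls")

def make_fake_signicat(polls_before_complete=2):
    """Constructed stand-in for Signicat: sets a session cookie at initiation, refuses later requests without it, completes after a few polls."""
    state = {"polls": 0}
    def http_get(url, cookies):
        if url.endswith("/auth"):
            return json.dumps({"completeUrl": "https://signicat.example/complete", "status": "OK"}), {"sid": "s1"}
        if cookies.get("sid") != "s1":   # assumed cookie name; missing cookie -> access denied
            return json.dumps({"completeUrl": "", "status": "ERROR", "error": {
                "code": "urn:signicat:error:idp:ACCESS_DENIED", "message": "Access denied. Wrong credentials."}}), {}
        if url.endswith("/status"):
            state["polls"] += 1
            return json.dumps({"status": "COMPLETED" if state["polls"] >= polls_before_complete else "PENDING"}), {}
        return json.dumps({"status": "COMPLETED", "authorization_code": "constructed-code"}), {}
    return http_get
```

The value returned from the finalizing call is where the regular OIDC authorization_code exchange would start; that exchange is outside this example.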
