This documentation is now deprecated.
We are migrating our documentation to a new platform. Please navigate to our new documentation:
# Mobile app-initiated operations: Finalise operation
# Sequence diagram
The diagram below illustrates a scenario where the `AUTHORIZATION_CODE` has been successfully retrieved.
Note
The MobileID process is finalised in the same way regardless of whether the operation in question is registration, authentication, Authorisation or Consent Signature.
# Complete operation
# 1. Retrieve authorisation code
Signicat's backend sends a request for the authorisation code to the `CUSTOMER_REDIRECT_URL`.
Important
It is important that the `HTTP GET` does not use or inherit the HTTP header `Accept: application/json` from the previous calls to Signicat. Make sure that your HTTP client follows all redirects until either the `AUTHORIZATION_CODE` or an error is returned.
# Request
```http
GET <COMPLETE_URL>
```
# Response
```
AUTHORIZATION_CODE
```
If an error occurs and the `AUTHORIZATION_CODE` cannot be retrieved, an error message will be returned. The following is one example of a possible error response.
```json
{
  "status": "ERROR",
  "data": "The Resource Owner did not complete the login. urn:signicat:error; Unspecified error"
}
```
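An added example (not Signicat's code) of handling step 1 defensively in Python: the GET drops any inherited `Accept` header, follows redirects, and accepts the body only if it is a bare code rather than the error object shown above. The function names, the HTTPS check and the rule that a code contains no whitespace or markup are assumptions of this example.

```python
import json
import urllib.error
import urllib.request


class FinaliseError(Exception):
    """Step 1 returned an error (or unusable body) instead of a code."""


def build_finalise_request(complete_url, inherited_headers=None):
    # urlopen also handles other schemes, so pin the finalise call to HTTPS.
    if not complete_url.lower().startswith("https://"):
        raise ValueError("COMPLETE_URL must be an https:// URL")
    # Reuse headers from earlier Signicat calls, minus Accept in any casing,
    # so "Accept: application/json" is not inherited by this GET.
    headers = {k: v for k, v in (inherited_headers or {}).items()
               if k.lower() != "accept"}
    return urllib.request.Request(complete_url, headers=headers, method="GET")


def parse_finalise_body(body):
    """Return the authorisation code or raise FinaliseError."""
    text = body.decode("utf-8", errors="replace").strip()
    try:
        parsed = json.loads(text)
    except ValueError:
        parsed = None  # not JSON: candidate authorisation code
    if isinstance(parsed, dict):
        # A JSON object is the error shape shown above; never forward it.
        raise FinaliseError(str(parsed.get("data", "unspecified error")))
    # Assumption: a code has no whitespace or markup, so an HTML page from an
    # unfinished redirect chain is rejected instead of being sent as `code`.
    if not text or "<" in text or any(c.isspace() for c in text):
        raise FinaliseError("response is not an authorisation code")
    return text


def fetch_authorization_code(complete_url, inherited_headers=None, timeout=10):
    req = build_finalise_request(complete_url, inherited_headers)
    try:
        # urlopen follows HTTP redirects by default.
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:
        body = err.read()  # assumption: errors may arrive with a non-2xx status
    return parse_finalise_body(body)
```

Only the string returned by `fetch_authorization_code` should be passed on as `code` in step 2; a `FinaliseError` ends the operation.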
# 2. Retrieve access token and id token
The authorisation code is exchanged for an access token, an id token and, optionally, a refresh token.
# Request
```http
POST <SIGNICAT_TOKEN_ENDPOINT> HTTP/1.1
Content-Type: application/json
Authorization: Basic <CUSTOMER_BASIC_AUTH_HEADER>
```
# Request body
```
redirect_uri=<CUSTOMER_REDIRECT_URI>&
grant_type=authorization_code&
code=<AUTHORIZATION_CODE>
```
# Response
```json
{
  "access_token": "<ACCESS_TOKEN>",
  "token_type": "Bearer",
  ...
}
```
# 3. Retrieve device properties (optional)
Additional information (such as data on the authenticated user) can be retrieved from Signicat's OIDC backend using the `/userinfo` endpoint.
# Request (optional)
```http
GET <SIGNICAT_USERINFO_ENDPOINT> HTTP/1.1
Content-Type: application/json
Authorization: Bearer <ACCESS_TOKEN>
```
# Response
For registration:
```json
{
  "sub": "WGrzaZJTOm7hJ-uDN4zK9zMhPgg1qznE",
  "name": "<EXTERNAL_REF>",
  ...
}
```
For authentication and Authorisation:
```json
{
  "sub": "WGrzaZJTOm7hJ-uDN4zK9zMhPgg1qznE",
  "externalRef": "ca389fae-153d-11ec-82a8-0242ac130003",
  "deviceName": "sampleDevice",
  ...
}
```
# Risk attributes
Optionally, Signicat can configure your service to return risk attributes. These can be used to reduce fraud by means of improved risk evaluation. Risk attributes can be retrieved with all operations: registration, authentication, Authorisation or Consent Signature.
For details on how to return risk attributes, refer to our risk attributes guide.
# Further reading
- MobileID InApp overview
- Mobile app-initiated operations via OIDC
- Mobile app-initiated operations: URL construction
- Mobile app-initiated operations: Finalise operation
- Backend-initiated operations via OIDC
- Backend-initiated operations: URL construction
- Backend-initiated operations: Finalise operation
- MobileID InApp upgrade guide
- MobileID InApp release notes