CIBA flow in iframe (advanced)
This guide details how to embed the Norwegian BankID authentication inside an iframe in your own flow (as opposed to redirecting to another page).
Using an iframe in authentication comes with security considerations. It is NOT supported for regular BankID authentication. However, we support using iframes for ecommerce customers under certain conditions.
iframe is primarily used with BankID Biometric (BIS), which gives a substantial level of assurance. If you want to use a higher level of assurance, you can configure a step-up to BankID High, meaning the end-user must authenticate with a password after the biometric identification.
If you want access to the iframe functionality, please contact us by creating a support ticket in the Signicat Dashboard.
Prerequisites
We assume you have done the initial preparations and received the needed access to the service, as described on the Initial preparations page.
Set up the OIDC client in the Dashboard
1. Add an OIDC client
To create an OIDC client for CIBA:
- In the Signicat Dashboard, go to eID Hub > OIDC clients and select Create/Add client.
- Set the Primary grant type to "Ciba".
- Enter a name for the client.
- Add the OIDC scopes specific for your integration.
For more details about how to add/edit scopes, see the below section.
Configure scopes
Available scopes for Norwegian BankID are: openid profile idp-id nin nbid-extra
openid
is mandatory for all ID methods.
To be able to add scopes in your request, you first need to define them in the Signicat Dashboard:
- In the Dashboard, go to the OIDC Client you intend to use for the ID method.
- Click Edit: to view your client configuration.
- Open the Access tab.
- Click Add scope in the "Allowed scopes" section and select the scopes from the list.
For descriptions of these scopes, see the Attributes reference.
Add parent domains
When embedding Norwegian BankID in an iframe, you must add parent domains:
- In the menu for the OIDC Client, select Advanced > Security.
- In the Allowed Parent Domains for Embedded flows field, add at least one domain.
2. Add a client secret
Depending on the type of your application, you may want to add a client secret. To do this:
- In the menu for the OIDC Client, go to the Secrets tab and click Add secret.
- Enter a name for your client secret and click Create.
- Copy your new client secret and store it safely.
- Save the client secret in a safe place, since you will only be able to view your client secret once, right after you create it. If you ever forget it or lose it, you have to create a new one.
- If you intend to use the OIDC client in a frontend flow or any type of application that cannot store a client secret, you must use Proof Key for Code Exchange (PKCE). We strongly recommend using PKCE, even when you are using a client secret. Learn more about PKCE in the eID Hub documentation.
Implement the OIDC authentication flow
In a CIBA flow:
- The client application initiates the authentication process by making a backchannel authentication request to the authorization server.
- The server responds with a unique authentication reference.
- The client can then receive real-time updates on the authentication status by polling the token endpoint.
1. Start the transaction
This step describes how to start a transaction towards Norwegian BankID by calling the CIBA endpoint.
The call to the CIBA endpoint should be an HTTP POST request with content-type application/x-www-form-urlencoded
. Make sure to authenticate the request with Basic authentication and operational parameters (login_hint, acr_values and scope):
The HTTP request could look like this:
POST /auth/open/connect/ciba HTTP/1.1
Authorization: Basic ZGV2LW...CamdraTd2
Host: yourdomain.signicat.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 100
login_hint=nbid_ciba&
acr_values=idp%3Anbid&%20flow%3embedded&
scope=openid%20profile%20nin
return_url=https%3A%2F%2Fexample.com
The values you specify in the query parameters must match the values in the OIDC client configuration in the Dashboard.
You can find additional authorization request query parameters in the OIDC specification.
The acr_values
and login_hint
parameters are described in more detail below.
Control the BankID flow (acr_values and login_hint)
You can control the Norwegian BankID flow by using the acr_values
and login_hint
parameters.
acr_values
Available parameters and values are:
BankID does an internal risk assessment and will force users to do a step-up if they deem it necessary, but by providing high
you can force a step-up if you have your own risk assessment strategy. Transactions with forced step-up will be billed differently than transactions where it is not forced.
login_hint
login_hint=nbid_ciba
login_hint=nin:17029012345
Response example
The response for the authentication request could look as follows (some headers omitted for brevity):
HTTP/1.1 200 OK
content-type: application/json; charset=UTF-8
{
"auth_req_id": "31920977-995e-254d-87d4-b323a6956552",
"expires_in": 300,
"interval": 1
}
The auth_req_id
is needed when you request the Token endpoint (see below).
2. Obtain the authentication URL
To obtain the authentication URL where the user should be redirected, you must make a request to the Token endpoint.
To do that, you perform a HTTP POST call to the Token endpoint with the following parameters
auth_req_id = 31920977-995e-254d-87d4-b323a6956552
(Theauth_req_id
received in the previous response.)grant_type = urn:openid:params:grant-type:ciba
An example of HTTP request would look like this:
POST /auth/open/connect/token HTTP/1.1
Authorization: Basic ZGV2LW...CamdraTd2
Host: yourdomain.signicat.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
auth_req_id=31920977-995e-254d-87d4-b323a6956552&grant_type=urn%3Aopenid%3Aparams%3Agrant-type%3Aciba
In the first call to the Token endpoint the response will contain the error_uri
element (some headers omitted for brevity):
{
"error": "authorization_pending",
"error_description": "Authentication Pending, you need to log using the url",
"error_uri": "https://api.signicat.dev/idps/sandbox/nbid/ciba/initialize-auth?transactionId=31920977-995e-254d-87d4-b323a6956552&messageId=eddc24af-ccb8-409d-b5d3-e591111e2807"
}
You must redirect the user to this error_uri
.
3. Retrieve the sessionNonce
After the user has finished the authentication and been redirected to your specified return_url
, you must retrieve the returned sessionNonce
value and include it in the ID token request (see below) to get information about the transaction and the user.
We return the sessionNonce
value to ensure that the communication session is unique and cannot be used in replay attacks.
The sessionNonce
value is returned at the end of the return_url
, for example:
https://example.com/?sessionNonce=P-zvdIDsW6ZKGn5__48Df9RitMlxHvUe1RHZ-PLxczc
4. Retrieve the ID token
Once the user has successfully completed the authentication, you must perform a new HTTP POST call to the Token endpoint with the following body parameters:
auth_req_id = 31920977-995e-254d-87d4-b323a6956552
(theauth_req_id
received when creating the session.)grant_type = urn:openid:params:grant-type:ciba
You must also include the sessionNonce
in the POST request to the Token endpoint (see Retrieve the sessionNonce). It must be included as a query parameter called session_nonce
.
POST /auth/open/connect/token?session_nonce=zvdIDsW6ZKGn5__48Df9RitMlxHvUe1RHZ-PLxczc
Full request example:
POST /auth/open/connect/token?session_nonce=zvdIDsW6ZKGn5__48Df9RitMlxHvUe1RHZ-PLxczc HTTP/1.1
Authorization: Basic ZGV2LW...CamdraTd2
Host: yourdomain.signicat.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
auth_req_id=31920977-995e-254d-87d4-b323a6956552&grant_type=urn%3Aopenid%3Aparams%3Agrant-type%3Aciba
By sending this request you will receive an access_token
and an id_token
in the Token endpoint response.
Response example:
{
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6...",
"access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6...",
"expires_in": 600,
"token_type": "Bearer",
"scope": "openid profile nin idp-id nbid-extra"
}
ID token
An ID token is a JWT that encoded looks like "eyJhbGciOiJSUzI1NiIsImtpZCI6..."
(abbreviated).
The decoded payload (data) part of the ID token for Norwegian BankID would then look like:
{
"iss": "https://<YOUR_SIGNICAT_DOMAIN>/auth/open",
"nbf": 1730276949,
"iat": 1730276949,
"exp": 1730277549,
"aud": "<OIDC_CLIENT_ID>",
"at_hash": "L5ArXYPIth0nCL38oSdt2w",
"sub": "MuTkzKJfQi-X7oQu86mTDtE01AHMGA9gPx3Pe-tlUdM=",
"auth_time": 1730276926,
"idp": "nbid",
"idp_id": "9578-6000-4-890775",
"name": "Kari Nordmann",
"family_name": "Nordmann",
"given_name": "Kari",
"birthdate": "1990-02-17",
"nin": "17029012345",
"nin_type": "BIRTH",
"nin_issuing_country": "NO",
"nbid_alternative_subject": "9578-6000-4-890775",
"nbid_idp": "BIS",
"nbid_subject_uuid": "vFafzatjbz1_k_FlizIpRzxrPspN_i_0mGLd0mWRVNM",
"nbid_updated_at": "1726237448",
"nbid_sid": "BiXRO3eqJqn6HAUdCSA6aRcFAzKwGBDY613XHLEPQvc",
"nbid_originator": "CN=BankID - TestBank1 - Bank CA 3,OU=123456789,O=TestBank1 AS,C=NO;OrginatorId=9980;OriginatorName=BINAS;OriginatorId=9980",
"idp_issuer": "https://current.aletheia-test.idtech.no",
"transaction_id": "00f4cf79-bf99-5949-8db3-e302dc735905",
"sandbox": true
}
In this example we have used the following scopes for Norwegian BankID: openid profile idp-id nin nbid-extra
ID Token is configured by default to return only the claims defined in the OIDC standard (standard scopes).
To control the data returned in the ID Token:
- Open the Dashboard OIDC clients and select your OIDC client.
- Go to the Advanced > Security tab and edit the Id Token User data. You can choose between:
- Standard Scopes (default): Returns the standard OIDC scopes.
- All: Returns all claims.
- Minimal: Returns only
sub
.
In the above example, we have set the Id Token User data to All, which means it returns all the claims for Norwegian BankID.
The access token will be used in the UserInfo request (see Obtain user information below).
4. Obtain user information
You use the UserInfo request to obtain the user information as defined in the scopes.
For step details, see the general guide, UserInfo.
Here is a response example:
{
"idp_id": "9578-6000-4-890775",
"sub": "MuTkzKJfQi-X7oQu86mTDtE01AHMGA9gPx3Pe-tlUdM=",
"name": "Kari Nordmann",
"family_name": "Nordmann",
"given_name": "Kari",
"birthdate": "1990-02-17",
"nin": "17029012345",
"nin_type": "BIRTH",
"nin_issuing_country": "NO",
"nbid_originator": "CN=BankID - TestBank1 - Bank CA 3,OU=123456789,O=TestBank1 AS,C=NO;OrginatorId=9980;OriginatorName=BINAS;OriginatorId=9980",
"nbid_sid": "BiXRO3eqJqn6HAUdCSA6aRcFAzKwGBDY613XHLEPQvc",
"nbid_updated_at": "1726237448",
"nbid_subject_uuid": "vFafzatjbz1_k_FlizIpRzxrPspN_i_0mGLd0mWRVNM",
"nbid_idp": "BIS",
"nbid_alternative_subject": "9578-6000-4-890775",
"idp_issuer": "https://current.aletheia-test.idtech.no"
}
For more details about available scopes and claims, see the Attributes reference.
See also
Get inspired and learn more about how to set up CIBA for other ID methods: