diff --git a/src/pages/verify/getting-started/oidc-intro.mdx b/src/pages/verify/getting-started/oidc-intro.mdx index 1bc825d5..d3f39480 100644 --- a/src/pages/verify/getting-started/oidc-intro.mdx +++ b/src/pages/verify/getting-started/oidc-intro.mdx @@ -355,7 +355,7 @@ CIBA supports use cases not covered by other OpenID Connect flows, such as: - Using a smartphone to authorize a payment at a point of sale terminal. - Enabling a bank agent to authenticate a customer in a bank branch during a face-to-face interaction. -Idura Verify supports CIBA for the [Swedish BankID Phone Authentication](/verify/guides/caller-authentication/#caller-authentication-with-swedish-bankid). +Idura Verify supports CIBA for the [Swedish BankID Phone Authentication](/verify/guides/caller-authentication/#caller-authentication-with-swedish-bankid) and the [Norwegian BankID Caller Authentication](/verify/guides/caller-authentication/#caller-authentication-with-norwegian-bankid). ### Example request @@ -367,12 +367,12 @@ HTTP POST https://YOUR_SUBDOMAIN.idura.broker/ciba/bc-authorize Content-Type: application/x-www-form-urlencoded scope=openid -&callInitiator=RP &login_hint=sub:ssn:SSN &acr_values=urn:grn:authn:se:bankid &binding_message=BINDING_MESSAGE &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer &client_assertion=YOUR_JWT_ASSERTION +authorization_details=%5B%7B%22type%22%3A%22phoneAuth%22%2C%22callInitiator%22%3A%22RP%22%7D%5D ``` ### Example response diff --git a/src/pages/verify/guides/caller-authentication.mdx b/src/pages/verify/guides/caller-authentication.mdx index e59b12e0..9adbddaf 100644 --- a/src/pages/verify/guides/caller-authentication.mdx +++ b/src/pages/verify/guides/caller-authentication.mdx 
@@ -53,6 +53,7 @@ Make an `HTTP POST` request to the `/ciba/bc-authorize` endpoint: # Replace `YOUR_DOMAIN.idura.broker` with your Idura domain # Replace `$client_assertion` with your JWT assertion # Replace `SSN` with a valid SSN +# Note: If you authenticate with a client secret, use HTTP Basic Authorization (Authorization: Basic base64(client_id:client_secret)). HTTP POST https://YOUR_DOMAIN.idura.broker/ciba/bc-authorize Content-Type: application/x-www-form-urlencoded @@ -62,7 +63,7 @@ scope=openid &acr_values=ACR_VALUE &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer &client_assertion=$client_assertion -# Add eID-specific parameters here +&authorization_details=... # Add eID-specific parameters here ``` @@ -75,25 +76,39 @@ scope=openid - - + + +
**Swedish BankID** - `callInitiator=RP` or `user` -
+ `authorization_details=[{"type":"phoneAuth", "callInitiator":"RP"}]` + `binding_message=BINDING_MESSAGE` -
+ `acr_values=urn:grn:authn:se:bankid`
- `callInitiator` must be either `RP`("Relying Party", e.g. a customer service agent) or - `user`, depending on who initiated the call. -
-
- The `binding_message` value will be shown to the end user in the BankID app. +
    +
  • `authorization_details` is a [Rich Authorization Request (RAR)](https://datatracker.ietf.org/doc/html/rfc9396#name-authorization-request) parameter + and must be sent as a URL-encoded JSON string.
  • +
  • `callInitiator` must be either `RP`("Relying Party", e.g. a customer service agent) or + `user`, depending on who initiated the call.
  • +
  • The `binding_message` value will be shown to the end user in the BankID app.
  • +
**Norwegian BankID**`acr_values=urn:grn:authn:no:bankid`Do not include a `binding_message`: the BankID app handles this internally. + `authorization_details=[{"type":"customerServiceCall.v1"}]` + + `acr_values=urn:grn:authn:no:bankid` +
+
+
    +
  • `authorization_details` is a [Rich Authorization Request (RAR)](https://datatracker.ietf.org/doc/html/rfc9396#name-authorization-request) parameter + and must be sent as a URL-encoded JSON string.
  • +
  • Do not include a `binding_message`: the BankID app handles this internally.
  • +
+
@@ -127,7 +142,7 @@ The response will be slightly different depending on the eID provider. "auth_req_id" : "3857f8ff-21b9-48ae-a732-a3bd8128a7ae", "expires_in" : 900, "interval" : 3, - "bindingMessage" : "Frekk julekos" + "bindingMessage" : "Frekk Julekos" } ``` @@ -158,6 +173,7 @@ After receiving `auth_req_id`, poll the token endpoint (`/oauth2/token`) to get ```sh # Replace `AUTH_REQ_ID` with the id returned by authentication response # Replace `$client_assertion` with your JWT assertion +# Note: If you authenticate with a client secret, use HTTP Basic Authorization (Authorization: Basic base64(client_id:client_secret)). HTTP POST https://YOUR_DOMAIN.idura.broker/oauth2/token Content-Type: application/x-www-form-urlencoded @@ -179,7 +195,7 @@ auth_req_id=AUTH_REQ_ID **Token Delivery Modes:** CIBA allows three token delivery methods: Poll, Ping and Push. Idura - Verify only supports the Poll mode at the moment. + Verify supports Poll mode. #### 4. Polling results @@ -197,7 +213,8 @@ On successful user identification, a token response is returned: Continue polling until the token endpoint returns a token response or an `"access_denied"` error. - While the authentication process is ongoing, the provider will always return `"error": "authorization_pending"`. + While the authentication process is ongoing, the provider will always return `"error": + "authorization_pending"`. The exact response format for intermediate authentication states depends on the eID provider. @@ -292,7 +309,7 @@ The exact response format for intermediate authentication states depends on the ## Caller Authentication with Swedish BankID -BankID in telephone calls facilitates user authentication during a phone call. +[BankID in telephone calls](https://www.bankid.com/en/foretag/telephone-identification) facilitates user authentication during a phone call. ### How authentication works 
@@ -305,9 +322,24 @@ The exact response format for intermediate authentication states depends on the The example above demonstrates what it looks like when the customer is calling the service. A different security check is shown when the service is calling the customer. +### Getting ready for Production + +To go live, follow the [Get ready for production](/verify/guides/production/) guide and [order Swedish BankID](/verify/e-ids/swedish-bankid/#ordering-swedish-bankid) for your organization. + ## Caller Authentication with Norwegian BankID -Caller Authentication enables identity verification during a live call or while the user is waiting in the call queue. +[Caller Authentication](https://bankid.no/bedrift/vaare-tjenester/sikker-samtale) enables identity verification during a live call or while the user is waiting in the call queue. The user authenticates in the BankID app using biometrics. -This product is currently in BETA. If you're interested in using it, please contact us at [support@idura.eu](mailto:support@idura.eu). +### How authentication works + +1. **SSN input:** The caller's SSN is collected by your IVR/phone system or a customer service representative. +2. **Authentication request:** The caller's SSN is used to start the authentication request. +3. **Security check:** The user hears a word pair over the phone and sees three word pair options in their BankID app. They select the words they heard. +4. **User response:** After selecting the correct pair, the app shows the “Phone call with customer service” screen and prompts the user to confirm their identity using biometrics. + +![CIBA Norwegian BankID](./images/ciba-bankid-no-phone-auth.png) + +### Getting ready for Production + +To go live, follow the [Get ready for production](/verify/guides/production/) guide and [order Norwegian BankID client credentials](/verify/e-ids/norwegian-bankid/#ordering-norwegian-bankid). 
diff --git a/src/pages/verify/guides/images/ciba-bankid-no-phone-auth.png b/src/pages/verify/guides/images/ciba-bankid-no-phone-auth.png new file mode 100644 index 00000000..9dc3e731 Binary files /dev/null and b/src/pages/verify/guides/images/ciba-bankid-no-phone-auth.png differ
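Review bot: the new `authorization_details` line in the `/ciba/bc-authorize` example body of oidc-intro.mdx (hunk `@@ -367,12 +367,12 @@`) is missing the leading `&` that every other parameter on the preceding lines carries (`&binding_message=BINDING_MESSAGE`, `&client_assertion=YOUR_JWT_ASSERTION`), so a reader who concatenates the body as shown ends up with `...YOUR_JWT_ASSERTIONauthorization_details=...` and a malformed form body. Suggest `&authorization_details=%5B%7B%22type%22%3A%22phoneAuth%22%2C%22callInitiator%22%3A%22RP%22%7D%5D`, matching the `&authorization_details=...` form used in the caller-authentication.mdx hunk.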
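Review bot: the comment added to the `/ciba/bc-authorize` block in caller-authentication.mdx (hunk `@@ -53,6 +53,7 @@`, `# Note: If you authenticate with a client secret, use HTTP Basic Authorization ...`) leaves the reader with two client authentication methods in one request, because the body below it still carries `&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer` and `&client_assertion=$client_assertion`. Suggest stating that those two parameters are dropped when the Basic `Authorization` header is used, and applying the same wording to the identical note added to the `/oauth2/token` block in hunk `@@ -158,6 +173,7 @@`.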
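Review bot: in the eID parameter table (hunk `@@ -75,25 +76,39 @@`) the Swedish BankID note says `authorization_details` "must be sent as a URL-encoded JSON string", but the parameter row shows it unencoded (`authorization_details=[{"type":"phoneAuth", "callInitiator":"RP"}]`) while the oidc-intro.mdx example shows the percent-encoded form; one sentence saying the table shows the decoded value for readability would stop readers pasting the raw JSON. The RAR explanation (`authorization_details` is a [Rich Authorization Request (RAR)] parameter ... URL-encoded JSON string) is also repeated word for word under both Swedish and Norwegian BankID and could sit once above the table. Please also confirm the two `type` values are correct as written, since `phoneAuth` and `customerServiceCall.v1` follow different naming conventions.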
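Review bot: dropping "only" in hunk `@@ -179,7 +195,7 @@` changes the meaning of the token delivery note: "CIBA allows three token delivery methods: Poll, Ping and Push. Idura Verify supports Poll mode." no longer tells a developer whether Ping and Push requests are rejected, which is exactly what they need to know when choosing a delivery mode. Suggest "Verify supports only the Poll mode." if that is still the case, or listing the supported modes explicitly if it is not.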
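Review bot: the new "How authentication works" steps for Norwegian BankID (hunk `@@ -305,9 +322,24 @@`) do not say where the word pair read to the user in step 3 ("The user hears a word pair over the phone") comes from; the example response in hunk `@@ -127,7 +142,7 @@` returns `"bindingMessage" : "Frekk Julekos"`, so step 3 should state that the agent reads the `bindingMessage` from the authentication response, if that is the intended source. The hunk also removes "This product is currently in BETA." without replacing it; if the integration is now generally available, a short statement to that effect is clearer than a silent omission.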