PhenixID DocumentationPhenixID Authentication ServicesVersion 2.7 Developer integration guidesUsing PhenixID HTTP API for NetID Access (SITHS/EFOS/Own CA) authentication

Using PhenixID HTTP API for NetID Access (SITHS/EFOS/Own CA) authentication

Overview

To use the API, two methods must be called. The first API method call is to trigger the authentication. This will return a transaction ID value. The second API method call will poll the status of the authentication. The API client must poll until a status=OK or an error is returned.

Prerequisites

- PhenixID Authentication Services HTTP API configured

- NetID Access client

- NetID Access enrolled

- If PhenixID Authentication Services HTTP API is protected with client certificate authentication: Client certificate (p12)

- If PhenixID Authentication Services HTTP API is protected with basic authentication: Username and password

Trigger authentication - data to be fetched before api call

To trigger NetID authentication, the api client may fetch this value:

- Certificate subject id (this can be the user personal number, hsa-id, userPrincipalName. It depends on the certificate that is used)

 

To trigger NetID Access authentication with autostart, no data needs to be fetched.

For information how to use autostart for NetID Access, please view the relying party guidelines for NetID Access.

Trigger authentication - api call

Request

Method: HTTP PUT

Endpoint: /api/authentication/netid_start_auth

Headers:

Name Value
Mandatory Comment
Content-Type application/json Yes
tenant t1 Yes .Value must be given to you by PhenixID Signing Service admin, it might differ depending on the environment.
Authorization <basic_auth_value> No If applicable, username and password must be given to you by PhenixID Signing Service admin.

Body:

The body must contains a json structure.

{
"pnr":"..",
} 

Json structure properties:

Name Value Mandatory Comment
pnr <certificate subject id> Yes Certificate subject Id (userID).

Example request (Please note that authorization data is not included in this example).

 

PUT /api/authentication/netid_start_auth HTTP/1.1
Host: demo.phenixid.net
Content-Type: application/json
tenant: t1
Cache-Control: no-cache
{ "pnr":"191212127771" }

Response

Example response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 3900
{
  "transactionID":"829b3b56-5a0a-449f-8dc8-50e6772c076f"
}

Poll authentication status - use transactionID

The API client must fetch the transactionID returned by the Trigger authentication call.

The API client must call the Poll authentication status API method periodically until it returns a status OK or an error message.

Poll authentication status - api call

Request

Method: HTTP PUT

Endpoint: /api/authentication/netid_check_auth

Headers:

Name Value Mandatory Comment
Content-Type application/json Yes
tenant t1 Yes This value must be given to you by the PhenixID Signing Service admin.
Authorization <basic_auth_value> No Basic authentication username and password must be given to you by PhenixID Signing Service admin.

Body:

The body must contains a json structure.

{"transactionID":"..."} 

Json structure properties:

Name Value Mandatory Comment
transactionID <Value_returned_from_trigger_sign> Yes

Example request (Please note that authorization data is not included in this example).

PUT /api/authentication/netid_check_auth HTTP/1.1
Host: demo.phenixid.net
Content-Type: application/json
tenant: t1
Cache-Control: no-cache
{ "transactionID": "b3734e10-d5e4-49a9-b5fb-affa89e31191" }

Response

Response

The response body JSON structure properties:

 

Name Possible values Comment
status COMPLETE
OUTSTANDING_TRANSACTION
USER_SIGN
PENDING
SIGN_VALIDATION_FAILED
ERROR
CANCELLED

PENDING -> User did not yet open the NetID Access application. Continue to poll.

OUTSTANDING_TRANSACTION-> User did not yet open the NetID Access application. Continue to poll.

USER_SIGN -> User opened the BankID application. Continue to poll.

COMPLETE-> Successful authentication. Stop polling

Other status -> Stop polling


name
Full name of Certificate holder. Only available if status=OK.
givenName
Given name (first name) of Certificate holder. Only available if status=OK.
surName
Last name of Certificate holder. Only available if status=OK.
ocspResponse

OCSP response value of the authentication. Only available if status=OK.
signature

Signature value of the authentication. Only available if status=OK.
message
Error message. Only available if status=ERROR.
details
Detailed error message. Only available if status=ERROR.

Example response:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 390010
{
    "surName": "Landgren",
    "givenName": "Reine",
    "name": "Reine Landgren",
    "status": "OK"
}

Common errors

Common errors from the NetID Access backend will result in a HTTP Status 200 with a body containing the error message:

{”message”:”<error explained>”}