BankID proxy API

BankID API acts as proxy in front of the actual BankID backend.  Apart from the ability to deploy anywhere this feature also adds value through support for multiple client certificates and augmenting the response before sending the response back to the calling client.

The supported BankID API version is 5. Specifications followed is 3.2.1 issued by Finansiell ID-Teknik BID AB. When using the BankID proxy API from PhenixID, the api interface is close to identitical to the BankID API. So moving to PhenixID bankid proxy API should not mean a great deal of work for api client developers.

PAS version 4.7 and later supports BankID API 6.0. See below for more information on how to upgrade. 

General notes

This API is to be considered as a connection point for other applications requiring BankID authentication or signing. 

It is not to be exposed without additional security layers such as firewalls and TLS encryption.

Prerequisites

  1. Keystore to communicate with BankID backend.
    1. Upload keystore to PhenixID Authentication Services using Scenario.
    2. Copy the keystore ID to be used in next step.

Configuration

Configure the module according to the example:


 {
 	"name": "com.phenixidentity~phenix-api-bankid",
 	"enabled": "true",
   "id" : "bankid_proxy_api",
 	"config": {
 		"tenant": [{
 			"id": "<id of the calling tenant>",
            "password": "<password of the calling tenant>",
 			"bankidStore": "<id of the keystore fetched in previous step.>",
 			"mode": "test",
            "version": "v6.0",
            "onCompletePipeID":"<id of the pipe executed after an completed bankID request.>"
 		}],
 		"http_configuration_ref": "<id of the http configuration used. [OPTIONAL] If omitted, the default http configuration is used.>"
 	}
 }
Click to copy

Tenant configuration

PhenixID BankID supports multiple calling tenants.  Each tenant must be configured in order to be allowed calling the API.

Name Description Default value
id id used to identify the calling tenant N/A
password password used to identify the calling tenant N/A
bankidStore Id of the uploaded keystore used when communicating with the actual BankID API. N/A
mode If using the BankID test environment or node (prod/test is valid value) prod
version Sets the version of the BankID API to use. PAS 4.7 and later. v5.1
onCompletePipeID If configured, PAS will perform a pipe execution before sending the respons back to the calling client. The data recieved from the pipe will be added to the BankID response and sent to the client. N/A

Enable the module

Add the id of the module to NODE_GROUPS->module_refs. Example: 

"module_refs": "bankid_proxy_api,.........."

Switching to v6.0

In PAS 4.7 and later tenants can enable BankID API v6.0 by adding the parameter "version": "v6.0".