Using PhenixID HTTP API for Swedish BankID authentication
Overview
To use the API, two methods must be called. The first API method call is to trigger the authentication. This will return a transaction ID value. The second API method call will poll the status of the authentication. The API client must poll until a status=OK or an error is returned.
Prerequisites
- PhenixID Authentication Services HTTP API configured
- BankID client
- BankID enrolled
- If PhenixID Authentication Services HTTP API is protected with client certificate authentication: Client certificate (p12)
- If PhenixID Authentication Services HTTP API is protected with basic authentication: Username and password
Trigger authentication - data to be fetched before api call
To trigger bankid authentication in v5.1 of the BankID api, the api client may fetch this value:
- Personal identification number (personnummer)
With v6.0 of the BankID api autostart or start with Qr-code is mandatory.
For information how to use autostart and Qr-Code for bankid, please view the relying party guidelines here.
Trigger authentication - api call
Request
Method: HTTP PUT
Endpoint: /api/authentication/bankid_start_auth
Headers:
Name | Value |
Mandatory | Comment |
---|---|---|---|
Content-Type | application/json | Yes | |
tenant | t1 | Yes | .Value must be given to you by PhenixID Authentication Services admin, it might differ depending on the environment. |
Authorization | <basic_auth_value> | No | If applicable, username and password must be given to you by PhenixID Authentication Services admin. |
The body of the request can be left empty. Configure your BankIDAuthenticateValve with the attributes to be handled in the request.
Body:
{ "userVisibleData":"text to be shown"
}
Json structure properties:
Name | Value | Mandatory | Comment |
---|---|---|---|
pnr | <user personal identification number> | No | Only accepted in v5.1 of the BankID API Personal identification number. 12 digits. Numbers only. Please view BankID documentation for recommendations regarding autostart flows. |
Example request (Please note that authorization data is not included in this example).
PUT /api/authentication/bankid_start_auth HTTP/1.1
Host: demo.phenixid.net
Content-Type: application/json
tenant: t1
Cache-Control: no-cache
{ "pnr":"191212127771" }
Response
Example response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 3900
{
"transactionID":"829b3b56-5a0a-449f-8dc8-50e6772c076f"
}
Example request autostart (Please note that authorization data is not included in this example).
PUT /api/authentication/bankid_start_auth HTTP/1.1
Host: demo.phenixid.net
Content-Type: application/json
tenant: t1
Cache-Control: no-cache
{ }
Example response autostart
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 3900
{
"autostarttoken": "c5698d12-0cf4-4456-ae7b-d795f9967798", "qrStartSecret": "78ed3fab-020c-41e8-a4ba-b64fb00788e1", "qrStartToken": "0c32dc95-74a4-4209-9ff2-e819bb740b8a", "transactionID": "eca638ac-fa8a-4943-bec1-1d83b4c7d3a6"
}
Poll authentication status - use transactionID
The API client must fetch the transactionID returned by the Trigger authentication call.
The API client must call the Poll authentication status API method periodically until it returns a status OK or an error message.
Poll authentication status - api call
Request
Method: HTTP PUT
Endpoint: /api/authentication/bankid_check_auth
Headers:
Name | Value | Mandatory | Comment |
---|---|---|---|
Content-Type | application/json | Yes | |
tenant | t1 | Yes | This value must be given to you by the PhenixID Authentication Services admin. |
Authorization | <basic_auth_value> | No | Basic authentication username and password must be given to you by PhenixID Authentication Services admin. |
Body:
The body must contains a json structure.
{"transactionID":"..."}
Json structure properties:
Name | Value | Mandatory | Comment |
---|---|---|---|
transactionID | <Value_returned_from_trigger_auth> | Yes |
Example request (Please note that authorization data is not included in this example).
PUT /api/authentication/bankid_check_auth HTTP/1.1
Host: demo.phenixid.net
Content-Type: application/json
tenant: t1
Cache-Control: no-cache
{ "transactionID": "b3734e10-d5e4-49a9-b5fb-affa89e31191" }
Response
Response
The response body JSON structure properties:
Name | Possible values | Comment |
---|---|---|
status | OK PENDING USER_SIGN ERROR CANCELLED |
PENDING -> User did not yet open the BankID application. Continue to poll. USER_SIGN -> User opened the BankID application. Continue to poll. Other status -> Stop polling Status=OK means successful authentication |
personalNumber |
Personal identification number (personnummer) of BankID holder. |
|
name | Full name of BankID holder. Only available if status=OK. | |
givenName | Given name (first name) of BankID holder. Only available if status=OK. | |
surName | Last name of BankID holder. Only available if status=OK. |
|
ocspResponse |
OCSP response value of the authentication. Only available if status=OK. |
|
signature |
Signature value of the authentication. Only available if status=OK. |
|
message | Error message. Only available if status=ERROR. | |
details | Detailed error message. Only available if status=ERROR. |
Example response:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 390010
{
"surName": "Landgren",
"givenName": "Reine",
"name": "Reine Landgren",
"personalNumber": "191212127771",
"status": "OK"
}
Common errors
Common errors from the BankID backend will result in a HTTP Status 200 with a body containing the error message:
{”message”:”<error explained>”}