Requirement
RP may use the requirement parameter to describe how the signature must be created and verified. A typical use case is to require Mobile BankID or a special card reader. A requirement can be set for both auth and sign orders.
The following table describes requirements, their possible values and defaults.
cardReader

Value
- "class1" - (default). The transaction must be performed using a card reader where the PIN code is entered on the computer's keyboard, or a card reader of higher class.
- "class2" - The transaction must be performed using a card reader where the PIN code is entered on the reader, or a reader of higher class.
- defaults to "class1".
This condition should be combined with a certificatePolicies for a smart card to avoid undefined behavior.

Default
No special type of card reader required.

certificatePolicies

Value
The OID in certificate policies in the user certificate. List of String. One wildcard is allowed from position 5 and forward.
The wildcard is: *
Example: 1.2.752.78.*
The values for production BankIDs are:
- "1.2.752.78.1.1" - BankID on file
- "1.2.752.78.1.2" - BankID on smart card
- "1.2.752.78.1.5" - Mobile BankID
- "1.2.752.71.1.3" - Nordea e-id on file and on smart card
The values for test BankIDs are:
- "1.2.3.4.5" - BankID on file
- "1.2.3.4.10" - BankID on smart card
- "1.2.3.4.25" - Mobile BankID
- "1.2.752.71.1.3" - Nordea e-id on file and on smart card
- "1.2.752.60.1.6" - Test BankID for some BankID Banks

Default
If no certificate policies are set, the following are default in the production system:
- 1.2.752.78.1.1
- 1.2.752.78.1.2
- 1.2.752.78.1.5
- 1.2.752.71.1.3
The following are default in the test system:
- 1.2.3.4.5
- 1.2.3.4.10
- 1.2.3.4.25
- 1.2.752.60.1.6
- 1.2.752.71.1.3
If one certificate policy is set, all the default policies are dismissed.

issuerCn

Value
The cn (common name) of the issuer. List of String. Wildcards are not allowed.
Nordea values for production:
- "Nordea CA for Smartcard users 12" - E-id on smart card issued by Nordea CA.
- "Nordea CA for Softcert users 13" - E-id on file issued by Nordea CA.
Example Nordea values for test:
- "Nordea Test CA for Smartcard users 12" - E-id on smart card issued by Nordea CA.
- "Nordea Test CA for Softcert users 13" - E-id on file issued by Nordea CA.

Default
If issuer isn't defined, all relevant BankID and Nordea issuers are allowed.

autoStartTokenRequired

Value
Deprecated. Will not be possible to use in future versions of the RP API. Use tokenStartRequired. If present, and set to true, one of the following methods must be used to start the client:
Boolean. To be used if it is important that the BankID App is on the same device as the RP service.
If this requirement is omitted or set to false, the client does not need to be started using autoStartToken.

Default
The client doesn't need to be started using autoStartToken.

allowFingerprint

Value
Boolean. Users of iOS and Android devices may use fingerprint for authentication and signing if the device supports it and the user configured the device to use it. No other devices are supported at this point.
- If set to true, the users are allowed to use fingerprint.
- If set to false, the users are not allowed to use fingerprint.

Default
true for authentication.
false for signing.

tokenStartRequired

Value
Boolean. tokenStartRequired replaces autoStartTokenRequired. If present, and set to true, one of the following methods must be used to start the client:

Default
The client doesn't need to be started using a token.
Example – allowFingerprint for sign
```http
POST /rp/v5.1/sign HTTP/1.1
Content-Type: application/json
Host: appapi2.bankid.com

{
  "personalNumber": "190000000000",
  "endUserIp": "192.168.0.1",
  "requirement": {
    "allowFingerprint": true
  }
}
```
Example – certificatePolicies for auth with Mobile BankID
```http
POST /rp/v5.1/auth HTTP/1.1
Content-Type: application/json
Host: appapi2.bankid.com

{
  "personalNumber": "190000000000",
  "endUserIp": "192.168.0.1",
  "requirement": {
    "certificatePolicies": ["1.2.752.78.1.5"]
  }
}
```
Example – Combined Requirements
Multiple parameters set in one requirement must all be satisfied (AND). Multiple values set for certificatePolicies or issuerCn are alternatives (OR).
```http
POST /rp/v5.1/auth HTTP/1.1
Content-Type: application/json
Host: appapi2.bankid.com

{
  "personalNumber": "190000000000",
  "endUserIp": "192.168.0.1",
  "requirement": {
    "certificatePolicies": [
      "1.2.752.78.1.5",
      "1.2.752.71.1.3",
      "1.2.752.78.1.2"
    ],
    "tokenStartRequired": true
  }
}
```
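The rules in the table above can be checked on the RP side before an order is sent, and the production policies a certificatePolicies list actually admits can be computed to catch a wildcard that lets through more than intended. This is an added example, not code from the BankID documentation; the function names are hypothetical, "position" is read as the dot-separated arc index (consistent with the example 1.2.752.78.*), and the wildcard is assumed to stand for one or more arcs.

```python
import re

# Production policy OIDs, as listed in the table above.
PROD_POLICIES = {
    "1.2.752.78.1.1": "BankID on file",
    "1.2.752.78.1.2": "BankID on smart card",
    "1.2.752.78.1.5": "Mobile BankID",
    "1.2.752.71.1.3": "Nordea e-id on file and on smart card",
}
# Assumption: the policies this example counts as "for a smart card".
SMART_CARD = {"1.2.752.78.1.2", "1.2.752.71.1.3"}
PATTERN = re.compile(r"(\d+|\*)(\.(\d+|\*))*")


def admitted_policies(req):
    """Production policies a requirement lets through (OR over the list)."""
    patterns = req.get("certificatePolicies")
    if not patterns:  # nothing set: the production defaults apply
        return set(PROD_POLICIES)
    # Assumption: '*' stands for one or more OID arcs.
    regexes = [re.escape(p).replace(r"\*", r"\d+(\.\d+)*") for p in patterns]
    return {o for o in PROD_POLICIES if any(re.fullmatch(r, o) for r in regexes)}


def lint_requirement(req):
    """Return findings for a requirement dict before it goes to /auth or /sign."""
    findings = []
    for p in req.get("certificatePolicies", []):
        arcs = p.split(".")
        if not PATTERN.fullmatch(p):
            findings.append(f"certificatePolicies: {p!r} is not an OID pattern")
        elif arcs.count("*") > 1:
            findings.append(f"certificatePolicies: {p!r} has more than one wildcard")
        elif "*" in arcs and arcs.index("*") + 1 < 5:
            findings.append(f"certificatePolicies: {p!r} has a wildcard before position 5")
    for cn in req.get("issuerCn", []):
        if "*" in cn:
            findings.append(f"issuerCn: {cn!r} contains a wildcard")
    if "autoStartTokenRequired" in req:
        findings.append("autoStartTokenRequired is deprecated, use tokenStartRequired")
    if "cardReader" in req:
        if req["cardReader"] not in ("class1", "class2"):
            findings.append(f"cardReader: unknown value {req['cardReader']!r}")
        if not req.get("certificatePolicies") or not admitted_policies(req) <= SMART_CARD:
            findings.append("cardReader: combine with a smart card certificatePolicies")
    return findings

# Constructed sample: a wildcard that admits file, smart card and Mobile BankID.
SAMPLE = {"certificatePolicies": ["1.2.752.78.*"], "tokenStartRequired": True}
```

Running admitted_policies on SAMPLE shows that the wildcard passes the syntax rules yet admits BankID on file and on smart card as well as Mobile BankID, which matters when the RP meant to require one specific type.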