Technical requirements
| Short name | Requirement |
|---|---|
| RFT1 | When the BankID app is launched with a URL, the content of the `redirect` parameter must be UTF-8 and URL encoded. |
| RFT2 | When the BankID app is launched with a URL, the URL must not exceed 2000 characters. |
| RFT3 | When the BankID app is launched with a URL, the redirect URL should use HTTPS. |
| RFT4 | The personal number in the RP web service API must be 12 characters (YYYYMMDDNNNN). |
| RFT5 | When a collect returns completed, RP shall read and store the values of signature, userInfo and ocspResponse. RP does not need to verify the signature. BankID verifies the signature. |
| RFT6 | Collect should be called every two seconds and must not be called more frequently than once per second. |
| RFT7 | RP should display a progress indicator in its web app when waiting for the complete response from collect. |
| RFT8 | RP must contact the BankID web service API from RP’s backend server. RP must NOT contact the BankID web service API from RP’s client app. |
| RFT9 | RP should always use the latest version of the web service API. |
| RFT10 | If the user selects to use Mobile BankID only, the certificatePolicies condition must be set to 1.2.752.78.1.5. |
| RFT11 | RP must use the issuer of the server certificate as trusted root. If the server certificate itself is used as trusted, the RP service will not be able to access the BankID server when the server certificate is changed. |
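
An RP backend can check RFT1, RFT2 and RFT3 before it hands a launch URL to the client. The following is an added example, not code from BankID or from this page; the launch URL prefix, the token placeholder and the `rp.example` return URL are constructed assumptions.

```python
from urllib.parse import quote, unquote_to_bytes, urlsplit

MAX_LAUNCH_URL_LENGTH = 2000  # RFT2

def build_launch_url(launch_prefix, redirect):
    """Append the redirect parameter, UTF-8 and URL encoded (RFT1)."""
    # safe="" also escapes ':', '/', '?', '&' and '=', so the redirect
    # cannot add or override parameters of the launch URL itself.
    return launch_prefix + "redirect=" + quote(redirect, safe="", encoding="utf-8")

def check_launch_url(launch_url):
    """Return the short names of the requirements a launch URL violates."""
    violations = []
    if len(launch_url) > MAX_LAUNCH_URL_LENGTH:
        violations.append("RFT2")
    raw = None
    for pair in urlsplit(launch_url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "redirect":
            raw = value
    if raw is None:
        return violations  # no redirect parameter: RFT1 and RFT3 do not apply
    try:
        if not raw.isascii() or any(c in raw for c in ":/?#"):
            raise ValueError("redirect value is not URL encoded")
        redirect = unquote_to_bytes(raw).decode("utf-8")  # strict UTF-8 decode
    except ValueError:  # UnicodeDecodeError is a subclass of ValueError
        violations.append("RFT1")
        redirect = None
    if redirect is not None and urlsplit(redirect).scheme.lower() != "https":
        violations.append("RFT3")
    return violations

# Constructed sample values (assumptions, not taken from the requirements).
PREFIX = "bankid:///?autostarttoken=TOKEN-PLACEHOLDER&"
RETURN_URL = "https://rp.example/återkomst?session=1"

if __name__ == "__main__":
    good = build_launch_url(PREFIX, RETURN_URL)
    print(good, check_launch_url(good))
    # Redirect appended without encoding
    print(check_launch_url(PREFIX + "redirect=" + RETURN_URL))
    # Percent-encoded as Latin-1 (%E5) instead of UTF-8 (%C3%A5)
    print(check_launch_url(PREFIX + "redirect=https%3A%2F%2Frp.example%2F%E5terkomst"))
    # Correctly encoded, but the redirect is plain HTTP
    print(check_launch_url(build_launch_url(PREFIX, "http://rp.example/")))
```

The Latin-1 case matters for return URLs containing å, ä or ö: the value looks URL encoded but does not decode as UTF-8, so it fails RFT1.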