Versies vergeleken

Sleutel

  • Deze regel is toegevoegd.
  • Deze regel is verwijderd.
  • Formattering is gewijzigd.
Informatie

By default PKIsigning uses OpenIDconnect or OAuth2.0 SSO integrations. Only if this type of integration is not possible, a fallback can be implemented using information below.

...

Codeblok
<html>
<head></head>
<body>
  <form method="post" id="jwtSubmitForm" action="https://devidentityaccidentity.pkisigning.io">
    <input type="hidden" name="jwt" value="eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvdGVzdC5waW5rd2ViLm5sIiwic3ViIjoiaW5pdGlhdGVHZXRVc2VySW5mb1JlcXVlc3QiLCJpYXQiOjE2MDY4MzcxNzYsImV4cCI6MTYwNjgzNzIwNiwiaGFuZHNoYWtlVG9rZW4iOiIwYmJlMTcyNDc4M2FmYjM5ZjE5NjcxZmE4MWNiOTg4NyJ9.0k3xUmzAYCcVT4HSYCaEj3gaVjeGqTeeiM4EhnhCbCo" />
  </form>
  <script type="text/javascript">
    document.getElementById('jwtSubmitForm').submit();
  </script>
</body>
</html>
Urgent

Please check the returnurl you get in the queryparameter to match the pkisigning.io domain. This to prevent against open redirect url attacks.

https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect

Acquiring user information

...

Codeblok
{
  "Id":"internal unique id of integrating party indicating the user parmanently",
  "Email":"emailaddress of the user",
  "Mobilephone":"mobile number of user in international format",
  "Surname":"Surname of user",
  "Firstname":"First name of the user",
  "Infix":"infix/prefix of lastname"
}

The content-type of the response should be text/json.

This backchannel call will be done immediately after the callback of step 3, so the used token doesn’t need to have a very long validity period.

...

Depending on the environment used, the user is directed to a specified PKIsigning IDP .by the integrating partner: http://identity.pkisigning.io/connect/authorize?…

Please add an extra parameter named acr_values to this url. This parameter will instruct the PKIsigning IDP to skip the loginpage altogether and directly use the specified SSO integration.

http://identity.pkisigning.io/connect/authorize?…&acr_values=idp:SSO_ID

Please note the colon-sign ( : ) between idp and the SSO_ID. This should preferrably encoded as %3A.

The specified SSO_ID will be given to you by the PKIsigning development team.