Skip to content
This repository has been archived by the owner on Oct 7, 2024. It is now read-only.
/ py-consent-sign Public archive

Functional examples of Signicat Consent Signature

Notifications You must be signed in to change notification settings

signicat/py-consent-sign

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

py-consent-sign

Functional examples of Signicat Consent Signature


These are functional examples of Consent Signature. It does not illustrate how to implement the solution in a production environment, it merely illustrates the API calls required to make the flow work as expected. It can be viewed as a jumping-off point for your app implementation.

This example follows the documentation at https://developer.signicat.com/documentation/signing/signing-consent-signature/.

Dependencies:

  • Python 3
  • Built in: sys, random, time, urllib.parse
  • Requests: HTTP for Humans.

Supported eIDs.

To be able to use our Consent Signature solution, the eID must fullfil several technical requirements related to mobile integration. So far Signicat has created inapp methods for only Norwegian and Swedish BankID.

Flow

Preparations:

  • Fetch JWKs - prepare the public key.
  • Prepare the encrypted payload.
  • Prepare PKCE (optional)

Steps:

  1. Call /authorize
  2. Poll statusUri until status=finished (sbid: collectUrl until progressStatus=COMPLETE)
  3. Call completeUri (sbid: completeUrl) - the last redirect will contain CODE and STATE.
  4. Call /token end-point as normal (using CODE we got in STEP 3)
  5. Call /userinfo with access token. (optional)
  6. Call /signature with access token, to get the ltv-sdo document.

Note: All steps should be performed in backend. Alternatively Step 1-3 can be performed in a mobile app. Step 4 & 5 must always be performed at a backend (the web service hosted at your redirect URI).

Application Usage

Norwegian BankID (nbid-consent-sign.py)

The variable payload['login_hint'] needs to be changed to a valid Norwegian BankID test-user. This test-user has to be enabled for BankID on a mobile device! Format: ["birthdate-ddmmyy", "phone-nnnnnnnn"]

Once you have changed these variable, you can run it with python3 nbid-consent-sign.py.

Swedish BankID (sbid-consent-sign.py)

The variable payload['login_hint'] needs to be changed to a valid Norwegian BankID test-user. This test-user has to be enabled for BankID on a mobile device! Format: subject-yyyymmddnnnn

Once you have changed this variable, you can run it with python3 sbid-consent-sign.py.

Security Concerns

There are certain key concepts to keep in mind to be able to achive a good level of security when implementing consent signing.

  • Proof Key for Code Exchange: Signicat feels that a code interception attack is likely if the flow is ran in a mobile device. As such it is strongly recommended that you implement this extension for OAuth/OIDC (supported by default on Signicat's OIDC clients). The code examples in this repo already has PKCE implemented!
  • Unless you have specifically hardened security of your mobile application, you have to consider it somewhat unsafe. OIDC tokens and client secrets provided by Signicat should not be stored in your app.
  • As mentioned earlier step 4 & 5 should not be performed in-app.
  • General hardening of mobile applications should also be considered. See for instance AppSamurai blog post: 12 Various Ways To Ensure Mobile Application Security

References

Norwegian BankID: Test Information.

Swedish BankID: Test Information.

For general information about the Authentication service, please refer to Get Started With Authentication.

Specifications

Releases

No releases published

Packages

No packages published

Languages