### Authentication Endpoint (GET) Example Source: https://developer.bankid.cz/docs/apis This GET request initiates the OAuth2 and OpenID Connect authorization code flow. It authenticates the user and returns tokens as part of the callback. The request includes parameters for redirect URI, client ID, response type, state, and scope. This is the starting point for the authentication process. ```text GET /auth? redirect_uri=https://bankid.cz/callback &client_id=D40D25DB-C330 &response_type=code &state=1234 &scope=openid%20profile.name%20profile.gender%20offline_access Host: somebank.cz ``` -------------------------------- ### User Info API Request Example (HTTP) Source: https://developer.bankid.cz/docs/apis Illustrates a GET request to the UserInfo endpoint. The request includes an Authorization header with a Bearer token, which is required to retrieve user data. ```HTTP GET /userinfo HTTP/1.1 Host: idp.somebank.cz Accept: application/jwt Authorization: Bearer eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiw ``` -------------------------------- ### Profile API Request Example Source: https://developer.bankid.cz/docs/apis_sep Example of a GET request to the Profile API for KYC or AML client authentication. Access is authorized using a valid end-user access_token. The request includes an Authorization header with a Bearer token. ```http GET /profile HTTP/1.1 Host: oidc.sandbox.bankid.cz Accept: application/json Authorization: Bearer eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwi ``` -------------------------------- ### Profile API Request Example (HTTP) Source: https://developer.bankid.cz/docs/apis This example demonstrates a GET request to the BankID CZ Profile API. It includes the HTTP method, host, accepted content type, and an authorization header with a Bearer token. This API is used for KYC/AML client authentication and requires a valid end-user access token. ```http GET /profile HTTP/1.1 Host: idp.somebank.cz Accept: application/json Authorization: Bearer eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwi ``` -------------------------------- ### TokenInfo API Request Example Source: https://developer.bankid.cz/docs/apis_sep Example of a POST request to the TokenInfo API to get meta information about an OAuth 2.0 token. It uses client credentials or a client access token for authentication. The request includes parameters like client_id, client_secret, token, and token_type_hint. ```http POST /token-info HTTP/1.1 Host: oidc.sanbox.bankid.cz Content-Type: application/x-www-form-urlencoded client_id=0f8837d4-77e0-47cc-9789-c53d8ca27928 &client_secret=368b8099c14c0964a4a9f958c8b5786c46845ec1 &token=WwVEraxkI7KbtP31wD3XSpZKqGpsLiXg &token_type_hint=refresh_token ``` -------------------------------- ### Bank iD Authorization Request with PKCE Source: https://developer.bankid.cz/docs/apis_sep Example of a GET request to the Bank iD /auth endpoint incorporating PKCE (Proof Key for Code Exchange). It includes 'code_challenge' and 'code_challenge_method' to enhance security against code interception attacks. ```http GET /auth? client_id=30487be6-53e1-484a-ad41-cc0ec21bb8e9 &response_type=code &redirect_uri=https://serviceprovider.cz/callback? &scope=openid%20profile.name%20profile.gender &state=main002 &code_challenge=123 &code_challenge_method=plain Host: bankid.cz Copy to clipboard ``` -------------------------------- ### User Profile Retrieval (Example) Source: https://developer.bankid.cz/docs/apis_sep This snippet shows an example of a successful response when retrieving user profile information. It includes various personal details and identifiers. ```APIDOC ## GET /profile ### Description Retrieves the authenticated user's profile information. ### Method GET ### Endpoint /profile ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Request Example None ### Response #### Success Response (200 OK) - **sub** (string) - Unique identifier for the user. - **txn** (string) - Transaction identifier. - **verified_claims** (object) - Contains verification details. - **verification** (object) - **trust_framework** (string) - The trust framework used for verification. - **verification_process** (string) - Identifier for the verification process. - **given_name** (string) - User's first name. - **family_name** (string) - User's last name. - **gender** (string) - User's gender. - **birthdate** (string) - User's date of birth (YYYY-MM-DD). - **birthnumber** (string) - User's birth number. - **age** (integer) - User's age. - **majority** (boolean) - Indicates if the user has reached the age of majority. - **date_of_death** (string|null) - User's date of death, if applicable. - **birthplace** (string) - User's place of birth. - **primary_nationality** (string) - User's primary nationality. - **nationalities** (array) - List of user's nationalities. - (string) - **maritalstatus** (string) - User's marital status. - **email** (string) - User's email address. - **phone_number** (string) - User's phone number. - **pep** (boolean) - Indicates if the user is a politically exposed person. - **limited_legal_capacity** (boolean) - Indicates if the user has limited legal capacity. - **addresses** (array) - List of user's addresses. - (object) - **type** (string) - Type of address (e.g., PERMANENT_RESIDENCE). - **street** (string) - Street name. - **buildingapartment** (string) - Building or apartment number. - **streetnumber** (string) - Street number. - **city** (string) - City name. - **zipcode** (string) - Postal code. - **country** (string) - Country code. - **ruian_reference** (string) - RUIAN reference number. - **idcards** (array) - List of user's ID cards. - (object) - **type** (string) - Type of ID card (e.g., ID). - **description** (string) - Description of the ID card. - **country** (string) - Country issuing the ID. - **number** (string) - ID card number. - **valid_to** (string) - Expiration date of the ID card. - **issuer** (string) - Issuing authority. - **issue_date** (string) - Date of issue. - **paymentAccounts** (array) - List of user's payment accounts (IBANs). - (string) - **updated_at** (integer) - Timestamp of the last update. #### Response Example ```json { "sub": "23f1ac00-5d54-4169-a288-794ae2ead0c4", "txn": "6941683f-c6ee-410c-add0-d52d63091069:openid:profile.name:profile.addresses", "verified_claims": { "verification": { "trust_framework": "cz_aml", "verification_process": "45244782" } }, "given_name": "Jan", "family_name": "Novák", "gender": "male", "birthdate": "1970-08-01", "birthnumber": "7008010147", "age": 50, "majority": true, "date_of_death": null, "birthplace": "Praha 4", "primary_nationality": "CZ", "nationalities": [ "CZ", "AT", "SK" ], "maritalstatus": "MARRIED", "email": "J.novak@email.com", "phone_number": "+420123456789", "pep": false, "limited_legal_capacity": false, "addresses": [ { "type": "PERMANENT_RESIDENCE", "street": "Olbrachtova", "buildingapartment": "1929", "streetnumber": "62", "city": "Praha", "zipcode": "14000", "country": "CZ", "ruian_reference": "14458921" } ], "idcards": [ { "type": "ID", "description": "Občanský průkaz", "country": "CZ", "number": "123456789", "valid_to": "2023-10-11", "issuer": "Úřad městské části Praha 4", "issue_date": "2020-01-28" } ], "paymentAccounts": [ "CZ0708000000001019382023" ], "updated_at": 1650887066 } ``` ``` -------------------------------- ### Sector Identifier URI JSON Example Source: https://developer.bankid.cz/docs/high_level_overview_sep Example JSON array representing a list of Redirect URIs. This is used by a Sector Identifier URI to unify the Sector Identifier across multiple applications with distinct hostnames. ```json [ "https://app1.123.com/callback", "https://app2.456.com/callback" ] ``` -------------------------------- ### TokenInfo API Request and Response Examples (HTTP/JSON) Source: https://developer.bankid.cz/docs/apis Demonstrates the POST request and its corresponding JSON response for the TokenInfo API. The request includes client credentials and token details, while the response provides 'active' status and other meta-information about the token. ```HTTP POST /token-info HTTP/1.1 Host: idp.somebank.cz Content-Type: application/x-www-form-urlencoded client_id=0f8837d4-77e0-47cc-9789-c53d8ca27928 &client_secret=368b8099c14c0964a4a9f958c8b5786c46845ec1 &token=WwVEraxkI7KbtP31wD3XSpZKqGpsLiXg &token_type_hin=refresh_token &client_assertion=eyJraWQiOiJycC1zaWduIiw......7xpA26QF5_Oung7E4y2n6 &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer ``` ```JSON { "active": true, "scope": "openid profile.addresses", "client_id": "d1bdc32e-1b06-4609-9f60-073685267f88", "token_type": "access_token", "exp": 1419356238, "iat": 1419350238, "sub": "25657805-66d4-4707-980a-f12429f17592", "aud": "https://idp.somebank.cz/token-info", "iss": "https://idp.somebank.com/" } ``` -------------------------------- ### Success Response Example (JSON) Source: https://developer.bankid.cz/docs/apis This JSON response shows a successful registration and includes various client details. It outlines the structure and content of a successful API response, including client ID, secrets, URIs, and token configuration. It is an example of the kind of data returned upon successful registration. ```JSON { "client_id": "D40D25DB-C330-4331-A191-0A4F6CCD17D8", "client_secret": "689A79B8-9EE4-45A9-83B1-4F0130649394", "registration_access_token": "44010DFF-F77F-461A-8F3D-1466B24C5CC1", "registration_client_uri": "https://idp.example.com/connect/register/D40D25DB-C330-4331-A191-0A4F6CCD17D8", "client_id_issued_at": 1579263956, "redirect_uris": [ "https://client.example.com/callback", "https://rp.example.com/callback" ], "response_types": [ "code" ], "grant_types": [ "authorization_code", "refresh_token" ], "application_type": "web", "contacts": [ "ve7jtb@example.com", "mary@example.com" ], "client_name": "My Example", "logo_uri": "https://client.example.com/logo.png", "client_uri": "https://client.example.com", "policy_uri": "https://client.example.com/policy", "tos_uri": "https://client.example.com/tos", "jwks_uri": "https://client.example.com/my_public_keys.jwks", "sector_identifier_uri": "https://other.example.net/file_of_redirect_uris.json", "subject_type": "pairwise", "id_token_signed_response_alg": "PS512", "id_token_encrypted_response_alg": "RSA-OAEP-256", "id_token_encrypted_response_enc": "A256GCM", "userinfo_signed_response_alg": "PS512", "userinfo_encrypted_response_alg": "RSA-OAEP-256", "userinfo_encrypted_response_enc": "A256GCM", "profile_signed_response_alg": "PS512", "profile_encrypted_response_alg": "RSA-OAEP-256", "profile_encrypted_response_enc": "A256GCM", "request_object_signing_alg": "PS512", "request_object_encryption_alg": "RSA-OAEP-256", "request_object_encryption_enc": "A256GCM", "token_endpoint_auth_method": "private_key_jwt", "token_endpoint_auth_signing_alg": "PS512", "default_max_age": 3600, "require_auth_time": false, "default_acr_values": [ "loa3" ], "initiate_login_uri": "https://client.example.com/login", "request_uris": [ "https://client.example.com/rf.txt", "#qpXaRLh_n93TTR9F252ValdatUQvQiJi5BDub2BeznA" ], "backchannel_logout_uri": "https://client.example.com/backchannel_logout\"", "scope": "openid profile.name profile.addresses offline_access", "required_scope": "profile.addresses", "notification_uri": "https://api.bankid.cz/v1/notifyme" } ``` -------------------------------- ### BankID Incorrectly Specified Scope Example Source: https://developer.bankid.cz/docs/error-callbacks This example demonstrates an HTTP GET request to the BankID authorization endpoint with an incorrectly specified scope. The response is a 302 Found redirect indicating an `invalid_scope` error due to the missing mandatory `openid` scope. ```http GET https://oidc.bankid.cz/auth?redirect_uri=https%3A%2F%2Fsomeadr.com%2Fcallback%2Fconsent&scope=profile.phonenumber%20profile.birthnumber%20profile.gender%20profile.titles%20profile.birthplaceNationality%20profile.name%20profile.idcards%20profile.locale%20profile.maritalstatus%20profile.verification%20profile.legalstatus%20profile.email%20offline_access%20profile.addresses%20profile.birthdate&response_type=code&state=some%20state&nonce=26b6&prompt=login&display=page&acr_values=loa3 HTTP/1.1 HTTP/1.1 302 Found Location: http://someadr.com/callback?error=invalid_scope&error_description=Mandatory%20scope%20openid%20is%20missing&state=some%20state ``` -------------------------------- ### Authorize API Source: https://developer.bankid.cz/docs/api/idp-for-bankid Begin the IDP authorization flow. ```APIDOC ## GET /auth ### Description Begin the IDP authorization flow. ### Method GET ### Endpoint /auth ### Parameters #### Query Parameters - **client_id** (string) - Required - The client identifier. - **redirect_uri** (string) - Required - The URI to redirect to after authorization. - **response_type** (string) - Required - The response type, typically 'code'. - **scope** (string) - Required - The scope of the requested authorization. - **state** (string) - Optional - An opaque value used to maintain state between the request and callback. ### Request Example ``` GET /auth?client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI&response_type=code&scope=openid&state=SOME_STATE ``` ### Response #### Success Response (302 Found) Redirects to the Bank iD login page. #### Response Example ``` HTTP/1.1 302 Found Location: https://bankid.example.com/login?auth_request_id=... ``` ``` -------------------------------- ### URL Parameter for SLA Identifier Source: https://developer.bankid.cz/docs/high_level_overview_sep Example of an HTTP GET request to the /auth endpoint, including the 'sep_id' parameter. This parameter is used for redirected endpoints to pass the unique organization identifier for SLA services. ```http GET /auth? redirect_uri=https://serviceprovider.cz/callback &client_id=589b7c53-c0bf-4f6d-8fee-c6972c5d88bf &response_type=code &scope=openid%20profile.name%20profile.gender &state=main002 &sep_id=f8ba33de-4ca8-4a11-a251-867cd3e3b41b Host: bankid.cz ``` -------------------------------- ### UserInfo API Response Example Source: https://developer.bankid.cz/docs/apis_sep Example of a successful 200 OK JSON response from the UserInfo API. It contains various user details such as sub, txn, name, given_name, family_name, gender, birthdate, email, zoneinfo, locale, phone_number, and updated_at. ```json { "sub": "23f1ac00-5d54-4169-a288-794ae2ead0c4", "txn": "6941683f-c6ee-410c-add0-d52d63091069:openid:profile.name:profile.gender", "name": "Jan Novák", "given_name": "Jan", "family_name": "Novák", "gender": "male", "birthdate": "1970-08-01", "email": "j.novak@email.com", "zoneinfo": "Europe/Prague", "locale": "cs_CZ", "phone_number": "+420123456789", "updated_at": 1650887066 } ``` -------------------------------- ### Bank iD TraceId in HTTP Header Example Source: https://developer.bankid.cz/docs/support-doc This snippet shows an example of an HTTP response header from the Bank iD /auth endpoint, specifically highlighting the 'traceId' parameter. This identifier is crucial for Bank iD to quickly pinpoint specific API calls when troubleshooting issues. The traceId should ideally be 16 characters or less. ```http HTTP/1.1 200 Date: Mon, 28 Nov 2022 16:01:36 GMT Content-Type: text/html; charset=utf-8 Connection: keep-alive Access-Control-Expose-Headers: traceId traceId: 4819cea128c50a8c ``` -------------------------------- ### UserInfo API - Get CONNECT Product Data Source: https://developer.bankid.cz/docs/java_examples This endpoint is primarily intended for obtaining CONNECT product data. The data obtained depends on the application's scope and user-granted permissions. ```APIDOC ## GET /userinfo ### Description Retrieves data for the Bank iD CONNECT product. The specific data returned is determined by the application's scope and user-granted permissions. ### Method GET ### Endpoint `/userinfo` ### Parameters #### Query Parameters - **access_token** (string) - Required - The bearer access token obtained during the authentication process. ### Request Example ```json { "example": "GET /userinfo?access_token=Bearer .... my access token ..." } ``` ### Response #### Success Response (200) - **data** (object) - Contains the CONNECT product-specific data. - **sub** (string) - Subject identifier. - **name** (string) - Full name of the user. - ... (other product-specific fields) #### Response Example ```json { "example": { "sub": "user123", "name": "John Doe", "email": "john.doe@example.com" // ... other fields based on product and scope } } ``` #### Error Response - **error** (object) - Details about the error. - **code** (string) - Error code. - **message** (string) - Error description. #### Error Response Example ```json { "example": { "error": { "code": "access_denied", "message": "The user did not grant consent for this scope." } } } ``` ``` -------------------------------- ### Bank iD Authorization Request (Implicit Flow) Source: https://developer.bankid.cz/docs/apis_sep Example of a GET request to the Bank iD /auth endpoint to initiate an OAuth2 authorization flow. It includes parameters like redirect_uri, client_id, response_type, scope, and state. The scope 'openid' is mandatory. ```http GET /auth? redirect_uri=https://serviceprovider.cz/callback &client_id=589b7c53-c0bf-4f6d-8fee-c6972c5d88bf &response_type=code &scope=openid%20profile.name%20profile.gender%20offline_access &state=main002 Host: bankid.cz Copy to clipboard ``` -------------------------------- ### Authorization Code Exchange with PKCE Request Source: https://developer.bankid.cz/docs/apis_sep This example shows an authorization code exchange request that incorporates Proof Key for Code Exchange (PKCE). It includes the 'code_verifier' parameter, which the server uses to verify the request's authenticity by comparing its hashed value against the 'code_challenge' provided during the authorization request. This enhances security by preventing authorization code interception attacks. ```HTTP POST /token HTTP/1.1 Host: bankid.cz Content-Type: application/x-www-form-urlencoded grant_type=authorization_code &code=8BFAC1DA-3F94-4BBD-A743-473080FB6073 &redirect_uri=https://serviceprovider.cz/callback &client_secret=368b8099c14c0964a4a9f958c8b5786c46845ec1 &code_verifier=123 ``` -------------------------------- ### Profile API - Get Product Data Source: https://developer.bankid.cz/docs/java_examples This endpoint is used to retrieve data from identification products such as IDENTIFY, IDENTIFY PLUS, and IDENTIFY AML. The data obtained depends on the application's scope and user consent. ```APIDOC ## GET /profile ### Description Retrieves data for Bank iD identification products (IDENTIFY, IDENTIFY PLUS, IDENTIFY AML). The specific data returned is determined by the application's scope and user-granted permissions. ### Method GET ### Endpoint `/profile` ### Parameters #### Query Parameters - **access_token** (string) - Required - The bearer access token obtained during the authentication process. ### Request Example ```json { "example": "GET /profile?access_token=Bearer .... my access token ..." } ``` ### Response #### Success Response (200) - **data** (object) - Contains the product-specific data. - **family_name** (string) - The user's family name. - ... (other product-specific fields) #### Response Example ```json { "example": { "family_name": "Doe", "given_name": "John", "birthdate": "1990-01-01" // ... other fields based on product and scope } } ``` #### Error Response - **error** (object) - Details about the error. - **code** (string) - Error code. - **message** (string) - Error description. #### Error Response Example ```json { "example": { "error": { "code": "invalid_token", "message": "The access token is invalid or expired." } } } ``` ``` -------------------------------- ### Client Registration API Source: https://developer.bankid.cz/docs/apis This API allows for the registration of new clients. It supports POST requests for initial registration and PUT, GET, DELETE requests for managing existing client configurations. ```APIDOC ## POST /register ### Description Registers a new client application with the BankID service. This endpoint is used for initial client setup. ### Method POST ### Endpoint /register ### Parameters #### Header Parameters - **Host** (string) - Required - The host address of the BankID service. - **Content-Type** (string) - Required - Specifies the content type of the request body, typically 'application/json'. - **client_assertion** (string) - Required - A JWT bearer token used for client authentication. - **client_assertion_type** (string) - Required - Indicates the type of client assertion, usually 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'. #### Request Body - **redirect_uris** (array of strings) - Required - A list of valid redirect URIs for the client. - **response_types** (array of strings) - Required - The response types supported by the client (e.g., 'code'). - **grant_types** (array of strings) - Required - The grant types supported by the client (e.g., 'authorization_code', 'refresh_token'). - **application_type** (string) - Optional - The type of application ('web' or 'native'). - **contacts** (array of strings) - Optional - Email addresses for client contacts. - **client_name** (string) - Optional - The human-readable name of the client. - **logo_uri** (string) - Optional - A URL for the client's logo. - **client_uri** (string) - Optional - A URL for the client's homepage. - **policy_uri** (string) - Optional - A URL for the client's policy page. - **tos_uri** (string) - Optional - A URL for the client's terms of service. - **jwks_uri** (string) - Optional - A URL for the client's JSON Web Key Set. - **sector_identifier_uri** (string) - Optional - A URL that identifies a sector-specific identifier. - **subject_type** (string) - Optional - The subject type ('public' or 'pairwise'). - **id_token_signed_response_alg** (string) - Optional - The JWS signing algorithm for the ID token. - **id_token_encrypted_response_alg** (string) - Optional - The JWE encryption algorithm for the ID token. - **id_token_encrypted_response_enc** (string) - Optional - The JWE encryption method for the ID token. - **userinfo_signed_response_alg** (string) - Optional - The JWS signing algorithm for the userinfo response. - **userinfo_encrypted_response_alg** (string) - Optional - The JWE encryption algorithm for the userinfo response. - **userinfo_encrypted_response_enc** (string) - Optional - The JWE encryption method for the userinfo response. - **profile_signed_response_alg** (string) - Optional - The JWS signing algorithm for the profile response. - **profile_encrypted_response_alg** (string) - Optional - The JWE encryption algorithm for the profile response. - **profile_encrypted_response_enc** (string) - Optional - The JWE encryption method for the profile response. - **request_object_signing_alg** (string) - Optional - The JWS signing algorithm for request objects. - **request_object_encryption_alg** (string) - Optional - The JWE encryption algorithm for request objects. - **request_object_encryption_enc** (string) - Optional - The JWE encryption method for request objects. - **token_endpoint_auth_method** (string) - Optional - The authentication method for the token endpoint. - **token_endpoint_auth_signing_alg** (string) - Optional - The JWS signing algorithm for token endpoint authentication. - **default_max_age** (integer) - Optional - The default maximum age of an authenticated session. - **require_auth_time** (boolean) - Optional - Whether authentication time is required. - **default_acr_values** (array of strings) - Optional - Default values for the Authentication Context Class Reference. - **initiate_login_uri** (string) - Optional - URI used to initiate login. - **request_uris** (array of strings) - Optional - URIs for signed request objects. - **backchannel_logout_uri** (string) - Optional - URI for backchannel logout. - **scope** (string) - Optional - The scope of access requested. - **required_scope** (string) - Optional - The scope that is required for the client. - **notification_uri** (string) - Optional - URI for receiving notifications. ### Request Example ```json { "redirect_uris": [ "https://client.example.com/callback", "https://rp.example.com/callback" ], "response_types": [ "code" ], "grant_types": [ "authorization_code", "refresh_token" ], "application_type": "web", "contacts": [ "ve7jtb@example.com", "mary@example.com" ], "client_name": "My Example", "logo_uri": "https://client.example.com/logo.png", "client_uri": "https://client.example.com", "policy_uri": "https://client.example.com/policy", "tos_uri": "https://client.example.com/tos", "jwks_uri": "https://client.example.com/my_public_keys.jwks", "sector_identifier_uri": "https://other.example.net/file_of_redirect_uris.json", "subject_type": "pairwise", "id_token_signed_response_alg": "PS512", "id_token_encrypted_response_alg": "RSA-OAEP-256", "id_token_encrypted_response_enc": "A256GCM", "userinfo_signed_response_alg": "PS512", "userinfo_encrypted_response_alg": "RSA-OAEP-256", "userinfo_encrypted_response_enc": "A256GCM", "profile_signed_response_alg": "PS512", "profile_encrypted_response_alg": "RSA-OAEP-256", "profile_encrypted_response_enc": "A256GCM", "request_object_signing_alg": "PS512", "request_object_encryption_alg": "RSA-OAEP-256", "request_object_encryption_enc": "A256GCM", "token_endpoint_auth_method": "private_key_jwt", "token_endpoint_auth_signing_alg": "PS512", "default_max_age": 3600, "require_auth_time": false, "default_acr_values": [ "loa3" ], "initiate_login_uri": "https://client.example.com/login", "request_uris": [ "https://client.example.com/rf.txt", "#qpXaRLh_n93TTR9F252ValdatUQvQiJi5BDub2BeznA" ], "backchannel_logout_uri": "https://client.example.com/backchannel_logout", "scope": "openid profile.name profile.addresses offline_access", "required_scope": "profile.addresses", "notification_uri": "https://api.bankid.cz/v1/notifyme" } ``` ### Response #### Success Response (200) - **client_id** (string) - The unique identifier for the newly registered client. - **client_secret** (string) - The secret associated with the client (if applicable). - **registration_access_token** (string) - An access token for subsequent registration management operations. - **registration_client_uri** (string) - The URI for managing the registered client. #### Response Example ```json { "client_id": "your_client_id", "client_secret": "your_client_secret", "registration_access_token": "access_token_for_management", "registration_client_uri": "/clients/your_client_id" } ``` ### Error Handling - **400 Bad Request**: Invalid request parameters or body. - **401 Unauthorized**: Invalid or missing client assertion. - **409 Conflict**: A client with the same identifier already exists. ## PUT, GET, DELETE /clients/{client_id} ### Description Manages existing client registrations. PUT is used for updating client details, GET for retrieving them, and DELETE for removing a client. ### Method PUT, GET, DELETE ### Endpoint /clients/{client_id} ### Parameters #### Path Parameters - **client_id** (string) - Required - The unique identifier of the client to manage. #### Header Parameters - **Host** (string) - Required - The host address of the BankID service. - **Content-Type** (string) - Required - Specifies the content type of the request body, typically 'application/json' for PUT requests. - **client_assertion** (string) - Required - A JWT bearer token used for client authentication. - **client_assertion_type** (string) - Required - Indicates the type of client assertion, usually 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'. - **Authorization** (string) - Required - Bearer token obtained during the initial POST registration, used for authorization of management operations. #### Request Body (for PUT requests) *Same as the Request Body for POST /register* ### Request Example (PUT) ```json { "redirect_uris": [ "https://client.example.com/updated_callback" ], "client_name": "Updated Client Name" } ``` ### Response #### Success Response (200 for GET/PUT, 204 No Content for DELETE) - **GET**: Returns the current configuration of the client. - **PUT**: Returns the updated client configuration. - **DELETE**: No content is returned upon successful deletion. #### Response Example (GET) ```json { "client_id": "your_client_id", "redirect_uris": [ "https://client.example.com/updated_callback" ], "client_name": "Updated Client Name", "application_type": "web", "contacts": [ "ve7jtb@example.com" ] } ``` ### Error Handling - **400 Bad Request**: Invalid request parameters or body. - **401 Unauthorized**: Invalid or missing client assertion or authorization token. - **403 Forbidden**: The provided authorization token does not have permission to manage this client. - **404 Not Found**: The specified client_id does not exist. ``` -------------------------------- ### POST /notify Request Example (HTTP) Source: https://developer.bankid.cz/docs/apis_sep Example of an HTTP POST request to the /notify endpoint. This request is used by the Identity Provider (IdP) to send notifications about End-User changes to a Service Provider (SeP). The request body contains a notification token. ```http POST /notify HTTP/1.1 Host: serviceprovider.cz Content-Type: application/x-www-form-urlencoded notification_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c ``` -------------------------------- ### Handle Missing client_id in BankID OAuth Request Source: https://developer.bankid.cz/docs/error-callbacks This example demonstrates an HTTP GET request to the BankID OAuth authorization endpoint where the 'client_id' parameter is missing. The expected response is a 302 Found redirect with an 'invalid_request' error, indicating the mandatory parameter is absent. ```HTTP GET https://oidc.bankid.cz/auth?redirect_uri=https%3A%2F%2Fsomeadr.com%2Fcallback%2Fconsent&scope=profile.phonenumber%20profile.birthnumber%20profile.gender%20profile.titles%20profile.birthplaceNationality%20profile.name%20profile.idcards%20profile.locale%20profile.maritalstatus%20profile.verification%20profile.legalstatus%20profile.email%20offline_access%20profile.addresses%20profile.birthdate&response_type=code&state=some%20state&nonce=26b6&prompt=login&display=page&acr_values=loa3 HTTP/1.1 HTTP/1.1 302 Found Location: http://someadr.com/callback?error=invalid_request&error_description=Mandatory%20parameter%20client_id%20is%20missing&state=some%20state ```