...
login_hint (the user's Social ID number)
scope (openid, profile, signature. It is also possible to add “related party” info here (see example))
acr_values (“app-auth”. This value differs between authentication/signing methods)
iss (the Client id)
aud (Should be “https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni”)
exp (the lifetime of the token)
binding_message (the message to display on the user's mobile device)
Max length of this message string is 60 characters.
binding_content (Hash value, used to calculate the verification code)
Also needed to create the JWT
Private key (to sign the JWT)
Alg info (Should be “RS256”)
The hash value
The hash string is used to generate the verification code displayed in the user's app.
You need to provide the hash string yourself. That is how you can calculate the verification code on your side and display it on your website for your user to see.
The hash string should be of type SHA512.
The verification code is calculated by:
verification code = integer(SHA256(the hash)[-2:-1]) mod 10000
Calculate SHA256 from the hash, extract the 2 rightmost bytes from the result, interpret them as a big-endian unsigned integer and take the last 4 digits in decimal form for display. SHA256 is always used here.
Please note that the hash is the raw hash byte value, not its Base64 form or hexadecimal representation.
In this example we have generated a hash string and calculated a verification code.
Text used to generate a hash string
“Auðkenni APP Authentication”
Hash string generated
n/kRNhXaZ2jFKv8KlQX7ydgedXUmVy8b2O4xNq2ZxHteG7wOvCa0Kg3rY1JLOrOBXYQm+z2FRVwIv47w8gUb5g==
Verification code calculated from the hash
4141
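The calculation described above, as an added Python example (not Auðkenni's own code), run on the hash string from this page. UTF-8 encoding of the text and zero-padding the code to 4 digits are assumptions; the function names are illustrative.

```python
import base64
import hashlib

# Hash string shown on this page (Base64 of a SHA-512 digest).
PAGE_HASH = ("n/kRNhXaZ2jFKv8KlQX7ydgedXUmVy8b2O4xNq2ZxHteG7wOvCa0Kg3rY1JL"
             "OrOBXYQm+z2FRVwIv47w8gUb5g==")


def binding_content(text: str) -> str:
    """Base64 of the raw SHA-512 digest of text (UTF-8 is an assumption)."""
    digest = hashlib.sha512(text.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def verification_code(raw_hash: bytes) -> str:
    """SHA-256 over the raw hash bytes, 2 rightmost bytes, big-endian, mod 10000."""
    tail = hashlib.sha256(raw_hash).digest()[-2:]
    # Zero-padding to 4 digits is an assumption; the page says "last 4 digits".
    return f"{int.from_bytes(tail, 'big') % 10000:04d}"


def code_from_binding_content(b64_hash: str) -> str:
    """Decode binding_content to raw bytes first, then derive the code."""
    raw = base64.b64decode(b64_hash, validate=True)
    if len(raw) != 64:
        raise ValueError("binding_content must decode to a 64-byte SHA-512 digest")
    return verification_code(raw)


if __name__ == "__main__":
    # Correct: hash the decoded bytes.
    print("code from raw bytes:    ", code_from_binding_content(PAGE_HASH))
    # Mistake the page warns about: hashing the Base64 text itself.
    print("code from Base64 string:", verification_code(PAGE_HASH.encode("ascii")))
```

Hashing the Base64 or hexadecimal text instead of the decoded bytes produces a code that differs from the one shown in the app.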
...
Optional parameters in JWT
Three optional parameters can be added to the JWT. These optional parameters make it possible to show messages of up to 200 characters in length and/or let the app display 3 codes from which the user has to select the correct Verification Code.
binding_message_long (Long message string to display on the user's mobile device. This message string can hold up to 200 characters. “confirmation_message” must also be in the JWT and must be set to “true” for this message string to be used)
confirmation_message (If set to “true”, a prompt window is displayed on the user's mobile device. The user needs to confirm before continuing the process. If set to “false”, the user is prompted for the PIN right away)
vchoice (Verification code. If set to “true”, three codes are displayed for the user to select the correct one to continue. If set to “false”, the verification code is displayed directly)
Please note: if both vchoice and confirmation_message are set to “true”, the Verification Code is selected in the prompt window.
Expected behavior when using optional parameters
binding_message_long | confirmation_message | vchoice | Expected behavior |
---|---|---|---|
Not included, included empty or with a string | Not included or with “false” | Not included or with “false” | App prompts for PIN with message from “binding_message” |
Not included, included empty or with a string | Not included or with “false” | Included with “true” | App prompts for selecting of Verification Code. Displays message from “binding_message” |
Not included, included empty or with a string | Included with “true” | Not included or with “false” | If “binding_message_long” contains a message then a prompt window appears with that message. If “binding_message_long” is empty or not included, the message from “binding_message” is displayed |
Not included, included empty or with a string | Included with “true” | Included with “true” | If “binding_message_long” contains a message then a prompt window appears with that message along with the Verification Code selection. If “binding_message_long” is empty or not included, the message from “binding_message” is displayed along with the Verification Code selection |
Included with a string up to 200 characters | Not included or with “false” | Not included or with “false” | App prompts for PIN with message from “binding_message” |
Included with a string up to 200 characters | Not included or with “false” | Included with “true” | App prompts for selecting of Verification Code. Displays message from “binding_message” |
Included with a string up to 200 characters | Included with “true” | Not included or with “false” | App prompts for confirmation displaying message from “binding_message_long” |
Included with a string up to 200 characters | Included with “true” | Included with “true” | App prompts for selecting of Verification Code. Displays message from “binding_message_long” |
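The parameter limits and the behaviour table above, expressed as an added Python example (not Auðkenni's own code). The function names, mode labels and the builder's refusal to send a long message without confirmation_message are assumptions of this sketch; the flags are sent as the strings “true”, as in the page's payload example.

```python
AUD = "https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni"


def build_claims(login_hint, client_id, exp, binding_content, binding_message="",
                 binding_message_long=None, confirmation_message=False,
                 vchoice=False, scope="openid profile signature",
                 acr_values="app-auth"):
    """Assemble the JWT claims, enforcing the limits stated on the page."""
    if len(binding_message) > 60:
        raise ValueError("binding_message is limited to 60 characters")
    if binding_message_long and len(binding_message_long) > 200:
        raise ValueError("binding_message_long is limited to 200 characters")
    if binding_message_long and not confirmation_message:
        # Builder policy (an assumption): fail instead of sending a long
        # message that is not used without confirmation_message.
        raise ValueError("binding_message_long needs confirmation_message")
    claims = {
        "login_hint": login_hint, "scope": scope, "acr_values": acr_values,
        "iss": client_id, "aud": AUD, "exp": exp,
        "binding_message": binding_message,
        "binding_content": binding_content,
    }
    if binding_message_long is not None:
        claims["binding_message_long"] = binding_message_long
    if confirmation_message:
        claims["confirmation_message"] = "true"
    if vchoice:
        claims["vchoice"] = "true"
    return claims


MODES = {(False, False): "pin", (False, True): "choose_code",
         (True, False): "confirm", (True, True): "confirm_and_choose_code"}


def expected_prompt(claims):
    """Return (mode, message shown) following the behaviour table."""
    confirm = claims.get("confirmation_message") == "true"
    choose = claims.get("vchoice") == "true"
    long_msg = claims.get("binding_message_long") or ""
    # The long message is only shown when the confirmation prompt is on.
    message = long_msg if confirm and long_msg else claims.get("binding_message", "")
    return MODES[(confirm, choose)], message


if __name__ == "__main__":
    c = build_claims("1406714889", "myCibaClientId", 1611076236.982,
                     "<base64 SHA-512 hash>", binding_message_long="Long text",
                     confirmation_message=True, vchoice=True)
    print(expected_prompt(c))
```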
Example of JWT
```
eyJ0eXAiOiJKV1QiLCscbGciOiJSUzI1NiJ9.eyJsb2dpbl9oaW50IjoiMTQwNjcxNDg4OSIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgc2lnbmF0dXJlIFJFTEFURURQQVJUdspNeU93bkNsaWVudCIsImFjcl92YWx1ZXMiOiJhcHAtYXV0aCIsImlzcyI6Im15Q2liYUNsaWVudElkIiwiYXVkIjoiaHR0cHM6Ly9wZnp3dy5hdWRrZW5uaS5pczo0NDMvc3NvL29hdXRoMi9yZWFsbXMvcm9vdC9yZWFsbXMvYXVka2VubmkiLCJleHAiOjE2skewNzYzNzYuMDg3LCJiaW5kaW5nX21lc3NhZ2UiOiJBdXRoZW50aWNhdGlvbiB0byBBdcOwa2VubmkiLCJiaW5kaW5nX2NvbnRlbnQiOiJuL2tSTmhYYVoyakZLdjhLbFFYN3lkZ2VkWFVtVnk4YjJPNHhOcTJaeEh0ZUc3d092Q2EwS2czclkxSkxPck9CUFlRsSt6MkZSVndJdjQ3dzhnVWI1Zz09In0.iwcslN5W4we832gHsB6GRF0RRiOceyE93WkIBlhhUL_yheI4xVxSWQX7hz48FfO5coOpTyLTwxzP3UVUrBScxpDhveKbCBn5GuvI8zm1330xUyU8N0WwXEIoTh5sxc-P0XDM8_BYGVUyPUHQe0JtaQntpTmPghFqdwpUPwnIVqqjOzeo3rGdgLQ7C1O-Pn_cJgZdD0mzLST5kzeSsbkD-4T02Yfzo5Qgb6BtFrsXrH9-qHq6dgOXsnQh5AdZDRqNKBBwJdyQ50L_Kp4cEyOOXFIQbuN3yqrEJvQq756xvutYUi8ugBMADAQ8IppvJv7ZtBGN4pzIqSTAIvaIjkDc6w
```
Example of JWT Payload
```json
{
  "login_hint": "1406714889",
  "scope": "openid profile signature RELATEDPARTY:MyOwnClient",
  "acr_values": "app-auth",
  "iss": "myCibaClientId",
  "aud": "https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni",
  "exp": 1611076236.982,
  "binding_message": "Authentication to Auðkenni",
  "binding_content": "n/kRNhXaZ2jFKv8KlQX7ydgedXUmVy8b2O4xNq2ZxHteG7wOvCa0Kg3rY1JLOrOBXYQm+z2FRVwIv47w8gUb5g=="
}
```
Example of JWT Payload using optional parameters
```json
{
  "login_hint": "1406714889",
  "scope": "openid profile signature RELATEDPARTY:MyOwnClient",
  "acr_values": "app-auth",
  "iss": "myCibaClientId",
  "aud": "https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni",
  "exp": 1611076236.982,
  "binding_message": "",
  "binding_message_long": "Authentication to Auðkenni using long message string, up to 200 characters in length",
  "binding_content": "n/kRNhXaZ2jFKv8KlQX7ydgedXUmVy8b2O4xNq2ZxHteG7wOvCa0Kg3rY1JLOrOBXYQm+z2FRVwIv47w8gUb5g==",
  "confirmation_message": "true",
  "vchoice": "true"
}
```
Step 2: (Authorize)
...