Versions Compared

Old Version 13

changes.mady.by.user Einar Ársæll Hrafnsson

Saved on

compared with

New Version Current

changes.mady.by.user Þórður Roth

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Info

DRAFT!

We strongly recommend that service providers confirm all communications that take place with Auðkenni's system.

Table of Contents
minLevel1
maxLevel34
outlinefalse
typelist
printablefalse

...

To verify that the responses are coming from us, there is a so-called ".wellknown" endpoint that you can use to access information. Inside this endpoint, you can find the "jwks_uri" which is a path to the keys that can be used to verify that the response you receive is from our server.

An example of a .wellknown endpoint (replace "pfzww" with your Base URL):
https://pfzww.audkenni.is/sso/oauth2/realms/root/realms/audkenni/.well-known/openid-configuration

This endpoint will give you a response similar to this:

Code Block
{"request_parameter_supported":true,"introspection_signing_alg_values_supported":["ES384","PS384","ES256","PS256","PS512","EdDSA","HS512","RS384","RS256","RS512","HS256","ES512","HS384"],"introspection_encryption_alg_values_supported":["RSA-OAEP-256","ECDH-ES+A256KW","A128KW","A192KW","RSA-OAEP","ECDH-ES+A192KW","A256KW","ECDH-ES","ECDH-ES+A128KW","dir"],"claims_parameter_supported":false,"introspection_endpoint":"https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni/introspect","check_session_iframe":"https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni/connect/checkSession","scopes_supported":["signature","openid","profile"],"backchannel_logout_supported":true,"issuer":"https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni","id_token_encryption_enc_values_supported":["A256GCM","A128GCM","A256CBC-HS512","A128CBC-HS256","A192CBC-HS384","A192GCM"],"acr_values_supported":["nexus","sim-auth","app-auth","app-certificate-choice","nexus-sign","default","newcards-auth","app-sign","app-sign-with-certificate","apidefault","sim-sign","sim","sim-sign-pkcs1","oldcards-auth"],"userinfo_encryption_enc_values_supported":["A256GCM","A128CBC-HS256","A192CBC-HS384","A192GCM","A128GCM","A256CBC-HS512"],"authorization_endpoint":"https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni/authorize","request_object_encryption_enc_values_supported":["A128GCM","A256GCM","A192CBC-HS384","A256CBC-HS512","A128CBC-HS256","A192GCM"],"introspection_encryption_enc_values_supported":["A128CBC-HS256","A192CBC-HS384","A256GCM","A256CBC-HS512","A128GCM","A192GCM"],"rcs_request_encryption_alg_values_supported":["RSA1_5","dir","A192KW","RSA-OAEP-256","RSA-OAEP","A256KW","A128KW"],"claims_supported":["profile","name","locale"],"userinfo_signing_alg_values_supported":["ES256","HS512","ES512","HS384","RS256","ES384","HS256"],"rcs_request_signing_alg_values_supported":["RS512","PS384","PS256","HS256","HS384","ES512","RS256","RS384","HS512","ES384","ES256","PS512"],"token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","self_signed_tls_client_auth","tls_client_auth","none","client_secret_basic"],"tls_client_certificate_bound_access_tokens":true,"backchannel_logout_session_supported":true,"token_endpoint":"https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni/access_token","response_types_supported":["code token id_token","code","code id_token","device_code","id_token","code token","none","token","token id_token"],"revocation_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","self_signed_tls_client_auth","tls_client_auth","none","client_secret_basic"],"request_uri_parameter_supported":true,"rcs_response_encryption_enc_values_supported":["A256CBC-HS512","A192CBC-HS384","A256GCM","A128GCM","A192GCM","A128CBC-HS256"],"userinfo_encryption_alg_values_supported":["RSA-OAEP","dir","A256KW","RSA-OAEP-256","A128KW","A192KW","RSA1_5"],"grant_types_supported":["refresh_token","authorization_code","urn:openid:params:grant-type:ciba","urn:ietf:params:oauth:grant-type:uma-ticket","idm_delegation","urn:ietf:params:oauth:grant-type:jwt-bearer"],"end_session_endpoint":"https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni/connect/endSession","rcs_request_encryption_enc_values_supported":["A256GCM","A256CBC-HS512","A192GCM","A128CBC-HS256","A128GCM","A192CBC-HS384"],"revocation_endpoint":"https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni/token/revoke","version":"3.0","rcs_response_encryption_alg_values_supported":["dir","A256KW","RSA-OAEP-256","A128KW","A192KW","RSA-OAEP","RSA1_5"],"userinfo_endpoint":"https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni/userinfo","token_endpoint_auth_signing_alg_values_supported":["RS512","RS384","RS256","ES512","HS256","HS384","PS512","ES384","PS256","ES256","HS512","PS384"],"require_request_uri_registration":true,"code_challenge_methods_supported":["plain","S256"],"id_token_encryption_alg_values_supported":["A128KW","A192KW","RSA-OAEP-256","RSA-OAEP","A256KW","RSA1_5","dir"],"jwks_uri":"https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni/connect/jwk_uri","subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS384","RS256","PS512","ES512","HS384","HS256","PS256","ES256","PS384","ES384","RS512","HS512"],"registration_endpoint":"https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni/register","request_object_signing_alg_values_supported":["RS256","ES512","PS512","RS384","HS512","ES256","ES384","HS256","HS384","PS384","RS512","PS256"],"request_object_encryption_alg_values_supported":["RSA-OAEP-256","A256KW","RSA-OAEP","RSA1_5","dir","A128KW","A192KW"],"rcs_response_signing_alg_values_supported":["PS256","ES384","RS512","ES256","HS512","PS384","RS256","ES512","PS512","HS384","HS256","RS384"]}

An example of a jwks_uri from the response (replace Base URL):
https://pfzww.audkenni.is/sso/oauth2/realms/root/realms/audkenni/connect/jwk_uri

This endpoint will give you a response similar to this:

...

This response hold keys you can use to verify the access_token and id_token from our system.

To verify the

...

You receive PKCS7 or PKCS1 signature, depending on which method you are using.

...

responses

There are ready-made tools available for most programming languages that can be used to verify PKCS7 JWT signatures. Below is a small code example in C# that hopefully makes it clearer:

Code Block
privatepublic bool validateSignPKCS7(VerifyJwt(string token, string secretKey, string audience, string toValidateissuer)
{
    byte[]try
fromCMSString = null;  {
  SignedCms cms      byte[] certificateData = Convert.FromBase64String(secretKey);
        X509Certificate2 certificate = new X509Certificate2(certificateData);
        X509SecurityKey securityKey = new X509SecurityKey(certificate);        // Define token validation parameters
        var tokenHandler = new JwtSecurityTokenHandler();
        var validationParameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = securityKey,
            ValidateIssuer = true, // Set to true if you want to validate the issuer
            ValidIssuer = issuer, // Replace with the expected issuer
            ValidateAudience = true, // Set to true if you want to validate the audience
            ValidAudience = audience, // Replace with the expected audience
            ValidateLifetime = true,
            ClockSkew = TimeSpan.Zero
        };        
        // Parse and validate the token
        SecurityToken validatedToken;
        var principal = tokenHandler.ValidateToken(token, validationParameters, out validatedToken);        // You can access the claims in the token via the principal.Claims property if needed.
        // For example:
        // var userId = principal.Claims.FirstOrDefault(c => c.Type == "sub")?.Value;        // If the token is valid, the validation process will not throw an exception.
        // So, if you reach this point, the token is valid.
        return true;
    }
    catch (Exception)
    {
        // If an exception is thrown, the token is not valid.
        return false;
    }
}

To verify the signatures

You receive PKCS7 or PKCS1 signature, depending on which method you are using.

To verify PKCS7 signature

There are ready-made tools available for most programming languages that can be used to verify PKCS7 signatures. Below is a small code example in C# that hopefully makes it clearer:

Code Block
private bool validateSignPKCS7(string toValidate)
{
    byte[] fromCMSString = null;
    SignedCms cms = null;
    try
    {
        fromCMSString = Convert.FromBase64String(toValidate);
        cms = new SignedCms();
        cms.Decode(fromCMSString);
        cms.CheckSignature(true);
    }
    catch (Exception u)
    {
        return false;
    }
    return true;
}

...

Code Block
private bool validatePKCS1Signature(string signatureFromAudkenni, string hashStringFromAuthenticationRequest, string usersCertFromAudkenni)
{
    byte[] orgHash = null;
    byte[] signedHash = null;
    byte[] certBytes = null;
    X509Certificate2 certificate = null;
    try
    {
        orgHash = Convert.FromBase64String(hashStringFromAuthenticationRequest);
        signedHash = Convert.FromBase64String(signatureFromAudkenni);
        certBytes = Convert.FromBase64String(usersCertFromAudkenni);
        certificate = new X509Certificate2(certBytes);
        RSA key = (RSA)certificate.PublicKey.Key;
        RSAPKCS1SignatureDeformatter formatter = new RSAPKCS1SignatureDeformatter(key);
        formatter.SetHashAlgorithm("SHA512");
        var result = formatter.VerifySignature(orgHash, signedHash);
        return result;
    }
    catch (CryptographicException e)
    {
        return false;
    }
}

To verify

...

Certificates

To verify that the user's certificate you receive in the response is correct, you can use our intermediate certificate and the root certificateroot certificate

See list of certificates here under “Skilríki” https://repo.audkenni.is/

For Testing environment:

For Production environment: