Step-by-step instructions for service providers on how to sign using CIBA and Auðkennis APP.
For all steps to succeed, the following must be at hand:
Client Id (received from Auðkenni)
Client secret (received from Auðkenni)
Related party (optional)
Base URI (received from Auðkenni)
Private Key (to sign a JSON Web Token)
Public Key (to give to Auðkenni for configuration)
User’s Social Id number
Message text for user
Hash value for verification code calculation
Client id: myCibaClientId
Client secret: MyApiClientP4$sW
Base URI: pfzww.audkenni.is
Private Key: Not shown here for security reasons
Public Key: Not shown
All code examples are generated using Postman and are for demonstration only.
The first step is to create a signed JWT to use for CIBA communication.
login_hint (the user’s Social Id number)
scope (openid, profile, signature. Also possible to add “related party” info here (see example))
acr_values (“app-sign”. This value is different between authentication/signing methods)
iss (the Client id)
aud (Should have “https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni”)
exp (the lifetime of the token)
binding_message (the message to display on the user’s mobile device)
Max length of this message string is 60 characters. It cannot contain “\n”.
binding_content (Hash value, used to calculate verification code)
Three optional parameters can be added to the JWT. They make it possible to show messages of up to 200 characters in length and/or to have the App display three codes from which the user has to select the correct Verification Code.
binding_message_long (Long message string to display on the user’s mobile device. This message string can hold up to 200 characters. “confirmation_message” must also be in the JWT and must be set to “true” for this message string to be used)
confirmation_message (If set to “true”, a prompt window is displayed on the user’s mobile device and the user needs to confirm before continuing the process. If set to “false”, the user is prompted for the PIN right away)
vchoice (Verification code. If set to “true”, three codes are displayed and the user selects the correct one to continue. If set to “false”, the verification code is displayed directly)
Please note: if both vchoice and confirmation_message are set to “true”, the Verification Code is selected in the prompt window.
binding_message_long | confirmation_message | vchoice | Expected behavior |
---|---|---|---|
Not included, included empty or with a string | Not included or with “false” | Not included or with “false” | App prompts for PIN with message from “binding_message” |
Not included, included empty or with a string | Not included or with “false” | Included with “true” | App prompts for selecting of Verification Code. Displays message from “binding_message” |
Not included, included empty or with a string | Included with “true” | Not included or with “false” | If “binding_message_long” contains a message, a prompt window appears with that message. If “binding_message_long” is empty or not included, the message from “binding_message” is displayed |
Not included, included empty or with a string | Included with “true” | Included with “true” | If “binding_message_long” contains a message, a prompt window appears with that message along with the Verification Code selection. If “binding_message_long” is empty or not included, the message from “binding_message” is displayed along with the Verification Code selection |
Included with a string up to 200 characters | Not included or with “false” | Not included or with “false” | App prompts for PIN with message from “binding_message” |
Included with a string up to 200 characters | Not included or with “false” | Included with “true” | App prompts for selecting of Verification Code. Displays message from “binding_message” |
Included with a string up to 200 characters | Included with “true” | Not included or with “false” | App prompts for confirmation displaying message from “binding_message_long” |
Included with a string up to 200 characters | Included with “true” | Included with “true” | App prompts for selecting of Verification Code. Displays message from “binding_message_long” |
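
An added example, not part of Auðkenni's own material: one way to assemble the claim set while enforcing the limits listed above, and to predict which message the App shows according to the behaviour table. The function names, the `lifetime_s` and `now` parameters, and the choice to reject a `binding_message_long` that the App would ignore are assumptions of this example; signing the claims with RS256 is done with a JWT library.

```python
import time

# Audience value from the page's demo environment.
AUD = "https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni"


def build_signing_claims(client_id, social_id, binding_message, binding_content,
                         binding_message_long=None, confirmation_message=False,
                         vchoice=False, lifetime_s=120, now=None):
    """Build the claim set for an app-sign request, enforcing the page's limits.

    lifetime_s and now are assumptions of this example (the page states no lifetime).
    """
    if len(binding_message) > 60:
        raise ValueError("binding_message: at most 60 characters")
    if "\n" in binding_message:
        raise ValueError("binding_message: must not contain a newline")
    if binding_message_long is not None and len(binding_message_long) > 200:
        raise ValueError("binding_message_long: at most 200 characters")
    if binding_message_long and not confirmation_message:
        # The App would fall back to binding_message, so the user would not see
        # the text the caller intended. This example treats that as an error.
        raise ValueError("binding_message_long needs confirmation_message=true")
    issued = int(time.time() if now is None else now)
    claims = {
        "login_hint": social_id,
        "scope": "openid profile signature",
        "acr_values": "app-sign",
        "iss": client_id,
        "aud": AUD,
        "exp": issued + lifetime_s,
        "binding_message": binding_message,
        "binding_content": binding_content,
    }
    if binding_message_long is not None:
        claims["binding_message_long"] = binding_message_long
    if confirmation_message:
        claims["confirmation_message"] = "true"
    if vchoice:
        claims["vchoice"] = "true"
    return claims


def displayed_message(claims):
    """Text the App shows to the user, following the behaviour table above."""
    long_msg = claims.get("binding_message_long")
    if claims.get("confirmation_message") == "true" and long_msg:
        return long_msg
    return claims["binding_message"]
```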
Private key (to sign the JWT)
Alg info (Should be “RS256”)
The hash string is used to generate the verification code displayed in the user’s APP.
You need to provide the hash string to use. That way you can calculate the verification code on your side and display it on your website for your user to see.
The hash string should be of type SHA512.
The verification code is calculated by:
verification code = integer(SHA256(the hash)[-2:-1]) mod 10000
Calculate SHA256 from the hash, extract 2 rightmost bytes from the result, interpret them as a big-endian unsigned integer and take the last 4 digits in decimal form for display. SHA256 is always used here.
Please mind that the hash string should be in Base64 format.
In this example we have generated a hash string and calculated a verification code.
Message text: “Auðkenni APP Signing”
Hash string: j9AAK/VM1kokNqRoDTHGOXZ8lFM6nt9q+vWBB1dvyItYcoJ9WH4d8HGmb3RbafzBhg1sf0cY0qBZatGaUOoLKA==
Verification code: 9502
Please note that you could get a different hash string depending on the encoding type your solution is using. See here: https://audkenni.atlassian.net/wiki/spaces/DOC/pages/5579767835/Q+A#Why-am-I-getting-different-Hash-value-than-in-Instructions%3F
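
The calculation described above as an added Python example (not Auðkenni's code). It assumes SHA-256 is computed over the Base64-decoded 64 hash bytes and zero-pads the result to four digits; the sample text is hashed under two encodings to show why the hash string can differ between solutions.

```python
import base64
import hashlib


def make_binding_content(data: bytes) -> str:
    """Base64 of the SHA-512 digest of the bytes to be signed."""
    return base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def code_from_digest(sha256_digest: bytes) -> str:
    """Two rightmost bytes, big-endian unsigned, last four decimal digits."""
    if len(sha256_digest) != 32:
        raise ValueError("expected a 32-byte SHA-256 digest")
    value = int.from_bytes(sha256_digest[-2:], "big")
    # Zero-padded so the displayed code always has four digits
    # (a display choice of this example).
    return f"{value % 10000:04d}"


def verification_code(binding_content: str) -> str:
    """Verification code for a Base64 SHA-512 binding_content value.

    Assumption of this example: SHA-256 is taken over the decoded 64 hash
    bytes, not over the Base64 text.
    """
    raw = base64.b64decode(binding_content, validate=True)
    if len(raw) != 64:
        raise ValueError("binding_content must decode to a 64-byte SHA-512 hash")
    return code_from_digest(hashlib.sha256(raw).digest())


# Constructed sample: the same text hashed under two encodings. "ð" is two
# bytes in UTF-8 and one byte in ISO-8859-1, so the hash strings differ.
TEXT = "Auðkenni APP Signing"
UTF8_HASH = make_binding_content(TEXT.encode("utf-8"))
LATIN1_HASH = make_binding_content(TEXT.encode("iso-8859-1"))

if __name__ == "__main__":
    for label, h in (("utf-8", UTF8_HASH), ("iso-8859-1", LATIN1_HASH)):
        print(label, h, verification_code(h))
```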
```
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.….DtotI4TxuOSVpsZ4OwipFbNaZPnRHHg9B8_WD8i7eNxpoA88_184CYrbBLueQNwaOEI_PDmFIfelQU58ugYw8b1to2p02EBk5FUIP0BN6VMCxcRKEXXNCaRZ2co2dfPuaDE2uDsrVMqzDUHCmV6FvI3sY71M6ZJXXI42tCzmnInSbfREfLN3mEPrIXn0BeCEYrdOWS-c21_hda8O_ewVGQjLz_HzKI5dfpmz22IxLuMcJ-HNTGgkddfp3JOo_vjqk1lr818nXk1-NebMyW7e_sHq8lkv8tQiA9eq63W70A0_hBEAL-5dhZcXWsf8TdwMYKOl460E9PCzue4RMA9zaw
```

```json
{
  "login_hint": "1234567890",
  "scope": "openid profile signature RELATEDPARTY:MyOwnClient",
  "acr_values": "app-sign",
  "iss": "myCibaClientId",
  "aud": "https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni",
  "exp": 1611153189.101,
  "binding_message": "Auðkenni APP Signing",
  "binding_content": "j9AAK/VM1kokNqRoDTHGOXZ8lFM6nt9q+vWBB1dvyItYcoJ9WH4d8HGmb3RbafzBhg1sf0cY0qBZatGaUOoLKA=="
}
```

```json
{
  "login_hint": "1234567890",
  "scope": "openid profile signature RELATEDPARTY:MyOwnClient",
  "acr_values": "app-sign",
  "iss": "myCibaClientId",
  "aud": "https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni",
  "exp": 1611076236.982,
  "binding_message": "",
  "binding_message_long": "Auðkenni APP Signing using long message string, up to 200 characters in length",
  "binding_content": "n/kRNhXaZ2jFKv8KlQX7ydgedXUmVy8b2O4xNq2ZxHteG7wOvCa0Kg3rY1JLOrOBXYQm+z2FRVwIv47w8gUb5g==",
  "confirmation_message": "true",
  "vchoice": "true"
}
```
To sign using Auðkennis APP, a POST call is sent to the following URI:
https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni/bc-authorize
We need to add the following header parameter:
A Basic Auth header, using the Client id and Client secret
We need to add the following parameter:
request (the value should be the JWT from step 1)
```bash
curl --location --request POST 'https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni/bc-authorize' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Authorization: Basic bXlDaWJhQ2xpZW50SWQ6TXlBcGlDbGllbnRQNCRzVw==' \
  --data-urlencode 'request=eyJ0eXAiOiJKV1QuLCJhbGciOiJSUzI1NiJ9.eyJeb2dpbl9oaW58IjoiNjE3ODg4OCIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgc2lnbmF0dXJlIFJFTEFURURQQVJUWTpNeU93bkNsaWVudCIsImFjcl92YWx1ZXMiOiJzaW0tYXV0aCIsImlzcyI6Im15Q2liYUNsaWVudElkIiwiYXVkIjoiaHR0cHM6Ly9wZnp3dy5hdWRrZW5uaS5pczo0NDMvc3NvL29hdXRoMi9yZWFsbXMvcm9vdC9yZWFsbXMvYXVka2VubmkiLCJleHAiOjE2MTEwNzIxODQuOTkyLCJiaW5kaW5nX21lc3NhZ2UiOiJBdXRoZW50aWNhdGlvbiB0byBBdcOwa2VubmkiLCJiaW5kaW5nX2NvbnRlbnQiOiIifQ.a0NM11W2PNyfzki-gHTrQZqVhuNgL6Uh4sjQQy96lHsfD1NkVe7h-41JT9to-c710GpSvF1ExAcb7b7Bjmy6Ep0M3BVuz066fzv0YfiIHbXd6pQIEXVqUxHQ6mteW1MmaI-xsYDgG_ahXS7ZD8VrN2y1hOGUt1P4kMnVkWVpSQBjolxsZdV1HYn7n9Iy1z0gNaZb_3EIiNGLAHzI2zaDG4x0SFl-vkslf0eqfBMyEquKNFeoBqLLW7WT-PXpIaCQuJ_7ohqbx-pO_JI9Hm2Fv-VH9HoXUhsXWxig3YcQVqYBzq5aEdrE_mulCJMGeCWM02HTxpHennN5GdttlGVksg'
```

```csharp
var client = new RestClient("https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni/bc-authorize");
client.Timeout = -1;
var request = new RestRequest(Method.POST);
request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
request.AddHeader("Authorization", "Basic bXlDaWJhQ2xpZW50SWQ6TXlBcGlDbGllbnRQNCRzVw==");
request.AddParameter("request", "eyJ0eXAiOiJKV1QuLCJhbGciOiJSUzI1NiJ9.eyJeb2dpbl9oaW58IjoiNjE3ODg4OCIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgc2lnbmF0dXJlIFJFTEFURURQQVJUWTpNeU93bkNsaWVudCIsImFjcl92YWx1ZXMiOiJzaW0tYXV0aCIsImlzcyI6Im15Q2liYUNsaWVudElkIiwiYXVkIjoiaHR0cHM6Ly9wZnp3dy5hdWRrZW5uaS5pczo0NDMvc3NvL29hdXRoMi9yZWFsbXMvcm9vdC9yZWFsbXMvYXVka2VubmkiLCJleHAiOjE2MTEwNzIxODQuOTkyLCJiaW5kaW5nX21lc3NhZ2UiOiJBdXRoZW50aWNhdGlvbiB0byBBdcOwa2VubmkiLCJiaW5kaW5nX2NvbnRlbnQiOiIifQ.a0NM11W2PNyfzki-gHTrQZqVhuNgL6Uh4sjQQy96lHsfD1NkVe7h-41JT9to-c710GpSvF1ExAcb7b7Bjmy6Ep0M3BVuz066fzv0YfiIHbXd6pQIEXVqUxHQ6mteW1MmaI-xsYDgG_ahXS7ZD8VrN2y1hOGUt1P4kMnVkWVpSQBjolxsZdV1HYn7n9Iy1z0gNaZb_3EIiNGLAHzI2zaDG4x0SFl-vkslf0eqfBMyEquKNFeoBqLLW7WT-PXpIaCQuJ_7ohqbx-pO_JI9Hm2Fv-VH9HoXUhsXWxig3YcQVqYBzq5aEdrE_mulCJMGeCWM02HTxpHennN5GdttlGVksg");
IRestResponse response = client.Execute(request);
Console.WriteLine(response.Content);
```
The CIBA service answer is in JSON format.
When Step 2 is executed, the signing process on the user’s device starts.
auth_req_id (to use in the next step)
expires_in (the lifetime of the id)
interval

```json
{
  "auth_req_id": "8ag4NXa4ctFJuv1h9EtUnfNeFww",
  "expires_in": 600,
  "interval": 2
}
```
After executing Step 2, the signing process on the user’s device starts. How long this process takes depends on the user, the device and the network.
In this step we poll for the results of the signing process. When the signing process has finished successfully, you will receive an answer with the Access and Id tokens of the user.
To poll for tokens we send another POST call to the following URI:
https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni/access_token
We need to add the following header parameter:
A Basic Auth header, using the Client id and Client secret
We need to add the following parameters:
grant_type (the value should be: “urn:openid:params:grant-type:ciba”)
auth_req_id (the value should be the auth_req_id from the last step’s answer)
```bash
curl --location --request POST 'https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni/access_token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Authorization: Basic bXlDaWJhQ2xpZW50SWQ6TXlBcGlDbGllbnRQNCRzVw==' \
  --data-urlencode 'grant_type=urn:openid:params:grant-type:ciba' \
  --data-urlencode 'auth_req_id=byMGRumm7nantLLD7e4viiJ_ZTU'
```

```csharp
var client = new RestClient("https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni/access_token");
client.Timeout = -1;
var request = new RestRequest(Method.POST);
request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
request.AddHeader("Authorization", "Basic bXlDaWJhQ2xpZW50SWQ6TXlBcGlDbGllbnRQNCRzVw==");
request.AddParameter("grant_type", "urn:openid:params:grant-type:ciba");
request.AddParameter("auth_req_id", "byMGRumm7nantLLD7e4viiJ_ZTU");
IRestResponse response = client.Execute(request);
Console.WriteLine(response.Content);
```
If you run the poll call before the user’s signing process is finished, you will receive an answer notifying you that the process isn’t finished.
The REST API service answer is in JSON format.
If you get an answer like this, you need to wait a short time and run the Step 3 call again.
error_description
error

```json
{
  "error_description": "End user has not yet been authenticated",
  "error": "authorization_pending"
}
```
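
An added example of the polling described in this step, not code from Auðkenni: it waits `interval` seconds between calls, stops once `expires_in` has elapsed, and treats any error other than `authorization_pending` as final. `post` is a hypothetical transport function (it would send the form with the Basic Auth header and return the parsed JSON), and `demo` runs the loop against constructed answers.

```python
import time

TOKEN_URL = ("https://pfzww.audkenni.is:443/sso/oauth2/realms/root/"
             "realms/audkenni/access_token")  # demo URI from the page
GRANT_TYPE = "urn:openid:params:grant-type:ciba"


class SigningFailed(Exception):
    """The service returned an error other than authorization_pending."""


def poll_for_tokens(post, bc_answer, sleep=time.sleep, clock=time.monotonic):
    """Poll until tokens arrive, the request expires, or a final error occurs.

    post(url, form) -> dict is a hypothetical transport supplied by the caller.
    bc_answer is the JSON answer from the bc-authorize call in Step 2.
    """
    form = {"grant_type": GRANT_TYPE, "auth_req_id": bc_answer["auth_req_id"]}
    deadline = clock() + bc_answer["expires_in"]
    while clock() < deadline:
        answer = post(TOKEN_URL, form)
        if "access_token" in answer and "id_token" in answer:
            return answer
        if answer.get("error") != "authorization_pending":
            raise SigningFailed(answer.get("error"),
                                answer.get("error_description"))
        sleep(bc_answer["interval"])  # do not poll faster than the service asks
    raise TimeoutError("auth_req_id expired before the user finished signing")


def demo():
    """Constructed run: two 'pending' answers, then a token answer."""
    pending = {"error_description": "End user has not yet been authenticated",
               "error": "authorization_pending"}
    answers = [pending, pending,
               {"access_token": "constructed-access-token",
                "id_token": "constructed-id-token",
                "token_type": "Bearer", "expires_in": 3599}]
    now, waits = [0.0], []

    def post(url, form):
        return answers.pop(0)

    def sleep(seconds):  # fake sleep: record the wait and advance the clock
        waits.append(seconds)
        now[0] += seconds

    bc_answer = {"auth_req_id": "constructed-id", "expires_in": 600,
                 "interval": 2}
    return poll_for_tokens(post, bc_answer, sleep, lambda: now[0]), waits
```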
The answer from this call should give you the Access and Id tokens along with their type and lifetime.
The Id token contains a PKCS1 signature and a signing certificate.
The REST API service answer is in JSON format.
Best practice is to verify the signature and the certificate. Verify the user’s info in the Id token against the certificate and the social Id number entered by the user at the beginning (login_hint). By decoding the signature using the certificate you should end up with the hash from the earlier step.
access_token
scope
id_token
token_type
expires_in (lifetime of the tokens)
```json
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJ6aXBvu7MdOT05FIiwiYWxnIjoiSFMyNTYifQ.….AegzwJL5OYytT6HfX5As5J3U0AwE5tu_SJDAt3V55es",
  "scope": "openid profile signature RELATEDPARTY:MyOwnClient",
  "id_token": "eyJ0eXAiOiJKV1QiLCJraWQiOiJ3v8Rt3kOcdlJYUxPVUFSZVJCL0ZHNmVNMVAxUU09IiwiYWxnIjoiUlMyNTYifQ.….GuuUOwBO8Zi7NwYyDE7_FSeGWFSHIylVo9vq8EBUN7uhahcB92fqWo5elIuxeWKold0Z3jxY99XAx2IGbGroq-IymSV0V-fl9e27nKxEJmjCyn4yx5rxqBn2Wr86_0EFA5_e2VKXoeVg8Ilb2f7acTctMfzz7aV4a5Wx9ZwNiucd-uWAPaTZY5JdnvR7PgjXO4YpLi3BjjFxfeiYjpT-KbskSAyZ66B6KvVx2hFu69CIZnFgiHW2XyFP9WO0hIoRZA2Hz86cGx_kJFp0WYcI4WMNgrOC25KrX9DZQ6BnAViRv5tsOri1Nj7YOQnenQxyrWAYTrsyKlxu-NyNJcXvEA",
  "token_type": "Bearer",
  "expires_in": 3599
}
```

```json
{
  "sub": "10935f1e-2688-4f9c-80d2-3fb45241522c",
  "cts": "OAUTH2_STATELESS_GRANT",
  "auth_level": 0,
  "auditTrackingId": "ed977018-9c1c-4037-ad58-c61dc22480a8-1184083",
  "subname": "10935f1e-2688-4f9c-80d2-3fb45241522c",
  "iss": "https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni",
  "tokenName": "access_token",
  "token_type": "Bearer",
  "authGrantId": "8jTs70a346yTIlmV2JpdKrfjXHk",
  "aud": "myCibaClientId",
  "nbf": 1611152998,
  "grant_type": "urn:openid:params:grant-type:ciba",
  "scope": [
    "RELATEDPARTY:MyOwnClient",
    "signature",
    "openid",
    "profile"
  ],
  "auth_time": 1611152998,
  "realm": "/audkenni",
  "exp": 1611156598,
  "iat": 1611152998,
  "expires_in": 3600,
  "jti": "EtOFxU1jRtNgWMS-c895YRHDs6Y"
}
```

```json
{
  "at_hash": "X3W6yYbLR_UGIzML8dg-Ew",
  "sub": "10935f1e-2688-4f9c-80d2-3fb45241522c",
  "signature": "…",
  "auditTrackingId": "ed977018-9c1c-4037-ad58-c61dc22480a8-1184084",
  "subname": "10935f1e-2688-4f9c-80d2-3fb45241522c",
  "certificate": "…",
  "iss": "https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni",
  "tokenName": "id_token",
  "aud": "myCibaClientId",
  "documentNr": "1406714889-PSBP-Q",
  "nationalRegisterId": "1406714889",
  "azp": "myCibaClientId",
  "auth_time": 1611152998,
  "name": "Einar Helgi Hrafnsson",
  "realm": "/audkenni",
  "exp": 1611156598,
  "tokenType": "JWTToken",
  "iat": 1611152998
}
```
Here we ask for the user’s info, using the Access token as the Authorization header parameter.
To get the Userinfo we send a POST call to the following URI:
https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni/userinfo
We need to add the following header parameter:
Token (Bearer, using the Access token from the last call as value)
```bash
curl --location --request POST 'https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni/userinfo' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJ6aXAiOiJOT25FIiwiYWxnIjoiSFMyNTYifQ.eyJzdWIIOiIxMDkwNWYxZS0yNjA4LTRmOWMtODBkMi0zZmI0NTI0MTUyMmMiLCJjdHMiOiJPQVVUSDJfU1RBVEVMRVNTX0dSQU5UIiwiYXV0aF9sZXZlbCI6MCwiYXVkaXRUcmFja2luZ0lkIjoiZWQ5NzcwMTgtOWMxYy00MDM3LWFkNTgtYzYxZGMyMjQ4MGE4LTkzNzUyMCIsImlzcyI6Imh0dHBzOi8vcGZ6d3cuYXVka2VubmkuaXM6NDQzL3Nzby9vYXV0aDIvcmVhbG1zL3Jvb3QvcmVhbG1zL2F1ZGtlbm5pIiwidG9rZW5OYW1lIjoiYWNjZXNzX3Rva2VuIiwidG9rZW5fdHlwZSI6IkJlYXJlciIsImF1dGhHcmFudElkIjoiWHY1Yl9odXNGdklGeXJlOU1yZHRsTXVVM3djIiwiYXVkIjoibXlDaWJhQ2xpZW50SWQiLCJuYmYiOjE2MTEwNzQ3ODUsImdyYW50X3R5cGUiOiJ1cm46b3BlbmlkOnBhcmFtczpncmFudC10eXBlOmNpYmEiLCJzY29wZSI6WyJSRUxBVEVEUEFSVFk6TXlPd25DbGllbnQiLCJzaWduYXR1cmUiLCJvcGVuaWQiLCJwcm9maWxlIl0sImF1dGhfdGltZSI6MTYxMTA3NDc4NSwicmVhbG0iOiIvYXVka2VubmkiLCJleHAiOjE2MTEwNzgzODUsImlhdCI6MTYxMTA3NDc4NSwiZXhwaXJlc19pbiI6MzYwMCwianRpIjoiV2dBX3B0RzJoYmcyN3hoeXYyMktYTmNFeEVrIn0.k9AGl4MVncfmmq9USabdxlaIYlYC0_lrQhJFClZgRtM'
```

```csharp
var client = new RestClient("https://pfzww.audkenni.is:443/sso/oauth2/realms/root/realms/audkenni/userinfo");
client.Timeout = -1;
var request = new RestRequest(Method.POST);
request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
request.AddHeader("Authorization", "Bearer eyJ0eXAiOiJKV1QiLCJ6aXAiOiJOT25FIiwiYWxnIjoiSFMyNTYifQ.….k9AGl4MVncfmmq9USabdxlaIYlYC0_lrQhJFClZgRtM");
IRestResponse response = client.Execute(request);
Console.WriteLine(response.Content);
```
The answer from this call should give you a PKCS1 signature and a signing certificate: the same signature and certificate as in the Id token from the last step.
The REST API service answer is in JSON format.
Best practice is to verify the signature and the certificate. Verify the user’s info in the answer against the certificate and the social Id number entered by the user at the beginning (login_hint). By decoding the signature using the certificate you should end up with the hash from the earlier step.
signature (PKCS1)
documentNr (variable text, for Auðkennis internal usage)
certificate (signing certificate)
nationalRegisterId (The social id number of the user)
name (The user’s name)
sub (A unique Id of the user in our system)
subname (A unique Id of the user in our system)
```json
{
  "signature": "…",
  "documentNr": "1406714889-PSBP-Q",
  "certificate": "…",
  "nationalRegisterId": "1406714889",
  "name": "Einar Helgi Hrafnsson",
  "sub": "10935f1e-2688-4f9c-80d2-3fb45241522c",
  "subname": "10935f1e-2688-4f9c-80d2-3fb45241522c"
}
```