
...

Parameter

Description

Example

response_mode

Informs the OpenID Provider of the mechanism to be used for returning parameters from the endpoint.

See the value of the "response_modes_supported" key in the openid-configuration for available values.

response_mode=query

nonce

String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token.

nonce=abefb10d2b1b

display

Specifies how the OpenID Provider displays the authentication and consent user interface pages to the end-user.

NOTE: This parameter will have limited support and only be defined per service/domain/customer.

display=page

prompt

Specifies whether the OpenID Provider prompts the end-user for reauthentication and consent. This parameter may be useful for services running in an SSO scenario where authentication should be forced. The value may be a space-separated list.

Available values are:

  • none : Do not display any authentication or consent user interface pages

  • login : Prompt the End-User for reauthentication

  • consent : Prompt the end-user for consent before returning information to the client

  • select_account : Prompt the End-User to select a user account

prompt=login consent

max_age

Not currently in use.


ui_locales

A space-separated list of the end-user's preferred language and scripts tag values, ordered by preference.

The tags should conform to Tags for Identifying Languages.

ui_locales=nb-NO en-US

id_token_hint

ID Token previously issued by the OpenID Provider being passed as a hint about the end-user's current or past authenticated session with the client.

id_token_hint=<ID Token JWT>

login_hint

Hint to the OpenID Provider about the login identifier the end-user might use to log in (if necessary). The hint may, for example, be the user's phone number, email or Buypass ID.


login_hint=someuserid

acr_values

✋ This open standard request parameter is ignored by Buypass.

Space-separated string that specifies the acr values that the OpenID Provider is being requested to use for processing this authentication request.

In short: this value describes the client's requirements (represented as an agreed value) for the level of assurance/authentication it requires. The values can, for example, be values like 1, 2 or 3, or something like the eIDAS assurance levels: low, substantial and high.

NOTE: This parameter will have limited support and only be defined per service/domain/customer.

See also Authentication methods and levels

💡 Even though the request parameter acr_values is ignored, the value returned in the acr claim in the ID token will always be "acr": "eidas-loa-high".

Level high is the only level offered by Buypass at present.

acr_values=1 2

amr_values

✋ This open standard request parameter is ignored by Buypass.
Instead see the customized request parameter bp_amr_values.

Space-separated string that specifies the amr values that the OpenID Provider should use when selecting authentication methods.

In short this value enables dynamic control of the authentication methods to be used in this session. The values can e.g. be values like "sc", "mobile" etc. The values are defined as part of the Security Domain. See https://tools.ietf.org/html/rfc8176 for standardised values.

NOTE: This parameter will have limited support and only be defined per service/domain/customer.

See also Authentication methods and levels

amr_values=sc, mobile

bp_idp_hint

This parameter makes it possible to go directly to the Fido2 authentication dialog for a user connected to an organisation issuing Buypass ID Fido2 for their employees.

Requirements:

  • Parameter is available in the Buypass ID security domain with the ID Broker flow only (ID Broker Service)

  • Parameter is used for authentication with BpID Fido2 only

  • A valid “tenantID” (reference to organisation) must be provided. A list of valid tenantIDs will be given on request to Buypass

💡 If both the parameters bp_idp_hint and bp_amr_values are requested - see explanation below.

bp_idp_hint=buypass

bp_amr_values

This parameter makes it possible to select the authentication method. When an authentication method is requested, the end user is redirected directly to the chosen method and the menu options disappear.

Values: sc, mobile or pwd_otp

  1. sc = Buypass ID on smartcard (PKI)

  2. mobile = Buypass ID on mobile with mobile app (PKI)

  3. pwd_otp = Buypass ID on mobile with password and otp on SMS (PKI)

Requirements:

  • Parameter is available in the Buypass ID security domain with the ID Broker flow only (ID Broker Service)

  • This is a single-value option. If several values are sent, the first is chosen; if the value is invalid, the end user is presented with the full menu.

💡 The input value is NOT returned in the amr or the bp_amr claim in the ID-token.

💡 If both bp_idp_hint and bp_amr_values are requested, bp_idp_hint takes priority. If the tenantID given is unknown or invalid, the bp_idp_hint parameter is ignored and the value in bp_amr_values is taken into account. If the authenticator value given is unknown or invalid, the end user is presented with the full menu and must choose the authenticator themselves.

bp_amr_values=sc

...
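The following client-side sketch is an added example, not Buypass code. It builds an authentication request using nonce, prompt, ui_locales and a single bp_amr_values value as described in the table, then checks the nonce and acr claims of the returned ID Token so that a replayed token is rejected. Assumptions: the endpoint URL, client_id and redirect_uri are placeholders, response_type and scope are standard OpenID Connect parameters not shown in this excerpt, the ID Token signature has already been validated, and the sample token is constructed.

```python
import base64, hmac, json, secrets
from urllib.parse import urlencode

AUTHZ_ENDPOINT = "https://op.example.test/authorize"  # placeholder, not a Buypass URL
BP_AMR_ALLOWED = {"sc", "mobile", "pwd_otp"}          # values listed in the table above
EXPECTED_ACR = "eidas-loa-high"                       # acr value this page says is returned

def build_auth_request(session, client_id, redirect_uri, bp_amr=None, force_login=False):
    """Return the request URL and bind a fresh nonce to the client session."""
    session["nonce"] = secrets.token_urlsafe(32)       # unguessable, one per request
    params = {"response_type": "code", "scope": "openid", "client_id": client_id,
              "redirect_uri": redirect_uri, "response_mode": "query",
              "nonce": session["nonce"], "ui_locales": "nb-NO en-US"}
    if force_login:
        params["prompt"] = "login"                     # force reauthentication under SSO
    if bp_amr is not None:
        if bp_amr not in BP_AMR_ALLOWED:               # single value; fail before redirecting
            raise ValueError(f"unsupported bp_amr_values: {bp_amr!r}")
        params["bp_amr_values"] = bp_amr
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"

def decode_claims(id_token):
    """Decode the JWT payload; signature validation is assumed to be done already."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_id_token_claims(session, claims):
    """Accept a token only once per nonce and only at the expected assurance level."""
    expected = session.pop("nonce", None)              # consumed here, so a replay fails
    got = claims.get("nonce")
    if not expected or not isinstance(got, str):
        return False, "nonce mismatch"
    if not hmac.compare_digest(expected.encode(), got.encode()):
        return False, "nonce mismatch"
    if claims.get("acr") != EXPECTED_ACR:
        return False, "unexpected acr"
    return True, "ok"

def make_constructed_token(claims):
    """Build a constructed, unverified ID Token for this demo (not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"

if __name__ == "__main__":
    session = {}
    print(build_auth_request(session, "demo-client", "https://rp.example.test/cb", "sc", True))
    token = make_constructed_token({"nonce": session["nonce"], "acr": EXPECTED_ACR})
    print(check_id_token_claims(session, decode_claims(token)))  # first presentation
    print(check_id_token_claims(session, decode_claims(token)))  # replay of the same token
```

Because the requested bp_amr_values is not echoed in the amr or bp_amr claim, the check deliberately relies on nonce and acr only.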