Authentication

Introduction

Buypass offers two main protocols for end-user authentication:

  • The Buypass Bx-protocol (implemented by IPS)

  • The OpenID Connect 1.0 protocol (implementation of the open specification based on OAuth 2.0)

Both protocols are delegation based and do not require server-side components to be installed at the Merchant/Relying Party. Both protocols implement an Identity Provider (IdP).

In both cases client libraries are available to ease the technical integration.

In addition, Buypass offers a two-factor authentication solution called Buypass Code, which uses other protocols for integration.

Bx-protocol (IPS)

The Bx-protocol is a message-based protocol developed by Buypass. It has proven itself for years and is based on public key cryptography. This means that all messages are signed and encrypted, making the protocol secure even over open networks (it does not require HTTPS).

The Bx-protocol requires a Buypass issued "Merchant Certificate" for identification of the Merchant/Relying Party.

The Bx-protocol also supports features other than authentication, such as Signing and custom payment schemes. The protocol is highly adaptable to suit specific customer needs.


An overview of the basic flows and of the protocol (and IPS) is documented here: The IPS interface - Authentication (only for those still using the IPS-BX protocol).

Specific documentation for doing authentication with the Bx-protocol is found here: Authentication with IPS-Bx


Even though the security features of the Bx-protocol have yet to be challenged, ease of use and standardization may matter more for some use cases and technologies.

OpenID Connect 1.0 (OIDC)

OpenID Connect 1.0 (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol. The protocol focuses on client developer simplicity and allows a range of clients, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users.

OIDC specifies a RESTful HTTP API, using JSON as the data format. The protocol depends on channel security; in other words, HTTPS is required.

The OIDC protocol is basically scoped to only handle authentication and basic profile information, and not other custom features, making the protocol relatively simple.


As OIDC is a standardized protocol, there are numerous resources describing the protocol, but the OpenID Foundation is an authoritative starting point for learning about the protocol.

In addition, there are several client- and server-side implementations of it (as well as libraries and examples) to be found: Certified OpenID Connect Implementations.


The OIDC specification has openings for vendor-specific adaptations, e.g. protocol claims and scopes, as well as the overall architectural fit. This documentation describes the Buypass implementation of the protocol at a general level. Note that for some OpenID Security Domains there may be additions or changes to the general model. If this is the case, documentation will be provided to the relevant customers.
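As an added illustration (not Buypass code and not part of the documentation above), the following shows the client side of the OIDC Authorization Code flow described in this section: the relying party builds the authentication request over HTTPS with a state and a nonce, and later checks the claims of the returned ID token after its signature has been verified against the provider's published keys. The endpoint URLs, client ID and sample claims are constructed for the example.

```python
# Added example, not Buypass's own code. Endpoint names, client_id and the
# ID-token claims below are constructed for illustration only.
import time
from urllib.parse import urlencode, urlparse


def build_auth_request(authz_endpoint, client_id, redirect_uri, state, nonce):
    """Build the OIDC authentication request URL (Authorization Code flow).
    OIDC relies on channel security, so both endpoints must be HTTPS."""
    for url in (authz_endpoint, redirect_uri):
        if urlparse(url).scheme != "https":
            raise ValueError(f"OIDC requires HTTPS, got {url}")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",  # "openid" is mandatory; other scopes are vendor dependent
        "state": state,             # tied to the browser session; detects cross-site forgery
        "nonce": nonce,             # echoed back in the ID token; binds it to this request
    }
    return f"{authz_endpoint}?{urlencode(params)}"


def validate_id_token_claims(claims, issuer, client_id, expected_nonce, now=None, leeway=60):
    """Claim checks from OIDC Core 1.0 section 3.1.3.7, applied to an ID token
    whose signature has ALREADY been verified against the provider's JWKS.
    Returns the list of failed checks; an empty list means the token is acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        problems.append("aud")
    # With several audiences (or an azp present) the authorized party must be us.
    if (len(aud) > 1 or "azp" in claims) and claims.get("azp") != client_id:
        problems.append("azp")
    if claims.get("exp", 0) + leeway < now:
        problems.append("exp")
    if claims.get("iat", 0) - leeway > now:
        problems.append("iat")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce")
    return problems


# Constructed sample: the payload of an ID token after signature verification.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.test", "sub": "user-123", "aud": "my-client",
    "exp": 1_700_000_600, "iat": 1_700_000_000, "nonce": "n-0S6_WzA2Mj",
}
```

The signature step itself is left to a JOSE library that fetches the provider's JWKS; the checks above are what remains once that library has accepted the token.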