Overview

This guide will help you get started integrating DIP into your application.

DIP uses the OIDC4IA (OpenID Connect for Identity Assurance) protocol for identity verification. This section describes how to authenticate your application and interact with the DIP API.

Note

For an overview of the terms used in this documentation, please see the Glossary.

Flow

The OIDC4IA flow is initiated by your application (the Relying Party) to verify an end-user's identity through document scanning and facial recognition in the BankID app.

sequenceDiagram
    actor u as End User
    participant rp as Relying Party (Your App)
    participant dip as DIP
    participant bankid as BankID App

    rp->>dip: 1. POST /par (authorization request)
    dip-->>rp: 2. Return request_uri
    rp->>bankid: 3. Redirect to authorization endpoint
    u->>bankid: 4. Complete identity verification
    bankid->>dip: 5. Request authorization code
    dip-->>bankid: 6. Return authorization code
    bankid->>rp: 7. Redirect with authorization code
    rp->>dip: 8. POST /token (exchange code)
    dip-->>rp: 9. Return encrypted ID token
    rp->>rp: 10. Decrypt and validate ID token

Prerequisites

You need to be provided with a client_id, and your public key (JWKS) must be registered with DIP. Contact Stø to get started.

Implementation Steps

1. Register Your Client

Before you can integrate with DIP, you need:

  1. Client ID - A unique identifier for your application
  2. Keypair - An ES256, PS256, or EdDSA keypair for signing JWTs
  3. Registered JWKS - Your public key registered with DIP
  4. Redirect URI - A registered callback URL for your application

2. Authentication

All requests to DIP require client authentication using signed JWTs. See Authentication for details on:

  • Creating client assertion JWTs
  • Supported signing algorithms
  • JWKS format and registration
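
The key material from step 1 and the signed-JWT client authentication from step 2, as an added example (not DIP's or Stø's code): it generates an ES256 keypair, builds the public JWKS to register, signs a client assertion with the RFC 7523 claim set, and verifies it the way a receiver would. CLIENT_ID, AUDIENCE, KID and the 60-second lifetime are constructed placeholders; the values DIP requires are defined on its Authentication page.

```javascript
// Added example, not DIP code: ES256 client assertion plus the public JWKS to register.
// CLIENT_ID, AUDIENCE and KID are constructed placeholders, not DIP values.
const crypto = require('crypto');

const CLIENT_ID = 'example-client-id';
const AUDIENCE = 'https://dip.example'; // assumption: use the audience DIP documents
const KID = 'rp-signing-key-1';
const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

function generateClientKey() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  // Only the public half goes into the JWKS; the private key never leaves the Relying Party.
  const jwk = { ...publicKey.export({ format: 'jwk' }), kid: KID, use: 'sig', alg: 'ES256' };
  return { privateKey, jwks: { keys: [jwk] } };
}

function signClientAssertion(privateKey, now = Math.floor(Date.now() / 1000)) {
  const header = { alg: 'ES256', typ: 'JWT', kid: KID };
  const claims = {
    iss: CLIENT_ID, sub: CLIENT_ID, aud: AUDIENCE,
    iat: now, exp: now + 60,   // short lifetime limits replay of a captured assertion
    jti: crypto.randomUUID(),  // unique per request so the receiver can reject reuse
  };
  const signingInput = `${b64u(header)}.${b64u(claims)}`;
  // JWS needs the raw r||s signature (ieee-p1363), not the DER encoding used by default.
  const sig = crypto.sign('sha256', Buffer.from(signingInput), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Receiver-side view: verify against the registered JWKS with the algorithm pinned.
function verifyClientAssertion(jwt, jwks, now = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return false;
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  if (header.alg !== 'ES256') return false; // reject "none" or any unexpected algorithm
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) return false;
  const { kty, crv, x, y } = jwk;
  const key = crypto.createPublicKey({ key: { kty, crv, x, y }, format: 'jwk' });
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  return ok && claims.iss === CLIENT_ID && claims.aud === AUDIENCE && claims.exp > now;
}
```
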

3. PAR Request

Push your authorization parameters to DIP using the PAR endpoint. See Implementation Guide for the complete flow including:

  • Building the request object JWT
  • PKCE setup
  • Claims request format

4. Token Exchange

After the user completes verification, exchange the authorization code for an ID token. The ID token contains the verified identity claims.

See ID Token for details on the token structure and claims.

Endpoints

Endpoint                             Description
/.well-known/openid-configuration    Discovery endpoint
/par                                 Pushed Authorization Request
/token                               Token exchange
/jwks                                Public keys for signature verification

For detailed API documentation, see the API Reference.