Step 3

​This step is all about retrieving the end user identification information like name, social security number (SSN), log on certificate and other personal data.

​Retrieve user info

To get URLs for token and JWKS (required for validating signed ID Token), a request should be sent to the discovery URL [https://www.ident-preprod1.nets.eu/oidc/.well-known/openid-configuration]. It is returning a JSON document where the two values of interest are named token_endpoint and jwks_uri.​

HTTPResponse discoveryHTTPResp = getHTTPRequest("https://www.ident-preprod1.nets.eu/oidc/.well-known/openid-configuration", truststorepath, truststorepwd).send();

JSONObject discoveryJsonObject = discoveryHTTPResp.getContentAsJSONObject();
String tokenEndPoint = JSONObjectUtils.getString(discoveryJsonObject, "token_endpoint");
String jwks_uri = JSONObjectUtils.getString(discoveryJsonObject, "jwks_uri");

A truststore file is used to establish an HTTPS connection that identifies the caller. See the implementation of ClaimsService.getHTTPRequest in the demo app source code to see how the values from the app config are used in the HTTPS request.

Get ID token by doing an HTTP POST request to the token URL. The request should have the following parameters (URL encoded):

 

  1. ​​grant_type with the value 'authorization_code'
  2. code with the authorisation code received in the redirect_uri  (see Step 2)
  3. redirect_uri with the redirect_uri value that was sent in Step 1 ​(this parameter is optional if only one redirect_uri is configured during registration with Nets)​

The header should have this format: Authorization: Basic <base64-encoded cus​tomer-identifier:client-secret>. The parameter and header are taken care of by the Nimbus SDK in code example below.​​

curl -X POST 'https://www.ident-preprod1.nets.eu/oidc/token?grant_type=authorization_code' 
-H 'Content-Type: application/x-www-form-urlencoded' 
-H 'Authorization: Basic <<Base64Enocoded username:password>>' 
-d 'code=<<URL encoded Authorization Code>>&redirect_uri=<<redirect_uri earlier passed in Authentication request>>'

ClientSecretBasic clientSecretBasic = new ClientSecretBasic(new ClientID(customerIdentifier), new Secret(clientSecret));
TokenRequest tokenReq = new TokenRequest(new URI(tokenEndPoint), clientSecretBasic, new AuthorizationCodeGrant(authCode, new URI(redirectUri)));

HTTPResponse tokenHTTPResp = tokenReq.toHTTPRequest().send();
if(400 == tokenHTTPResp.getStatusCode()) {
   throw new Exception("Invalid response from token URL [statuscode=400].");
}

// Get JSON object from Token response
JSONObject tokenJsonObject = tokenHTTPResp.getContentAsJSONObject();
String idtoken = JSONObjectUtils.getString(tokenJsonObject, "id_token");

​​The signed ID Token should be validated using a public key that is returned from an HTTP GET request to the JWKS URL. This returns a JSON document where the public key is the first element in a JSON array named keys.​

// Parse and check response
SignedJWT signedJWT = SignedJWT.parse(idtoken);

// Get JSON response from jwks_uri
HTTPResponse jwksResp = getHTTPRequest(jwks_uri, truststorepath, truststorepwd).send();
JSONObject jwksJsonObject = jwksResp.getContentAsJSONObject();
JSONArray keys = JSONObjectUtils.getJSONArray(jwksJsonObject, "keys");
JSONObject jsonKey = (JSONObject) keys.get(0);

PublicKey publicKey = buildPublicKey(jsonKey);
if (null != publicKey) {
   // Verify Signature
   JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) publicKey);
   if (!signedJWT.verify(verifier)) {
      throw new JOSEException("Signature mismatch");
   }

   // Verified successfully

}
​​
​​See the implementation of ClaimsService.buildPublicKey in the demo app source code​​. 
Finally, retrieve the claims from the ID Token.​​

JWTClaimsSet jwtClaimsSet = signedJWT.getJWTClaimsSet();
String subjectDN = jwtClaimsSet.getStringClaim("dn");
String birthdate = jwtClaimsSet.getStringClaim("birthdate");

​​​The ID Token is generated and made available to the customer by E-Ident service. The end user identity and associated claims are also stored in E-Ident service. The identification request is configured by way of parameters that specify how the identification session will be set up.

The E-Ident demo app displays the retrieved claims after successful identification.

E-Ident demo app Step3.PNG

Together with the claims, the demo app also displays the full response from the ID Token URL in JSON format.