
Proposal: BankID "order ref token", not sure about naming#22

Merged
joeledstrom merged 5 commits into master from order-ref-token
Aug 27, 2025

Conversation

@joeledstrom
Contributor

Not sure this is a good idea. Only to be used for the "same device" flow.

We want to let twofer create and sign a JWT token when a BankID auth/sign is initiated, which stores an encrypted orderRef and the IP number of the client in its claims.

This token should then be verified in the collect endpoint, where we make sure the IP stored in the token matches the IP that called collect, and we decrypt the orderRef and use that for the collect request to the BankID API.
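
The issue-at-initiate / verify-at-collect flow described in the proposal, as an added example that is not twofer's own code: a constructed orderRef and client IP are sealed with AES-256-GCM into one opaque token instead of a signed JWT carrying a separately encrypted orderRef claim, which gives the same two guarantees (the client can neither read the orderRef nor change the IP it is bound to) from a single primitive. The key, the claim names and the function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// Placeholder 32-byte key for this example only (a real service loads it from config); a fixed valid key cannot make either constructor fail, so their errors are dropped.
var aesBlock, _ = aes.NewCipher([]byte("0123456789abcdef0123456789abcdef"))
var aead, _ = cipher.NewGCM(aesBlock) // AES-256-GCM: confidentiality and integrity in one primitive
// Claims sealed into the token: the BankID orderRef and the IP that initiated the order.
type orderRefClaims struct {
	OrderRef string `json:"orderRef"`
	IP       string `json:"ip"`
}
// IssueOrderRefToken runs when auth/sign is initiated. The claims are sealed under a fresh
// nonce, so the client can neither read the orderRef nor alter the IP it is bound to.
func IssueOrderRefToken(orderRef, clientIP string) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	plain, _ := json.Marshal(orderRefClaims{OrderRef: orderRef, IP: clientIP})
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, plain, nil)), nil // nonce || ciphertext || tag
}
// VerifyOrderRefToken runs in collect: the token must authenticate under our key and the
// caller's IP must equal the bound IP before the orderRef is released for the BankID call.
func VerifyOrderRefToken(token, clientIP string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) < aead.NonceSize() {
		return "", errors.New("malformed token")
	}
	plain, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], nil)
	if err != nil {
		return "", errors.New("token failed authentication") // forged, tampered or wrong key
	}
	var c orderRefClaims
	if err := json.Unmarshal(plain, &c); err != nil {
		return "", errors.New("bad claims")
	}
	if c.IP != clientIP {
		return "", errors.New("client IP does not match token") // presented from another host
	}
	return c.OrderRef, nil
}
```

Binding to the client IP means a same-device client whose address changes between initiate and collect (a phone moving from Wi-Fi to mobile data, or traffic behind a rotating NAT) will fail the collect check, so the service should expect and log that failure mode rather than treat it only as an attack signal.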

@sonarqubecloud

Comment thread .github/workflows/tests.yaml Fixed
joeledstrom and others added 2 commits August 14, 2025 15:31
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Comment thread internal/httpserve/bankid.go Outdated
@jonasskarlsson
Contributor

The approach feels very reasonable

Contributor

@larsve larsve left a comment

Just one issue, otherwise I think it looks good.

Comment thread internal/httpserve/bankid.go Outdated
Contributor

@larsve larsve left a comment

LGTM!

@joeledstrom joeledstrom merged commit aa0f5e2 into master Aug 27, 2025
5 checks passed
@larsve larsve deleted the order-ref-token branch September 1, 2025 13:00