ZignSec

Online PHP code demo of BankID autostarttoken (SE)

Online demo link showing the Swedish BankID app's startup variants with autostarttoken (requires a BankID for test):

The demo lets you optionally pinpoint a person for authentication. The autostarttoken is an optional startup parameter for the Swedish BankID app when it is started via the bankid:// URI scheme. For details, see also the BankID Relying Party Guidelines.

The autostarttoken parameter has these purposes:

  • The token ensures that the correct BankID session is bound in the BankID app, that is, the same session that initiated the BankID process somewhere else (in this demo, the server-side call to the ZignSec API).
  • If the BankID session was set up with a personal number (an optional parameter), then the only user who can respond in the app is that particular person. If no personal number was given when the session was initiated, any person configured in the local BankID app is a legitimate responder to the authentication request.
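The two rules above, as an added illustrative model that is not ZignSec's or BankID's code: a constructed relying-party session store that issues an autoStartToken and orderRef, builds the bankid:/// link the demo prints, and shows which app responses the binding rules accept. In the real flow these checks are made by the BankID service, not by the relying party; the 30-second validity window is assumed from the demo text, and the 12-digit format is the only personal-number check applied.

```python
import re
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlencode

PNR_RE = re.compile(r"^\d{12}$")  # demo accepts a 12-digit personal number


@dataclass
class Session:
    order_ref: str                  # used later to fetch the id results
    auto_start_token: str           # binds the app to this session
    personal_number: Optional[str]  # None = any configured person may respond
    created: float
    completed_by: Optional[str] = None


class RelyingParty:
    """Constructed model of relying-party bookkeeping (assumption, not a real API)."""

    TOKEN_TTL = 30.0  # the demo asks the user to click the link within 30 seconds

    def __init__(self, now=time.time):
        self.now = now
        self.sessions = {}

    def authenticate(self, personal_number: Optional[str] = None) -> Session:
        if personal_number is not None and not PNR_RE.match(personal_number):
            raise ValueError("personal number must be exactly 12 digits")
        s = Session(secrets.token_hex(16), secrets.token_hex(16),
                    personal_number, self.now())
        self.sessions[s.auto_start_token] = s
        return s

    def autostart_uri(self, s: Session) -> str:
        # Same shape as the link printed by the PHP demo; urlencode handles escaping.
        return "bankid:///?" + urlencode({"autostarttoken": s.auto_start_token,
                                          "redirect": "null"})

    def app_response(self, token: str, responder_pnr: str) -> Tuple[Optional[str], str]:
        """Simulated app completion: returns (orderRef, 'ok') or (None, reason)."""
        s = self.sessions.get(token)
        if s is None:
            return None, "unknown token"
        if self.now() - s.created > self.TOKEN_TTL:
            return None, "token expired"
        if s.personal_number is not None and s.personal_number != responder_pnr:
            return None, "session pinned to another person"
        if s.completed_by is not None:
            return None, "session already used"
        s.completed_by = responder_pnr
        return s.order_ref, "ok"
```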

Here is the PHP code for the demo:

<?php
// Demo: create a Swedish BankID session via the ZignSec test API and
// offer an autostart link for the BankID app. Replace the Authorization key.
sleep(2);
ini_set('display_errors', 1);
error_reporting(~0);

// Optional ?pnr=NNNNNNNNNNNN pins the session to one person.
// The value is only accepted if it is exactly 12 digits.
$pnr = null;
if (isset($_GET['pnr'])) {
    if (!preg_match('/^\d{12}$/', $_GET['pnr'])) {
        die('pnr must be exactly 12 digits');
    }
    $pnr = $_GET['pnr'];
}
$request = ($pnr !== null) ? array('PersonalNumber' => $pnr) : array();

// cURL
$ch = curl_init("https://test.zignsec.com/v2/BankIDSE/Authenticate");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/json; charset=UTF-8',
    'Authorization: YourKeyHere...'
));
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($request, JSON_UNESCAPED_UNICODE));

// Execute, and validate the response before using any field from it
$raw = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($raw === false || $status < 200 || $status >= 300) {
    die('ZignSec request failed (HTTP ' . (int)$status . ')');
}
$result = json_decode($raw);
if (!is_object($result) || empty($result->autoStartToken) || empty($result->orderRef)) {
    die('Unexpected response: ' . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'));
}

// The token is URL-encoded before it is placed in the bankid:// URI, and
// everything echoed into the page is HTML-escaped.
$uri = "bankid:///?autostarttoken=" . rawurlencode($result->autoStartToken) . "&redirect=null";
$uriHtml = htmlspecialchars($uri, ENT_QUOTES, 'UTF-8');

if ($pnr !== null) {
    echo "<br><br>BankID session created <b>WITH pnr=" . htmlspecialchars($pnr, ENT_QUOTES, 'UTF-8') . "</b>";
} else {
    echo "<br><br>BankID session created <b>WITHOUT a pnr</b>";
}
echo "<br>Click the link below <b>within 30 secs</b> to autostart the BankID app.";
echo "<br><a href=\"" . $uriHtml . "\">" . $uriHtml . "</a>";

echo "<i>";
echo "<br><br><br>EXPLANATION: ";
echo "<br>This demo-page can be called with/without url-argument ?pnr=NNNNNNNNNNNN (12 digits)";
echo "<br> * If you supply a pnr, only that person can login in the app";
echo "<br> * If you omit the pnr, any person configured on the app can login.";
echo "<br>The app is started via a custom uri scheme called <b>bankid://</b>";
echo "<br>(Install the BankID app for TEST on a pc, easy to setup several test persons, to see difference!)";

echo "<br><br>The orderRef below can be used with the API to fetch the results after the successful BankID login, ";
echo "<br>however fetching and displaying of the id results is not part of this demo.";
echo "<br>  orderRef=" . htmlspecialchars($result->orderRef, ENT_QUOTES, 'UTF-8');
echo "</i>";
?>