Anyone can try banking identity services without restrictions. The Sandbox environment is used for the first experience and development support, which includes the same services as the production environment and is freely available.
The Bank iD developer portal is intended for the interaction of third-party application developers with the Banking Identity services. Access to the portal's individual functions is free through an account created by simple registration. The account created by registration allows the user to personalize their applications, consumed services, and organizations. At the same time, it serves for collaboration with colleagues when working with the Banking Identity services.
The developer's main path is described in a few steps, from logging in to the developer portal to putting the application into operation on a production environment.
To create an account, you can use the "Log in" link in the portal's upper right corner. If you do not have an account yet, click on the "Register" tab. After filling out the form, a confirmation message will be sent to your e-mail.
After registration, you will receive a confirmation e-mail. Follow the instructions in the e-mail.
It is important to use the correct e-mail address.
After successfully creating an account, you can manage your own data in the My Profile section. Here, you can, for example, change your password or enable two-factor authentication when logging in.
Two-factor authentication is mandatory for contracted users with an active organization who act as administrators.
After logging in to the developer portal, the user is redirected to the application dashboard, where he has the option to create the first application. The user is redirected directly to this dashboard after each login.
Each application in Bank iD represents the definition of its own solution for connection to the Bank Identity. The application settings allow you to define specific parameters of the consumed services. If a developer needs to access the Banking Identity from two different solutions with different data range needs, he can configure multiple applications with different settings.
As a first step in creating a new application, you need to define its name and optionally its logo. The name of the application and its logo can be changed at any time later.
The created application has automatic access to the Sandbox and cannot be used in production yet. The status is signaled by a semaphore for each environment.
Green - The environment is ready to use
Yellow - The environment needs to be configured
Red - The environment is not available
To configure an environment, click on its name; for a newly created application, this is Sandbox. If the application does not yet have even a basic configuration, you need to go to Settings from the Credentials page.
Setting up the application is the most important step. The settings include:
The configuration of application characteristics (name, URL, logo).
Users management (invitation of additional users, permissions).
Selection of required data.
Configuration of technical parameters of OIDC communication.
Most parameters are preset, and the user has the option to change the values. Identical parameters can be set for the application in the Sandbox environment and Production. Different values may be used in each environment.
In the App settings section, it is possible to change the logo and the application's name within the selected environment (Sandbox, for example). This information will be displayed to the application's end-user when logging in via the selected IDP (Bank).
Most of the data is mandatory; for the first steps in the Sandbox, the pre-filled default values can be used. The production environment is different: production data has to be entered there in order to pass the validation process before the application is allowed into live operation.
Setting the OIDC parameters is important for the correct function of the application. The meaning of the individual parameters can be found in the documentation at https://developer.bankid.cz/docs. The only required parameters in this area are the Redirect URIs. Their default values can be used only to verify the result of the authentication process via the service https://oidcdebugger.com/debug; for the real function of the application, the values must be changed.
The scopes area is used to set the required data. By default, most scopes are set to "optional". Each scope has a list of included claims (data). By selecting a scope, all its defined claims are required and passed.
The setting allows you to mark scopes as unwanted, optional, or required. The end-user can deny an optional scope on the consent page during the IDP authentication process, if the IDP allows it. A required scope is displayed on the consent page, and the end-user can refuse to pass it only by terminating/rejecting the entire authentication process.
It is recommended to set scopes as required only if the application absolutely needs them.
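The following Python snippet is an added example, not part of the portal documentation or Bank iD's own code, showing how an application turns its scope configuration and a registered Redirect URI into an authorization request. The client_id, authorization endpoint, redirect URI and scope names are constructed placeholders; the state, nonce and PKCE code_challenge parameters are standard OIDC/OAuth 2.0 protections that the page does not mention, included because a production integration should send them.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed placeholder values; the real ones are shown on the application's Credentials page.
CLIENT_ID = "example-client-id"
AUTHORIZATION_ENDPOINT = "https://idp.example.test/auth"
# Redirect URIs exactly as registered in the App settings (constructed). The IdP matches
# them literally, so the application must send one of these, never a "close enough" variant.
REGISTERED_REDIRECT_URIS = frozenset({"https://app.example.test/callback"})

# Scope configuration mirroring the portal's required / optional / unwanted split
# (constructed scope names; the real list comes from the Scopes area of the portal).
SCOPE_CONFIG = {
    "openid": "required",
    "profile.name": "required",
    "profile.email": "optional",
    "profile.addresses": "unwanted",
}


def requested_scopes(config):
    """Space-separated scope string: required and optional scopes are requested,
    unwanted ones are never sent, so the consent page only shows what the app needs."""
    return " ".join(s for s, level in config.items() if level in ("required", "optional"))


def pkce_challenge(verifier):
    """S256 code challenge (RFC 7636): BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorization_request(redirect_uri, config=SCOPE_CONFIG):
    """Build the authorization URL plus the per-login values the callback handler must keep."""
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError(f"redirect_uri {redirect_uri!r} is not registered for this application")
    state = secrets.token_urlsafe(32)       # binds the callback to this browser session
    nonce = secrets.token_urlsafe(32)       # must reappear inside the returned ID token
    code_verifier = secrets.token_urlsafe(64)  # 86 unreserved chars, within the 43..128 PKCE range
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": requested_scopes(config),
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    url = f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"
    session = {"state": state, "nonce": nonce, "code_verifier": code_verifier}
    return url, params, session


def check_state(returned_state, session):
    """Constant-time comparison of the state echoed back on the callback."""
    return hmac.compare_digest((returned_state or "").encode(), session["state"].encode())


if __name__ == "__main__":
    url, _, session = authorization_request("https://app.example.test/callback")
    print(url)
```

The session dictionary is what the callback handler needs later: the state to reject forged callbacks, the nonce to validate the ID token, and the code_verifier for the token exchange.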
Advanced application settings allow you to select the preferred method of token exchange authorization within the OIDC (OAuth2) flow.
It is recommended to choose the parameters according to the application's character and possibilities and the required level of communication security.
All changes to the application settings need to be applied with the "Apply" button. At the bottom of the screen, the user can review the changes and use the menu to confirm or discard them.
After applying the changes, "credentials" are created for the new application and the user is redirected to their overview.
The credentials page contains information important for integrating the application with the Banking Identity.
The information on the page includes client_id (unique to the application) and client_secret (unique to the application and environment), which the application uses to communicate with the Banking Identity.
The OIDC Discovery drop-down area lists all the URLs needed for the environment.
The Authorization URI example contains an application-personalized link that can be used to verify application functionality.
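An added example, not the portal's or Bank iD's own code, of what the application does with the data from the Credentials page: it validates a discovery document before trusting its endpoints, reads client_secret from the environment instead of source code, and assembles the token request with either of the two standard OIDC client authentication methods, client_secret_basic and client_secret_post. The page does not list which methods the Advanced settings offer, so those two are an assumption, as are the issuer, the endpoint URLs and the BANKID_CLIENT_SECRET variable name.

```python
import base64
import json
from urllib.parse import quote, urlencode

# Constructed discovery document in the shape defined by OpenID Connect Discovery 1.0.
# The real one is fetched over HTTPS from the issuer URL listed on the Credentials page.
DISCOVERY_JSON = """{
  "issuer": "https://idp.example.test",
  "authorization_endpoint": "https://idp.example.test/auth",
  "token_endpoint": "https://idp.example.test/token",
  "userinfo_endpoint": "https://idp.example.test/userinfo",
  "jwks_uri": "https://idp.example.test/.well-known/jwks.json",
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"]
}"""

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def load_discovery(document, expected_issuer):
    """Parse a discovery document and refuse one whose issuer or endpoints look wrong."""
    cfg = json.loads(document)
    if cfg.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {cfg.get('issuer')!r} != {expected_issuer!r}")
    for key in REQUIRED_ENDPOINTS:
        if key not in cfg:
            raise ValueError(f"discovery document lacks {key}")
    for key, value in cfg.items():
        # Every endpoint the app will talk to must be HTTPS; tokens travel over these URLs.
        if key.endswith(("_endpoint", "_uri")) and not str(value).startswith("https://"):
            raise ValueError(f"{key} is not an https URL: {value}")
    return cfg


def client_secret(env):
    """Read the secret from the environment (or a secret store), never from source or git."""
    secret = env.get("BANKID_CLIENT_SECRET")  # variable name is an assumption of this example
    if not secret:
        raise RuntimeError("BANKID_CLIENT_SECRET is not set")
    return secret


def token_request(cfg, client_id, secret, code, redirect_uri, code_verifier,
                  method="client_secret_basic"):
    """Assemble the authorization-code token request for the chosen client authentication method.
    Returns (endpoint, headers, urlencoded body) ready for an HTTP POST."""
    if method not in cfg.get("token_endpoint_auth_methods_supported", []):
        raise ValueError(f"{method} is not supported by the token endpoint")
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,    # must equal the one sent in the authorization request
        "code_verifier": code_verifier,  # the PKCE verifier kept from the authorization step
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-urlencode both parts, then HTTP Basic.
        credential = f"{quote(client_id, safe='')}:{quote(secret, safe='')}"
        encoded = base64.b64encode(credential.encode("ascii")).decode("ascii")
        headers["Authorization"] = "Basic " + encoded
    else:  # client_secret_post: credentials travel in the form body instead of a header
        body["client_id"] = client_id
        body["client_secret"] = secret
    return cfg["token_endpoint"], headers, urlencode(body)


if __name__ == "__main__":
    import os
    cfg = load_discovery(DISCOVERY_JSON, "https://idp.example.test")
    endpoint, headers, body = token_request(
        cfg, "example-client-id", client_secret(os.environ),
        "code-from-callback", "https://app.example.test/callback", "verifier-from-session")
    print(endpoint, headers, body)
```

Whichever method is selected in the Advanced settings, the secret never appears in a URL or a log line here: with client_secret_basic it is inside the Authorization header, with client_secret_post inside the POST body.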
The next required step is Organization creation. Currently, it is a matter of filling in the form with the request to establish the organization, which is available from the App Settings.
After the form is sent, Bank iD checks the form data and prepares the contracts, which need to be signed by both parties. This is followed by the issuance of an invoice and payment of the activation fee.
As soon as the organization is established, the user is informed by e-mail with an organization's invitation. At the same time, it is possible to connect a specific application to the created organization in the App Settings.
Once all the previous steps are done, it is possible to configure the application for the production environment. The Production Environment settings are similar to those in the Sandbox. When configuring it, carefully check the content of all entered parameters so that preset default values do not remain anywhere. Parameter settings can be changed at any time. Keep in mind that every change is reflected in the application's function.
The application name in the production environment is the one that will be seen on the IdP login screen, so make the name of the app meaningful.
The application's Credentials page then lists specific production values, including a list of URIs from the Bank iD OIDC.
The production value of client_secret needs to be well protected!