Bank iD Support

Version: 1.0 modified on 28.11.2022

The goal of this document is to help Service Providers get support from Bank iD. To solve problems with Bank iD services as quickly and smoothly as possible, we need the right information to identify the problem. The speed of processing and the quality of help depend directly on the data provided by the ticket submitter. You can find support in the Helpdesk tab after logging into the Bank iD Developer Portal.

To enter the ticket correctly, you need to fill out the form with the following items:

  • Associated app - if you have more than one application, you need to specify which application is affected by the problem
  • Associated Organization - knowing it may help us track down the problem faster
  • Ticket title - e.g. "user cannot authenticate" or "endpoint /profile does not respond to IdP XYZ"
  • Ticket description - describe the problem in detail here. It is important to supply identifiers that come from Bank iD responses, not from your internal systems. We recommend identifiers such as traceId, txn, sub.
  • TraceID - Bank iD inserts a traceId into each HTTP header. We recommend logging this parameter, as it helps us identify a specific API call as quickly as possible. If you have a traceId longer than 128 bits (16 characters), it does not come from Bank iD and is useless to us.
  • Request - if you have an incorrect request, state it here
  • Response - if you have an incorrect response, state it here
  • The date the problem occurred
  • Exact time
  • Attachments - any additional files, e.g. an uploaded *.har file or additional logs, can be attached to the ticket; please use 7zip or zip

Example of an HTTP response header from a call to the /auth endpoint, with traceId included:

HTTP/1.1 200
Date: Mon, 28 Nov 2022 16:01:36 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Access-Control-Expose-Headers: traceId
traceId: 4819cea128c50a8c

If the same error occurs in several cases of the same issue or problem, do not create duplicate tickets. Instead, write the data for the individual cases in the body of the ticket, or insert it as an attachment.

User sub - clearly identifies the user - we are unable to trace the user based on personal data, e.g. first and last name.

Bank iD tries to return a meaningful callback for most errors, and it is up to the Service Provider to ensure adequate error handling on its side. Where possible, the error code is further specified by error_description; the description can differ slightly between individual IdPs. List of the most common error codes from the /auth endpoint:

  • access_denied - the user cancelled authentication or consent

User declined the authentication - the user did not authenticate (e.g. forgot password, nickname, etc.)
User declined consent - the user did not confirm data transfer on consent screen (declined, closed the web page or browser)

  • eid_doesnt_exist - the bank identity service for the given bank and the given end user is not active

User not eligible - the user does not meet the conditions for issuing a means of electronic identification or has not yet been physically identified at a bank branch.
User disabled authentication - the user's identity is turned off, usually because consent was removed or the user's IB is blocked

  • insufficient_scope - the user does not meet the conditions for the provision of the service or the IdP did not transfer data necessary for the provision of the service (usually the IdP does not register the data)

Email must be present, Majority must be present, Addresses must be present, Insufficient age of the end user for this operation...

  • server_error - an error occurred on the server side, either on the IdP or Bank iD side

  • user_not_eligible - the service cannot be provided because the client either has limited legal capacity or does not meet the age requirements for the provision of the service

End user must not have limited legal capacity, Insufficient user data or age restriction

  • auth_failed - the authorization code was already issued during this session. The error is caused by a repeated authCallback request, for example when the end user refreshes the loading screen after the code was issued.

Code was already issued
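
Handling the error callback described above, as an added example (not Bank iD code). It assumes the callback carries error, error_description and state as query parameters, as in a standard OAuth 2.0 authorization error response; the handling categories, the length cap and the redirect URI are hypothetical.

```python
from urllib.parse import parse_qs, urlsplit

# Error codes listed on this page, mapped to handling categories chosen for this example.
HANDLING = {
    "access_denied": "user_action",        # user cancelled authentication or consent
    "eid_doesnt_exist": "user_action",     # bank identity not active for this user
    "insufficient_scope": "data_missing",  # IdP did not transfer the required data
    "user_not_eligible": "not_eligible",   # limited legal capacity or age restriction
    "auth_failed": "restart_flow",         # code was already issued in this session
    "server_error": "open_ticket",         # failure on the IdP or Bank iD side
}
MAX_DESCRIPTION_CHARS = 200  # cap chosen for this example


def sanitize(text):
    """Make callback text safe to log: no control characters, bounded length."""
    if text is None:
        return None
    cleaned = "".join(ch if ch.isprintable() else " " for ch in text)
    return cleaned[:MAX_DESCRIPTION_CHARS]


def classify_callback(callback_url):
    """Branch on the error code only; error_description differs between IdPs."""
    query = parse_qs(urlsplit(callback_url).query)

    def first(key):
        return (query.get(key) or [None])[0]

    error = first("error")
    if error is None:
        return {"ok": True, "state": first("state")}
    return {
        "ok": False,
        "error": sanitize(error),
        "error_description": sanitize(first("error_description")),
        "handling": HANDLING.get(error, "open_ticket"),
        "state": first("state"),
    }


# Constructed callback URL (hypothetical Service Provider redirect URI).
SAMPLE = ("https://sp.example/callback?error=auth_failed"
          "&error_description=Code+was+already+issued%0d%0aforged+log+line&state=abc123")

if __name__ == "__main__":
    print(classify_callback(SAMPLE))
```

The callback URL is attacker-reachable input, so the description is stripped of control characters before it reaches a log, and unknown codes fall through to the ticket path.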

If you do not receive a callback, it is an error in the bank's mobile app or internet banking, or a wrong setting on the user's side, so attach a screenshot of the application or the mobile app. Verification may fail, for example, because the user has not set up a security method (two-factor authentication turned off in the internet banking settings).

Recommended scope of data for audit records

For audit records, we recommend logging the complete payload of the responses from the /userinfo and /profile endpoints, which contain personal data and other parameters that make it possible to uniquely identify the transaction, e.g. sub and txn. As mentioned above, the traceId from the header is also suitable for auditing.
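
Building such an audit record from a response, as an added example (not Bank iD code). It applies the traceId length rule stated earlier in this document and pulls sub and txn out of the payload; the record layout, function names and sample values are assumptions made for the example.

```python
import json
from email.parser import Parser

# Rule from this document: a traceId longer than 16 characters does not come from Bank iD.
TRACE_ID_MAX_CHARS = 16


def extract_trace_id(raw_head):
    """Return the traceId from a raw HTTP response head, or None if absent or too long."""
    # Drop the status line; the remainder parses as case-insensitive header fields.
    _, _, header_block = raw_head.partition("\n")
    value = Parser().parsestr(header_block, headersonly=True).get("traceId")
    if value is None:
        return None
    value = value.strip()
    if not value or len(value) > TRACE_ID_MAX_CHARS:
        return None  # not a Bank iD traceId, so not useful in a ticket
    return value


def build_audit_record(endpoint, raw_head, payload):
    """Keep the complete payload and surface the identifiers support asks for."""
    return {
        "endpoint": endpoint,
        "traceId": extract_trace_id(raw_head),
        "sub": payload.get("sub"),
        "txn": payload.get("txn"),
        "payload": payload,  # complete payload, as recommended above
    }


# Constructed sample data (not real Bank iD output).
SAMPLE_HEAD = (
    "HTTP/1.1 200\n"
    "Date: Mon, 28 Nov 2022 16:01:36 GMT\n"
    "Content-Type: application/json\n"
    "traceId: 4819cea128c50a8c\n"
)
SAMPLE_PAYLOAD = {"sub": "constructed-sub-0001", "txn": "constructed-txn-0001",
                  "given_name": "Jan"}

if __name__ == "__main__":
    record = build_audit_record("/userinfo", SAMPLE_HEAD, SAMPLE_PAYLOAD)
    print(json.dumps(record, indent=2))
```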