
eIDAS Verification

Third Party Providers (TPPs) are required to identify themselves to banks using their eIDAS (electronic IDentification, Authentication and trust Services) QSEAL (Qualified Certificate for Electronic Seals) certificate in order to receive access to the bank's sandbox and APIs.

This flow is designed to allow TPPs to gain access to one particular bank without manual verification. To be verified, you must do the following:

  1. Set up the Client.

  2. Call createMember under the realm of the bank you wish to gain access to, specifying the memberId of the bank (i.e. the realmId should be equal to the bank's memberId).

  3. Call the addAlias method with the type eIDAS under the same realm. Set the value equal to your TPP authNumber, which can be found in the certificate.

  4. Verify your eIDAS certificate by calling verifyEidas. The payload must be signed with the private key that corresponds to the public key in the certificate.

    The method takes the following two parameters:

    payload: the memberId, the eIDAS alias, the base64-encoded eIDAS certificate, and the signing algorithm used to sign the payload.
    signature: the above payload signed with the private key corresponding to the given certificate.

    The method returns one of the following status codes in the VerifyEidasResponse:

    SUCCESS: Your request was successful.
    FAILURE_EIDAS_INVALID: Your certificate is invalid.
    FAILURE_ERROR_RESPONSE: The verification service returned an error response.

It also returns a string with status details: either the error that occurred or the validity of the certificate.

If the request is successful and the provided certificate is valid, the TPP member and their eIDAS alias become verified and get the permissions listed in the certificate.

NOTE: If you want to update your certificate, you need to re-verify your alias with the new certificate.

NOTE: The certificate is revalidated every 12 hours. If it becomes invalid (e.g. expired), the TPP member becomes unverified and loses all the permissions that had previously been granted.

Create Member and verify eIDAS Sample

public static Member verifyEidas(
        Member member,
        String tppAuthNumber,
        String certificate,
        PrivateKey privateKey) {
    // Suppose we already have a member registered under the realm of a bank with a
    // verified or unverified eIDAS alias.
    // Now we want to submit a new certificate (e.g. to replace an expired or invalid one).
    // The signature below must be made with the private key matching that certificate.
    Algorithm signingAlgorithm = Algorithm.RS256;
    Crypto crypto = CryptoRegistry.getInstance().cryptoFor(signingAlgorithm);
    Signer signer = crypto.signer("eidas", privateKey);

    // create an eIDAS alias
    // (if the alias is verified you can just fetch it with member.aliasesBlocking())
    Alias eidasAlias = normalize(Alias.newBuilder()
            .setValue(tppAuthNumber)
            .setRealmId(member.realmId())
            .setType(EIDAS)
            .build());
    // construct a payload with all the required data
    VerifyEidasPayload payload = VerifyEidasPayload
            .newBuilder()
            .setAlgorithm(signingAlgorithm)
            .setAlias(eidasAlias)
            .setCertificate(certificate)
            .setMemberId(member.memberId())
            .build();
    // verify eIDAS
    VerifyEidasResponse response = member
            .verifyEidas(payload, signer.sign(payload))
            .blockingSingle();
    // get the verification status (useful if the verifyEidas response has IN_PROGRESS
    // status: poll with the returned verificationId until a final status is reached)
    GetEidasVerificationStatusResponse statusResponse = member
            .getEidasVerificationStatus(response.getVerificationId())
            .blockingSingle();

    return member;
}
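The signing and verification steps described above, as an added Go example that is not part of this page or of the Token SDK: the TPP signs the payload with RS256 using the key behind its certificate, and the verifying side parses the certificate, checks its validity window (the check the 12-hour revalidation repeats) and checks the signature against the certificate's own public key. The JSON payload encoding, the status codes returned as strings and the self-signed stand-in certificate are assumptions constructed for the example; a real QSEAL check would also validate the chain to a qualified trust list, which this example does not do.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"math/big"
	"time"
)

// VerifyEidasPayload holds the fields the page lists: the memberId, the eIDAS alias
// (the TPP authNumber), the base64-encoded certificate and the signing algorithm.
type VerifyEidasPayload struct{ MemberID, Alias, Certificate, Algorithm string }

// SignPayload is the TPP side: RS256 (RSASSA-PKCS1-v1_5 with SHA-256) over the JSON
// payload, using the private key that belongs to the certificate embedded in it.
func SignPayload(p VerifyEidasPayload, key *rsa.PrivateKey) ([]byte, error) {
	msg, _ := json.Marshal(p) // a struct of plain strings always marshals
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
}

// VerifyPayload is the bank side: the certificate must parse, must be valid at `now`
// (the 12-hour revalidation re-runs this check), and the signature must verify under
// the certificate's own public key. Returns the page's status code and a details string.
func VerifyPayload(p VerifyEidasPayload, sig []byte, now time.Time) (status, details string) {
	der, _ := base64.StdEncoding.DecodeString(p.Certificate) // bad base64 fails to parse below
	cert, err := x509.ParseCertificate(der)
	msg, _ := json.Marshal(p)
	switch {
	case err != nil:
		return "FAILURE_EIDAS_INVALID", "certificate does not parse: " + err.Error()
	case now.Before(cert.NotBefore) || now.After(cert.NotAfter):
		return "FAILURE_EIDAS_INVALID", "certificate not valid at " + now.UTC().Format(time.RFC3339)
	case p.Algorithm != "RS256" || cert.CheckSignature(x509.SHA256WithRSA, msg, sig) != nil:
		return "FAILURE_EIDAS_INVALID", "signature is not RS256 under the certificate's key"
	}
	return "SUCCESS", "certificate valid until " + cert.NotAfter.UTC().Format(time.RFC3339)
}

// ConstructedCertificate is constructed test data: a self-signed stand-in for a QSEAL
// (not a qualified certificate) that expires after ttl, returned with its private key.
func ConstructedCertificate(ttl time.Duration) (string, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return base64.StdEncoding.EncodeToString(der), key
}
```

A signature made with a key other than the certificate's, a payload altered after signing, or a certificate outside its validity window all yield FAILURE_EIDAS_INVALID, which is what un-verifies the member at revalidation time.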

Copyright © 2019 Token, Inc. All Rights Reserved