eIDAS Verification
Third Party Providers (TPPs) are required to identify themselves to banks using their eIDAS (electronic IDentification, Authentication and trust Services) QSEAL (Qualified Certificate for Electronic Seals) certificate to receive access to their bank's sandbox and APIs.
This flow is designed to allow TPPs to gain access to one particular bank without manual verification. In order to be verified, you must do the following:

1. Call createMember under the realm of the bank you wish to gain access to, specifying the memberId of the bank (i.e. the realmId should be equal to the bank's memberId).

2. Call the addAlias method with the type eIDAS under the same realm. Set the value equal to your TPP authNumber, which can be found in the certificate.

3. Verify your eIDAS certificate by calling verifyEidas. The payload should be signed with the private key that corresponds to the public key in the certificate. The input takes the following two parameters:

   payload: includes the memberId, the eIDAS alias, the base64-encoded eIDAS certificate, and the signing algorithm used to sign the certificate.

   signature: the above payload signed with the private key corresponding to the given certificate.

The method returns one of the following status codes in the VerifyEidasResponse:

   SUCCESS: Your request was successful.

   FAILURE_EIDAS_INVALID: Your certificate is invalid.

   FAILURE_ERROR_RESPONSE: The verification service returned an error response.

It also returns a string with status details: either the error that occurred or the validity of the certificate.
If the request is successful and the provided certificate is valid, the TPP member and their eIDAS alias become verified and get the permissions listed in the certificate.
NOTE: If you want to update your certificate validation, you need to reverify your alias with your new certificate.
NOTE: The certificate is revalidated every 12 hours. If it becomes invalid (e.g. expired) the TPP member becomes unverified and loses all the permissions that had been previously granted.
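The steps above rely on three things being right before verifyEidas is ever called: the alias value must be the authorization number carried in the certificate, the private key used for the signature must be the pair of the certificate's public key, and the certificate must still be within its validity period (an expired one fails the 12-hour revalidation and drops the member's permissions). The following pre-flight check is an added example, not code from this page or from the Token SDK; it uses only the JDK, assumes the QSEAL certificate is available as a PEM file and the key as an unencrypted PKCS#8 PEM file (both paths are hypothetical command-line arguments), and assumes the authorization number sits in the subject's organizationIdentifier attribute (OID 2.5.4.97), which is where PSD2 QSEAL certificates carry it.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Map;

/** Pre-flight checks for a QSEAL certificate/key pair before calling verifyEidas (added example). */
public final class QsealPreflight {
    // X.509 organizationIdentifier attribute; PSD2 certificates put the TPP authorization number here.
    private static final String ORG_IDENTIFIER_OID = "2.5.4.97";
    private static final String ORG_IDENTIFIER_KEYWORD = "organizationIdentifier";

    /** Parses a PEM (or DER) encoded X.509 certificate from disk. */
    public static X509Certificate loadCertificate(Path path) throws Exception {
        try (InputStream in = Files.newInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Parses an unencrypted PKCS#8 RSA private key in PEM form (RS256 is an RSA algorithm). */
    public static PrivateKey loadPkcs8RsaKey(Path path) throws Exception {
        String pem = Files.readString(path, StandardCharsets.US_ASCII)
            .replace("-----BEGIN PRIVATE KEY-----", "")
            .replace("-----END PRIVATE KEY-----", "")
            .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(pem);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /**
     * Returns the subject's organizationIdentifier, i.e. the authNumber to use as the eIDAS alias value.
     * The OID map makes the JDK print the attribute as a string instead of a hex-encoded DER blob.
     * The comma split is naive: it is fine for PSD2 authorization numbers, which contain no commas.
     */
    public static String authNumberFrom(X509Certificate cert) {
        String dn = cert.getSubjectX500Principal()
            .getName("RFC2253", Map.of(ORG_IDENTIFIER_OID, ORG_IDENTIFIER_KEYWORD));
        for (String rdn : dn.split(",")) {
            if (rdn.startsWith(ORG_IDENTIFIER_KEYWORD + "=")) {
                return rdn.substring(ORG_IDENTIFIER_KEYWORD.length() + 1);
            }
        }
        throw new IllegalArgumentException("certificate has no organizationIdentifier (OID 2.5.4.97)");
    }

    /**
     * True if the private key is the pair of the certificate's public key: sign a probe with the key
     * and verify it with the certificate, using the same SHA-256/RSA combination as RS256.
     */
    public static boolean keyMatchesCertificate(PrivateKey privateKey, X509Certificate cert) throws Exception {
        byte[] probe = "key-match-probe".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(privateKey);
        signer.update(probe);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(probe);
        return verifier.verify(sig);
    }

    /** Base64 of the DER encoding: the form the verifyEidas payload's certificate field takes. */
    public static String base64Der(X509Certificate cert) throws Exception {
        return Base64.getEncoder().encodeToString(cert.getEncoded());
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = loadCertificate(Path.of(args[0]));   // hypothetical: path to qseal.pem
        PrivateKey key = loadPkcs8RsaKey(Path.of(args[1]));         // hypothetical: path to qseal-key.pem

        // Throws CertificateExpiredException / CertificateNotYetValidException; an expired
        // certificate will be rejected and, later, fail the periodic revalidation.
        cert.checkValidity();

        if (!keyMatchesCertificate(key, cert)) {
            throw new IllegalStateException("private key does not belong to this QSEAL certificate");
        }

        System.out.println("eIDAS alias value (authNumber): " + authNumberFrom(cert));
        System.out.println("certificate valid until:        " + cert.getNotAfter());
        System.out.println("payload certificate field:      " + base64Der(cert).substring(0, 32) + "...");
    }
}
```

Run it as `java QsealPreflight qseal.pem qseal-key.pem`; the printed authNumber is the value to pass to addAlias, and the base64 string is what goes into the payload's certificate field. A key mismatch here means verifyEidas would receive a signature the certificate cannot validate, so it is cheaper to catch it locally than to diagnose a FAILURE_EIDAS_INVALID response.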
Create Member and verify eIDAS Sample
public static Member verifyEidas(
        Member member,
        String tppAuthNumber,
        String certificate,
        PrivateKey privateKey) {
    // Suppose we already have a member registered under the realm of a bank with a
    // verified or not verified eIDAS alias.
    // Now we want to submit a new certificate (e.g. instead of an expired or invalid one).
    Algorithm signingAlgorithm = Algorithm.RS256;
    Crypto crypto = CryptoRegistry.getInstance().cryptoFor(signingAlgorithm);
    // The signer must use the private key that matches the public key in the certificate.
    Signer signer = crypto.signer("eidas", privateKey);

    // Create an eIDAS alias whose value is the TPP authNumber from the certificate
    // (if the alias is already verified you can just fetch it with member.aliasesBlocking()).
    Alias eidasAlias = normalize(Alias.newBuilder()
            .setValue(tppAuthNumber)
            .setRealmId(member.realmId())
            .setType(EIDAS)
            .build());

    // Construct a payload with all the required data: algorithm, alias,
    // base64-encoded certificate and the member id.
    VerifyEidasPayload payload = VerifyEidasPayload
            .newBuilder()
            .setAlgorithm(signingAlgorithm)
            .setAlias(eidasAlias)
            .setCertificate(certificate)
            .setMemberId(member.memberId())
            .build();

    // Verify eIDAS: the second argument is the payload signed with the private key.
    VerifyEidasResponse response = member
            .verifyEidas(payload, signer.sign(payload))
            .blockingSingle();

    // Get the verification status (useful if the verifyEidas response has IN_PROGRESS status).
    GetEidasVerificationStatusResponse statusResponse = member
            .getEidasVerificationStatus(response.getVerificationId())
            .blockingSingle();

    return member;
}
Copyright © 2019 Token, Inc. All Rights Reserved