Validate User Tokens

ID tokens retrieved upon successful authentication using the /token endpoint should be validated as follows:

  • Validate that the ID token is signed by BindID. The signature can be validated using the public key retrieved using a backend API from the OIDC /jwks endpoint (see the JWKS API reference).
  • Validate that the audience of the ID token (aud) is equal to the client ID issued during BindID enrollment.
  • Validate that the issuer of the ID token (iss) is equal to one of the following, according to environment: sandbox is https://signin.bindid-sandbox.io and production is https://signin.bindid.io
  • Validate that the expiry time (exp) of the ID token has not passed.
  • Validate that the nonce value of the ID token is equal to the one provided to the authentication request.

For transaction signing flows (see Request Transaction Signing), the following additional validations should be performed:

  • Validate that the transaction details displayed to the user match the ones requested. The display_data fields of the bindid_psd2_transaction claim (e.g., payee) should match the corresponding fields that were passed in the transaction signing request.
  • Validate that a multi-factor authenticator was used, as required by PSD2.0 SCA. The amr claim must include ts.bind_id.mfca.