Validate User Tokens

ID tokens retrieved upon successful authentication using the /token endpoint should be validated as follows:

- Validate that the ID token is signed by BindID. The signature can be validated using the public key retrieved, via a backend API call, from the OIDC /jwks endpoint (see the JWKS API reference).
- Validate that the audience of the ID token (`aud`) is equal to the client ID issued during BindID enrollment.
- Validate that the issuer of the ID token (`iss`) is equal to one of the following, according to environment:
  - sandbox: https://signin.bindid-sandbox.io
  - production: https://signin.identity.security
  - production EU: https://signin.eu.identity.security
- Validate that the expiry time (`exp`) of the ID token has not passed.
- Validate that the `nonce` value of the ID token is equal to the one provided in the authentication request.
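The checks above, combined in one function as an added example (not BindID's own code). It assumes the token is RS256-signed, that `aud` is a single string, that the caller has already fetched the BindID signing key from /jwks and converted it to an `*rsa.PublicKey`, and that the client ID, environment name and expected nonce are supplied by the caller.

```go
package main
import (
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
var Issuers = map[string]string{ // iss value per BindID environment, as listed on the page
	"sandbox":       "https://signin.bindid-sandbox.io",
	"production":    "https://signin.identity.security",
	"production-eu": "https://signin.eu.identity.security",
}
// Claims holds the ID-token fields this check reads.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"` // assumed to be a single string, not an array
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
}
// ValidateIDToken verifies the RS256 signature with the BindID key fetched from /jwks, then checks aud, iss, exp and nonce. The header alg is ignored: an RSA signature is always required, so a token without one cannot pass.
func ValidateIDToken(token string, pub *rsa.PublicKey, clientID, env, nonce string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2])      // an undecodable signature simply fails verification
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signed input is the encoded header.payload as sent
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature not issued by BindID")
	}
	var c Claims
	if payload, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("unreadable payload")
	}
	switch {
	case c.Aud != clientID:
		return nil, errors.New("aud does not match client ID")
	case c.Iss != Issuers[env]:
		return nil, errors.New("iss does not match environment")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("exp has passed")
	case c.Nonce != nonce:
		return nil, errors.New("nonce does not match the authentication request")
	}
	return &c, nil
}
```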
For transaction signing flows (see Request Transaction Signing), the following additional validations should be performed:

- Validate that the transaction details displayed to the user match the ones requested. The `display_data` fields of the `bindid_psd2_transaction` claim (e.g., `payee`) should match the corresponding fields that were passed in the transaction signing request.
- Validate that a multi-factor authenticator was used, as required by PSD2 SCA. The `amr` claim must include `ts.bind_id.mfca`.