Validate User Tokens
ID tokens retrieved upon successful authentication using the /token endpoint should be validated as follows:
- Validate that the ID token is signed by BindID. The signature can be validated using the public key retrieved using a backend API from the OIDC /jwks endpoint (see the JWKS API reference).
- Validate that the audience of the ID token (aud) is equal to the client ID issued during BindID enrollment.
- Validate that the issuer of the ID token (iss) is equal to one of the following, according to environment: sandbox is https://signin.bindid-sandbox.io and production is
- Validate that the expiry time (exp) of the ID token has not passed.
- Validate that the nonce value of the ID token is equal to the one provided in the authentication request.
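The checks listed above, implemented in Go as an added example (this is not BindID's own code or SDK). It assumes the JWKS has already been fetched from the /jwks endpoint and parsed into the JWK slice, that the token is RS256-signed, and that aud is a single string; the names ValidateIDToken, JWK and Claims are hypothetical.

```go
package main

import (
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// JWK is the subset of an RSA JSON Web Key (as served by the /jwks endpoint) that RS256 needs.
type JWK struct{ Kid, N, E string }

// Claims are the ID-token claims the rules above check (aud is assumed to be a single string).
type Claims struct{ Iss, Aud, Nonce string; Exp int64 }

// ValidateIDToken verifies an RS256 ID token against the JWKS, then checks aud, iss, exp and nonce.
func ValidateIDToken(tok string, jwks []JWK, iss, aud, nonce string, now time.Time) (*Claims, error) {
	b64, p := base64.RawURLEncoding, strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if hb, err := b64.DecodeString(p[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("bad header or unsupported alg") // pin the alg: never accept alg=none or HS*
	}
	var pub *rsa.PublicKey
	for _, k := range jwks { // select the verification key whose kid matches the token header
		if n, err := b64.DecodeString(k.N); k.Kid == hdr.Kid && err == nil {
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	sig, err := b64.DecodeString(p[2])
	h := sha256.Sum256([]byte(p[0] + "." + p[1])) // RS256 signs SHA-256 of the encoded header.payload
	if pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("no key for kid or signature invalid")
	}
	var c Claims
	if cb, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(cb, &c) != nil {
		return nil, errors.New("bad payload")
	}
	// Claim checks from the list above: audience, issuer, expiry, then the nonce we sent.
	if c.Aud != aud || c.Iss != iss || !now.Before(time.Unix(c.Exp, 0)) || c.Nonce != nonce {
		return nil, errors.New("aud, iss, exp or nonce check failed")
	}
	return &c, nil
}
```

Only a token that passes the signature check and all four claim checks yields a non-nil Claims; the caller should treat any error as an authentication failure rather than inspecting the partially parsed claims.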
For transaction signing flows (see Request Transaction Signing), the following additional validations should be performed:
- Validate that the transaction details displayed to the user match the ones requested. The display_data fields of the
payee) should match the corresponding fields that were passed in the transaction signing request.
- Validate that a multi-factor authenticator was used, as required by PSD2.0 SCA. The amr claim must include