
Usage (Identification and signing)

This use case describes the full flow, in logical sequence, from end-user identification through to receiving the PKCS#1 signature.

If you only need to identify the end-user, use only "Electronic identification of end-user".

Each subchapter is named after the paragraph in which you can find a detailed explanation of the specific operation.


Obtain Authorization code

Request

The urn:lvrtc:fpeil:aa scope shall be used.

GET /trustedx-authserver/oauth/{as}?response_type=code&
   client_id=...&
   state=...&
   redirect_uri=...&
   scope=...&
   prompt=...&
   acr_values=...&
   ui_locales=...

Response

GET {redirection_uri_path}?code={code}&state={state} HTTP/1.1
Host: {redirection_uri_host}

Obtain an access token

Request example

Using the "code" value received in the previous operation

POST /trustedx-authserver/oauth/lvrtc-eips-as/token HTTP/1.1
Host: eidas.eparaksts.lv
Authorization: Basic cG9ydCVDNCU4MWxzOmRybyVDNSVBMSVDNCVBQmJh
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

grant_type=authorization_code&
     redirect_uri=https://www.demoapp.lv/oauth/back&
     code=4515...e0ban

Response example

{
"access_token" : {string},
"token_type" : "Bearer",
"expires_in" : {number}
}
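The two steps above (redirect to the authorization endpoint, then exchange the returned code for a token) as an added Python client example; this is not code from the page or from the eParaksts/TrustedX product. The demo client values, the prompt and ui_locales values, and the `extra` parameter (which carries the sign_identity_id and digests_summary parameters used in the signing round later on this page) are assumptions; the state check is what protects the redirect_uri callback from being replayed or injected.

```python
import base64
import secrets
import urllib.parse

# Constructed demo values for this example (not the project's own configuration).
AUTH_SERVER = "https://eidas.eparaksts.lv"
AS_ALIAS = "lvrtc-eips-as"                      # the {as} path segment
REDIRECT_URI = "https://www.demoapp.lv/oauth/back"

def new_state() -> str:
    # Unguessable per-request value; the callback must echo it back unchanged.
    return secrets.token_urlsafe(24)

def build_authorize_url(client_id, scope, state, extra=None):
    """Step 1: the URL the browser is redirected to. `extra` carries the
    sign_identity_id / digests_summary parameters of the signing round."""
    params = {"response_type": "code", "client_id": client_id, "state": state,
              "redirect_uri": REDIRECT_URI, "scope": scope,
              "prompt": "login", "ui_locales": "lv"}     # assumed demo values
    params.update(extra or {})
    return (f"{AUTH_SERVER}/trustedx-authserver/oauth/{AS_ALIAS}?"
            + urllib.parse.urlencode(params))

def parse_callback(callback_url, expected_state):
    """Validate the redirect back to redirect_uri and extract the code."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not issued for this session")
    if "code" not in q:
        raise ValueError("no code in callback: " + q.get("error", ["unknown"])[0])
    return q["code"][0]

def basic_auth_header(client_id, client_secret):
    """RFC 6749 s2.3.1: percent-encode each part, join with ':', then base64."""
    pair = (urllib.parse.quote(client_id, safe="") + ":"
            + urllib.parse.quote(client_secret, safe=""))
    return "Basic " + base64.b64encode(pair.encode("ascii")).decode("ascii")

def token_request(client_id, client_secret, code):
    """Step 2: headers and form body of the token request."""
    headers = {"Host": "eidas.eparaksts.lv",
               "Authorization": basic_auth_header(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8"}
    body = urllib.parse.urlencode({"grant_type": "authorization_code",
                                   "redirect_uri": REDIRECT_URI, "code": code})
    return headers, body
```

The sample Authorization header on this page is exactly this encoding of the demo pair portāls:drošība, which shows why the percent-encoding step matters for non-ASCII credentials.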

Obtain Information About the Authenticated User

Request example

Using the access token received in the previous operation

GET /trustedx-resources/openid/v1/users/me
Host: eidas.eparaksts.lv
Authorization: Bearer a2b4...6daf

Response example for urn:lvrtc:fpeil:aa scope

HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8
Date: Thu, 16 Nov 2017 10:14:21 GMT

{
"sub": "ddf12735f35675ecb652e6e1a80e41f1",
"domain": "citizen",
"acr": "urn:safelayer:tws:policies:authentication:level:high",
"amr":["urn:eparaksts:tws:policies:authentication:adaptive:methods:sc_plugin"],
"given_name": "ANDRIS",
"family_name": "PARAUDZIŠ",
"name": "ANDRIS PARAUDZIŠ",
"serial_number": "PNOLV-010180-15097",
"eips": "VAS \"Latvijas Valsts radio un televīzijas centrs\""
}

Obtain Authorization code

Request

The urn:safelayer:eidas:sign:identity:profile scope shall be used.

GET /trustedx-authserver/oauth/{as}?response_type=code&
   client_id=...&
   state=...&
   redirect_uri=...&
   scope=...&
   prompt=...&
   acr_values=...&
   ui_locales=...

Response

GET {redirection_uri_path}?code={code}&state={state} HTTP/1.1
Host: {redirection_uri_host}

Obtain an access token

Request

Using the "code" value received in the previous operation

POST /trustedx-authserver/oauth/lvrtc-eips-as/token HTTP/1.1
Host: eidas.eparaksts.lv
Authorization: Basic cG9ydCVDNCU4MWxzOmRybyVDNSVBMSVDNCVBQmJh
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

grant_type=authorization_code&
     redirect_uri=https://www.demoapp.lv/oauth/back&
     code=4515...e0ban

Response

{
"access_token" : {string},
"token_type" : "Bearer",
"expires_in" : {number}
}

Obtain Information About the Authenticated User (Getting signing identities)

Request

Using the access token received in the previous operation

GET /trustedx-resources/openid/v1/users/me
Host: eidas.eparaksts.lv
Authorization: Bearer a2b4...6daf

Response example for urn:safelayer:eidas:sign:identity:profile scope

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{
    "sign_identities": [
        {
            "id": "a46...hu6",
            "status": {
                "value": "enabled"
            },
            "labels": [
                "serverid",
                "x509:keyUsage:contentCommitment",
                "eparaksts",
                "serveridVersion1"
            ],
            "domain": "citizen",
            "links": {
                "Signatures.create.server.raw": {
                    "auth": {
                        "oauth2": {
                            "scopes": [
                                "urn:safelayer:eidas:sign:identity:use:server"
                            ]
                        }
                    }
                }
            },
            "self": "https://eidas-demo.eparaksts.lv/trustedx-resources/esigp/v1/sign_identities/a46...hu6",
            "access": [
                {
                    "user_id": "55f...16d"
                }
            ],
            "type": "pki:x509"
        },
        {
            "id": "oth...516",
            "status": {
                "value": "enabled"
            },
            "labels": [
                "mobileidVersion1",
                "eparaksts",
                "mobileid",
                "x509:keyUsage:digitalSignature"
            ],
            "domain": "citizen",
            "device_id": "ae34dd7.........104a2",
            "self": "https://eidas-demo.eparaksts.lv/trustedx-resources/esigp/v1/sign_identities/oth...516",
            "access": [
                {
                    "user_id": "55f...16d"
                }
            ],
            "type": "pki:x509"
        }
    ]
}

Obtain Signing Identity Information (Getting Signing or Authentication certificate)

Request

Authentication certificate

To receive the authentication certificate, read and use the id value (from the previous operation) of the identity whose labels array contains the mobileid tag.

The authentication certificate is needed if you are using the Sign API service to finalize the signature.

Signing certificate

To receive the signing certificate, read and use the id value (from the previous operation) of the identity whose labels array contains the serverid tag.

The signing certificate is needed if you are using the Sign API service or another solution to sign the signable data according to the XAdES or PAdES specification.

Also make sure that the status value of the chosen identity is enabled.
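Applying the selection rules above to the sign_identities response, as an added Python example (not code from the page or the project): it picks the enabled pki:x509 identity carrying the serverid or mobileid label and reads the OAuth scope that the identity's links entry requires for server-side signing. The sample data is a constructed, abridged copy of the response shown earlier (ids shortened), with a disabled identity added in front to show why the status check matters.

```python
import json

# Constructed, abridged copy of the sign_identities response above (ids shortened);
# a disabled identity is placed first to show why the status check matters.
SAMPLE = json.loads("""{"sign_identities": [
  {"id": "dis...abl", "status": {"value": "disabled", "reason": "revoked"},
   "labels": ["serverid", "eparaksts"], "domain": "citizen", "type": "pki:x509"},
  {"id": "a46...hu6", "status": {"value": "enabled"},
   "labels": ["serverid", "x509:keyUsage:contentCommitment", "eparaksts", "serveridVersion1"],
   "domain": "citizen",
   "links": {"Signatures.create.server.raw": {"auth": {"oauth2":
             {"scopes": ["urn:safelayer:eidas:sign:identity:use:server"]}}}},
   "type": "pki:x509"},
  {"id": "oth...516", "status": {"value": "enabled"},
   "labels": ["mobileidVersion1", "eparaksts", "mobileid", "x509:keyUsage:digitalSignature"],
   "domain": "citizen", "device_id": "ae34dd7...104a2", "type": "pki:x509"}
]}""")

def select_identity(response, label):
    """First identity of type pki:x509 whose status is enabled and whose labels
    contain `label`; None when there is no usable one."""
    for ident in response.get("sign_identities", []):
        if ident.get("type") != "pki:x509":
            continue
        if ident.get("status", {}).get("value") != "enabled":
            continue
        if label in ident.get("labels", []):
            return ident
    return None

def signing_identity(response):
    # serverid label: the certificate used to calculate the signable data
    return select_identity(response, "serverid")

def authentication_identity(response):
    # mobileid label: the certificate the Sign API needs to finalize the signature
    return select_identity(response, "mobileid")

def required_scopes(ident, operation="Signatures.create.server.raw"):
    """OAuth scopes the identity's links entry requires for `operation`
    (empty when the identity does not offer that operation)."""
    link = (ident or {}).get("links", {}).get(operation)
    if not link:
        return []
    return list(link.get("auth", {}).get("oauth2", {}).get("scopes", []))
```

The scope returned for the signing identity is the one the next authorization-code round must request.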

GET /trustedx-resources/esigp/v1/sign_identities/a46...hu6 HTTP/1.1
Authorization: Bearer mF_9.B5f-4.1JqM

Response

{
    "id" : {string},
    "self" : {string},
    "description" : {string},
    "labels" : [ {string} ],
    "type" : {string},
    "device_id" : {string},
    "domain" : {string},
    "access" : [ {
        "user_id" : {string}
    } ],
    "details" : {
        "certificate" : {string},
        "activation_mode" : {string},
        "public_key" : {string}
    },
    "links" : {
        <operation_alias> : {
            "auth" : {
                "oauth2" : {
                    "scopes" : [ {string} ]
                }
            }
        }
    },
    "status" : {
        "value" : {string},
        "reason" : {string}
    }
}

The details.certificate property contains the X.509 certificate, DER-encoded and then base64-encoded.

The authentication certificate is used by the Sign API service to finalize the signature.

The signing certificate is used to calculate the signable data.

Obtain Authorization code

Request

The urn:safelayer:eidas:sign:identity:use:server scope shall be used.

GET /trustedx-authserver/oauth/{as}?response_type=code&
   client_id=...&
   state=...&
   redirect_uri=...&
   scope=...&
   prompt=...&
   acr_values=...&
   ui_locales=...&
   sign_identity_id=...&
   digests_summary=...&
   digests_summary_algorithm=...

The sign_identity_id value is the id received in the previous operation.

The digests_summary value is the signable data calculated using the received signing certificate.

At this point the end-user, who has an active SSO session, enters the HSM password on the page they are redirected to.

Response

GET {redirection_uri_path}?code={code}&state={state} HTTP/1.1
Host: {redirection_uri_host}

Obtain an access token

Request

Using the "code" value received in the previous operation

POST /trustedx-authserver/oauth/lvrtc-eips-as/token HTTP/1.1
Host: eidas.eparaksts.lv
Authorization: Basic cG9ydCVDNCU4MWxzOmRybyVDNSVBMSVDNCVBQmJh
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

grant_type=authorization_code&
     redirect_uri=https://www.demoapp.lv/oauth/back&
     code=4515...e0ban

Response

{
"access_token" : {string},
"token_type" : "Bearer",
"expires_in" : {number}
}

Create a Digital Signature on the Server

Request

Using the "sign_identity_id" value received in the previous operations and the "digest_value" value calculated using the received signing certificate.

If you are using the Sign API service, the "diggest" property value received in the calculateDigest operation response shall be used as the "digest_value" value.

POST /trustedx-resources/esigp/v1/signatures/server/raw
Host: eidas.eparaksts.lv
Content-Type: application/json
Authorization: Bearer cbc...6daf
Content-Length: 213

{
"digest_value" : "n4bQgYhMfWWaL+qgxVrQFaO/TxsrC4Is0V1sFbDwCgg",
"signature_algorithm" : "rsa-sha256",
"sign_identity_id" : "nio...omq"
}

Response

Response contains the binary value of the PKCS #1 signature.
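Preparing the signing request above, as an added Python example (not code from the page or the project): it derives digest_value as the base64 encoding of the raw SHA-256 of the signable data, rejects a digest of the wrong length before it is sent to the HSM, and assembles the JSON body with a matching Content-Length. The sample digest_value shown in the request is the SHA-256 of the ASCII string "test" with its trailing "=" padding dropped, which the check tolerates; the mapping from signature_algorithm to hash function covers only the rsa-sha256 value the page shows.

```python
import base64
import hashlib
import json

HASH_FOR_ALGORITHM = {"rsa-sha256": "sha256"}   # only the value shown on this page

def digest_value(data: bytes, algorithm: str = "rsa-sha256") -> str:
    """Base64 of the raw hash of the signable data, as digest_value expects."""
    h = hashlib.new(HASH_FOR_ALGORITHM[algorithm], data).digest()
    return base64.b64encode(h).decode("ascii")

def check_digest_value(value: str, algorithm: str = "rsa-sha256") -> bytes:
    """Decode a digest_value (padding optional) and insist on the hash length,
    so a hex string or a truncated value is caught client-side, not by the HSM."""
    raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    expected = hashlib.new(HASH_FOR_ALGORITHM[algorithm]).digest_size
    if len(raw) != expected:
        raise ValueError(f"{algorithm} digest must be {expected} bytes, got {len(raw)}")
    return raw

def signature_request(access_token, sign_identity_id, digest, algorithm="rsa-sha256"):
    """Headers and body of POST /trustedx-resources/esigp/v1/signatures/server/raw."""
    check_digest_value(digest, algorithm)
    body = json.dumps({"digest_value": digest,
                       "signature_algorithm": algorithm,
                       "sign_identity_id": sign_identity_id}).encode("utf-8")
    headers = {"Host": "eidas.eparaksts.lv",
               "Content-Type": "application/json",
               "Authorization": "Bearer " + access_token,
               "Content-Length": str(len(body))}
    return headers, body
```

The access token passed in must be the one obtained with the urn:safelayer:eidas:sign:identity:use:server scope, not the token from the identification round.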
