Core concepts
API version: 2.0
Login is to a large degree based on the OAuth2 and OpenID Connect standards. Some core concepts related to these are presented below.
OAuth 2.0
OAuth 2.0 is the industry-standard protocol for authorization. Giving a proper introduction to the standard is out of the scope of this documentation, but there are many excellent resources on the web. If you are new to the subject, we recommend this talk by Nate Barbettini at Okta. We also recommend reading:
OpenID Connect
OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in a REST-like manner.
Some good sources to get you started are: Identity, Claims, & Tokens - An OpenID Connect Primer and OpenID Connect explained.
Supported OpenID Connect flows
Authorization code grant
The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for confidential clients. Since this is a redirection-based flow, the client must be capable of interacting with the resource owner's user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorization server.
For more information see RFC-6749 section 4.1.
Tokens
ID token
The ID token is a signed information object representing the authenticated identity of the user. As part of the OpenID Connect standard, the ID token is encoded as a JWT and signed using the JWS standard. The ID Token can be decoded for debugging purposes by tools such as jwt.io.
Example header:
{
  "alg": "RS256",
  "kid": "public:80f3c34a-9779-4e1e-b645-117f3b771af8",
  "typ": "JWT"
}
Example body:
{
  "at_hash": "tyFnH20TOmPZkgJU8e5iKw",
  "aud": [
    "vipps-integration"
  ],
  "auth_time": 1557319296,
  "exp": 1557322938,
  "iat": 1557319338,
  "iss": "https://apitest.vipps.no/access-management-1.0/access/",
  "jti": "62a85e56-3d45-4c7e-a055-46932093257a",
  "nonce": "",
  "msn": "123456",
  "rat": 1557319255,
  "sub": "c06c4afe-d9e1-4c5d-939a-177d752a0944"
}
You can read more at the OIDC standard.
It is important to validate the ID token before using any data contained in it: check the signature, issuer, audience, expiry and nonce. See the OIDC standard on ID token validation for the specifics. We recommend that you use a library for this. A good place to start is finding a library for your language at jwt.io.
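The claim checks that remain the client's responsibility even when a JWT library has verified the RS256 signature, as an added example that is not part of the Vipps MobilePay documentation; the issuer, client id, nonce and access token values are assumed placeholders, and the example also handles the `aud`-as-string and `at_hash` cases from the OIDC Core rules rather than only the token shown above.

```python
import base64
import hashlib
import json
import time
from typing import List, Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def payload_of(compact_jwt: str) -> dict:
    """Decode the payload segment only. This does NOT verify the JWS signature;
    call it only after a library has verified the signature against the issuer's JWKS."""
    return json.loads(b64url_decode(compact_jwt.split(".")[1]))


def expected_at_hash(access_token: str) -> str:
    """at_hash for alg RS256: base64url(left-most 128 bits of SHA-256(access_token))."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url_encode(digest[:16])


def validate_id_token_claims(payload: dict, issuer: str, client_id: str, nonce: str,
                             access_token: Optional[str] = None,
                             now: Optional[int] = None, skew: int = 60) -> List[str]:
    """Return the list of failed checks; an empty list means the claims are acceptable."""
    now = int(time.time()) if now is None else now
    errors = []
    if payload.get("iss") != issuer:
        errors.append("iss mismatch")
    aud = payload.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])  # aud may be a string or a list
    if client_id not in aud:
        errors.append("aud does not contain our client_id")
    if len(aud) > 1 and payload.get("azp") != client_id:
        errors.append("multiple audiences but azp is not our client_id")
    exp = payload.get("exp")
    if not isinstance(exp, int) or now - skew >= exp:
        errors.append("token expired")
    iat = payload.get("iat")
    if not isinstance(iat, int) or iat > now + skew:
        errors.append("iat is in the future")
    if payload.get("nonce") != nonce:  # nonce is the value this client sent in the authorize request
        errors.append("nonce mismatch (possible replay)")
    if access_token is not None and payload.get("at_hash") != expected_at_hash(access_token):
        errors.append("at_hash does not match the access token")
    return errors
```

Reject the login (and do not call the userinfo endpoint) if the returned list is non-empty.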
ID token user info
Whether the ID token includes userinfo claims can be configured on portal.vippsmobilepay.com.
ID token without user info
When the ID token configuration is set to exclude userinfo, the ID token will contain only the standard OpenID Connect claims:
{
  "at_hash": "tyFnH20TOmPZkgJU8e5iKw",
  "aud": [
    "vipps-integration"
  ],
  "auth_time": 1557319296,
  "exp": 1557322938,
  "iat": 1557319338,
  "iss": "https://apitest.vipps.no/access-management-1.0/access/",
  "jti": "62a85e56-3d45-4c7e-a055-46932093257a",
  "nonce": "",
  "msn": "123456",
  "rat": 1557319255,
  "sub": "c06c4afe-d9e1-4c5d-939a-177d752a0944"
}
ID token with user info
When the ID token configuration is set to include userinfo, the ID token will include the userinfo claims directly in the token payload. The userinfo claims in the ID token have the same format as the response from the /userinfo endpoint.
Example ID token with userinfo:
{
  "at_hash": "c8TWrG6a1gOmsSmTDlWiMA",
  "sub": "123456-79f0-4e0a-9a35-3e39c5402650",
  "birthdate": "1931-07-25",
  "gender": "male",
  "iss": "https://ece46ec4-6f9c-489b-8fe5-146a89e11635.tech-02.net/access-management-1.0/access/",
  "msn": "12345",
  "sid": "a572828d-a303-4545-8709-f0867f5ce866",
  "nin": "11073100000",
  "azp": "edddb32f-5028-4397-b0ab-e8ecf218fdc2",
  "auth_time": 1758770735,
  "exp": 1758774335,
  "iat": 1758770735,
  "jti": "acc52f3c-3ea2-4739-8d16-1647a5ee7144",
  "email": "some@email.com",
  "other_addresses": [
    {
      "address_type": "work",
      "country": "NO",
      "formatted": "Test\n1780\nOslo\nNO",
      "postal_code": "1780",
      "region": "Oslo",
      "street_address": "Test"
    },
    {
      "address_type": "other",
      "country": "NO",
      "formatted": "Gate\n6362\nRegion\nNO",
      "postal_code": "6362",
      "region": "Region",
      "street_address": "Gate"
    }
  ],
  "address": {
    "address_type": "home",
    "country": "NO",
    "formatted": "Street\n0543\nOslo\nNO",
    "postal_code": "0543",
    "region": "Oslo",
    "street_address": "Street"
  },
  "email_verified": true,
  "rat": 71232147,
  "phone_number_verified": true,
  "given_name": "Some",
  "nonce": "bafe1f3b-081e-453a-870a-cabddac0f803",
  "aud": "uqwuer-12345-4397-b0ab-e8ecf218fdc2",
  "name": "Some Name",
  "phone_number": "123456789",
  "family_name": "Name"
}
For more information about the available userinfo claims and their formats, see User info: scopes.
Access token
Access tokens are random strings that represent the authorization of a specific application to access specific parts of a user's data.
These access tokens are provided by the POST:/access-management-1.0/access/oauth2/token endpoint.
The token itself does not carry any information, but it can be used to fetch the data that the end-user has consented to share from the userinfo endpoint.
Access tokens must be kept confidential in transit and in storage.
Example:
"hel39XaKjGH5tkCvIENGPNbsSHz1DLKluOat4qP-A4.WyV61hCK1E2snVs1aOvjOWZOXOayZad0K-Qfo3lLzus"
For more information see RFC-6749 section 4.1.3-4.1.4.
Refresh token
Login does not currently support refresh tokens.
Token endpoint authentication method
The token endpoint is a standard OIDC endpoint used for requesting access and ID tokens.
The default token endpoint authentication method is client_secret_basic.
It is possible to change the authentication method to client_secret_post on portal.vippsmobilepay.com.
This setting then applies to all login transactions for the sales unit.
For more information on how to change the authentication method, see FAQ: How can I use client_secret_post for authentication.
For more information on the token endpoint, see OpenID Connect Core 1.0 and RFC-6749 section 3.2.
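How the two authentication methods named above place the client credentials in the token request, as an added example that is not part of the Vipps MobilePay documentation; the client id, client secret, authorization code and redirect URI are constructed placeholders, and the token path is the one given on this page.

```python
import base64
from urllib.parse import quote, unquote, urlencode

TOKEN_PATH = "/access-management-1.0/access/oauth2/token"  # path from this page


def client_secret_basic(client_id: str, client_secret: str, code: str, redirect_uri: str):
    """Default method: credentials in an HTTP Basic Authorization header.
    RFC 6749 section 2.3.1 requires id and secret to be form-urlencoded BEFORE
    base64 encoding, so a secret containing ':' or '/' survives the round trip."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(raw.encode("ascii")).decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})
    return headers, body


def client_secret_post(client_id: str, client_secret: str, code: str, redirect_uri: str):
    """Alternative method: credentials travel in the form body, so the body (not
    just the header) must be excluded from request logging."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri,
                      "client_id": client_id, "client_secret": client_secret})
    return headers, body


def parse_basic_auth(header: str):
    """Server-side view of client_secret_basic: split on the first ':' is safe
    only because the encoded id and secret can no longer contain one."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, secret = base64.b64decode(token).decode("ascii").partition(":")
    return unquote(user), unquote(secret)
```

The method configured for the sales unit must match the one the client sends; mixing them yields an invalid_client error from the token endpoint.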
Scopes
The scope parameter determines what information the user is asked to share. It can include several values, separated by a space.
For a full list of scopes, see User info: scopes.