Authorization
Learn how Bright Energy segments authorization and which types are supported.
Authorization for Kit depends on several factors. Because this is your integration, built for use by Bright Energy, your architecture, your Users' country and your security restrictions all play a part in deciding which authorization methods are enabled.
There are two groups of authorization methods:
- User Authorization
- Data Layer Authorization
User Authorization
BankId (Sweden)
In Sweden the best-known eID login solution is BankId.
BankID is a common way to identify yourself in digital environments. You do not have to create accounts with passwords with different actors, and can instead use the same secure solution for everyone. Like showing your ID, but digitally.
In order for your end-users to trust the application and login securely, we relay all BankId API calls to your backend so the end-user will see your company name and certificate in the BankId app.
Test BankId
If you do not already have a BankId for personal use, please obtain a test BankId from: https://developers.bankid.com/test-portal/bankid-for-test
Afterwards you can test if it works at: https://test.bankid.com/
Get a BankId certificate
You must order a BankId certificate from one of the approved banks found at: https://www.bankid.com/en/foretag/kontakt-foeretag.
OpenId
OpenID is an easy and safe way for people to reuse an existing account and user profile from an identity provider (for example Apple, Google or Microsoft) to log in to any OpenID-enabled application or website without creating a new registration and password. You choose the provider, such as Google, and enter your Gmail address and password to log in.
Requirements
- You must expose your .well-known/openid-configuration for Bright Energy to read.
- client_Id, client_secret and scope need to be sent to your Customer Success Manager in a secure manner.
- You need to configure the following callback URLs:
| Callback URL | Purpose |
|---|---|
| https://my-organisation-name.production.getbright.se/v3/auth/my-organisation-name/callback | Production callback URL |
| https://my-organisation-name.staging.getbright.se/v3/auth/my-organisation-name/callback | Staging callback URL |
| https://mypagesURL/auth/my-organisation-name/callback | My Pages Production callback URL |
| https://mypages.my-organisation-name.staging.getbright.se/v3/auth/my-organisation-name/callback | My Pages Production callback URL |
You only need the My Pages callback URLs if you have a My Pages setup.
Learn more at: https://openid.net/developers/how-connect-works/
openId endpoints
The openId endpoints are provided as examples so you can test your OpenID setup with Bright Kit. Build your OpenID integration to the specification: https://swagger.io/docs/specification/v3_0/authentication/openid-connect-discovery/.
If you do not have an OpenId solution provider today, we recommend Signicat.
Signicat
Signicat is an all-in-one solution for using the country-specific eID for your Users' login. Read more at the Signicat Developer Hub to see which methods are included in each country and how to get started with your own Signicat account.
One-time code via email
If some of your Users cannot log in with BankId, we can enable an email login using a single-use verification code. Note that users must be uniquely identified by their email address and have access to a single Account only.
Data Layer Authorization
Bright Energy requires access to your entire data layer at any time, regardless of user interaction. This is needed to implement Data Synchronisation for an optimal User experience.
API Key
The simplest method to implement is an apiKey header.
The API key must be environment specific, generated by the Organisation, and able to be revoked and replaced in the event of a security exposure.
The header name can be anything, for example Ocp-Apim-Subscription-Key, sent together with the correct value.
Bearer: Access Token
Use the Authorization header in combination with a valid access_token generated from OAuth or OpenId. It is possible to use a pre-generated JWT token that never expires, similar to an apiKey, but we recommend an OAuth implementation to increase security.
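As an added illustration of the two data-layer methods above (example code, not part of Bright Energy's Kit), the following Python shows how a receiving backend can accept either the environment-specific, revocable API key header or an expiring HS256 bearer token, while rejecting revoked keys, keys from the wrong environment and tokens without an expiry. The header name is the one from this page; the key values, signing secret and claim names are constructed assumptions.

```python
import base64
import hmac
import json

# Constructed sample secrets (assumption); a real deployment keeps them in a secret manager.
# Keys are environment specific; REVOKED lists keys withdrawn after a security exposure.
API_KEYS = {"production": {"key-prod-v1", "key-prod-v2"}, "staging": {"key-stg-v2"}}
REVOKED = {"key-prod-v1"}
JWT_SECRET = b"constructed-hs256-secret"  # shared with the token issuer (assumption)
HEADER_NAME = "Ocp-Apim-Subscription-Key"  # the example header name from the page

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Issue a token; only used here to build sample input (the issuer does this in practice)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), "sha256").digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_hs256_jwt(token: str, secret: bytes, now: float):
    """Return the claims if signature, algorithm and expiry check out, else None."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(secret, f"{head}.{body}".encode(), "sha256").digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        if json.loads(_unb64url(head)).get("alg") != "HS256":  # pin the algorithm
            return None
        claims = json.loads(_unb64url(body))
        exp = claims.get("exp")  # a token without exp never expires: reject it like a static key
    except (ValueError, UnicodeDecodeError, AttributeError):
        return None
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims

def authorize(headers: dict, env: str, now: float):
    """Return 'apikey' or 'bearer' for an accepted request, None to reject with 401."""
    key = headers.get(HEADER_NAME)
    if key is not None:  # constant-time compare against the keys issued for this environment
        ok = any(hmac.compare_digest(key.encode(), k.encode()) for k in API_KEYS.get(env, ()))
        return "apikey" if ok and key not in REVOKED else None
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer ") and verify_hs256_jwt(auth[len("Bearer "):], JWT_SECRET, now) is not None:
        return "bearer"
    return None
```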