chore: initial commit

Co-authored-by: patrickhelvik <[email protected]>

.github/workflows/example-ciba-aspnet.yml

@@ -0,0 +1,24 @@
+name: Build CIBA Example - ASP.NET
+
+on:
+  push:
+    paths:
+      - ".github/workflows/example-ciba-aspnet.yml"
+      - "example-ciba-flow/aspnet-and-nextjs/backend/app/**"
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v4
+        with:
+          context: example-ciba-flow/aspnet-and-nextjs/backend/app
+          file: example-ciba-flow/aspnet-and-nextjs/backend/app/Dockerfile
+          push: false
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/example-ciba-nextjs.yml

@@ -0,0 +1,40 @@
+name: Build CIBA Example - Next.js
+
+on:
+  push:
+    paths:
+      - ".github/workflows/example-ciba-nextjs.yml"
+      - "example-ciba-flow/aspnet-and-nextjs/frontend/**"
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: pnpm/action-setup@v2
+        name: Install pnpm
+        with:
+          version: 8
+          run_install: false
+
+      - name: Get pnpm store directory
+        shell: bash
+        run: |
+          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
+
+      - uses: actions/cache@v3
+        name: Setup pnpm cache
+        with:
+          path: ${{ env.STORE_PATH }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('example-ciba-flow/aspnet-and-nextjs/frontend/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-            
+
+      - name: Install pnpm dependencies
+        working-directory: example-ciba-flow/aspnet-and-nextjs/frontend
+        run: pnpm install --frozen-lockfile --strict-peer-dependencies
+
+      - name: Run build
+        working-directory: example-ciba-flow/aspnet-and-nextjs/frontend
+        run: pnpm build
+

.github/workflows/example-code-nextjs.yml

@@ -0,0 +1,40 @@
+name: Build Code Example - Next.js
+
+on:
+  push:
+    paths:
+      - ".github/workflows/example-code-nextjs.yml"
+      - "example-code-flow/nextjs-fullstack/**"
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: pnpm/action-setup@v2
+        name: Install pnpm
+        with:
+          version: 8
+          run_install: false
+
+      - name: Get pnpm store directory
+        shell: bash
+        run: |
+          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
+
+      - uses: actions/cache@v3
+        name: Setup pnpm cache
+        with:
+          path: ${{ env.STORE_PATH }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('example-code-flow/nextjs-fullstack/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-            
+
+      - name: Install pnpm dependencies
+        working-directory: example-code-flow/nextjs-fullstack
+        run: pnpm install --frozen-lockfile --strict-peer-dependencies
+
+      - name: Run build
+        working-directory: example-code-flow/nextjs-fullstack
+        run: pnpm build
+

.github/workflows/example-code-spring.yml

@@ -0,0 +1,24 @@
+name: Build Code Example - Spring
+
+on:
+  push:
+    paths:
+      - ".github/workflows/example-code-spring.yml"
+      - "example-code-flow/spring-auth-only/**"
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/setup-java@v3
+        with:
+          distribution: temurin
+          java-version: 17
+
+      - name: Setup Gradle
+        uses: gradle/gradle-build-action@v2
+
+      - name: Execute Gradle build
+        working-directory: example-code-flow/spring-auth-only
+        run: ./gradlew build --no-daemon

.gitignore

@@ -0,0 +1,3 @@
+.idea/
+*.iml
+.DS_Store

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 BankID BankAxept AS
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,17 @@
+# OpenID Connect Integration Examples
+
+This repository serves as a collection of examples on how to integrate
+with [BankID OIDC](https://confluence.bankidnorge.no/confluence/pdoidcl/introducing-bankid-on-openid-connect)
+and [BankID with Biometrics](https://developer.bankid.no/bankid-with-biometrics/home/). For further details on how to
+integrate with BankID, see the [BankID developer documentation](https://developer.bankid.no).
+
+## Examples
+
+- [oidc](example-code-flow) - [Authorization Code Flow](https://developer.bankid.no/bankid-with-biometrics/flows/code/)
+  examples (BankID High & BankID Substantial)
+- [ciba-flow](example-ciba-flow) - [Client Initiated Backchannel Authentication (CIBA)](https://developer.bankid.no/bankid-with-biometrics/flows/ciba/)
+  examples (BankID Substantial)
+
+## License
+
+This repository is licensed under the MIT License — see the [LICENSE](LICENSE) file for details.

example-ciba-flow/.gitignore

@@ -0,0 +1,6 @@
+
+
+# misc
+./.idea
+.DS_Store
+*.pem

example-ciba-flow/README.md

@@ -0,0 +1,7 @@
+# Client-Initiated Backchannel (CIBA)
+
+Learn more about CIBA in our [documentation](https://developer.bankid.no/bankid-with-biometrics/flows/ciba/).
+
+## Examples
+
+- [ASP.NET and Next.js](aspnet-and-nextjs) 

example-ciba-flow/aspnet-and-nextjs/README.md

@@ -0,0 +1,152 @@
+# CIBA flow example application
+
+This application is a simple example of integrating BankID with Biometrics into a payment system using the CIBA flow. We
+will create a payment permission based on user action, and have this permission granted using the CIBA flow.
+
+This example demonstrates how to implement the different calls to the BankID with Biometrics APIs in order to
+successfully implement the CIBA flow.
+
+## Prerequisites
+
+1. [Node.js](https://nodejs.org/en/) v18 LTS
+2. [pnpm](https://pnpm.io/) v8
+3. [dotnet](https://dotnet.microsoft.com/en-us/download) v6
+4. [Docker](https://www.docker.com/)
+
+## Getting started with Docker
+
+1. You need to request merchant client credentials from [BankID](https://developer.bankid.no/bankid-with-biometrics/testing/).
+
+2. Navigate to [backend/app](/example-ciba-flow/aspnet-and-nextjs/backend/app/) and make a copy
+   of `appsettings.example.json` to `appsettings.json`. You need to replace the following values with your own
+   credentials:
+
+- `CLIENT_ID` the merchant client id.
+- `CLIENT_SEC` the merchant client secret.
+
+Now you should be good to go!
+
+Navigate back to the [root](/example-ciba-flow/aspnet-and-nextjs/) folder where the `docker-compose.yaml` resides.
+
+```bash
+docker compose up --build --remove-orphans
+```
+
+Now you should be able to open a browser at `http://localhost:3000` to test out the application.
+
+## Run the project locally without Docker
+
+You can run the project locally without using docker. However, there are more steps involved.
+
+1. Navigate to [backend/app](/example-ciba-flow/aspnet-and-nextjs/backend/app/) and install the dependencies.
+    ```bash
+    cd backend/app
+    dotnet restore
+    ```
+
+2. Run the backend
+    ```bash
+    dotnet run
+    ```
+
+3. Navigate to the [frontend](/example-ciba-flow/aspnet-and-nextjs/frontend/) and run the following:
+    ```bash
+    cd frontend
+    pnpm install
+    pnpm dev
+    ```
+
+Now you should be able to open a browser at `http://localhost:3000` to test out the application.
+
+## Folder Structure
+
+- [backend](backend) - The backend written in ASP.NET.
+- [frontend](frontend) - The frontend written in Next.js.
+- [docker-compose.yaml](docker-compose.yaml) - The docker-compose file used to run the project. This will automatically
+  build the docker images for the backend and frontend.
+
+## How does this work?
+
+The following diagram illustrates the example application that integrates with BankID with Biometrics' CIBA flow.
+
+```mermaid
+sequenceDiagram
+    actor u as User / Browser
+    participant m as merchant
+    participant db as Merchant Database
+    participant sub as BankID SUB
+    participant bid as BankID OIDC
+
+
+# User initiated payment
+    note over u, bid: User initiated payment
+
+    u ->>+ m: POST /api/usercheck {nnin}
+    note left of u: User clicks "Confirm with BankID"
+    m ->>+ sub: POST /permissions/v1/user-exists {nnin}
+    sub -->>- m: exists
+    m -->>- u: exists
+    note left of u: If user exists continue the flow
+
+    u ->>+ m: POST /api/confirmpayment {type, iat, exp, permission, loginHint}
+    m ->>+ bid: POST /auth/realms/current/protocol/openid-connect/token {client_credentials, client_id, client_secrets, scope}
+    bid -->>- m: access_token
+    m ->>+ sub: POST /permissions/v1/ {type, loa, iat, exp, intents, permission, loginHint}
+    sub -->>- m: permissionToken, permissionID and bindingMessage
+
+# Push Notification:
+    note over u, bid: Push Notification
+    m ->>+ sub: POST /oidc/v1/bc-authorize {permissionToken, scope, binding_message}
+    sub -->>- m: auth_req_id
+    
+    m ->>+ db: STORE {access_token, permissionToken, binding_message, permissionID, HashedPermissionID. }
+    m -->>- u: binding_message and HashedPermissionID
+    note left of u: Message Displayed
+
+    u ->>+ m: POST api/authorize {binding_message, HashedPermissionID}
+    db ->>- m: FETCH {access_token, permissionToken, permissionID}
+    note over m, sub: Polling waiting approval from user
+    m ->>+ sub: POST oidc/v1/token
+    sub -->>- m: authorization_pending
+    break Payment timeout
+        m -->> u: returns a timeout error
+        u -->> u: Redirect to Failure page
+    end
+    
+    note over m, sub: User approved the payment
+    m ->>+ sub: POST oidc/v1/token
+    sub -->>- m: id_token
+
+    note over m, db: Fetch the grant
+    m ->>+ sub: POST permissions/v1/{permissionID}/grant
+    sub -->>- m: grant_token
+    break Grant timeout
+        m -->> u: returns a timout error
+        u -->> u: Redirect to Failure page
+    end
+# Payment authorized:
+    note over u, bid: Payment granted
+ 
+    m ->>+ db: STORE {permission_id grant_token}
+    
+    m -->>+ u: Payment successfull
+    u ->>+ u: Redirect to Successfull page
+```
+
+For more details and a tutorial on how to implement the CIBA flow
+see https://developer.bankid.no/bankid-with-biometrics/flows/ciba/.
+
+## Considerations
+
+This example application is not production-ready. It is meant to be used as a reference for how to integrate with
+BankID. The following considerations should be taken into account when using this example application:
+
+- The user controls the payment amount. This is not a good practice in a production environment. The merchant should
+  rather control the payment amount, for example when performing bank payments, approving a card payment initiated by
+  another merchant, etc.
+
+- The polling mechanism is not robust. It is meant to be used as a reference for how to implement the CIBA flow. In a
+  production environment, the merchant should implement a more robust polling mechanism to prevent the user from losing
+  their session, or eventually their payment authorization.
+
+- The id token and the grant token is currently not validated against JWKs.