eIDAS-related Calls

The eIDAS-related actions discussed here are not supported by the C# SDK.

You can use your eIDAS certificate to register with a particular bank. Keep in mind, however, that each member can be registered with only one bank, because every member is created under the realm of a single bank. If you wish to register with several banks without becoming a Token.io customer, you will therefore need to create a separate member for each bank.

Each member you create under the realm of a bank should own an eIDAS-type alias with a value equal to the tppAuthNumber.

To onboard the member, you provide your eIDAS certificate and prove you own it by signing the payload with the private key corresponding to the certificate's public key. Once TPP onboarding completes successfully, the member is granted permissions based on its certificate, and the eIDAS alias becomes verified and visible in the member's list of aliases. Remember that an alias belongs to a single member only; consequently, you cannot onboard another member for the same tppAuthNumber under the same bank.

We strongly recommend a registerWithEidas() call, which creates and onboards a member in one step. If you already have a member under the realm of a bank and wish to onboard it, or if you need to renew your certificate, use a verifyEidas() call instead, as described below.

In all cases, be sure to use the correct format when providing your certificate and the signature.

Certificate Format

The certificate must be supplied in single-line PEM format, i.e., the Base64-encoded DER certificate with no header, no footer and no line breaks. If you have your certificate in a .pem file, copy-paste its contents, omitting the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines and removing every newline.

Payload Signature

The signature must be base64url-encoded (no padding) and on a single line. You can generate such a signature with openssl like this:

openssl dgst -sha256 -sign private_key.pem -out /tmp/sign.sha256 payload.txt

openssl base64 -in /tmp/sign.sha256 | tr -d "=" | tr -- '+/' '-_' | tr -d "\n"

where private_key.pem is the file containing your private key and payload.txt contains the payload in normalized JSON format, wherein:

  1. Keys are sorted alphabetically.
  2. Keys are in double quotes.
  3. There are no spaces and no newlines, including no trailing newline at the end of the file (most editors add one, and it would change the digest).
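The following Go program is an added example, not code from the Token.io documentation or SDKs. It shows the whole preparation step end to end for both the Certificate Format and Payload Signature sections above: it normalizes a payload exactly as required (encoding/json sorts map keys at every nesting level and emits no whitespace), signs it the way `openssl dgst -sha256 -sign` does for an RSA key (SHA-256, RSA PKCS#1 v1.5), base64url-encodes the signature without padding, strips a PEM certificate down to the single-line Base64 body, and then verifies the signature against the certificate's public key as a pre-flight check before anything is submitted. The key and self-signed certificate are a constructed fixture standing in for a real eIDAS certificate, the payload field names are placeholders rather than Token.io's schema, and the code assumes an RSA key (an EC key would need the ECDSA variant).

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// NormalizePayload renders the payload as the page requires: keys sorted
// alphabetically at every level, double-quoted keys, no spaces and no newlines.
func NormalizePayload(payload map[string]interface{}) ([]byte, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false) // keep '<', '>', '&' literal, as a file fed to openssl would
	if err := enc.Encode(payload); err != nil {
		return nil, err
	}
	return bytes.TrimRight(buf.Bytes(), "\n"), nil // Encode appends a newline; drop it
}

// SignPayload does what `openssl dgst -sha256 -sign key.pem` does for an RSA
// key (SHA-256, RSA PKCS#1 v1.5), then base64url-encodes without padding.
func SignPayload(key *rsa.PrivateKey, normalized []byte) (string, error) {
	digest := sha256.Sum256(normalized)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyPayloadSignature is the pre-flight check: reject anything that is not
// unpadded single-line base64url, then verify against the certificate to be submitted.
func VerifyPayloadSignature(cert *x509.Certificate, normalized []byte, sig string) error {
	if strings.ContainsAny(sig, "=+/ \r\n") {
		return fmt.Errorf("signature must be unpadded single-line base64url")
	}
	raw, err := base64.RawURLEncoding.DecodeString(sig)
	if err != nil {
		return err
	}
	return cert.CheckSignature(x509.SHA256WithRSA, normalized, raw)
}

// SingleLineCertificate produces the required certificate format: the Base64 DER body
// of the PEM file, no BEGIN/END lines, no line breaks. Standard Base64 here, not base64url.
func SingleLineCertificate(pemText string) (string, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no CERTIFICATE block in input")
	}
	return base64.StdEncoding.EncodeToString(block.Bytes), nil
}

// NewTestCertificate is a constructed fixture standing in for a real eIDAS certificate.
func NewTestCertificate() (*rsa.PrivateKey, *x509.Certificate, string) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return key, cert, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

func main() {
	key, cert, pemText := NewTestCertificate()
	// Constructed payload; the field names are placeholders, not Token.io's schema.
	normalized, _ := NormalizePayload(map[string]interface{}{
		"tppAuthNumber": "PSDXX-TEST-000000",
		"alias":         map[string]interface{}{"value": "PSDXX-TEST-000000", "type": "EIDAS"},
	})
	sig, _ := SignPayload(key, normalized)
	certLine, _ := SingleLineCertificate(pemText)
	fmt.Println("payload:  ", string(normalized))
	fmt.Println("signature:", sig)
	fmt.Println("cert:     ", certLine)
	fmt.Println("verifies: ", VerifyPayloadSignature(cert, normalized, sig) == nil)
}
```

The verification step is worth keeping in any onboarding script: if the private key does not belong to the certificate you are about to paste, or the payload bytes you signed differ from the normalized JSON you send (a trailing newline is enough), the check fails locally instead of in a rejected onboarding call.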

When you're ready to enter production, use the code samples listed next for the purpose outlined to create, register, recover and/or verify a member under the realm of a bank with an eIDAS certificate.

The newly created member will have the public key from the certificate provided registered as a PRIVILEGED-level key, and an EIDAS alias whose value equals the authNumber (the tppAuthNumber) from the certificate.