2. Preparation of electronic signing

1) Obtain Authorization code

Request

🚧

The urn:safelayer:eidas:sign:identity:profile scope shall be used.

GET /trustedx-authserver/oauth/lvrtc-eipsign-as?response_type=code&  
   client_id=...&  
   state=...&  
   redirect_uri=...&  
   scope=...&  
   prompt=...&  
   acr_values=...&  
   ui_locales=...

Response

GET {redirection_uri_path}?code={code}&state={state} HTTP/1.1  
Host: {redirection_uri_host}

2) Obtain an access token

Request

🚧

Use the "code" value received from the previous operation.

POST /trustedx-authserver/oauth/lvrtc-eipsign-as/token HTTP/1.1  
Host: eidas.eparaksts.lv  
Authorization: Basic cG9ydCVDNCU4MWxzOmRybyVDNSVBMSVDNCVBQmJh  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

grant_type=authorization_code&  
     redirect_uri=https://www.demoapp.lv/oauth/back&  
     code=4515...e0ban

Response

{  
"access_token" : "{string}",  
"token_type" : "Bearer",  
"expires_in" : "{number}"  
}

3) Obtain Information About the Authenticated User (Getting signing identities)

Request

🚧

Use the access token received from the previous operation.

GET /trustedx-resources/openid/v1/users/me  
Host: eidas.eparaksts.lv  
Authorization: Bearer a2b4...6daf  

Response example for urn:safelayer:eidas:sign:identity:profile scope

HTTP/1.1 200 OK  
Content-Type: application/json; charset=UTF-8  
{"sign_identities": [  
        {"id": "a46...hu6",  
            "status": {  
                "value": "enabled"  
            },  
            "labels": [  
                "serverid",  
                "x509:keyUsage:contentCommitment",  
                "eparaksts",  
                "serveridVersion1"  
            ],  
            "domain": "citizen",  
            "links": {  
                "Signatures.create.server.raw": {  
                    "auth": {  
                        "oauth2": {  
                            "scopes": [  
                                "urn:safelayer:eidas:sign:identity:use:server"  
                            ]  
                        }  
                    }  
                }  
            },  
            "self": "https://eidas-demo.eparaksts.lv/trustedx-resources/esigp/v1/sign_identities/a46...hu6",  
            "access": [  
                {"user_id": "55f...16d"  
                }  
            ],  
            "type": "pki:x509"  
        },  
        {"id": "oth...516",  
            "status": {  
                "value": "enabled"  
            },  
            "labels": [  
                "mobileidVersion1",  
                "eparaksts",  
                "mobileid",  
                "x509:keyUsage:digitalSignature"  
            ],  
            "domain": "citizen",  
            "device_id": "ae34dd7.........104a2",  
            "self": "https://eidas-demo.eparaksts.lv/trustedx-resources/esigp/v1/sign_identities/oth...516",  
            "access": [  
                {  
                    "user_id": "55f...16d"  
                }  
            ],  
            "type": "pki:x509"  
        }  
    ]  
}

4) Obtain Signing Identity Information (Getting Signing or Authentication certificate)

Request

🚧

Authentication certificate

To receive the authentication certificate, you shall read and use the id value (from the previous operation) of the identity whose labels array contains both the mobileid and x509:keyUsage:digitalSignature tags.

The authentication certificate is needed if you are using the SignAPI service for finalizing the signature.

🚧

Signing certificate

To receive the signing certificate, you shall read and use the id value (from the previous operation) of the identity whose labels array contains the serverid tag.

The signing certificate is needed if you are using the SignAPI service or another solution to sign signable data according to the XAdES or PAdES specification.

You also need to make sure the status value is enabled.

GET /trustedx-resources/esigp/v1/sign_identities/a46...hu6 HTTP/1.1  
Authorization: Bearer mF_9.B5f-4.1JqM

Response

{  
  "id" : {string},  
  "self" : {string},  
  "description" : {string},  
  "labels" : [ {string} ],  
  "type" : {string},  
  "device_id" : {string},  
  "domain" : {string},  
  "access" : [ {  
    "user_id" : {string}  
  } ],  
  "details" : {  
    "certificate" : {string},  
    "activation_mode" : {string},  
    "public_key" : {string}  
  },  
  "links" : {  
    <operation_alias> : {  
      "auth" : {  
        "oauth2" : {  
          "scopes" : [ {string} ]  
        }  
      }  
    }  
  },  
  "status" : {  
    "value" : {string},  
    "reason" : {string}  
  }  
}

🚧

The details.certificate property contains the X.509 certificate, encoded in DER and then base64.

The authentication certificate is used in the SignAPI service for finalizing signature creation.

The signing certificate is used to calculate the signable data.
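
The selection rules from steps 3 and 4 can be enforced in client code before any certificate is used. The following Python sketch is an added example, not code from the service documentation: the function names, the sample ids, the non-enabled status value and the rule of rejecting anything other than exactly one match are assumptions made here.

```python
import base64

# Label sets taken from step 4 of this page.
SIGNING_LABELS = {"serverid"}
AUTH_LABELS = {"mobileid", "x509:keyUsage:digitalSignature"}


def select_identity(userinfo: dict, required_labels: set) -> str:
    """Return the id of the single enabled identity carrying all required labels."""
    matches = [
        ident["id"]
        for ident in userinfo.get("sign_identities", [])
        if required_labels <= set(ident.get("labels", []))
        and ident.get("status", {}).get("value") == "enabled"
    ]
    if len(matches) != 1:
        # Assumption of this example: fail closed instead of guessing between
        # several identities or falling back to one that is not enabled.
        raise LookupError(f"expected exactly one enabled identity, found {len(matches)}")
    return matches[0]


def decode_certificate(identity: dict) -> bytes:
    """Decode details.certificate (base64 of DER) and sanity-check the outer tag."""
    der = base64.b64decode(identity["details"]["certificate"], validate=True)
    if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
        raise ValueError("details.certificate is not a DER SEQUENCE")
    return der


# Constructed sample shaped like the step 3 response; all ids are placeholders
# and "disabled" stands in for any status value other than "enabled".
SAMPLE_USERINFO = {"sign_identities": [
    {"id": "sign-id-placeholder", "status": {"value": "enabled"},
     "labels": ["serverid", "x509:keyUsage:contentCommitment", "eparaksts"]},
    {"id": "auth-id-placeholder", "status": {"value": "enabled"},
     "labels": ["mobileid", "eparaksts", "x509:keyUsage:digitalSignature"]},
    {"id": "old-id-placeholder", "status": {"value": "disabled"},
     "labels": ["serverid", "eparaksts"]},
]}

if __name__ == "__main__":
    print("signing identity:", select_identity(SAMPLE_USERINFO, SIGNING_LABELS))
    print("authentication identity:", select_identity(SAMPLE_USERINFO, AUTH_LABELS))
```

The returned id is the value to place in the step 4 request path; decode_certificate only checks the encoding, so certificate chain and validity checks still have to be done by the signing component.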