Passwordless login flow
Passwordless login flows allow users to log in without needing to visit the Digidentity web page. Once logged in, the client can retrieve the user's personal details via either:
- OIDC (OpenID Connect): A summary of the user's primary personal details.
- Metadata report: A report containing more extensive personal details (e.g. results of background checks, or photos of the user's identity documents).
Passwordless login with OIDC
sequenceDiagram
participant USR as End-user
participant CFE as Client<br>webpage
participant CBE as Client<br>backend
participant DBE as Digidentity<br>backend
USR -->> CFE: User requests access<br>to client resource
CFE -->> CBE: Log in with Digidentity
CBE ->>+ DBE: Authorisation request (1)
DBE ->>- CBE: Login URL and<br>authorisation code
CBE -->> CFE: Display Login URL<br>as QR code
CBE ->>+ DBE: Poll for access token<br>with authorisation code (2)
USR -->> CFE: Scan QR code
USR -->> USR: Register/Enter PIN<br>in Digidentity app
DBE ->>- CBE: Access token
CBE ->>+ DBE: Request user info<br>with access token (3)
DBE ->>- CBE: User info
CBE -->> CFE: Update webpage
- (1) /oauth2/authorize.json
- (2) /oauth2/token
- (3) /user_info.json
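The OIDC flow above seen from the client backend, as an added example (not Digidentity's code): the authorisation code stays in server-side session state, polling is bounded by a deadline, and the pending login is cleared on success or failure. The three endpoint paths are the ones listed above; the field names (`login_url`, `code`, `access_token`, `sub`), the injected `post`/`get` transports, the session dict and `FakeBackend` are assumptions made so the example runs offline.

```python
import time

AUTHORIZE, TOKEN, USER_INFO = "/oauth2/authorize.json", "/oauth2/token", "/user_info.json"

class LoginTimeout(Exception):
    """The user did not complete the login in the app before the deadline."""

def passwordless_login(post, get, session, deadline_s=120, interval_s=2,
                       sleep=time.sleep, clock=time.monotonic):
    """Steps (1)-(3) for one browser session; post/get are injected transports."""
    auth = post(AUTHORIZE, {})                      # (1) authorisation request
    # Only the login URL goes to the webpage (as a QR code). The authorisation
    # code stays in server-side session state; it is what redeems the token.
    session["qr_url"] = auth["login_url"]           # field names are assumed
    session["pending_code"] = auth["code"]
    give_up = clock() + deadline_s
    try:
        while clock() < give_up:                    # (2) bounded polling
            reply = post(TOKEN, {"code": session["pending_code"]})
            if "access_token" in reply:
                return get(USER_INFO, reply["access_token"])   # (3) user info
            sleep(interval_s)
        raise LoginTimeout("login not completed in time")
    finally:
        # Success or failure, the code and QR URL are never left reusable.
        session.pop("pending_code", None)
        session.pop("qr_url", None)

class FakeBackend:
    """Constructed stand-in for the Digidentity backend, so this runs offline."""
    def __init__(self, polls_needed):
        self.polls_needed, self.polls = polls_needed, 0
    def post(self, path, body):
        if path == AUTHORIZE:
            return {"login_url": "https://idp.example/login/abc", "code": "code-abc"}
        if path == TOKEN and body.get("code") == "code-abc":
            self.polls += 1
            if self.polls >= self.polls_needed:     # user has entered the PIN
                return {"access_token": "tok-xyz"}
        return {"pending": True}
    def get(self, path, token):
        if path == USER_INFO and token == "tok-xyz":
            return {"sub": "pseudonym-123"}
        raise PermissionError(path)

if __name__ == "__main__":
    backend = FakeBackend(polls_needed=3)
    print(passwordless_login(backend.post, backend.get, {}, sleep=lambda s: None))
```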
Passwordless login with metadata report
sequenceDiagram
participant USR as End-user
participant CFE as Client<br>webpage
participant CBE as Client<br>backend
participant DBE as Digidentity<br>backend
loop Once per day
CBE ->>+ DBE: Request application token (1)
DBE ->>- CBE: Application token
end
USR -->> CFE: User requests access<br>to client resource
CFE -->> CBE: Log in with Digidentity
CBE ->>+ DBE: Authorisation request (2)
DBE ->>- CBE: Login URL and<br>authorisation code
CBE -->> CFE: Display Login URL<br>as QR code
CBE ->>+ DBE: Poll for access token<br>with authorisation code (3)
USR -->> CFE: Scan QR code
USR -->> USR: Register/Enter PIN<br>in Digidentity app
DBE ->>- CBE: Access token
CBE -->> CBE: Retrieve user pseudonym<br>from access token
CBE ->>+ DBE: Request metadata report<br>with application token<br>and user pseudonym (4)
DBE ->>- CBE: Metadata report
CBE -->> CFE: Update webpage
- (1) /oauth2/token.json
- (2) /oauth2/authorize.json
- (3) /oauth2/token
- (4) /api/v1/reports.json