Passwordless login flow

Passwordless login flows allow users to log in without needing to visit the Digidentity web page. Once logged in, the client can retrieve the user's personal details via either:

  • OIDC (OpenID Connect): A summary of the user's primary personal details.
  • Identity verification report: A report containing more extensive personal details (e.g. results of background checks, or photos of the user's identity documents).

Passwordless login with OIDC

sequenceDiagram
    participant USR as End-user
    participant CFE as Client<br>webpage
    participant CBE as Client<br>backend
    participant DBE as Digidentity<br>backend

    USR -->> CFE: User requests access<br>to client resource
    CFE -->> CBE: Log in with Digidentity
    CBE ->>+ DBE: Authorisation request (1)
    DBE ->>- CBE: Login URL and<br>authorisation code
    CBE -->> CFE: Display Login URL<br>as QR code
    CBE ->>+ DBE: Poll for access token<br>with authorisation code (2)
    USR -->> CFE: Scan QR code
    USR -->> USR: Register/Enter PIN<br>in Digidentity app
    DBE ->>- CBE: Access token
    CBE ->>+ DBE: Request user info<br>with access token (3)
    DBE ->>- CBE: User info
    CBE -->> CFE: Update webpage
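The client-backend side of steps (1) to (3) in the diagram above, as an added example that is not Digidentity's code or API: it polls with a hard deadline, stops on any reply other than "still pending", and shows a replayed authorisation code being rejected. `FakeBackend`, its method names, the `pending` and `invalid_code` replies, the single-use behaviour of the code and the `idp.example` URL are all assumptions constructed for the illustration.

```python
import secrets
import threading
import time

class FakeBackend:
    """In-memory stand-in for the identity provider (constructed, not the real API)."""
    def __init__(self):
        self._approved, self._tokens = {}, {}  # code -> PIN entered?; token -> user info

    def authorisation_request(self):
        code = secrets.token_urlsafe(16)
        self._approved[code] = False
        return {"login_url": "https://idp.example/login", "code": code}

    def user_approves(self, code):  # user scanned the QR code and entered the PIN
        self._approved[code] = True

    def token_request(self, code):
        if code not in self._approved:
            return {"error": "invalid_code"}
        if not self._approved[code]:
            return {"error": "pending"}
        del self._approved[code]  # assumed single use: a replayed code is rejected
        token = secrets.token_urlsafe(16)
        self._tokens[token] = {"sub": "constructed-user-1"}
        return {"access_token": token}

    def user_info(self, token):
        return self._tokens.get(token)


def poll_for_token(backend, code, interval=0.01, timeout=1.0):
    """Client backend: poll until a token arrives, the code is rejected, or time runs out."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        reply = backend.token_request(code)
        if "access_token" in reply:
            return reply["access_token"]
        if reply["error"] != "pending":
            raise PermissionError(reply["error"])
        time.sleep(interval)
    raise TimeoutError("login not completed before the deadline")


def demo_login(backend, approve_after=0.03):
    req = backend.authorisation_request()                 # step (1)
    threading.Timer(approve_after, backend.user_approves, [req["code"]]).start()
    token = poll_for_token(backend, req["code"])          # step (2)
    return req["code"], backend.user_info(token)          # step (3)
```

In a real client the authorisation code and access token stay on the client backend; only the login URL is passed to the webpage for display as a QR code.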

Passwordless login with identity verification report

sequenceDiagram
    participant USR as End-user
    participant CFE as Client<br>webpage
    participant CBE as Client<br>backend
    participant DBE as Digidentity<br>backend

    loop Once per day
        CBE ->>+ DBE: Request application token (1)
        DBE ->>- CBE: Application token
    end

    USR -->> CFE: User requests access<br>to client resource
    CFE -->> CBE: Log in with Digidentity
    CBE ->>+ DBE: Authorisation request (2)
    DBE ->>- CBE: Login URL and<br>authorisation code
    CBE -->> CFE: Display Login URL<br>as QR code
    CBE ->>+ DBE: Poll for access token<br>with authorisation code (3)
    USR -->> CFE: Scan QR code
    USR -->> USR: Register/Enter PIN<br>in Digidentity app
    DBE ->>- CBE: Access token
    CBE -->> CBE: Retrieve user pseudonym<br>from access token
    CBE ->>+ DBE: Request identity report<br>with application token<br>and user pseudonym (4)
    DBE ->>- CBE: Identity report
    CBE -->> CFE: Update webpage