Notification based flows
In general, notification-based flows resemble the flows of RP API v2 in that they rely on the push notification mechanism. The main differences with regard to RP API v2 are:
- Verification codes are returned to the RP by the server instead of being calculated by the RP;
- The signing protocols for authentication and signature requests have changed.
Below, sequence diagrams are given along with explanations of the differences.
Signature protocols
There are separate signing protocols for authentication and signature requests (see here for details).
Verification codes
In RP API v3, verification codes (VC) are no longer generated by the RP from the DTBS (data to be signed); they are returned by the server to the RP. Verification codes are only relevant for the notification-based flows.
Currently, only one verification code type is supported:
- alphaNumeric4
The returned verification code consists of 4 characters and must be shown to the user exactly as received from the server. The type is named "alphaNumeric4" because in the future the 4-symbol code may also contain letters. For the time being, only numeric values are returned for technical reasons, but this may change, so RPs must not assume that the code contains digits only (for example by parsing it as an integer, which would also drop a leading zero).
Motivation for adding non-numeric data in the future: in the previous API versions the numeric-only codes resembled the users' PIN codes and confused some users. Including letters also increases the number of possible combinations, strengthening the code as a security measure.
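The following is an added example of how an RP can handle the server-returned verification code defensively; it is not code from the RP API documentation. It assumes the session response carries the code as a JSON object `{"vc": {"type": "alphaNumeric4", "value": "..."}}` (the field names `vc`, `type` and `value` are assumptions for this example and should be checked against the actual response format). The point it demonstrates is the caveat above: treat the code as an opaque string, accept letters as well as digits, keep leading zeros, and fail closed on a type the RP does not know.

```python
"""RP-side handling of an RP API v3 verification code (VC).

Added example, not code from the RP API documentation. The response shape
{"vc": {"type": "alphaNumeric4", "value": "...."}} is an assumption made for
this example; verify the field names against the real session response.
"""
import json
import re

# Known VC types and the validation rule for each. The alphaNumeric4 rule
# accepts letters as well as digits, so the RP keeps working unchanged if
# the server starts returning letters in the 4-character code.
VC_RULES = {
    "alphaNumeric4": re.compile(r"[A-Za-z0-9]{4}"),
}


class VerificationCodeError(ValueError):
    """Raised when the server's VC cannot be shown to the user safely."""


def extract_verification_code(session_response: str) -> str:
    """Return the VC exactly as the server sent it.

    The code is an opaque string: it is never converted to an integer and
    never regenerated locally from the DTBS as RP API v2 did.
    """
    body = json.loads(session_response)
    vc = body.get("vc")
    if not isinstance(vc, dict):
        raise VerificationCodeError("response carries no verification code object")
    vc_type = vc.get("type")
    rule = VC_RULES.get(vc_type)
    if rule is None:
        # A type this RP was not written for: refuse rather than display
        # something that may not be a 4-character code at all.
        raise VerificationCodeError(f"unsupported verification code type: {vc_type!r}")
    value = vc.get("value")
    if not isinstance(value, str) or rule.fullmatch(value) is None:
        raise VerificationCodeError(f"value {value!r} does not match type {vc_type!r}")
    return value


def has_displayable_verification_code(session_response: str) -> bool:
    """True if the response carries a VC this RP is willing to display."""
    try:
        extract_verification_code(session_response)
        return True
    except (VerificationCodeError, ValueError):
        return False


def legacy_numeric_display(value: str) -> str:
    """The habit to avoid: RP API v2-era code that assumes a 4-digit number.

    It silently drops a leading zero ("0427" becomes "427") and raises
    ValueError as soon as the server returns a letter.
    """
    return str(int(value))


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real server.
    numeric = json.dumps({"sessionID": "example-session-id",
                          "vc": {"type": "alphaNumeric4", "value": "0427"}})
    with_letters = json.dumps({"sessionID": "example-session-id",
                               "vc": {"type": "alphaNumeric4", "value": "4A7B"}})
    unknown = json.dumps({"sessionID": "example-session-id",
                          "vc": {"type": "alphaNumeric6", "value": "4A7B9C"}})
    print("show to user:", extract_verification_code(numeric))
    print("show to user:", extract_verification_code(with_letters))
    print("unknown type accepted?", has_displayable_verification_code(unknown))
    print("legacy handling of 0427:", legacy_numeric_display("0427"))
    try:
        legacy_numeric_display("4A7B")
    except ValueError as exc:
        print("legacy handling breaks on letters:", exc)
```

The validator is keyed on the declared type rather than on the value, so adding support for a future type means adding one entry to `VC_RULES`; until then an unknown type is rejected instead of being shown to the user as if it were a 4-character code.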