API Reference

iDIN

API

iDIN API is for businesses that want to identify their users through the iDIN scheme. With iDIN, users can Log in, Identify themselves, and Confirm their age.

The user benefits from working in the online banking environment of their own issuing bank. The bank can provide certainty about the user's identity because it identified the user when they became a customer.

The iDIN scheme supports the following methods:

  • Full identification of the user - All attributes known to the issuing bank are shared with the merchant, including a Bank Identification Number (BIN) for use in recurring authentications.
  • Recurring authentication of the user - Only the BIN is shared. This can be linked to a previous identification.
  • Age verification - Determine if the user is 18+ (either true or false).

Attribute overview

Depending on the chosen method, different attributes are available in the API response.

iDIN supports the following attributes:

  • Consumer ID (“BIN”) – Bank Identification Number (unique for each Merchant)
  • First name initial
  • Last name
  • Address
  • Date of birth
  • Gender
  • Email
  • Telephone
  • Age confirmation (18 years old: yes/no) – only available through the age check transaction.

Using the API

After your account setup is complete, subscribe the iDIN API to your application.

With iDIN, users can Log in, Identify themselves, and Confirm their age. Various iDIN methods (identification, authentication and age verification) can be consumed through the one iDIN API with the same flow.

Create a session

Start a session with a POST sessions request to receive an authentication URL to which you redirect the user.

POST https://api.rabobank.nl/openapi/ris/auth/idin/sessions

To view the full list of POST parameters, go to:

  • POST /ris/auth/idin/sessions

The values provided in the requestedAttributes field determine which iDIN flow is initiated (Identification, Authentication or Age verification). Read the section at the end of this page to understand how this works and to avoid invoking the wrong method, which can have commercial impact.

POST iDIN session

You can start an iDIN session by using the POST /sessions request.

Use the following example request body to start an iDIN Identification flow:

{
    "callbackUrls": {
        "success": "https://api.rabobank.nl/success",
        "abort": "https://api.rabobank.nl/abort",
        "error": "https://api.rabobank.nl/error"
    },
    "language": "nl",
    "requestedAttributes": [
        "idpId",
        "initials",
        "name",
        "lastName",
        "gender",
        "dateOfBirth",
        "address"
    ],
    "externalReference": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "sessionLifetime": 1200
}

This results in the following example response body with status Created:

{
  "id": "472b1cf0-2c2e-1647-9dcc-035f11643943",
  "authenticationUrl": "https://api.rabobank.nl/broker/sp/external-service/login?messageId=68a7d453-39f2-e248-a099-0bf80a496066&transactionId=472b1cf0-2c2e-1647-9dcc-035f11643943",
  "status": "CREATED",
  "callbackUrls": {
    "success": "https://api.rabobank.nl/success&sessionId=472b1cf0-2c2e-1647-9dcc-035f11643943",
    "abort": "https://api.rabobank.nl/abort&sessionId=472b1cf0-2c2e-1647-9dcc-035f11643943",
    "error": "https://api.rabobank.nl/error&sessionId=472b1cf0-2c2e-1647-9dcc-035f11643943"
  },
  "language": "nl",
  "requestedAttributes": [
    "idpId",
    "initials",
    "name",
    "lastName",
    "gender",
    "dateOfBirth",
    "address"
  ],
  "externalReference": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "sessionLifetime": 1200
}

For each session, a unique sessionId is generated to identify the session.

After the user has completed the authentication flow (regardless of the method), the user is redirected to your own application (redirect URLs should be provided in HTTPS in the request body) and the status changes to a final state.

This should trigger your application to make a request to the GET endpoint and fetch the final result.

Retrieve a session

When the user is redirected back to your own application, the session reaches a final state and the result can then be fetched using a GET /sessions/:sessionId request.

GET iDIN session result

GET https://api.rabobank.nl/openapi/ris/auth/idin/sessions/472b1cf0-2c2e-1647-9dcc-035f11643943

To view the GET parameters, read the endpoint description for GET /ris/auth/idin/sessions/:sessionId

{
    "id": "472b1cf0-2c2e-1647-9dcc-035f11643943",
    "authenticationUrl": "https://api.rabobank.nl/broker/sp/external-service/login?messageId=43b6075c-924f-aa4d-98f7-05aba9ff2881&transactionId=472b1cf0-2c2e-1647-9dcc-035f11643943",
    "status": "SUCCESS",
    "provider": "idin",
    "subject": {
        "id": "pmJq-1hCBdYqcYPIwz3i7KKcg4wMcyWq00LA-kQofiw=",
        "idpId": "FANTASYBANK1234567890",
        "initials": "VJ",
        "name": "VJ de Vries",
        "lastName": "de Vries",
        "gender": "1",
        "dateOfBirth": "19750725",
        "address": "Croeselaan 18, 3521CB, Utrecht, NL",
        "addressFormatted": {
          "fullAddress": "Croeselaan 18, 3521CB, Utrecht, NL",
          "street": "Croeselaan",
          "houseNumber": "18",
          "city": "Utrecht",
          "postalCode": "3521CB",
          "country": "NL"
        }
    },
    "callbackUrls": {
        "success": "https://api.rabobank.nl/success&sessionId=472b1cf0-2c2e-1647-9dcc-035f11643943",
        "abort": "https://api.rabobank.nl/abort&sessionId=472b1cf0-2c2e-1647-9dcc-035f11643943",
        "error": "https://api.rabobank.nl/error&sessionId=472b1cf0-2c2e-1647-9dcc-035f11643943"
    },
    "allowedProviders": [
        "idin"
    ],
    "flow": "redirect",
    "requestedAttributes": [
        "idpId",
        "initials",
        "name",
        "lastName",
        "gender",
        "dateOfBirth",
        "address"
    ],
    "externalReference": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "sessionLifetime": 1200
}

  • Each response contains an X-Trace-Id header, which can be used for troubleshooting failed transactions.
  • Certain fields may not be available in the response body; this depends on their availability in the source and on the type of request. Read the response schema object to understand which fields can be part of the response body.

All responses are signed by Rabobank. To validate a response, read Validate signed responses.
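
The callback-then-fetch step above, as an added example that is not Rabobank's code: it binds the sessionId received on the callback to the session your application stored at creation before accepting any attributes. It assumes the response signature has already been validated; `accept_result`, `SessionMismatch` and the `pending` record are names invented for this example, and the YYYYMMDD date format is inferred from the sample value.

```python
from datetime import datetime

class SessionMismatch(Exception):
    """The callback or fetched result is not for the session we started."""

def accept_result(pending, callback_session_id, result):
    """Return the verified subject attributes, or None if not SUCCESS.

    pending: values stored server-side when the session was created.
    callback_session_id: sessionId received on the callback URL (untrusted).
    result: parsed JSON body of GET /sessions/:sessionId.
    """
    if callback_session_id != pending["id"]:
        raise SessionMismatch("callback sessionId was not started for this user")
    for field in ("id", "externalReference"):
        if result.get(field) != pending[field]:
            raise SessionMismatch(f"{field} differs from the stored session")
    if result.get("status") != "SUCCESS":
        return None  # CREATED or any other state: nothing verified
    subject = result.get("subject") or {}
    # Keep only what was requested; fields can be absent from the response.
    attrs = {k: subject[k] for k in pending["requestedAttributes"] if k in subject}
    if "dateOfBirth" in attrs:
        # Assumption from the sample value "19750725": format is YYYYMMDD.
        attrs["dateOfBirth"] = datetime.strptime(attrs["dateOfBirth"], "%Y%m%d").date()
    return attrs

# Constructed sample, trimmed from the example response on this page.
PENDING = {
    "id": "472b1cf0-2c2e-1647-9dcc-035f11643943",
    "externalReference": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "requestedAttributes": ["idpId", "lastName", "dateOfBirth"],
}
SAMPLE_RESULT = {
    "id": PENDING["id"],
    "status": "SUCCESS",
    "subject": {"idpId": "FANTASYBANK1234567890", "lastName": "de Vries",
                "dateOfBirth": "19750725", "gender": "1"},
    "externalReference": PENDING["externalReference"],
}

if __name__ == "__main__":
    print(accept_result(PENDING, PENDING["id"], SAMPLE_RESULT))
```

Store the `pending` record in the user's server-side session when the POST returns, so a sessionId pasted into a callback URL by someone else never matches.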

iDIN Directory Service

The iDIN API supports an endpoint to help retrieve the list of participating issuing banks, called the Directory Service. This list can be retrieved using the following endpoint: GET /ris/auth/idin/issuers

By default, the issuing bank selection screen provided by Rabobank is displayed. You can personalize the following on this page:

  • Background colour
  • Button colours
  • Company logo

If you want to use your own UI to ask the user for their issuing bank, you can retrieve the list of issuing banks and display the full list in your environment.

After the user selects one of the issuing banks, add the following object to the request body when creating a session, then redirect the user to the Rabobank iDIN flow using the authenticationUrl.

    "additionalParameters": {
        "idin_idp": "RABONL2U"
    },

Populating the requestedAttributes field

The authentication method and age verification method can also be invoked through the iDIN API. This is achieved by populating the requestedAttributes field as illustrated below. If more values are requested in the requestedAttributes field, the iDIN Identification method is invoked automatically.

Scenario | Example
iDIN Authentication | "requestedAttributes": ["idpId"]
iDIN Age verification | "requestedAttributes": ["idpId","18OrOlder"]
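
A pre-flight guard for the mapping above, as an added example that is not Rabobank's code: it predicts which iDIN method a requestedAttributes list will invoke and refuses to build a session body when that differs from the intended method or when a callback URL is not HTTPS. The function names, the flow labels and the `expected_flow` parameter are assumptions of this example; it also rejects lists without idpId because the page documents no such combination, and it requires all three callback URLs as in the page's request.

```python
from urllib.parse import urlsplit

def predict_flow(requested_attributes):
    """Return the iDIN method the page says this attribute list invokes."""
    attrs = set(requested_attributes)
    if not attrs or len(attrs) != len(requested_attributes):
        raise ValueError("requestedAttributes is empty or has duplicates")
    if "idpId" not in attrs:
        raise ValueError("no documented flow without idpId; refusing to guess")
    if attrs == {"idpId"}:
        return "authentication"
    if attrs == {"idpId", "18OrOlder"}:
        return "age_verification"
    # More values requested: Identification is invoked automatically.
    return "identification"

def build_session_body(expected_flow, requested_attributes, callback_urls,
                       external_reference, language="nl", session_lifetime=1200):
    """Build the POST /sessions body only if it invokes the intended method."""
    actual = predict_flow(requested_attributes)
    if actual != expected_flow:
        raise ValueError(f"attributes would invoke {actual}, not {expected_flow}")
    for key in ("success", "abort", "error"):
        parts = urlsplit(callback_urls.get(key, ""))
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError(f"callbackUrls.{key} must be an absolute HTTPS URL")
    return {
        "callbackUrls": {k: callback_urls[k] for k in ("success", "abort", "error")},
        "language": language,
        "requestedAttributes": list(requested_attributes),
        "externalReference": external_reference,
        "sessionLifetime": session_lifetime,
    }

# Constructed callback URLs on a placeholder merchant domain.
EXAMPLE_URLS = {
    "success": "https://merchant.example/idin/success",
    "abort": "https://merchant.example/idin/abort",
    "error": "https://merchant.example/idin/error",
}

if __name__ == "__main__":
    print(build_session_body("age_verification", ["idpId", "18OrOlder"],
                             EXAMPLE_URLS, "order-0001"))
```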