Identity & Onboarding

Integration methodologies

EID Gateway (EIDG) is an OpenID Connect (OIDC) Provider, while the tenant application acts as the OpenID Connect relying party.
With the OIDC protocol, the relying party (tenant) and the OIDC Provider (EIDG) share a configuration that allows them to communicate and exchange information. This configuration consists of:
  • Client Id (provided by EIDG to tenant)
  • Client Secret (provided by EIDG to tenant)
  • Redirect URIs (provided by tenant to EIDG)
  • List of required authentication schemas and their configurations
The Client Id and Client Secret identify the tenant and prevent uncontrolled access. Redirect URIs is the list of tenant application URIs that are allowed to receive the callback from the OIDC Provider. Before using EIDG, the tenant agrees on which authentication schemas it wants to use and on their specific configurations. For example, a tenant interested in the SPID authentication schema must provide the list of SPID attributes it needs and the SPID level (level 1 or level 2). This complete configuration will be stored.

EIDG implements the authorization code flow to start an OIDC authentication session. With this flow the user is redirected from the tenant application to the OIDC Provider front end, where the user enters their credentials. When login succeeds, the user is redirected from the OIDC Provider back to the tenant application and the authentication flow is closed. With this integration method the user never provides credentials outside the OIDC Provider environment: the tenant application and the OIDC Provider are separate environments.

User Interface customization

EIDG User interface can be configured for each Client Id with:
  • header
  • footer
  • Background color
The header can be an image; accepted formats are png, jpg and svg. The CSS rule is background-size: cover and the height is 180 pixels. Suggested size: 4000 x 180 pixels. The footer can be an image; accepted formats are png, jpg and svg. The CSS rule is background-size: cover and the height is 100 pixels. Suggested size: 4000 x 100 pixels. The background color can be any RGB color; note that the font color can’t be changed.

API details

Authorization code flow

The authorisation process on EIDG is initiated by redirecting the user to the following endpoint:
<url_servizio>/authorize?client_id=<client_id>&state=<state>&redirect_uri=<redirect_uri>&acr_values=<acr_values>&response_type=<response_type>&scope=<scope>&ui_locales=<ui_locales>&code_challenge_method=<code_challenge_method>&code_challenge=<code_challenge>
The parameters in this URL are:
  • <url_servizio>: URL at which EIDG is published, which differs depending on the environment to be targeted (TESTING: https://eid-gatewaycl.infocert.it/oauth2; PRODUCTION: https://eid-gateway.infocert.it/oauth2)
  • <client_id>: Client ID provided by EIDG during enrolment.
  • <state>: String for use by the client application, useful for saving a session ID or status before the authorisation flow is started. EIDG will return it as it is at the end of the process.
  • <redirect_uri>: Absolute URL that EIDG must redirect to at the end of the authentication process. This redirection occurs regardless of the outcome of the user authentication. This URL must match the one provided during enrollment.
  • <acr_values>: A space-separated list of method codes among the ones provided in the enrollment phase. Methods pertaining to different channels can be sent together (e.g. infocert:identification:method:SPID_LEVEL_2 infocert:identification:method:CIE), while any request with multiple same-channel methods will be rejected (e.g. infocert:identification:method:SPID_LEVEL_1 infocert:identification:method:SPID_LEVEL_2).
  • <response_type>: Must be set to code
  • <scope>: Must be set to openid
  • <ui_locales>: Indicates a preferred language for EIDG’s user interface and any potential error descriptions. Must be set to the ISO two-letter code (e.g. it for Italian, en for English).
  • <code_challenge_method>: Optional but highly recommended. Client verification method according to PKCE for OAuth2. Must be set to S256.
  • <code_challenge>: Optional but highly recommended. Client verification string in SHA256 hash format, according to PKCE for OAuth2.
The EIDG authorisation process is based on the OAuth2 protocol and involves a series of steps to authorise the client so that the requested user information can be retrieved. The various steps that make up a complete authorisation flow are detailed below. All endpoints listed are to be considered relative to the main URL of the service indicated as <url_servizio>.

STEP 1 – initial endpoint

Endpoint: /authorize
Method: GET (redirect from client application)
This is the first endpoint of the authorisation flow. See the previous section for the parameters to be appended to the address. By redirecting the user to this endpoint, they will be taken to the EIDG front end, where they will be able to select the desired authentication method as well as the provider, if any, from those associated with the requested <acr_values>.

STEP 2 – Authentication of the user by the identity provider

At this point, the user will have to authenticate using the credentials of the chosen service and complete any credential verification steps, such as providing an OTP token or confirming the operation via app. Once authentication is complete, regardless of the outcome, the Identity Provider (hereafter IDP) redirects the user to EIDG, which processes the response received and redirects the user to the callback URL of the client application.

STEP 3 – client callback

At this point, EIDG redirects the user to the client application. Depending on the outcome of the authentication, the composition of the URL is slightly different.
Method: GET (redirect from EIDG)
Endpoint:
  • <redirect_uri>?code=<authorization_code>&state=<state> (authentication successful)
  • <redirect_uri>?error=<oauth_error>&errorCode=<eidg_error>&errorDescription=<error_description>&state=<state> (authentication failed)
The parameters of the URLs are as follows:
  • <redirect_uri> Absolute URL of the endpoint on the client application indicated in step 1, which EIDG must redirect to at the end of the authentication process. This redirection occurs regardless of the outcome of the user authentication.
  • <authorization_code> Code to be used in the next call to obtain access and refresh tokens.
  • <state> String of the client application indicated in step 1.
  • <oauth_error> Summary error code according to OAuth and OIDC
  • <eidg_error> Error code produced by EIDG identifying the specific problem encountered. See Error Handling chapter below.
  • <error_description> Description of the error. If available, the string translated into the locale requested at the start is provided; otherwise it is in Italian.

STEP 4 – Requesting access/refresh token

Endpoint: /token
Method: POST
Authentication: Basic base64(<client_id>:<client_secret>) (client_id and client_secret provided during enrolment)
Content-type: application/x-www-form-urlencoded
Parameters:
  • code: Authorisation code returned by EIDG in the previous redirect.
  • grant_type: Type of grant to be requested. In this case, pass “authorization_code”.
  • code_verifier: Mandatory if PKCE was adopted during the /authorize call. Client verification string in plain format, according to PKCE for OAuth2.
  • redirect_uri: Redirect URI provided during enrolment. This stage serves to validate the origin of the request.
With this endpoint, the authorisation code is exchanged for the first access and refresh tokens. Unless otherwise required, the access token is valid for 3 minutes, while the refresh token is valid for 24 hours. In the event of a successfully created token, a status code of 201 (Created) is returned and a JSON response consisting of the two tokens, the type of authentication to be used (always Bearer for now) and the expiration of the access token in seconds.
{
    "idToken": "eyJ....fg",
    "accessToken": "eyj....fg",
    "refreshToken": "eyJ....pb",
    "expiresIn": 360,
    "tokenType": "Bearer"
}
In the event of an error during token creation, EIDG will respond with the status code appropriate to the type of problem (e.g. 400, 403, 500) and a JSON response as follows:
{
    "error": "access_denied",
    "errorCode": "EIDG_5",
    "errorDescription": "Invalid client_id or client_secret"
}
For the error list, see the Error Handling chapter.
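
The client side of STEPs 1, 3 and 4 as an added example (not InfoCert's code; nothing is sent over the network): it builds the /authorize redirect with state and PKCE, validates the callback, and prepares the /token request. The function names and `EidgError` are hypothetical, and the channel rule in `channel_of`, the tenant URL and the secret are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


class EidgError(Exception):
    """Error returned by EIDG on the callback (error, errorCode, errorDescription)."""

    def __init__(self, error, error_code, description):
        super().__init__(f"{error} / {error_code}: {description}")
        self.error, self.error_code = error, error_code


def channel_of(method_code):
    # Assumption (not from the page): the channel is the method name without
    # its _LEVEL_n suffix, so SPID_LEVEL_1 and SPID_LEVEL_2 share channel SPID.
    return method_code.rsplit(":", 1)[-1].split("_LEVEL_")[0]


def check_acr_values(acr_values):
    """Refuse locally what EIDG would reject: two methods of the same channel."""
    seen = {}
    for code in acr_values.split():
        channel = channel_of(code)
        if channel in seen:
            raise ValueError(f"same-channel methods: {seen[channel]} and {code}")
        seen[channel] = code
    return list(seen.values())


def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_request(base_url, client_id, redirect_uri, acr_values, ui_locales="en"):
    """STEP 1: return (url, state, code_verifier); keep the last two in the session."""
    check_acr_values(acr_values)
    state = secrets.token_urlsafe(32)      # unguessable, bound to this browser session
    verifier = secrets.token_urlsafe(48)   # 64 characters, never sent to /authorize
    query = urlencode({
        "client_id": client_id,
        "state": state,
        "redirect_uri": redirect_uri,
        "acr_values": acr_values,
        "response_type": "code",
        "scope": "openid",
        "ui_locales": ui_locales,
        "code_challenge_method": "S256",
        "code_challenge": s256_challenge(verifier),
    })
    return f"{base_url}/authorize?{query}", state, verifier


def handle_callback(callback_url, expected_state):
    """STEP 3: check state first, then return the code or raise the EIDG error."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    returned = params.get("state", "").encode()
    if not hmac.compare_digest(returned, expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in params:
        raise EidgError(params["error"], params.get("errorCode"),
                        params.get("errorDescription"))
    if "code" not in params:
        raise ValueError("callback carries neither code nor error")
    return params["code"]


def build_token_request(base_url, client_id, client_secret, code, verifier, redirect_uri):
    """STEP 4: return (url, headers, body) for the POST; nothing is sent here."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "code": code,
        "grant_type": "authorization_code",
        "code_verifier": verifier,
        "redirect_uri": redirect_uri,
    })
    return f"{base_url}/token", headers, body


if __name__ == "__main__":
    # Constructed sample values; only the TESTING base URL comes from the page.
    base = "https://eid-gatewaycl.infocert.it/oauth2"
    redirect = "https://tenant.example/login"
    acr = "infocert:identification:method:SPID_LEVEL_2 infocert:identification:method:CIE"
    url, state, verifier = build_authorize_request(base, "demo-web-app", redirect, acr)
    code = handle_callback(f"{redirect}?code=constructed-code&state={state}", state)
    print(build_token_request(base, "demo-web-app", "constructed-secret", code, verifier, redirect))
```

The state and code verifier belong in server-side session storage keyed to the user's browser session, so the callback can be matched to the request that started it.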

STEP 5 – User info retrieval

Endpoint: /user-info
Method: GET
Authentication: Bearer <access_token> (access_token obtained in the previous step)
With this endpoint, the data of the authenticated user can be retrieved. EIDG will return a JSON that always has the same attributes. Depending on the dataset agreed to with the client, the respective attributes in the response will be valued, while the rest will be null. In the event of a successful call, EIDG will return a JSON with the user’s data, an excerpt of which is reproduced below. For a more detailed description of the complete data model, see the Data Model chapter.
{
    "version": "1.0",
    "givenName": "Ada",
    "familyName": "Lovelace",
    "birthPlace": {
        "address": {
            "streetAddress": null,
            "postalCode": null,
            "addressRegion": "PI",
            "addressLocality": "PISA",
            "addressCountry": "IT"
        }
    },
    "birthDate": "1985-12-10",
    "gender": "F",
    "taxID": "LVLDAA85T50G702B",
    "....": "...."
}
In the event of an error during token creation, EIDG will respond with the status code appropriate to the type of problem (e.g. 400, 403, 500) and a JSON response as follows:
{
    "error": "access_denied",
    "errorCode": "EIDG_5",
    "errorDescription": "Invalid client_id or client_secret"
}
For the error list, see the Error Handling section.

STEP 6 – Request for new access token (optional)

Endpoint: /token
Method: POST
Authentication: Basic base64(<client_id>:<client_secret>) (client_id and client_secret provided during enrolment)
Content-type: application/x-www-form-urlencoded
Parameters:
  • grant_type: Type of grant to be requested. In this case, pass “refresh_token”.
  • refresh_token: Refresh token obtained with the first call to /token.
With this endpoint, a new access token is provided if the one available has expired. In the event of a successfully created token, a status code of 201 (Created) is returned and a JSON response consisting of the two tokens, the type of authentication to be used (always Bearer for now) and the expiration of the access token in seconds.
{
    "idToken": "eyJ....fg",
    "accessToken": "eyj....fg",
    "refreshToken": "eyJ....pb",
    "expiresIn": 360,
    "tokenType": "Bearer"
}
In the event of an error during token creation, EIDG will respond with the status code appropriate to the type of problem (e.g. 400, 403, 500) and a JSON response as follows:
{
    "error": "access_denied",
    "errorCode": "EIDG_5",
    "errorDescription": "Invalid client_id or client_secret"
}
For the error list, see the Error Handling chapter.

STEP 7 – token revoke

Endpoint: /revoke
Method: POST
Authentication: Bearer <token_to_revoke>
With this endpoint, an access or refresh token can be revoked to prevent further access to the user information associated with it. If an access token is passed, only this will be revoked. If a refresh token is passed, the corresponding access token will also be revoked and a new end-user authentication will be necessary in order to retrieve the user's personal data again.

Use Cases

Tenant wants to use SPID authentication

Tenant will sign a contract with InfoCert as “SPID soggetto aggregato” and must provide:
  • Redirect URIs
  • List of admitted origins for CORS policy
  • List of desired SPID attributes
  • Desired SPID level
InfoCert must provide:
  • Client Id
  • Client Secret
  • List of identification methods
  • EIDG base url
With this information InfoCert will prepare specific metadata for the tenant and communicate it to AGID. After AGID's checks, the metadata will be sent (by AGID) to all SPID IDPs to make it available. The tenant will start the OIDC authorization code flow, passing the identification method(s) as acr_values so that EIDG presents the proper user interface. After the user has authenticated, the tenant application will call userInfo to get the userInfo attributes.

Tenant wants to use CIE authentication

Tenant has already become “CIE Service Provider” and must provide:
  • Redirect URIs
  • List of admitted origins for CORS policy
  • CIE Metadata that refers to EIDG CIE callback
  • its private key to sign requests
InfoCert must provide:
  • Client Id
  • Client Secret
  • List of identification methods
  • EIDG base url
With this information InfoCert will configure the tenant metadata and key. The tenant will start the OIDC authorization code flow, passing the identification method(s) as acr_values so that EIDG presents the proper user interface. After the user has authenticated, the tenant application will call userInfo to get the userInfo attributes.

Tenant wants to use FranceConnect authentication

Tenant must provide:
  • Redirect URIs
  • Desired FranceConnect level (FranceConnect or FranceConnectPlus)
InfoCert must provide:
  • Client Id
  • Client Secret
  • List of identification methods
  • EIDG base url
The tenant will start the OIDC authorization code flow, passing the identification method(s) as acr_values so that EIDG presents the proper user interface. After the user has authenticated, the tenant application will call userInfo to get the userInfo attributes.

API Reference

User info model

The fields that make up the user data model are detailed below.
| Attribute | Parent attribute | Example | Description |
|---|---|---|---|
| version | | 1.0 | Data model version. There will be versions of this model to facilitate backward compatibility |
| givenName | | Marisa | Subject’s name |
| familyName | | Italy | Subject’s surname |
| birthPlace | | | Birthplace attributes |
| address | birthPlace | | Birthplace address. Not to be confused with the address attribute below |
| streetAddress | BirthPlace.address | | Not used |
| postalCode | BirthPlace.address | | Not used |
| addressRegion | BirthPlace.address | RM | Birthplace province (only for those born in Italy) |
| addressLocality | BirthPlace.address | ROME | Birthplace municipality (only for those born in Italy) |
| addressCountry | BirthPlace.address | IT | Birthplace country code according to the ISO 3166 alpha-2 standard |
| birthDate | | 1930-01-01 | Date of birth yyyy-mm-dd |
| gender | | F | Subject’s gender |
| taxID | | TLIMRS30A41H501K | Tax code (for individuals) |
| vatID | | IT12345678901 | VAT number or equivalent (for companies) |
| telephone | | +393330000100 | Phone number |
| email | | marisa.italia.cl@mailsac.com | Email |
| digitalAddress | | marisa.italia.cl@pecmail.com | PEC certified email |
| address | | | Residence address. Not to be confused with the birthPlace.address attribute above |
| streetAddress | address | Via Delle Robe 20 | Residence address (street, square, etc.) |
| postalCode | address | 10156 | Residence postcode |
| addressRegion | address | TO | Residence province |
| addressLocality | address | Turin | Residence municipality |
| addressCountry | address | IT | Residence country ISO 3166 alpha-2 standard |
| electronicId | | | Digital identity attributes |
| name | electronicId | SPID | Digital identity type |
| country | electronicId | IT | Country of issue |
| id | electronicId | INFC0000012739 | Unique ID of the provider relating to the subject. |
| expirationDate | electronicId | 2024-08-24 | Identity expiry |
| physicalId | | | Attributes relating to the physical identification document |
| name | physicalId | ID card | Document type |
| documentNumber | physicalId | AV0639329 | Document ID |
| issuer | physicalId | MunicipalityPianoro | Document issuing body |
| issuerDate | physicalId | 2014-03-21 | Issue date |
| expirationDate | physicalId | 2024-08-22 | Expiry |
| _idp | | https://identity.infocert.it | Identity provider used to retrieve the dataset |
| _rawRequest | | | Base64 of the body of the request to the IDP |
| _rawResponse | | | Base64 of the body of the IDP’s response |

Error handling

List of error codes

Below is an up-to-date list of error codes handled by EIDG and any recommended actions.
| errorCode | error | Error type | Resolution owner | Cause of error | Suggested operation |
|---|---|---|---|---|---|
| SPID_19 | access_denied | ErrorCode SPID | End user | Authentication failed due to repeated submission of incorrect credentials | Show the error to the end user asking them to try again |
| SPID_20 | access_denied | ErrorCode SPID | End user | User without credentials compatible with the level required by the service provider | Show the error to the end user asking them to try again |
| SPID_21 or CIE_21 | access_denied | ErrorCode SPID/CIE | End user | Timeout during user authentication | Show the error to the end user asking them to try again |
| SPID_22 or CIE_22 | access_denied | ErrorCode SPID/CIE | End user | Consent to submit data was denied by the user | Show the error to the end user asking them to try again |
| SPID_23 or CIE_23 | access_denied | ErrorCode SPID/CIE | End user | User with suspended/revoked identity or blocked credentials | Show the error to the end user asking them to try again |
| SPID_25 or CIE_25 | access_denied | ErrorCode SPID/CIE | End user | Authentication process cancelled by the user | Show the error to the end user asking them to try again |
| SPID_OTHER_CODE or CIE_OTHER_CODE | server_error | ErrorCode SPID/CIE (other) | EIDG (IDP) | Incorrect response format – Contact Identity manager | Show the end user a generic error. Contact EIDG to analyse the problem. |
| SPID_TECHNICAL or CIE_TECHNICAL | server_error | Server error | EIDG | An error occurred during the authentication process. Please try again. | Show the end user a generic error. Contact EIDG to analyse the problem. |
| SPID_VALIDATION or CIE_VALIDATION | server_error | SAML validation error | EIDG (IDP) | Incorrect response format – Contact Identity manager | Show the end user a generic error. Contact EIDG to analyse the problem. |
| SPID_PARSING or CIE_PARSING | server_error | SAML parsing error | EIDG (IDP) | Incorrect response format – Contact Identity manager | Show the end user a generic error. Contact EIDG to analyse the problem. |
| EIDG_1 | invalid_request | Error in the parameters | Client application | No client_id provided | Show the end user a generic error. Check the correctness of the call to EIDG. |
| EIDG_2 | invalid_request | Error in the parameters | Client application | The client_id provided is not valid | Show the end user a generic error. Check the correctness of the call to EIDG. |
| EIDG_3 | invalid_request | Error in the parameters | Client application | The redirect URL does not match the one agreed to | Show the end user a generic error. Check the correctness of the call to EIDG. |
| EIDG_4 | invalid_request | Error in the parameters | Client application | The requested identification_method is not valid or not available for this client | Show the end user a generic error. Check the correctness of the call to EIDG. |
| EIDG_5 | access_denied | Error in the parameters | Client application | The client_id or client_secret is not valid | Show the end user a generic error. Check the correctness of the call to EIDG. |
| EIDG_6 | access_denied | Error in the parameters | Client application | The client_secret provided is not valid | Show the end user a generic error. Check the correctness of the call to EIDG. |
| EIDG_7 | access_denied | Error in the parameters | Client application | No grant_type provided | Show the end user a generic error. Check the correctness of the call to EIDG. |
| EIDG_8 | access_denied | Error in the parameters | Client application | The grant_type provided is not valid | Show the end user a generic error. Check the correctness of the call to EIDG. |
| EIDG_9 | invalid_request | Error in the parameters | Client application | Error during request validation | Show the end user a generic error. Check the correctness of the call to EIDG. |
| EIDG_10 | access_denied | Server error | EIDG | Error during token generation | Show the end user a generic error. Contact EIDG to analyse the problem. |
| EIDG_11 | server_error | Server error | EIDG | Error communicating with LegalDoc | Show the end user a generic error. Contact EIDG to analyse the problem. |
| EIDG_12 | server_error | Request missing | Client application | Request config not found | Request expired. Invite the user to log in again with EIDG. |
| EIDG_13 | server_error | Request missing | EIDG | Error while retrieving request config | Show the end user a generic error. Contact EIDG to analyse the problem. |
| EIDG_14 | access_denied | Error in the parameters | Client application | Access or refresh token not found | Request expired. If the token in question is access then refresh the new token, otherwise invite the user to log in again with EIDG. |
| EIDG_15 | invalid_request | Error in the parameters | Client application | Access or refresh token not valid | Show the end user a generic error. Check the correctness of the call to EIDG. |
| EIDG_16 | server_error | Server error | EIDG | Error while parsing access or refresh token | Show the end user a generic error. Contact EIDG to analyse the problem. |

Scenario of usage

  1. The application (client), within its own navigation flow, needs to authenticate a user or receive a set of related attributes.
  2. The application shows the user a “Log in with EID Gateway” button. When the user clicks it, a call is made to the /authorize endpoint with the following URL parameters: client_id, state, id_methods (optional) and redirect_uri.
    curl --request GET \
    --url 'https://eid-gateway.infocert.it/oauth2/authorize?client_id=demo-web-app&redirect_uri=https%3A%2F%2Finternal-pr-eks-factory-private-alb-1996065579.eu-west-1.elb.amazonaws.com%2Feidgateway-testclient%2Flogin&state=examplestate' \
    --header 'accept: */*'
    
  3. If the previous step succeeds, the user agent (browser) is redirected to the EID Gateway page, where the user can choose an identification method (for now only SPID) and an IDP.
  4. Once the IDP is chosen, the user agent (browser) is redirected to the IDP site, where the user has to enter credentials and agree to share their data with EID Gateway and the client application.
  5. If everything went well, EID Gateway redirects the browser to the redirect URI passed in step 2 with the authorization code; otherwise it redirects the browser to the same URI with an error message.
  6. The client application can now exchange the authorization code for a set of access and refresh tokens by calling the /token endpoint with an authorization header carrying the client application’s credentials and the following URL parameters: code, grant_type (“code” as a value) and redirect_uri.
    curl --request POST \
      --url https://eid-gateway.infocert.it/oauth2/token \
      --header 'Authorization: Basic h10823g81bAHSDVV123H812G3971AJSD' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --header 'accept: application/json' \
      --data 'code=07b41735-1537-43db-876c-d0da1f178115&grant_type=code&redirect_uri=https%3A%2F%2Finternal-pr-eks-factory-private-alb-1996065579.eu-west-1.elb.amazonaws.com%2Feidgateway-testclient%2Flogin'
    
    Example json result:
    {
       "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJkZW1vLXdlYi1jbGllbnQiLCJuYmYiOjE2NTI4ODM0NDIsImlzcyI6ImRlbW8td2ViLWNsaWVudCIsImV4cCI6MTY1Mjg4MzYyMiwiaWF0IjoxNjUyODgzNDQyLCJqdGkiOiIwOWNmM2YxMS00YmZmLTQ2NWYtYjBiZS0xOWQ0NDRmODM3OGYifQ.PntT3TJWOETPY1MBq9ld8bb0jeaLi-ub3_PhLLqINiWWMRxnlM0SkvdzEdptPGX4CNrBG_QPYdBgoH9ru63qjolXHZivGjAzfQrTz6Hyw8O_kaYnjLAW6hI0Ph_3MdeM84T6wpY9Gj--gp1oOyo12PIiH5bSOsNLO6d-IofHSVwkfyaepHhTUfieAEeWWXvHgsvVC3YviDOXO-5NouQRNO5ZFbLf0Wgd52N35U8jxIIiM2jzsaCgh5Dr6okY3O4CdQBMl7Xw2GFpjByc-a5Tv3DZNebIOVe-rw-jTQkNcLihNZv3VWCcHhYpQ5Ql4vQ9oMb730jilpA5r8rzhwi4Qw",
       "expires_in": 360,
       "refresh_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJleHAiOjE2NTI5Njk4NDIsImNsaWVudF9pZCI6ImRlbW8td2ViLWNsaWVudCJ9.swW_g6pCVBb_tID_Q-AJZwc44h5lWLJGA2h7qQcfOpGMql35s8XMjoTdrqf0WNbWTsGf7P8D1u7hWQRfr-uAbXQNQh1rQHjZEfMrY7AOWlmJBefjnXxaD-GUxi7RM2GwbrUhV14i8-bUZUPdywPiqYElL5T_x3Y2Pfptp6uaJK2mc_EjxzArwiX5uPzVy5BNVw3NmAvoOhhXle606k1QjYeMIPFi9LZDvU5Ud5lDBv5beV0OZog55ZzF6qTblddgU5f6zs87vvWZtAjDALvoAyIyIvH7yTjThvgGr05WVWUQrCLEeBShXsVj-4ZWCmbXcyhw9eP66cNClPxIXbfpvg",
       "token_type": "Bearer"
    }
    
  7. The client application can now get the user attributes by calling the /user-info endpoint, passing the access token value in the authorization header.
    curl --request GET \
    --url https://eid-gateway.infocert.it/oauth2/user-info \
    --header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJkZW1vLXdlYi1jbGllbnQiLCJuYmYiOjE2NTI4ODM0NDIsImlzcyI6ImRlbW8td2ViLWNsaWVudCIsImV4cCI6MTY1Mjg4MzYyMiwiaWF0IjoxNjUyODgzNDQyLCJqdGkiOiIwOWNmM2YxMS00YmZmLTQ2NWYtYjBiZS0xOWQ0NDRmODM3OGYifQ.PntT3TJWOETPY1MBq9ld8bb0jeaLi-ub3_PhLLqINiWWMRxnlM0SkvdzEdptPGX4CNrBG_QPYdBgoH9ru63qjolXHZivGjAzfQrTz6Hyw8O_kaYnjLAW6hI0Ph_3MdeM84T6wpY9Gj--gp1oOyo12PIiH5bSOsNLO6d-IofHSVwkfyaepHhTUfieAEeWWXvHgsvVC3YviDOXO-5NouQRNO5ZFbLf0Wgd52N35U8jxIIiM2jzsaCgh5Dr6okY3O4CdQBMl7Xw2GFpjByc-a5Tv3DZNebIOVe-rw-jTQkNcLihNZv3VWCcHhYpQ5Ql4vQ9oMb730jilpA5r8rzhwi4Qw' \
    --header 'accept: application/json'
    
    Example json result:
       {
           "givenName": "Ada",
           "familyName": "Lovelace",
           "birthPlace": {
               "address": {
                   "streetAddress": null,
                   "postalCode": null,
                   "addressRegion": "G702",
                   "addressLocality": null,
                   "addressCountry": null
               }
           },
           "birthDate": null,
           "gender": "F",
           "taxID": "TINIT-LVLDAA85T50G702B",
           "vatID": null,
           "telephone": "3939393939",
           "email": "aabyron@hotmail.com",
           "address": {
               "streetAddress": "Via Listz 21",
               "postalCode": "00144",
               "addressRegion": "Roma",
               "addressLocality": "RM",
               "addressCountry": "IT"
           },
           "_idp": "https://demo.spid.gov.it",
           "_rawRequest": "....",
           "_rawResponse": "...."
       }
ICAgICAgICAgICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPkFkYTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9ImZhbWlseU5hbWUiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5Mb3ZlbGFjZTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9ImZpc2NhbE51bWJlciIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPlRJTklULUxWTERBQTg1VDUwRzcwMkI8L3NhbWw6QXR0cmlidXRlVmFsdWU+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJkb21pY2lsZVN0cmVldEFkZHJlc3MiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5WaWEgTGlzdHogMjE8L3NhbWw6QXR0cmli
dXRlVmFsdWU+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJkb21pY2lsZVBvc3RhbENvZGUiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj4wMDE0NDwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9ImRvbWljaWxlTXVuaWNpcGFsaXR5IiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+Um9tYTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9ImRvbWljaWxlUHJvdmluY2UiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5STTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9ImRvbWljaWxlTmF0aW9uIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6
bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+SVQ8L3NhbWw6QXR0cmlidXRlVmFsdWU+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJpZENhcmQiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5wYXNzYXBvcnRvIEtLMTIzNDU2NyBxdWVzdHVyYUxpdm9ybm8gMjAxNi0wOS0wNCAyMDI2LTA5LTAzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L3NhbWw6QXR0cmlidXRlPiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0icGxhY2VPZkJpcnRoIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+RzcwMjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9Im1vYmlsZVBob25lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8v
d3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+MzkzOTM5MzkzOTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9ImdlbmRlciIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPkY8L3NhbWw6QXR0cmlidXRlVmFsdWU+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJlbWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPmFhYnlyb25AaG90bWFpbC5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJzcGlkQ29kZSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPlNQSUQtMDAyPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L3NhbWw6QXR0cmlidXRlPiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgPC9z
YW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+"
    }
    

Use refresh token to get a new valid access token

The access token has a short time to live (usually a few minutes). When the application needs to ask for user attributes and the access token is no longer valid, it can call the /token endpoint again, this time with the following params: refresh_token (the refresh_token value received in the previous /token call), grant_type (with "refresh_token" as its value) and redirect_uri.
   # Note: -k disables TLS certificate verification; omit it outside test environments.
   curl -k --request POST \
  --url https://eid-gateway.infocert.it/oauth2/token \
  --header 'Authorization: Basic h10823g81bAHSDVV123H812G3971AJSD' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'accept: application/json' \
  --data 'refresh_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJleHAiOjE2NTI5Njk4NDIsImNsaWVudF9pZCI6ImRlbW8td2ViLWNsaWVudCJ9.swW_g6pCVBb_tID_Q-AJZwc44h5lWLJGA2h7qQcfOpGMql35s8XMjoTdrqf0WNbWTsGf7P8D1u7hWQRfr-uAbXQNQh1rQHjZEfMrY7AOWlmJBefjnXxaD-GUxi7RM2GwbrUhV14i8-bUZUPdywPiqYElL5T_x3Y2Pfptp6uaJK2mc_EjxzArwiX5uPzVy5BNVw3NmAvoOhhXle606k1QjYeMIPFi9LZDvU5Ud5lDBv5beV0OZog55ZzF6qTblddgU5f6zs87vvWZtAjDALvoAyIyIvH7yTjThvgGr05WVWUQrCLEeBShXsVj-4ZWCmbXcyhw9eP66cNClPxIXbfpvg&grant_type=refresh_token&redirect_uri=https%3A%2F%2Finternal-pr-eks-factory-private-alb-1996065579.eu-west-1.elb.amazonaws.com%2Feidgateway-testclient%2Flogin'
Example JSON result:
   {
      "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJkZW1vLXdlYi1jbGllbnQiLCJuYmYiOjE2NTI4ODUwMzYsImlzcyI6ImRlbW8td2ViLWNsaWVudCIsImV4cCI6MTY1Mjg4NTIxNiwiaWF0IjoxNjUyODg1MDM2LCJqdGkiOiI2OWFkZDZmOS02ZmIwLTRhZTEtOWFkNC1iMjk0OGMxNDgzOTQifQ.h_-1u2lu4XMUB1YeD2yEkmxcxi_26zrNJsPKMjL6t1klr_BM9ervNc6mQTF1c7q8fBqicSMBL0lamNDkUd6PbbfIwHfyG1ghuakDnH18zdlIUdfdHRC6h9iwFV73OcSuuwBGA9GlAyJc2LSCWyek-vPBcmb1jWbzyjlz5LOnA4L4bgRx5cTLIki9GlsxXwmc7mneYJDcbWzO4yVhTft_U0x01n_1MU0aXGEKEw30RPdwr-SPiycAUVGkEl3XhANtOTo_tywU5oZL7Dwrq8HyTuIsMW_oh5KPKMez3q9zAF3Tzo6tJzu5TuCsS37c8EHI14HoACWcvwkgU4o8hITtIw",
      "expires_in": 360,
      "refresh_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJleHAiOjE2NTI5Njk4NDIsImNsaWVudF9pZCI6ImRlbW8td2ViLWNsaWVudCJ9.swW_g6pCVBb_tID_Q-AJZwc44h5lWLJGA2h7qQcfOpGMql35s8XMjoTdrqf0WNbWTsGf7P8D1u7hWQRfr-uAbXQNQh1rQHjZEfMrY7AOWlmJBefjnXxaD-GUxi7RM2GwbrUhV14i8-bUZUPdywPiqYElL5T_x3Y2Pfptp6uaJK2mc_EjxzArwiX5uPzVy5BNVw3NmAvoOhhXle606k1QjYeMIPFi9LZDvU5Ud5lDBv5beV0OZog55ZzF6qTblddgU5f6zs87vvWZtAjDALvoAyIyIvH7yTjThvgGr05WVWUQrCLEeBShXsVj-4ZWCmbXcyhw9eP66cNClPxIXbfpvg",
      "token_type": "Bearer"
   }
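
The refresh call above, as an added example (not code from the original page or from EID Gateway): a tenant-side Python helper that builds the same /token request and refreshes the access token shortly before `expires_in` elapses. The `TokenSession` class, the 30-second skew, the injectable `post` and `clock` parameters, and the assumption that the Basic credential is base64 of `client_id:client_secret` are choices of this example; its default transport verifies the server certificate.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://eid-gateway.infocert.it/oauth2/token"  # endpoint shown on the page


def build_refresh_request(client_id, client_secret, refresh_token, redirect_uri):
    """Headers and form body for the refresh_token grant."""
    # Assumption: the Basic credential is base64("client_id:client_secret").
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({
        "refresh_token": refresh_token,
        "grant_type": "refresh_token",
        "redirect_uri": redirect_uri,
    })
    return headers, body


def http_post(url, headers, body):
    """Default transport; urllib verifies the TLS certificate (no curl -k equivalent)."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenSession:
    """Holds one user's tokens and refreshes shortly before expires_in runs out."""
    def __init__(self, client_id, client_secret, redirect_uri, tokens,
                 post=http_post, clock=time.monotonic, skew=30):
        self.client = (client_id, client_secret)
        self.redirect_uri, self.post, self.clock, self.skew = redirect_uri, post, clock, skew
        self.refresh_token = None
        self._store(tokens)

    def _store(self, tokens):
        self.access_token = tokens["access_token"]
        # Keep the old refresh token if the response does not carry a new one.
        self.refresh_token = tokens.get("refresh_token", self.refresh_token)
        self.expires_at = self.clock() + int(tokens["expires_in"])

    def bearer(self):
        """Return a usable access token, refreshing it first when it is about to expire."""
        if self.clock() >= self.expires_at - self.skew:
            headers, body = build_refresh_request(*self.client, self.refresh_token, self.redirect_uri)
            self._store(self.post(TOKEN_URL, headers, body))
        return self.access_token
```

Construct `TokenSession` with the JSON returned by the first /token call and call `bearer()` before every request that needs the access token.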

Log out a particular user -> Delete access and refresh tokens

To log out a user, the /logout endpoint has to be called with the access token value in the Authorization header.
   curl -k --request DELETE \
  --url https://eid-gateway.infocert.it/oauth2/logout \
  --header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJkZW1vLXdlYi1jbGllbnQiLCJuYmYiOjE2NTI4ODM0NDIsImlzcyI6ImRlbW8td2ViLWNsaWVudCIsImV4cCI6MTY1Mjg4MzYyMiwiaWF0IjoxNjUyODgzNDQyLCJqdGkiOiIwOWNmM2YxMS00YmZmLTQ2NWYtYjBiZS0xOWQ0NDRmODM3OGYifQ.PntT3TJWOETPY1MBq9ld8bb0jeaLi-ub3_PhLLqINiWWMRxnlM0SkvdzEdptPGX4CNrBG_QPYdBgoH9ru63qjolXHZivGjAzfQrTz6Hyw8O_kaYnjLAW6hI0Ph_3MdeM84T6wpY9Gj--gp1oOyo12PIiH5bSOsNLO6d-IofHSVwkfyaepHhTUfieAEeWWXvHgsvVC3YviDOXO-5NouQRNO5ZFbLf0Wgd52N35U8jxIIiM2jzsaCgh5Dr6okY3O4CdQBMl7Xw2GFpjByc-a5Tv3DZNebIOVe-rw-jTQkNcLihNZv3VWCcHhYpQ5Ql4vQ9oMb730jilpA5r8rzhwi4Qw' \
  --header 'accept: application/json'

UI Customization

The customization of the user interface of Eid-Gateway allows modifying the graphical aspect of the web page at the level of tenant clients. In particular, the following properties can be customized:
  • Header color: background color of the header
  • Footer color: background color of the footer
  • Body color: background color of the page
  • Header image: background image of the header of the web page
  • Body image: background image of the body of the web page
  • Footer image: background image of the footer of the web page
The following image formats are allowed: png, jpg, or svg.

Rules applied to the web page

Header
The header has a CSS rule of min-height: 180px, which indicates the minimum height of the element. Additionally, the background image of the header is adapted to the size of the element using the CSS rule background-size: cover. It is recommended to provide an image with a height of 180px and a width that fills the entire width of the header (Example: 4000×180).
Footer
The footer has a CSS rule of min-height: 100px. In this case too, the background image of the footer is adapted to the size of the element using the CSS rule background-size: cover. It is recommended to provide an image with a height of 100px and a width that fills the entire width of the footer (Example: 4000×100).
Body
The body has a CSS rule of background-size: auto.
