Messages -------- The AusweisApp2 (server) will send some proper messages (**msg**) to your application (client) during the whole workflow or as an answer to your :doc:`commands`. .. _access_rights: ACCESS_RIGHTS ^^^^^^^^^^^^^ This message will be send by AusweisApp2 once the authentication is started by :ref:`run_auth` and the AusweisApp2 got the certificate from the service. If your application receives this message you can call :ref:`set_access_rights` to change some optional access rights or you can call :ref:`get_access_rights` to get this message again. Also you can call :ref:`get_certificate` to get the certificate to show this to your user. The workflow will continue if you call :ref:`accept` to indicate that the user accepted the requested access rights or call :ref:`cancel` to abort the whole workflow. - **error**: This optional parameter indicates an error of a :ref:`set_access_rights` call if the command contained invalid data. - **aux**: Optional auxiliary data of the service provider. - **ageVerificationDate**: Optional required date of birth for AgeVerification as ISO 8601. - **requiredAge**: Optional required age for AgeVerification. It is calculated by AusweisApp2 on the basis of ageVerificationDate and current date. - **validityDate**: Optional validity date as ISO 8601. - **communityId**: Optional id of community. - **chat**: Access rights of the service provider. - **effective**: Indicates the enabled access rights of **optional** and **required**. - **optional**: These rights are optional and can be enabled or disabled by :ref:`set_access_rights`. - **required**: These rights are mandatory and cannot be disabled. - **transactionInfo**: Optional transaction information. .. code-block:: json { "msg": "ACCESS_RIGHTS", "error": "some optional error message", "aux": { "ageVerificationDate": "1999-07-20", "requiredAge": "18", "validityDate": "2017-07-20", "communityId": "02760400110000" }, "chat": { "effective": ["Address", "FamilyName", "GivenNames", "AgeVerification"], "optional": ["GivenNames", "AgeVerification"], "required": ["Address", "FamilyName"] }, "transactionInfo": "this is an example" } .. code-block:: json { "msg": "ACCESS_RIGHTS", "chat": { "effective": ["Address", "FamilyName", "GivenNames", "AgeVerification"], "optional": ["GivenNames", "AgeVerification"], "required": ["Address", "FamilyName"] } } The following access rights are possible: - Address - BirthName - FamilyName - GivenNames - PlaceOfBirth - DateOfBirth - DoctoralDegree - ArtisticName - Pseudonym - ValidUntil - Nationality - IssuingCountry - DocumentType - ResidencePermitI - ResidencePermitII - CommunityID - AddressVerification - AgeVerification .. seealso:: `TR-03110`_, part 4, chapter 2.2.3 `TR-03127`_, chapter 3.2.2 .. _TR-03110: https://www.bsi.bund.de/EN/Publications/TechnicalGuidelines/TR03110/BSITR03110.html .. _TR-03127: https://www.bsi.bund.de/DE/Publikationen/TechnischeRichtlinien/tr03127/tr-03127.html .. _api_level: API_LEVEL ^^^^^^^^^ This message will be send if :ref:`get_api_level` or :ref:`set_api_level` is called. It lists all **available** API levels that can be used and set by :ref:`set_api_level`. Also it indicates the **current** selected API level. - **error**: Optional error message if :ref:`SET_API_LEVEL` failed. - **available**: List of supported API level by this version. - **current**: Currently selected API level. .. code-block:: json { "msg": "API_LEVEL", "error": "optional error message like an invalid level", "available": [1,2,3,4], "current": 4 } Your application should always set the compatible API level. The AusweisApp2 will support multiple API levels to give you enough time to add support for the new API. Even if you added support for the new API, your application should still support the old API level in case the user updates your application but does not update the AusweisApp2. Otherwise you need to show a message to the user that they need to update the AusweisApp2. The API level will be increased for **incompatible** changes only. If we can add additional commands, messages or information without breaking the previous API you can check the application version with :ref:`get_info` to know if the current version supports your requirements. This documentation will mark every API change with a flag like the following: - New in version 1.10.0. - Changed in version 1.10.0. - Deprecated since version 1.10.0. .. _auth: AUTH ^^^^ This message will be send by AusweisApp2 if an authentication is initially started. The next message should be :ref:`access_rights` or :ref:`auth` again if the authentication immediately results in an error. If you receive an :ref:`auth` message with a parameter **error** your command :ref:`run_auth` was invalid and the workflow was not started at all. - **error**: Optional error message if :ref:`run_auth` failed. .. code-block:: json { "msg": "AUTH", "error": "error message if RUN_AUTH failed" } If the workflow is finished the AusweisApp2 will send a message with a result and an url parameter to indicate the end of an authentication. - **result**: The final result of authentication. - **major**: Major "error" code. - **minor**: Minor error code. - **language**: Language of description and message. AusweisApp2 will use "de" for German system locale or "en" as the fall back. - **description**: Description of the error message. - **message**: The error message. - **url**: Refresh url or communication error address. .. code-block:: json { "msg": "AUTH", "result": { "major": "http://www.bsi.bund.de/ecard/api/1.1/resultmajor#ok" }, "url": "https://test.governikus-eid.de/gov_autent/async?refID=_123456789" } .. code-block:: json { "msg": "AUTH", "result": { "major": "http://www.bsi.bund.de/ecard/api/1.1/resultmajor#error", "minor": "http://www.bsi.bund.de/ecard/api/1.1/resultminor/al/common#internalError", "language": "en", "description": "An internal error has occurred during processing.", "message": "The ID card has been removed. The process is aborted." }, "url": "https://test.governikus-eid.de/gov_autent/async?refID=_abcdefgh" } .. _bad_state: BAD_STATE ^^^^^^^^^ Indicates that your previous command was send in an invalid state. Some commands can be send to the server only if certain "state" is reached in the workflow to obtain the corresponding result. Otherwise the command will fail with :ref:`bad_state`. For example, you cannot send :ref:`get_certificate` if there is no authentication in progress. - **error**: Name of the received command that is invalid in this state. .. code-block:: json { "msg": "BAD_STATE", "error": "NAME_OF_YOUR_COMMAND" } .. _certificate: CERTIFICATE ^^^^^^^^^^^ Provides information about the used certificate. - **description**: Detailed description of the certificate. - **issuerName**: Name of the certificate issuer. - **issuerUrl**: URL of the certificate issuer. - **subjectName**: Name of the certificate subject. - **subjectUrl**: URL of the certificate subject. - **termsOfUsage**: Raw certificate information about the terms of usage. - **purpose**: Parsed purpose of the terms of usage. - **validity**: Validity dates of the certificate in UTC. - **effectiveDate**: Certificate is valid since this date. - **expirationDate**: Certificate is invalid after this date. .. code-block:: json { "msg": "CERTIFICATE", "description": { "issuerName": "Governikus Test DVCA", "issuerUrl": "http://www.governikus.de", "subjectName": "Governikus GmbH & Co. KG", "subjectUrl": "https://test.governikus-eid.de", "termsOfUsage": "Anschrift:\t\r\nGovernikus GmbH & Co. KG\r\nAm Fallturm 9\r\n28359 Bremen\t\r\n\r\nE-Mail-Adresse:\thb@bos-bremen.de\t\r\n\r\nZweck des Auslesevorgangs:\tDemonstration des eID-Service\t\r\n\r\nZuständige Datenschutzaufsicht:\t\r\nDie Landesbeauftragte für Datenschutz und Informationsfreiheit der Freien Hansestadt Bremen\r\nArndtstraße 1\r\n27570 Bremerhaven", "purpose": "Demonstration des eID-Service" }, "validity": { "effectiveDate": "2016-07-31", "expirationDate": "2016-08-30" } } .. _enter_can: ENTER_CAN ^^^^^^^^^ Indicates that a CAN is required to continue workflow. If the AusweisApp2 sends this message, you will have to provide the CAN of the inserted card with :ref:`set_can`. The CAN is required to enable the last attempt of PIN input if the retryCounter is **1**. The workflow continues automatically with the correct CAN and the AusweisApp2 will send an :ref:`enter_pin` message. Despite the correct CAN being entered, the retryCounter remains at **1**. The CAN is also required, if the authentication terminal has an approved "CAN allowed right". This allows the workflow to continue without an additional PIN. If your application provides an invalid :ref:`set_can` command the AusweisApp2 will send an :ref:`enter_can` message with an error parameter. If your application provides a valid :ref:`set_can` command and the CAN was incorrect the AusweisApp2 will send :ref:`enter_can` again but without an error parameter. .. versionadded:: 1.14.2 Support of "CAN allowed right". - **error**: Optional error message if your command :ref:`set_can` was invalid. - **reader**: Information about the used card and card reader. Please see message :ref:`reader` for details. .. code-block:: json { "msg": "ENTER_CAN", "error": "You must provide 6 digits", "reader": { "name": "NFC", "attached": true, "keypad": false, "card": { "inoperative": false, "deactivated": false, "retryCounter": 1 } } } .. note:: There is no retry limit for an incorrect CAN. .. _enter_pin: ENTER_PIN ^^^^^^^^^ Indicates that a PIN is required to continue the workflow. If the AusweisApp2 sends this message, you will have to provide the PIN of the inserted card with :ref:`set_pin`. The workflow will automatically continue if the PIN was correct. Otherwise you will receive another message :ref:`enter_pin`. If the correct PIN is entered the retryCounter will be set to **3**. If your application provides an invalid :ref:`set_pin` command the AusweisApp2 will send an :ref:`enter_pin` message with an error parameter and the retryCounter of the card is **not** decreased. If your application provides a valid :ref:`set_pin` command and the PIN was incorrect the AusweisApp2 will send :ref:`enter_pin` again with a decreased retryCounter but without an error parameter. If the value of retryCounter is **1** the AusweisApp2 will initially send an :ref:`enter_can` message. Once your application provides a correct CAN the AusweisApp2 will send an :ref:`enter_pin` again with a retryCounter of **1**. If the value of retryCounter is **0** the AusweisApp2 will initially send an :ref:`enter_puk` message. Once your application provides a correct PUK the AusweisApp2 will send an :ref:`enter_pin` again with a retryCounter of **3**. - **error**: Optional error message if your command :ref:`set_pin` was invalid. - **reader**: Information about the used card and card reader. Please see message :ref:`reader` for details. .. code-block:: json { "msg": "ENTER_PIN", "error": "You must provide 6 digits", "reader": { "name": "NFC", "attached": true, "keypad": false, "card": { "inoperative": false, "deactivated": false, "retryCounter": 3 } } } .. _enter_puk: ENTER_PUK ^^^^^^^^^ Indicates that a PUK is required to continue the workflow. If the AusweisApp2 sends this message, you will have to provide the PUK of the inserted card with :ref:`set_puk`. The workflow will automatically continue if the PUK was correct and the AusweisApp2 will send an :ref:`enter_pin` message. Otherwise you will receive another message :ref:`enter_puk`. If the correct PUK is entered the retryCounter will be set to **3**. If your application provides an invalid :ref:`set_puk` command the AusweisApp2 will send an :ref:`enter_puk` message with an error parameter. If your application provides a valid :ref:`set_puk` command and the PUK was incorrect the AusweisApp2 will send :ref:`enter_puk` again but without an error parameter. If AusweisApp2 sends :ref:`enter_puk` with field "inoperative" of embedded :ref:`reader` message set true it is not possible to unblock the PIN. You will have to show a message to the user that the card is inoperative and the user should contact the authority responsible for issueing the identification document to unblock the PIN. You need to send a :ref:`cancel` to abort the workflow if card is operative. Please see the note for more information. - **error**: Optional error message if your command :ref:`set_puk` was invalid. - **reader**: Information about the used card and card reader. Please see message :ref:`reader` for details. .. code-block:: json { "msg": "ENTER_PUK", "error": "You must provide 10 digits", "reader": { "name": "NFC", "attached": true, "keypad": false, "card": { "inoperative": false, "deactivated": false, "retryCounter": 0 } } } .. note:: There is no retry limit for an incorrect PUK. But be aware that the PUK can only be used 10 times to unblock the PIN. There is no readable counter for this. The AusweisApp2 is not able to provide any counter information of PUK usage. If the PUK is used 10 times it is not possible to unblock the PIN anymore and the card will remain in PUK state. Also it is not possible to indicate this state before the user enters the correct PUK once. This information will be provided as field "inoperative" of :ref:`reader` message. .. _info: INFO ^^^^ Provides information about the AusweisApp2. Especially if you want to get a specific **Implementation-Version** to check if the current installation supports some additional :doc:`commands` or :doc:`messages`. Also you should check the :ref:`api_level` as it will be increased for **incompatible** changes. - **VersionInfo**: Structure of version information. - **Name**: Application name. - **Implementation-Title**: Title of implementation. - **Implementation-Vendor**: Vendor of implementation. - **Implementation-Version**: Version of implementation. - **Specification-Title**: Title of specification. - **Specification-Vendor**: Vendor of specification. - **Specification-Version**: Version of specification. .. code-block:: json { "msg": "INFO", "VersionInfo": { "Name": "AusweisApp2", "Implementation-Title": "AusweisApp2", "Implementation-Vendor": "Governikus GmbH & Co. KG", "Implementation-Version": "1.10.0", "Specification-Title": "TR-03124", "Specification-Vendor": "Federal Office for Information Security", "Specification-Version": "1.2" } } .. _insert_card: INSERT_CARD ^^^^^^^^^^^ Indicates that the AusweisApp2 requires a card to continue. If the AusweisApp2 needs a card to continue the workflow this message will be send as a notification. If your application receives this message it should show a hint to the user. After the user inserted a card the workflow will automatically continue, unless the eID functionality is disabled. In this case, the workflow will be paused until another card is inserted. If the user already inserted a card this message will not be sent at all. This message will also be send if there is no connected card reader. .. code-block:: json {"msg": "INSERT_CARD"} INTERNAL_ERROR ^^^^^^^^^^^^^^ Indicates an internal error. If your application receives this message you found a bug. Please report this issue to our support! - **error**: Optional detailed error message. .. code-block:: json { "msg": "INTERNAL_ERROR", "error": "Unexpected condition" } INVALID ^^^^^^^ Indicates a broken JSON message. If your application receives this message you passed a broken JSON structure to the AusweisApp2. Please fix your JSON document and send it again! - **error**: Detailed error message. .. code-block:: json { "msg": "INVALID", "error": "unterminated string (offset: 12)" } .. _reader: READER ^^^^^^ Provides information about a connected or disconnected card reader. This message will be send by the AusweisApp2 if a card reader was added or removed to the operating system. Also if a card was inserted into a card reader or removed from a card reader. Your application can explicitly check for card reader with :ref:`get_reader`. If a workflow is in progress and a card with disabled eID functionality was inserted, this message will still be sent, but the workflow will be paused until a card with enabled eID functionality is inserted. .. versionadded:: 1.16.0 Parameter **keypad** added. - **name**: Identifier of card reader. - **attached**: Indicates whether a card reader is connected or disconnected. - **keypad**: Indicates whether a card reader has a keypad. The parameter is only shown when a reader is attached. - **card**: Provides information about inserted card, otherwise null. - **inoperative**: True if PUK is inoperative and cannot unblock PIN, otherwise false. This can be recognized if user enters a correct PUK only. It is not possbible to read this data before a user tries to unblock the PIN. - **deactivated**: True if eID functionality is deactivated, otherwise false. - **retryCounter**: Count of possible retries for the PIN. If you enter a PIN with command :ref:`set_pin` it will be decreased if PIN was incorrect. .. code-block:: json { "msg": "READER", "name": "NFC", "attached": true, "keypad": false, "card": { "inoperative": false, "deactivated": false, "retryCounter": 3 } } .. _reader_list: READER_LIST ^^^^^^^^^^^ Provides information about all connected card readers. - **reader**: A list of all connected card readers. Please see message :ref:`reader` for details. .. code-block:: json { "msg": "READER_LIST", "reader": [ { "name": "Example reader 1 [SmartCard] (1234567) 01 00", "attached": true, "keypad": true, "card": null }, { "name": "NFC", "attached": true, "keypad": false, "card": { "inoperative": false, "deactivated": false, "retryCounter": 3 } } ] } UNKNOWN_COMMAND ^^^^^^^^^^^^^^^ Indicates that the command type is unknown. If your application receives this message you passed a wrong command to the AusweisApp2. Please fix your command and send it again! Be aware of case sensitive names in :doc:`commands`. - **error**: Name of the unknown command. .. code-block:: json { "msg": "UNKNOWN_COMMAND", "error": "get_INFo" }