Identity Provision, assurance and eKYC with OpenID Connect

UserInfo

In addition to issuing ID tokens for users, the Connect2id server can also release consented information (claims) about the user to the client applications. The claims are made available for collection at a UserInfo endpoint, in exchange for an OAuth 2.0 access token encapsulating the consent. Upon request the claims can be alternatively delivered in the ID token.

OpenID Connect defines a standard UserInfo schema schema which covers a number of common claims:

  • The person's name, in various forms, with optional i18n.

  • Contact details, such as email, phone number and postal address, including a simple verification status.

  • Profile information, such as home page, picture, birth date and timezone.

The UserInfo can be extended to supply additional (custom) claims to applications, such as:

  • User roles and permissions, derived from LDAP group membership or some other data source.

  • Claims derived from analytics and business intelligence.

  • Location-based information.

JSON is the standard format for UserInfo:

{
   "sub"                     : "alice",
   "email"                   : "[email protected]",
   "email_verified"          : true,
   "name"                    : "Alice Adams",
   "phone_number"            : "+359 (99) 100200305",
   "profile"                 : "https://c2id.com/users/alice",
   "https://c2id.com/groups" : [ "audit", "admin" ]
}

Identity assurance / eKYC

Connect2id server 8.0 implemented a new OpenID Connect profile for Identity Assurance and eKYC.

Providers of verified identities can adopt the profile to establish a standard protocol for relying parties to obtain attributes compliant with a trust framework, which may involve the verification of an ID document, an eIDAS qualified electronic signature, or a utility bill.

The verified data is delivered in a clearly designated form, together with optional metadata for the applicable trust framework, at the UserInfo endpoint or included in the ID token.

Data sources

A Connect2id server API facilitates the sourcing of OpenID claims from one or multiple locations:

  • Enterprise LDAP / Active Directory

  • SQL databases

  • External identity providers

  • Web services

  • On-demand attribute provisioning