Identity Provision with OpenID Connect

UserInfo

Besides asserting the user's identity with an ID token, the Connect2id server can release consented information (claims) about the user to client applications. The claims can be included in the ID token, or made available for collection at a UserInfo endpoint, in exchange for an OAuth 2.0 access token.

OpenID Connect defines a standard UserInfo schema which covers a number of commonly used attributes:

  • The person's name, in various forms, with optional i18n.

  • Contact details, such as email, phone number and postal address, including a simple verification status.

  • Profile information, such as home page, picture, birth date and timezone.

The UserInfo can be extended to supply additional (custom) claims to client apps, such as:

  • User roles and permissions, derived from LDAP group membership or some other data source.

  • Claims derived from analytics and business intelligence.

  • Location-based information.

JSON is the standard format for UserInfo:

{
   "sub"                     : "alice",
   "email"                   : "[email protected]",
   "email_verified"          : true,
   "name"                    : "Alice Adams",
   "phone_number"            : "+359 (99) 100200305",
   "profile"                 : "https://c2id.com/users/alice",
   "https://c2id.com/groups" : [ "audit", "admin" ]
}
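A relying-party-side check on a UserInfo response like the one above, added here as an example (it is not Connect2id code). It splits the standard claims from URI-namespaced custom claims and enforces two things a client should never skip: the `sub` must match the ID token's `sub`, and an email counts as verified only when `email_verified` is explicitly true. The sample response is constructed and the email address is an assumption.

```python
import json

# Standard OpenID Connect UserInfo claims used on this page (the full
# set is defined in OpenID Connect Core, section 5.1).
STANDARD_CLAIMS = {
    "sub", "name", "given_name", "family_name", "email", "email_verified",
    "phone_number", "phone_number_verified", "address", "profile",
    "picture", "website", "birthdate", "zoneinfo", "locale",
}

# Constructed sample response, modelled on the UserInfo shown above.
# The email address is an assumption, not a value from the page.
SAMPLE_USERINFO = """{
   "sub"                     : "alice",
   "email"                   : "alice@example.com",
   "email_verified"          : true,
   "name"                    : "Alice Adams",
   "phone_number"            : "+359 (99) 100200305",
   "profile"                 : "https://c2id.com/users/alice",
   "https://c2id.com/groups" : [ "audit", "admin" ]
}"""


def parse_userinfo(body, expected_sub):
    """Parse a UserInfo response into standard and custom claims.

    expected_sub is the 'sub' from the ID token of the same flow. A
    response whose 'sub' differs must be rejected: the access token
    presented at the UserInfo endpoint may belong to another end-user.
    """
    claims = json.loads(body)
    sub = claims.get("sub")
    if not isinstance(sub, str) or sub != expected_sub:
        raise ValueError("UserInfo 'sub' does not match the ID token 'sub'")

    standard = {k: v for k, v in claims.items() if k in STANDARD_CLAIMS}
    # Custom claims are named by URI (e.g. "https://c2id.com/groups")
    # so they cannot collide with the standard schema.
    custom = {k: v for k, v in claims.items() if k not in STANDARD_CLAIMS}

    # An absent or false 'email_verified' flag means unverified.
    email = claims.get("email") if claims.get("email_verified") is True else None
    return {"standard": standard, "custom": custom, "verified_email": email}


def groups_from_userinfo(body, expected_sub, namespace="https://c2id.com/groups"):
    """Return the group names released under a custom URI-named claim, or []."""
    groups = parse_userinfo(body, expected_sub)["custom"].get(namespace, [])
    return [g for g in groups if isinstance(g, str)]
```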

Identity assurance / KYC

Connect2id server 8.0 implemented a new OpenID Connect profile for Identity Assurance.

Providers of verified identities can adopt the profile to establish a standard protocol for relying parties to obtain attributes compliant with a trust framework, which may involve the verification of an ID document, an eIDAS qualified electronic signature, or a utility bill.

The verified data is delivered in a clearly designated form, together with metadata explaining the verification process, at the UserInfo endpoint or included in the ID token.

Data sources

A Connect2id server API facilitates the sourcing of OpenID claims from one or multiple locations:

  • Enterprise LDAP / Active Directory

  • SQL databases

  • External identity providers

  • Web services

  • On-demand attribute provisioning