Identity provision / eKYC
OpenID claims
In addition to issuing ID tokens for users, the Connect2id server can also release consented user information (claims) to client applications. These claims are made available for collection at the UserInfo endpoint, in exchange for an access token that encapsulates the user’s consent. Alternatively, the claims can be delivered directly in the ID token upon request.
OpenID Connect defines a standard UserInfo schema, which includes several common claims:
- The user’s name, in various forms, with optional internationalisation (i18n).
- Contact details, such as email, phone number and postal address, including a simple verification status.
- Profile information, such as homepage, picture, birth date and timezone.
The UserInfo schema can be extended to supply additional custom claims, such as:
- User roles and permissions, derived from LDAP group membership or other data sources.
- Claims based on analytics and business intelligence.
- Location-based information.
JSON is the standard format for UserInfo:
{
  "sub" : "alice",
  "email" : "alice@wonderland.net",
  "email_verified" : true,
  "name" : "Alice Adams",
  "phone_number" : "+359 (99) 100200305",
  "profile" : "https://c2id.com/users/alice",
  "https://c2id.com/groups" : [ "audit", "admin" ]
}
Identity assurance / eKYC
The OpenID Connect profile for Identity Assurance and eKYC has been supported since Connect2id server 8.0.
Institutions that are able to provide verified identities, such as banks, telcos and governments, can adopt this profile to establish a standard protocol for relying parties to obtain attributes that comply with a trust framework. The verification process may utilise an ID document, an eIDAS qualified electronic signature, a utility bill, or another recognised method.
Verified data is delivered along with metadata related to the applicable trust framework, either at the UserInfo endpoint or included in the ID token.
Data sources
The Connect2id server enables sourcing of OpenID claims from one or more locations, including:
- LDAP / Active Directory
- SQL databases
- Web services
- The user session
- Federated logins
- On-demand attribute provisioning
Upstream OpenID claims providers
OpenID claims from upstream, third-party providers can be integrated and made available to client applications in a way that clearly indicates their origin and allows for verification:
- As aggregated claims – by passing the claims in a JWT signed by their provider; the client can verify the claims’ origin by validating the JWT signature.
- As distributed claims – by supplying the client with the endpoint URL of the external claims provider where it can fetch the claims directly, using a bearer access token.
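How a client would consume such a UserInfo response, as an added example that is not part of this page or of the Connect2id server's code: aggregated claims are accepted only after the provider's JWT signature verifies, while distributed claims are recorded with the endpoint the client must fetch them from. The provider key, issuer URLs and UserInfo content are constructed, and HS256 stands in for whatever signature algorithm a real provider would use.

```python
import base64, hashlib, hmac, json
# Constructed demo key for one upstream provider (not from the page or Connect2id).
PROVIDER_KEYS = {"https://bank.example": b"constructed-bank-provider-secret"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256_jwt(claims: dict, key: bytes) -> str:
    """Mint the JWT an upstream provider embeds as an aggregated claim source."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_hs256_jwt(token: str) -> dict:
    """Check alg, select the key by issuer, verify the MAC, then return the claims."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # refuse 'none' / alg confusion
    claims = json.loads(b64url_decode(body))         # untrusted until the MAC checks
    key = PROVIDER_KEYS[claims.get("iss")]           # KeyError for unknown providers
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad JWT signature")
    return claims

def resolve_claims(userinfo: dict) -> dict:
    """Map claim -> (value, origin). Aggregated claims are taken only from a verified
    provider JWT; distributed ones are left for the client to fetch (no network here)."""
    out = {k: (v, "userinfo") for k, v in userinfo.items() if not k.startswith("_")}
    sources = userinfo.get("_claim_sources", {})
    for name, src_id in userinfo.get("_claim_names", {}).items():
        src = sources[src_id]
        if "JWT" in src:                              # aggregated claims
            provider_claims = verify_hs256_jwt(src["JWT"])
            out[name] = (provider_claims[name], provider_claims["iss"])
        else:                                         # distributed claims
            out[name] = (None, f"fetch from {src['endpoint']} with bearer token")
    return out

if __name__ == "__main__":
    jwt = sign_hs256_jwt({"iss": "https://bank.example", "sub": "alice", "iban_verified": True},
                         PROVIDER_KEYS["https://bank.example"])
    userinfo = {"sub": "alice", "_claim_names": {"iban_verified": "bank", "score": "bureau"},
                "_claim_sources": {"bank": {"JWT": jwt}, "bureau": {
                    "endpoint": "https://bureau.example/claims", "access_token": "constructed"}}}
    print(resolve_claims(userinfo))
```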