OIDC
OpenID Connect
OIDC is an open standard with wide adoption, so a library that integrates OneID with your service very likely already exists. The OpenID Foundation publishes lists of certified OIDC libraries for different programming languages and frameworks. For Shopify, we provide our own integration as an app plug-in.
Supported Scopes
Each piece of data we verify is called a scope. Scopes are configured using the OneID API and determine which claims the UserInfo endpoint returns.
Full list of supported scopes:
Scope | Description and Returned Attributes |
---|---|
`openid` | Subject identifier: a consistent unique identifier for an individual |
`profile` | Full name |
`date_of_birth` | Date of birth |
`address` | Address information embedded in a separate structure |
`email` | Email address |
`phone` | Phone number |
`age_over_18` | Boolean for an individual if they are over 18 |
`fraud` | Fraud indicators; the individual fields are described below |

The `fraud` scope returns the following indicators:
- `activityHistoryScore`: values range from 0 to 4. 0 means there was no match.
- `identityFraudScore`: values range from 0 to 3. 0 means there is potential ID fraud. If the score is 0, the reason is indicated by the fields `nationalSIRAFraud`, `nationalSIRAVictim`, `disclosureOfDeathRegistrationInformationMatch`, `amberhillMatch` and `noMatch`.
- `nationalSIRAFraud`: an indication that the supplied individual has previously attempted to commit fraud.
- `nationalSIRAVictim`: an indication that the supplied individual's details have previously been used in impersonation fraud.
- `amberhillMatch`: Amberhill is a database held by the Metropolitan Police Service relating to fraudulent identity documents.
- `noMatch`: we have not been able to match the individual to any data sets. This is therefore an indication that it could be a synthetic ID.
OpenID Connect Client Configuration
Any relying party service (e.g. ecommerce website) with a server can use an OIDC confidential client. This is the most widely supported OIDC configuration.
We recommend that relying parties create a confidential client to access OneID. In most cases support for confidential OIDC clients already exists for common web frameworks and programming languages.
The Relying Party client configuration consists of:
- Client ID: a UUID which identifies this OIDC client to the OneID Platform.
- Client Secret: an opaque string used to authenticate the client to private API endpoints.
- Redirect URL: the URL users will be returned to once they have authenticated and shared data from their bank. The OneID platform maintains an allowlist of these redirect URLs so changes must be reflected in the platform before a new redirect_uri OIDC parameter can be used.
- Relying Party origins: a list of the origin server names used by the relying party.
State
The OAuth `state` parameter is required in order to help mitigate CSRF attacks: it is a unique, non-guessable value associated with each authentication request about to be initiated. The state should match the regular expression `^[a-zA-Z0-9-_]+$` and should be kept in the backend or in the browser's local storage.
When the user is redirected back to the return endpoint, the state found in the URL parameters should be compared against the one previously stored, and the journey should fail if they do not match.
Confidential Clients
A confidential client is an application running in a server environment that is trusted to keep a client secret confidential. In this case the authorisation code is passed to the backend server, which is responsible for exchanging it for a token. This is the preferred way to integrate with OneID.
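The state handling and confidential-client redirect step described in the two sections above, as an added example rather than OneID's own code: the relying-party backend generates a state that satisfies the required pattern, stores it server-side, and fails the journey on mismatch or replay before the authorization code is ever exchanged. The authorization endpoint, client ID and redirect URI below are constructed placeholders, and `session` stands in for whatever backend session store the framework provides.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

STATE_RE = re.compile(r"^[a-zA-Z0-9-_]+$")  # pattern required for the state value


def new_state() -> str:
    """Unique, non-guessable state; token_urlsafe only emits [A-Za-z0-9_-]."""
    state = secrets.token_urlsafe(32)
    if not STATE_RE.fullmatch(state):  # defensive check, should never trigger
        raise RuntimeError("generated state violates required pattern")
    return state


def build_authorization_url(authorization_endpoint: str, client_id: str,
                            redirect_uri: str, scopes: list, session: dict) -> str:
    """Store a fresh state in the backend session and bind it to this request."""
    state = new_state()
    session["oidc_state"] = state
    params = {
        "response_type": "code",       # authorization code flow
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must already be on the platform allowlist
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


def handle_redirect(callback_url: str, session: dict) -> str:
    """Fail unless the returned state matches the stored one; return the code."""
    query = parse_qs(urlparse(callback_url).query)
    returned = query.get("state", [""])[0]
    expected = session.pop("oidc_state", None)  # single use: a replay finds nothing
    if expected is None or not STATE_RE.fullmatch(returned):
        raise ValueError("missing or malformed state")
    if not hmac.compare_digest(returned.encode(), expected.encode()):
        raise ValueError("state mismatch: aborting journey")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code  # the confidential backend now exchanges this at the token endpoint
```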
Differences between Sandbox and Production
Client configurations are not shared between Sandbox and Production. New clients must be configured in the production environment.
OIDC Configuration URLs
The following URLs return our OpenID Connect Configuration. They can be used to discover where our authorization, token and userinfo endpoints are located.
- Sandbox: https://controller.sandbox.myoneid.co.uk/.well-known/openid-configuration
- Production: https://controller.myoneid.co.uk/.well-known/openid-configuration
How we use OIDC
What is OpenID Connect (OIDC)
OpenID Connect or OIDC is a popular identity protocol that utilises the authorisation and authentication mechanisms of OAuth 2.0. It simplifies the way to verify the identity of users based on the authentication performed by an Authorization Server and to obtain user profile information in an interoperable and REST-like manner.
For developers, it provides a secure and verifiable answer to the question “What is the identity of the person currently using the browser or mobile app that is connected?”.
What do we use OIDC for?
We use the OpenID Connect (OIDC) protocol to securely transfer bank-verified user attributes to Relying Party (RP) services.
We support the OIDC authorization code flow. For developers familiar with OAuth this is sometimes referred to as the 3-legged OAuth journey. This is the most widely supported flow across different programming languages and technologies.
OIDC for Identity Assurance
OpenID Connect for Identity Assurance 1.0 (OIDC4IDA or IDA) is a technical specification that uses OAuth 2.0 and OpenID Connect (OIDC) as its base and defines a JSON structure that conveys verified claims of a natural person.
This specification defines an extension to OpenID Connect for providing our customers with identity information, i.e., Verified Claims, along with an explicit statement about the verification status of these Claims (what, how, when, according to what rules, using what evidence). This specification is aimed at enabling use cases requiring strong assurance, for example, to comply with regulatory requirements such as Anti-Money Laundering laws or access to health data, risk mitigation, or fraud prevention.
OIDC for Identity Assurance is an optional extension to the following products:
- ID Check
- ID Proof
- ID Assure
- ID Scan
- Sign Up
- Sign Up Plus
- Sign In Refresh
- Age Assure
The key data we return are shown in the table below:
Element | Description | Example |
---|---|---|
Trust Framework | The trust framework under which we have assessed the data and its source. OneID is certified under the government's Digital Identity Trust Framework (DIATF). | uk_diatf |
Assurance Level | The assurance level based on the Trust Framework. OneID Products meet Medium, High or Very High levels of assurance depending on the type of data requested and returned. | medium |
Policy | The standard policy that was followed in assessment of the Assurance Level. The DIATF uses policies set out under the Good Practice Guide 45 (GPG45). | gpg45 |
Procedure | The specific procedure from the policy (GPG45) that was followed in order to ascertain the Assurance Level. | m1c |
Transaction Type | The type of evidence that was used to prove the identity (e.g. electronic records from a data source). | electronic_record |
Record Type | For `electronic_record`. The type of record that was used to prove the identity. | bank_account |
Record Source | For `electronic_record`. The source of the record that was used to prove the identity. | Bank Name |
Document Type | For `document`. The type of document used to perform identity verification. | passport |
Check Method | What check was done in relation to the evidence. | auth |
The Assurance Level and Trust Framework for each product are shown in the table below. This applies where a UK bank account, passport or driving licence has been used to prove the identity of the subject.
Product | Trust Framework | Assurance Level |
---|---|---|
ID Check | DIATF | Medium |
ID Proof | DIATF | Medium |
ID Assure | DIATF | Medium, High or Very High |
ID Scan | DIATF | Medium, High or Very High |
Sign Up | DIATF | Medium |
Sign Up Plus | DIATF | Medium |
Sign In Refresh | DIATF | Medium |
Age Assure | DIATF | Medium |
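A relying-party check of the returned data against its own policy, as an added example rather than OneID's own code: the object shape follows the `verified_claims` structure of OpenID Connect for Identity Assurance 1.0, the sample is constructed from the example values in the table above, and the ordering of the assurance levels is assumed from the levels the page lists (Medium below High below Very High). The RP accepts a response only if the trust framework matches and the asserted level is at least the one its use case requires.

```python
# Assumed ordering of the levels named on this page; lower number = weaker assurance.
LEVEL_ORDER = {"medium": 1, "high": 2, "very_high": 3}

# Constructed sample, not a real OneID response; values taken from the table above.
SAMPLE_VERIFIED_CLAIMS = {
    "verification": {
        "trust_framework": "uk_diatf",
        "assurance_level": "medium",
        "assurance_process": {"policy": "gpg45", "procedure": "m1c"},
        "evidence": [
            {
                "type": "electronic_record",
                "check_details": [{"check_method": "auth"}],
                "record": {"type": "bank_account", "source": {"name": "Bank Name"}},
            }
        ],
    },
    "claims": {"name": "Constructed Example", "birthdate": "1990-01-01"},
}


def meets_policy(verified_claims: dict, min_level: str,
                 trust_framework: str = "uk_diatf") -> bool:
    """True only if the framework matches and the asserted level is >= min_level."""
    verification = verified_claims.get("verification", {})
    if verification.get("trust_framework") != trust_framework:
        return False
    level = verification.get("assurance_level")
    if level not in LEVEL_ORDER or min_level not in LEVEL_ORDER:
        return False  # unknown level: refuse rather than guess
    return LEVEL_ORDER[level] >= LEVEL_ORDER[min_level]


def summarise_evidence(verified_claims: dict) -> list:
    """One line per evidence item: transaction type, record or document type, source, checks."""
    lines = []
    for ev in verified_claims.get("verification", {}).get("evidence", []):
        kind = ev.get("type")
        if kind == "electronic_record":
            rec = ev.get("record", {})
            detail = f"{rec.get('type')} from {rec.get('source', {}).get('name')}"
        elif kind == "document":
            # IDA 1.0 carries the document type under document_details (assumed field name)
            detail = ev.get("document_details", {}).get("type")
        else:
            detail = "unknown"
        checks = ",".join(c.get("check_method", "?") for c in ev.get("check_details", []))
        lines.append(f"{kind}: {detail} (checks: {checks})")
    return lines
```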
A copy of the certification can be found here:
https://accscheme.com/wp-content/uploads/Certificate-11.06.24-V4-02.10.24-OneID-Ltd-DIAFT.pdf
More information on the response structure can be found in our OIDC for Identity Assurance Guide.