Overview

OpenID Connect for Identity Assurance defines an extension to OpenID Connect [OpenID] to address the use case of strong identity verification of a natural person in accordance with certain laws. Examples include Anti Money Laundering Laws, Telecommunication Acts, Anti Terror Laws, and regulations on trust services, such as eIDAS [eIDAS].
In such use cases, the Relying Parties (RPs) need to know the assurance level of the user Claims attested by the OpenID Connect Providers (OPs), along with evidence related to the identity verification process (identity assurance).
Identity assurance differs significantly from authentication assurance and therefore requires a different representation in the OpenID Connect protocol, which this specification defines.
The assurance level for authentication is a property of a certain OpenID Connect transaction, determined by the authentication means employed and the underlying user account management processes. The acr Claim as defined in Section 2 of the OpenID Connect specification [OpenID] is sufficient to convey this information.
The identity assurance for user Claims, i.e. the binding of a certain Claim value to the person controlling the respective user account, typically varies among the different user Claims. For example, the assurance an OP typically will be able to attest for an e-mail address will be “self-asserted”, “verified by opt-in”, or “verified by the respective e-mail provider via an attribute exchange protocol”. The family name of a user, in contrast, might have been verified in accordance with the respective Anti Money Laundering Law by showing an ID Card to a trained employee of the OP operator.
Identity assurance therefore requires a way to convey assurance data along with and coupled to the respective user Claims. This specification proposes a suitable representation and mechanisms the RP will utilize to request verified person data and accompanying identity assurance data.
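The following Python is an added illustration of the RP-side consequence of the paragraphs above; it is not part of this specification. It models the per-claim coupling of assurance data using the verified_claims / verification / claims layout from the full OpenID Connect for Identity Assurance specification, which this overview does not reproduce, so the exact field names (trust_framework, evidence, the claims-request "values" form) and the trust framework identifiers are assumptions here. The UserInfo response is a constructed sample. The point it demonstrates is that a Claim is only as assured as the verification block attached to it: a top-level email with email_verified set is not identity-assured, while given_name under a matching verified_claims element is.

```python
import json

# Constructed sample UserInfo response (not from the page). The verified_claims
# layout follows the full Identity Assurance specification; its field names are
# treated as an assumption for this example.
SAMPLE_USERINFO = json.loads(r'''
{
  "sub": "248289761001",
  "email": "jane.doe@example.com",
  "email_verified": true,
  "verified_claims": {
    "verification": {
      "trust_framework": "de_aml",
      "time": "2021-03-15T09:20:11Z",
      "verification_process": "constructed-process-id-0001",
      "evidence": [
        {"type": "document", "method": "pipp",
         "document": {"type": "idcard",
                      "issuer": {"name": "Stadt Musterstadt", "country": "DE"}}}
      ]
    },
    "claims": {"given_name": "Jane", "family_name": "Doe", "birthdate": "1990-01-28"}
  }
}
''')


def iter_verified_claims(userinfo):
    """Yield (claim_name, value, verification) for each Claim inside verified_claims.

    verified_claims may be a single object or an array of objects, each with its
    own verification block, so assurance data from one element never applies to
    Claims carried in another. Plain top-level Claims (e.g. email) are not yielded:
    they carry no identity assurance at all.
    """
    container = userinfo.get("verified_claims")
    if container is None:
        return
    elements = container if isinstance(container, list) else [container]
    for element in elements:
        verification = element.get("verification", {})
        for name, value in element.get("claims", {}).items():
            yield name, value, verification


def assured_claims(userinfo, accepted_frameworks, required_evidence_types=()):
    """Return only the Claims whose attached verification meets the RP's policy:
    the trust framework must be one the RP accepts, and every evidence type the RP
    insists on must be present. Everything else is treated as unassured."""
    accepted = {}
    for name, value, verification in iter_verified_claims(userinfo):
        if verification.get("trust_framework") not in accepted_frameworks:
            continue
        evidence_types = {e.get("type") for e in verification.get("evidence", [])}
        if not set(required_evidence_types) <= evidence_types:
            continue
        accepted[name] = value
    return accepted


def missing_assured_claims(userinfo, required, accepted_frameworks,
                           required_evidence_types=()):
    """List the required Claims the response does NOT deliver with acceptable
    assurance, so the RP can refuse or fall back instead of trusting them."""
    available = assured_claims(userinfo, accepted_frameworks, required_evidence_types)
    return sorted(c for c in required if c not in available)


def build_claims_request(required, accepted_frameworks):
    """Build the 'claims' request parameter asking the OP for verified Claims under
    one of the accepted trust frameworks (request shape assumed from the full spec)."""
    return {
        "userinfo": {
            "verified_claims": {
                "verification": {"trust_framework": {"values": list(accepted_frameworks)}},
                "claims": {name: None for name in required},
            }
        }
    }


if __name__ == "__main__":
    policy = {"de_aml"}
    print("assured:", assured_claims(SAMPLE_USERINFO, policy))
    print("missing:", missing_assured_claims(
        SAMPLE_USERINFO, ["given_name", "family_name", "email"], policy))
    print("request:", json.dumps(build_claims_request(["given_name"], policy)))
```

Running it with the de_aml policy yields given_name, family_name and birthdate as assured and reports email as missing, because the e-mail address is only self-asserted or opt-in verified at the top level and carries no verified_claims entry; switching the policy to eidas, or requiring an evidence type the OP did not supply, empties the assured set entirely.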