OpenID Connect for Identity Assurance

Overview#

OpenID Connect for Identity Assurance (OIDC4IDA) defines an extension to OpenID Connect to address the use case of strong Identity Verification of the Digital Identity of a "Natural Person".

OpenID Connect for Identity Assurance was initiated from an Intellectual Property Rights donation from yes.com of an extension to OpenID Connect that they had created.

OpenID Connect for Identity Assurance is primarily focussed on addressing use-cases where the details of the assurance process used to verify and validate the end-users identity need to be explicitly communicated.

The working group believes it’s a good fit for account opening, staff on-boarding, account Credential Recovery and access to restricted services where communication of how the underlying Identity Proofing was established is needed.

Examples include

OpenID Connect for Identity Assurance fulfills the criteria for portability and interoperability mechanisms of Digital ID systems as defined in FATF-Digital-Identity.

In such use cases, the Relying Parties (RPs) need to know the Assurance Level of the user Claims attested by the OpenID Connect Providers (OPs) along with evidences related to the identity verification process (Identity Assurance).

Identity assurance significantly differs from Authentication Assurance, which requires a different representation in the OpenID Connect protocol that is defined in this specification.

The Authentication Assurance level for authentication is a property of a certain OpenID Connect transaction, determined by the Authentication Mechanism employed and the underlying user account management processes. The acr Claim as defined in Section 2 of the OpenID Connect specification OpenID is sufficient to convey this information.

The Identity Assurance for user Claims, i.e. the binding of a certain Claim value to the person controlling the respective user account, typically varies among the different user Claims. For example, the assurance an OpenID Connect Provider typically will be able to attest for an e-mail address will be "Self-Asserted", "verified by opt-in", or "verified by the respective e-mail provider via an attribute exchange protocol". The family name of a user, in contrast, might have been verified in accordance with the respective Anti-Money Laundering Law by showing an Identity Card to a trained employee of the OpenID Connect Provider operator.

Identity assurance therefore requires a way to convey a Level Of Assurance data along with and coupled to the respective user Claims. This specification proposes a suitable representation and mechanisms the Relying Party will utilize to request verified person data and accompanying Identity Assurance data.

How does OpenID Connect for Identity Assurance Work?#

OpenID Connect for Identity Assurance is intended to be a lightweight extension to OpenID Connect and uses the Authorization Code flow of OpenID Connect Core 1.0 including allowing for end user approval. OpenID Connect for Identity Assurance encourages the use of the claims request parameter where the Relying Party expresses which parts of the identity data and metadata it needs, and it defines a schema for communication of “Verified Claims”. The “verified claims” specification has two child elements one with information about “verification” (and validation), and the other containing the verified end-user claims themselves.

Security concerns relating to exchange of sensitive personal data via OIDC4IDA should be addressed simply through use of the output of the FAPI Working Group which you can read about in this white paper.

More Information#

There might be more information for this subject on one of the following:

Please see our Copyright And Intellectual Property Page and Standard Disclaimer Pages!