OpenID Connect for Identity Assurance – Overview & Call to Action

Published August 25, 2022

Introduction

At the start of 2020 a new working group was formed under the OpenID Foundation to continue work that had been ongoing for some months in the AB/Connect Working Group. That new working group came to be known as the eKYC & Identity Assurance Working Group.

That activity was initiated following an IPR donation from yes.com of an extension to OpenID Connect that they had created.

What Is It?

OpenID Connect for Identity Assurance 1.0 (OIDC4IDA for short) is an extension to OpenID Connect Core.

OpenID Connect for Identity Assurance 1.0 Current Status

Implementers Draft 4 is currently available for review – Fourth Public Review Period for OpenID Connect for Identity Assurance Specification Started.

A beta version of the Conformance testing suite that supports OIDC4IDA is available on request. It was developed through directed funding and allows implementers to check that their implementations conform to the specification, making interoperable solutions cheaper and easier to build.

The current spec is already being adopted in a number of places, including Germany, the UK and the EU, and is being seriously considered for use in Australia.

What is OIDC4IDA Good For?

OpenID Connect for Identity Assurance is primarily focused on addressing use cases where the details of the assurance process used to verify and validate the end-user's identity need to be explicitly communicated.

The working group believes it is a good fit for account opening, staff on-boarding, account recovery and access to restricted services, wherever the relying party needs to know how the underlying identity was established.

Who Built It?

The inspiration for OpenID Connect for Identity Assurance was from yes.com in Germany and donated to the OpenID Foundation in 2019. It has seen further development from a wide range of people from many countries and businesses of many types, including software vendors, services companies, network operators, consultancies, banks, and healthcare providers.

How Does It Work?

OpenID Connect for Identity Assurance is intended to be a lightweight extension to OpenID Connect and uses the authorization code flow of OpenID Connect Core, including end-user approval. It encourages the use of the claims request parameter, through which the relying party expresses which parts of the identity data and metadata it needs, and it defines a schema for communicating “verified claims”. A “verified_claims” element has two child elements: one, “verification”, carrying information about the verification (and validation) process, and the other, “claims”, containing the verified end-user claims themselves.
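The following is an added example, not code from the OpenID Foundation post or from any of the implementations it lists. It shows the relying-party side of the exchange described above: building the claims request parameter that asks for verified_claims, then consuming a UserInfo response and keeping only claims that arrived inside verified_claims under a trust framework the RP accepts. The element names (verified_claims, verification, trust_framework, claims) follow the OIDC4IDA schema; the sample UserInfo responses, the accepted trust framework set and the helper names are constructed for this example.

```python
"""Relying-party helpers for OIDC4IDA verified claims (added example).

build_claims_request()   -> the `claims` request parameter asking for verified_claims
extract_verified_claims() -> only claims returned inside verified_claims under an
                             accepted trust framework; plain top-level claims are ignored
"""
import json

# Trust frameworks this hypothetical RP is willing to rely on. The identifiers are
# assumptions for the example; a real deployment uses the frameworks it has assessed.
ACCEPTED_TRUST_FRAMEWORKS = {"de_aml", "example_framework"}


def build_claims_request(claim_names, trust_frameworks=None):
    """Return the `claims` parameter (as a dict) requesting verified_claims in UserInfo.

    A value of None means "return this element with whatever value you have";
    `{"values": [...]}` restricts the trust framework to the listed ones.
    """
    verification = {"trust_framework": None}
    if trust_frameworks:
        verification["trust_framework"] = {"values": sorted(trust_frameworks)}
    return {
        "userinfo": {
            "verified_claims": {
                "verification": verification,
                "claims": {name: None for name in claim_names},
            }
        }
    }


def claims_query_param(claim_names, trust_frameworks=None):
    """Serialize the request as it would be placed in the `claims` query parameter."""
    return json.dumps(build_claims_request(claim_names, trust_frameworks), separators=(",", ":"))


def extract_verified_claims(userinfo, accepted_frameworks=ACCEPTED_TRUST_FRAMEWORKS):
    """Return {claim_name: value} for claims delivered inside verified_claims.

    The OP may omit verified_claims entirely (or individual claims) when it cannot
    verify them, so an empty dict is a normal outcome the RP must handle. This
    example accepts either a single verified_claims object or a list of them.
    """
    container = userinfo.get("verified_claims")
    if container is None:
        return {}
    entries = container if isinstance(container, list) else [container]
    result = {}
    for entry in entries:
        verification = entry.get("verification") or {}
        if verification.get("trust_framework") not in accepted_frameworks:
            continue  # verified, but under a framework this RP does not rely on
        for name, value in (entry.get("claims") or {}).items():
            result.setdefault(name, value)  # first accepted source wins
    return result


# Constructed UserInfo responses used to exercise the helpers.
SAMPLE_USERINFO = {
    "sub": "248289761001",
    "email": "janedoe@example.com",  # ordinary claim, not verified
    "verified_claims": {
        "verification": {"trust_framework": "de_aml", "time": "2022-04-22T11:30:00Z"},
        "claims": {"given_name": "Jane", "family_name": "Doe", "birthdate": "1990-01-01"},
    },
}

SAMPLE_UNTRUSTED_FRAMEWORK = {
    "sub": "248289761001",
    "verified_claims": {
        "verification": {"trust_framework": "unknown_framework"},
        "claims": {"given_name": "Jane"},
    },
}

if __name__ == "__main__":
    print(claims_query_param(["given_name", "family_name", "birthdate"], ACCEPTED_TRUST_FRAMEWORKS))
    print(extract_verified_claims(SAMPLE_USERINFO))
    print(extract_verified_claims(SAMPLE_UNTRUSTED_FRAMEWORK))
```

The design point is that the RP never promotes a plain claim (here, email) to "verified" status and never trusts a verified_claims entry whose trust_framework it has not assessed; everything else in the response is treated as ordinary, unverified OpenID Connect data.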

Security concerns relating to the exchange of sensitive personal data via OIDC4IDA should be addressed through use of the output of the FAPI Working Group, which you can read about in this white paper.

Implementations

OpenID Connect Identity Assurance / eKYC (Connect2id)

GitHub – identityfirst/eKYC-Hub: This repository provides code for the eKYC Hub application

OpenID Connect for Identity Assurance, explained by an implementer, by Takahiko Kawasaki (Medium)

OpenID Connect for Identity Assurance 1.0 Roadmap

Call to Action

  1. Review the Implementers Draft and provide feedback (and vote if you have an OIDF membership)
  2. Review (and vote if you can) the Final specification that is planned for Q4 2022
  3. Tell your peers about OIDC4IDA
  4. Implement for use cases where OpenID for IDA is a good fit
  5. Use the Conformance testing tool to check your implementation for conformance and interoperability