The Relying Party is a service that wants to accept ID4me identifiers in order to give users an easier login and hand-over of their data.
Implementing the Relying Party role can differ greatly depending on the platform, framework or programming language used. This page summarizes useful material and resources for the most common approaches to a Relying Party implementation.
- Technical overview – a very good document to start with in order to learn the principles of the ID4me protocol (pdf)
- ID4me Technical Specification – detailed technical specification of all ID4me-specific usage of OpenID Connect as well as the applied extensions, independent of the role (pdf) (adoc)
- ID4me Relying Party Implementer’s Guide – step-by-step guide with full examples of the whole flow from the perspective of the Relying Party (pdf) (adoc)
| Language | Name | Release | Repository & Documentation | Comments |
|---|---|---|---|---|
| Java | org.id4me:relying-party-api | maven.org | ID4me GitLab | Reference implementation |
| Python | id4me-rp-client | PyPI | ID4me GitLab | Reference implementation |
| PHP | id4me/id4me-rp | Packagist | ID4me GitLab | Only Authentication |
| C# | | NuGet | ID4me GitLab | Reference implementation in C# |
Framework Libraries / Extensions
| Framework | Name | Release | Repository & Documentation | Comments |
|---|---|---|---|---|
| Django | django-allauth-id4me | PyPI | ID4me GitLab | ID4me extension to django-allauth |
| WordPress | ID4me | GitLab | ID4me GitLab | Based on id4me/id4me-rp, only Authentication |
Reference designs for the login Button in various formats and sizes are available here: Login_Button.zip.
Implementation tips & hints
As ID4me is based on OpenID Connect, a well-established standard, many libraries are available that cover a large portion of the protocol and save precious implementation time. Many frameworks already have built-in support for Single Sign-On or offer APIs for it, either natively or through available plugins or extensions. Before implementing a library from scratch or heading for a very custom implementation, it is worth researching the available options for your purpose.
ID4me uses some features of OpenID Connect that are not always implemented by available libraries. The usual suspects are Dynamic Client Registration and Distributed Claims. Make sure the library of your choice covers them or allows easy extension for the missing part. If you plan to use ID4me’s unique feature of specifying reasons for data requirements, which is not part of OpenID Connect, a custom implementation will most likely be needed.
If you head for your own implementation of OpenID Connect, it is especially advisable to use a well-established and tested library for JOSE and JWT that implements all necessary checks and is free of known security vulnerabilities. A handy repository of options is available at https://jwt.io/ together with a very useful debugger. The library must support JWE (encrypted) and JWS (signed) tokens, as well as offer handling for JWK and JWK Sets.
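Distributed Claims are the OpenID Connect Core mechanism in which a response carries `_claim_names` and `_claim_sources` and the Relying Party fetches the named claims from a second endpoint. The resolver below is an added example written for this page, not code from the ID4me reference libraries; the hostnames, access token and claim values are constructed placeholders, and the `fetch` callback stands in for an HTTPS request with a bearer token. The point it makes is the defensive one: only claims explicitly listed in `_claim_names` are taken from a source, and a source is never allowed to overwrite a claim the issuer asserted directly (such as `sub`).

```python
import json

# Constructed sample: a userinfo response from the issuer that asserts "sub" itself
# and delegates "email" and "given_name" to a second source. All hostnames, tokens
# and values are placeholders made up for this example.
SAMPLE_USERINFO = {
    "sub": "alice.example.test",
    "_claim_names": {"email": "agent", "given_name": "agent"},
    "_claim_sources": {
        "agent": {
            "endpoint": "https://agent.example.test/userinfo",
            "access_token": "constructed-access-token",
        }
    },
}

# What the delegated endpoint would answer (constructed). The extra "sub" and
# "email_verified" members are NOT listed in _claim_names and must be ignored.
CONSTRUCTED_SOURCE_RESPONSES = {
    "https://agent.example.test/userinfo": {
        "email": "alice@example.test",
        "given_name": "Alice",
        "email_verified": True,
        "sub": "someone-else",
    }
}


def fake_fetch(endpoint, access_token):
    """Stand-in for an HTTPS GET with 'Authorization: Bearer <access_token>'."""
    if access_token != "constructed-access-token":
        raise PermissionError("source rejected the access token")
    return CONSTRUCTED_SOURCE_RESPONSES[endpoint]


def resolve_distributed_claims(claims, fetch):
    """Flatten an OpenID Connect response that uses _claim_names/_claim_sources.

    `fetch(endpoint, access_token)` returns the parsed JSON of the referenced
    source. Only claims explicitly named in _claim_names are taken from a
    source, and a source may never change a claim the issuer asserted directly.
    """
    names = claims.get("_claim_names", {})
    sources = claims.get("_claim_sources", {})
    resolved = {k: v for k, v in claims.items()
                if k not in ("_claim_names", "_claim_sources")}
    fetched = {}  # one request per source, however many claims it serves
    for claim, source_name in names.items():
        source = sources.get(source_name)
        if not isinstance(source, dict) or "endpoint" not in source:
            # aggregated claims (a "JWT" member) are out of scope for this example
            raise ValueError(f"claim {claim!r}: unsupported or unknown source {source_name!r}")
        if source_name not in fetched:
            fetched[source_name] = fetch(source["endpoint"], source.get("access_token"))
        remote = fetched[source_name]
        if claim not in remote:
            continue  # the source did not deliver it; the claim simply stays absent
        if claim in resolved and resolved[claim] != remote[claim]:
            raise ValueError(f"claim {claim!r}: source contradicts the issuer")
        resolved[claim] = remote[claim]
    return resolved


def demo():
    """Resolve the constructed sample; returns the flat claims dict."""
    return resolve_distributed_claims(SAMPLE_USERINFO, fake_fetch)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real integration `fetch` would be the HTTPS client of your framework, and the endpoint host should be checked against what discovery returned for the identifier before any request is sent.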
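The "necessary checks" a JWT library has to perform are easy to list but easy to get wrong, which is why the text recommends a tested library. The following is an added example written for this page (not code from ID4me or any library it lists) that spells those checks out on a compact JWS using only the Python standard library: an explicit algorithm allow-list, a constant-time signature comparison, and issuer, audience, expiry and nonce validation. HS256 with a client secret is used only because it needs no extra dependency; the client id, secret, issuer URL and token claims are constructed placeholders. `make_id_token` exists purely to build test input.

```python
import base64
import hashlib
import hmac
import json
import time

# Placeholder configuration for this example (nothing here is a real secret or endpoint).
CLIENT_ID = "example-relying-party"
CLIENT_SECRET = b"constructed-client-secret-for-the-example-only"
EXPECTED_ISSUER = "https://authority.example.test"   # the issuer found during discovery
ALLOWED_ALGS = {"HS256"}                             # configured by the RP, never taken from the token
CLOCK_SKEW_SECONDS = 60


class TokenInvalid(Exception):
    """Raised for any failed check; the login attempt must then be rejected."""


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims, alg="HS256"):
    """Build a compact HS256 JWS. Used here only to construct test input."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(CLIENT_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_id_token(token, expected_nonce, now=None):
    """Return the claims of `token` if every check passes, otherwise raise TokenInvalid."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("not a three-part compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        raise TokenInvalid("malformed header")
    # 1. Algorithm allow-list: rejects "none" and any algorithm the RP did not configure.
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenInvalid("algorithm not allowed: %r" % header.get("alg"))
    # 2. Signature over the exact bytes received, compared in constant time.
    expected_sig = hmac.new(CLIENT_SECRET, (header_b64 + "." + payload_b64).encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise TokenInvalid("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    # 3. Issuer must be the Identity Authority discovered for this identifier.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenInvalid("unexpected issuer")
    # 4. Audience must include this client_id ("aud" may be a string or a list).
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if CLIENT_ID not in audiences:
        raise TokenInvalid("token not issued for this client")
    # 5. Time window: "exp" is mandatory; "nbf" is checked when present.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"] + CLOCK_SKEW_SECONDS:
        raise TokenInvalid("token expired or has no exp")
    if claims.get("nbf", 0) > now + CLOCK_SKEW_SECONDS:
        raise TokenInvalid("token not yet valid")
    # 6. Nonce binds the token to the login request that started this flow (replay protection).
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        raise TokenInvalid("nonce mismatch")
    return claims
```

For RS256/ES256 tokens and for JWE the same sequence applies, with step 2 replaced by a signature check against the key selected from the issuer's JWK Set by `kid`, and with decryption happening before any claim is read; that key handling is exactly what a mature JOSE library should provide.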
Tools and testing end-points
Getting a new ID4me Identifier
To test your integration you will of course need your own ID4me identifier. You can register one very easily, provided you have a domain name on which you can set DNS records. An open instance of an Identity Agent working with DENIC’s Identity Authority instance, DENIC ID, is available at https://identityagent.de.
Register your ID: https://identityagent.de/register
Debugging Relying Party flow
For debugging purposes there is a Relying Party instance at https://shop.freedom-id.de/ which allows the full login flow and displays the relevant tokens.
To debug the particular calls a Relying Party needs to make, you can use this Postman collection and just adjust the end-points or values.
DNS Records resolver
This service performs the discovery step to obtain the Identity Authority URL behind an ID, as well as the verification of the required DNSSEC signatures of the corresponding DNS zones. Source code.
Let us know if you work on an open source project with ID4me. We will be glad to list a reference to your work on this page.
We are available for any questions you might have during your integration: email@example.com
You can also just post a comment.
Come hack with us
ID4me will be one of the featured projects during CloudFest 2019 Hackathon. Maybe we need YOU there?