Want to manage ID4me identities?
Check out what needs to be done to become an ID4me Identity Agent.
Identity Agent
The Identity-Agent is in direct contact with the End-User. It provides a service to manage identities and identity data. This identity data is provided to Login Partners upon requests with valid access rights. It is also responsible for ID4me registrations and setting/changing the ID4me password, which is securely realized by redirecting to the Identity Authority.
Useful Documents
- Technical overview – a very good document to start with and learn the principles of the ID4me protocol (pdf)
- ID4me Technical Specification – detailed specification of all ID4me-specific usage of OpenID Connect and of the applied extensions, independent of role (pdf) (adoc)
- DENIC ID Implementation Guide – a description of the DENIC Agent/Authority API, which is to be integrated into the standard
Reference Implementations
| Language | Name | Repository & Documentation | Demo | Comments |
|---|---|---|---|---|
| Python | identity-agent-prototype | ID4me GitLab | https://identityagent.de/ | Reference implementation |
Additional Information
In general, the Identity Agent interacts with two parties:
Identity-Authority
- Provisioning, deprovisioning and management of IDs. In this process the Identity Agent must also ensure domain ownership verification and DNS record setup. The AIM API is the reference for this interaction.
- (optional) Receive login notifications – as described in 2.2.3 of ID4me Technical Specification
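As an added example (not code from this page or from the identity-agent-prototype), the following Python checks the DNS TXT record an Identity Agent publishes for an identifier before it reports the setup as complete to the Identity Authority. It assumes the record lives at `_openid.<identifier>` and carries `v=OID1;iss=<authority host>;clp=<agent host>`, a format recalled from the ID4me Technical Specification that should be verified against the current spec; the host names are the test instances named on this page.

```python
"""Added example: build and validate the ID4me DNS TXT record an Identity Agent
publishes for an identifier. Record name and field layout are assumptions taken
from the ID4me Technical Specification, not from this page."""
import re
from dataclasses import dataclass

RECORD_VERSION = "OID1"
# One DNS label: letters, digits, hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Accept only a bare DNS hostname: no scheme, path, port or userinfo."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.lower().split("."))


@dataclass(frozen=True)
class Id4meRecord:
    authority: str   # iss: host of the Identity Authority that holds the password
    agent: str       # clp: host of the Identity Agent (claims provider)

    def record_name(self, identifier: str) -> str:
        """Owner name of the TXT record for this identifier (assumed layout)."""
        return f"_openid.{identifier.rstrip('.')}."

    def rdata(self) -> str:
        """TXT rdata in the assumed v=...;iss=...;clp=... layout."""
        return f"v={RECORD_VERSION};iss={self.authority};clp={self.agent}"


def parse_record(txt: str) -> Id4meRecord:
    """Parse TXT rdata strictly; any unexpected shape raises ValueError."""
    fields = {}
    for part in txt.strip().split(";"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep or key in fields:
            raise ValueError(f"malformed or duplicate field: {part!r}")
        fields[key] = value
    if fields.get("v") != RECORD_VERSION:
        raise ValueError("unsupported or missing record version")
    for key in ("iss", "clp"):
        if not is_valid_hostname(fields.get(key, "")):
            raise ValueError(f"{key} is missing or is not a hostname")
    return Id4meRecord(authority=fields["iss"], agent=fields["clp"])


def record_matches(txt: str, expected_authority: str, expected_agent: str) -> bool:
    """Setup check: the published record must name this agent and the authority
    the identifier was provisioned with; anything else is treated as not set up."""
    try:
        rec = parse_record(txt)
    except ValueError:
        return False
    return (rec.authority.lower() == expected_authority.lower()
            and rec.agent.lower() == expected_agent.lower())


if __name__ == "__main__":
    # Constructed sample using the test hosts from the page.
    rec = Id4meRecord("id.test.denic.de", "identityagent.de")
    print(rec.record_name("alice.example"), "IN TXT", f'"{rec.rdata()}"')
    print(record_matches(rec.rdata(), "id.test.denic.de", "identityagent.de"))
```

The parser is deliberately strict: a record that points `clp` at some other host, carries an unknown version, or smuggles a URL into a host field is treated as "not set up", so the agent never reports a half-configured identifier as ready.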
Login Partners
- Provide claim information to relying parties based on access tokens – as described in 2.4 of ID4me Technical Specification
The Identity Agent must also expose a limited openid-configuration, which allows Identity Authorities and Relying Parties to discover the capabilities and technical properties of the Identity Agent, such as supported claims or encryption schemes. More in 2.1.1 of ID4me Technical Specification.
The Identity Agent may also implement the role of Login Partner in order to allow its End-Users to log in to their own identities. For this part please refer to the Login Partner Developer Zone.
Implementation tips and hints
The Identity Agent implements only a small portion of OpenID Connect (Distributed Claims Provider), so most likely none of the off-the-shelf libraries support this use case. It is, however, especially advised to use a well-established and tested library for JOSE and JWT that implements all necessary checks and is free of known security vulnerabilities. A handy repository of options is available at https://jwt.io/ together with a very useful debugger. The library must support JWS (signed) tokens, optionally also JWE (encrypted) tokens, and offer handling for JWK and JWK Sets.
Tools and testing end-points
Authority-Agent Interface
The full flow can be tested against DENIC's test instance of the Identity Authority at https://id.test.denic.de/
Authorization Flow
For debugging purposes there is a Relying Party instance at https://rp.test.denic.de which allows the full flow through the login process and displays the relevant tokens, as well as a verbose view of the requests and responses to/from the Agent in the Authorization flow.
Contact us
Let us know if you work on an open source project with ID4me. We will be glad to list a reference to your work on this page.
We are available for any questions you might have during your integration: support@id4me.org.