Want to Keep and Verify ID4me User Credentials?
Check out what needs to be done to become an ID4me Identity Authority.
Since ID4me is based on OpenID Connect, if you want to run an Identity Authority basically you just have to set up an OpenID Connect Identity Provider. There is plenty of software available for it, here you can find the ones certified by the OpenID Foundation. If you want to be an Identity Agent at the same time, which is perfectly possible, then you should also check this page.
Afterwards you have then to set up your server properly, so you better read some of these before doing that:
- Technical overview – a very good document to start with and learn the principles of ID4me protocol (pdf)
- ID4me Technical Specification – detailed technical specification of all ID4me specific usage OpenID Connect as well as applied extensions independent of the role (pdf) (adoc)
- DENIC ID Implementation Guide – A description of Denic Agent/Authority API, which is to be integrated into the standard
Repository & Documentation
Other Compatible Deployments
Authority and Agent combined
Authority and Agent combined
Open Source OIDC Server
Implementation tips and hints
Dynamic Client Registration
One of the ideas at the core of ID4me is the federation of identity providers. In such a scenario a Relying Party might need to contact an identity provider it hasn’t dealt with before at the beginning of an authentication workflow. Reciprocally, an ID4me identity authority needs to support the Dynamic Client Registration protocol and so you run an open registration endpoint.
Decissions about ID4me Identifier Registration
Being responsible for user authentication, it is up to you how you populate and maintain your database of users and their credentials, and whether they are traditional username and passwords, or more advanced mechanisms like 2FA or U2F.
For example, DENIC-ID only allows contracted partners (agents) to register ID4me identifiers and offers them a dedicated interface for all operations needed during the lifecycle of a DENIC-ID. DENIC-ID also requires those partners to solve a so-called DNS ACME challenge before registration to prove possession of the domain name behind the ID4me identifier.
Separation of roles: Authority and Agent
If you are not running an Authority and an Agent altogether, you most probably will make use of Distributed Claims at the Userinfo Endpoint of the Authority. There, for a given identifier, you have to return to the Relying Party the associated Agent Userinfo Endpoint and an Access Token.
Agent Userinfo Endpoint
The means to find out the Userinfo Agent Endpoint for a given ID4me identifier is open to you: you can hardcode it in your system (if, as an authority, you work only with one agent), you can use some offline mechanism (e.g. an identifier registration database, like DENIC-ID does), or an online convention mechanism (i.e. DNS-discovery as described in our documentation).
For Agents to be able to consume/verify your access tokens, they have to be self-encoded JWTs following the ID4me conventions described here.
Identity-Agent implements only a small portion of OpenID Connect (Distributed Claims Provider), therefore most likely none of the off-shelf libraries would support this use case. It is however especially advised to use a well-established and tested library for JOSE and JWT, implementing all necessary checks and free of known security vulnerabilities. A handy repository of options is available at https://jwt.io/ together with a very useful debugger. The library must JWS (signed) tokens, optionally also support JWE (encrypted) tokens as well as offer handling for JWK and JWKSets.
Tools and testing end-points
You can compare the behaviour of your endpoints with those of DENIC-IDs test instance of Identity Authority at https://id.test.denic.de/
For debugging purposes there is a Relaying Party instance at https://rp.test.denic.de which allows full flow through the login process and displays relevant tokens, as well as verbose view on requests and responses to/from Agent in the Authorization flow.
JOSE and JWT
If, for whatever reason, you need to peek at the content of JWTs, you can use the online service https://jwt.io/ for any of the libraries listed there.
Let us know if you work on an open source project with ID4me. We will be glad to list a reference to your work on this page.
We are available for any questions you might have during your integration: firstname.lastname@example.org.
Meet the ID4me team at industry events!
Subscribe to always stay in touch with us and get the latest news about our company and all of your activities!