Want to Keep and Verify ID4me User Credentials?

Check out what needs to be done to become an ID4me Identity Authority.

marcos-mayer-8_NI1WTqCGY-unsplash

Identity Authority

Since ID4me is based on OpenID Connect, if you want to run an Identity Authority basically you just have to set up an OpenID Connect Identity Provider. There is plenty of software available for it, here you can find the ones certified by the OpenID Foundation. If you want to be an Identity Agent at the same time, which is perfectly possible, then you should also check this page.

Afterwards you have then to set up your server properly, so you better read some of these before doing that:

Useful Documents

Reference Implementations

Name

Framework

Language

Repository & Documentation

Issuer

Comments

DENIC-ID

Connect2id

Java

ID4me GitLab

https://id.denic.de/

Reference implementation

Other Compatible Deployments

Name

Framework

Language

Website

Issuer

Comments

Mailbox

Keycloak

Java

mailbox.org

https://id4me.mailbox.org/auth/realms/mbo/

Authority and Agent combined

MojeID

pyoidc

Python

mojeid.cz

https://mojeid.cz/oidc/

Authority and Agent combined

Useful Frameworks

Name

Language

Webseite

Comments

Kopano Konnect

Go

Kopano Github

Open Source OIDC Server

Implementation tips and hints

Dynamic Client Registration

One of the ideas at the core of ID4me is the federation of identity providers. In such a scenario a Relying Party might need to contact an identity provider it hasn’t dealt with before at the beginning of an authentication workflow. Reciprocally, an ID4me identity authority needs to support the Dynamic Client Registration protocol and so you run an open registration endpoint.

Decissions about ID4me Identifier Registration

Being responsible for user authentication, it is up to you how you populate and maintain your database of users and their credentials, and whether they are traditional username and passwords, or more advanced mechanisms like 2FA or U2F.

For example, DENIC-ID only allows contracted partners (agents) to register ID4me identifiers and offers them a dedicated interface for all operations needed during the lifecycle of a DENIC-ID. DENIC-ID also requires those partners to solve a so-called DNS ACME challenge before registration to prove possession of the domain name behind the ID4me identifier.

Separation of roles: Authority and Agent

If you are not running an Authority and an Agent altogether, you most probably will make use of Distributed Claims at the Userinfo Endpoint of the Authority. There, for a given identifier, you have to return to the Relying Party the associated Agent Userinfo Endpoint and an Access Token.

Agent Userinfo Endpoint

The means to find out the Userinfo Agent Endpoint for a given ID4me identifier is open to you: you can hardcode it in your system (if, as an authority, you work only with one agent), you can use some offline mechanism (e.g. an identifier registration database, like DENIC-ID does), or an online convention mechanism (i.e. DNS-discovery as described in our documentation).

Access Token

For Agents to be able to consume/verify your access tokens, they have to be self-encoded JWTs following the ID4me conventions described here.

Identity-Agent implements only a small portion of OpenID Connect (Distributed Claims Provider), therefore most likely none of the off-shelf libraries would support this use case. It is however especially advised to use a well-established and tested library for JOSE and JWT, implementing all necessary checks and free of known security vulnerabilities. A handy repository of options is available at https://jwt.io/ together with a very useful debugger. The library must JWS (signed) tokens, optionally also support JWE (encrypted) tokens as well as offer handling for JWK and JWKSets.

 

Tools and testing end-points

Authority-Agent Interface

You can compare the behaviour of your endpoints with those of DENIC-IDs test instance of Identity Authority at https://id.test.denic.de/

Authorization Flow

For debugging purposes there is a Relaying Party instance at https://rp.test.denic.de which allows full flow through the login process and displays relevant tokens, as well as verbose view on requests and responses to/from Agent in the Authorization flow.

JOSE and JWT

If, for whatever reason, you need to peek at the content of JWTs, you can use the online service https://jwt.io/ for any of the libraries listed there.

 

Contact us

Let us know if you work on an open source project with ID4me. We will be glad to list a reference to your work on this page.

We are available for any questions you might have during your integration: support@id4me.org.

Want to Meet Us? Join Our ID4me Summit In Madrid!

Stay In Touch With ID4me!

Subscribe to always stay in touch with us and get the latest news about our company and all of your activities!