1. Identification Service
This section describes the technical integration with the Connective Identification Service.
The API for the Identification Service is based on the OpenID Connect protocol, specifically the Authorization Code Flow. The Connective implementation is a basic implementation of this protocol. The “OpenID Connect Basic Client Implementer’s Guide” can be consulted for more generic information about the protocol and its implementation as a protocol client. See section 10. References for the URL.
This document will describe the protocol as implemented for the Connective Identification Service.
The OpenID Connect protocol goes as follows:
- The customer application redirects the end user’s browser to the Identification Service’s Authorization Endpoint, indicating what user information will be requested.
  - Browser scenario
    - If not installed, the user is asked to install the Connective Browser Package or Connective SignID software (depending on the version).
    - The requested data is fetched from the eID card and presented to the user in the eID readout page.
    - The user either accepts or refuses to share his/her data with the customer application.
  - Mobile scenario
    - If not installed, the user is asked to install the Connective app.
    - The Connective app opens and shows the eID readout page.
    - The requested data is fetched from the eID card and presented to the user in the eID readout page.
    - The user either accepts or refuses to share his/her data with the customer application.
    - The user goes to the mobile browser to continue.
- Browser scenario
  - The Identification Service redirects the user’s browser to the customer application with a “code”.
  - The customer application’s backend calls the Token Endpoint and authorizes itself; in exchange, the customer application receives an “access token” (used to access the user’s data) and an “id token”, which mainly serves as an identifier for the user.
  - The customer application’s backend calls the UserInfo endpoint to retrieve the requested user information, formatted as claims.
The Identification Service also implements the JWKS endpoint, which lets the customer application retrieve the public keys needed to verify the JWT tokens issued by the service.
The OpenID Connect Discovery endpoint can be called to retrieve information about where the other endpoints are located and which modes are supported.
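As an added example (not Connective's own code), the checks a customer application's backend should apply on its side of the Authorization Code Flow described above: the state and nonce generated before the redirect to the Authorization Endpoint, the state check on the "code" callback, and the ID token claim checks performed after the signature has been verified with a key from the JWKS endpoint. The issuer, endpoint, client id and redirect URI values are placeholders, not Connective's real ones.

```python
import base64, json, secrets, time
from urllib.parse import urlencode

ISSUER = "https://idp.example.invalid"            # placeholder issuer (assumption)
AUTHZ_ENDPOINT = ISSUER + "/authorize"            # placeholder; real value comes from Discovery
CLIENT_ID = "customer-app"                        # constructed sample client id
REDIRECT_URI = "https://app.example.invalid/cb"   # constructed sample redirect URI

def build_authorization_request(scopes=("openid", "profile")):
    """Return (url, state, nonce); store state and nonce server-side for the callback."""
    state = secrets.token_urlsafe(32)  # binds the callback to this browser session (anti-CSRF)
    nonce = secrets.token_urlsafe(32)  # binds the returned ID token to this request (anti-replay)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": " ".join(scopes), "state": state, "nonce": nonce}
    return AUTHZ_ENDPOINT + "?" + urlencode(params), state, nonce

def code_from_callback(query, expected_state):
    """Accept the 'code' from the redirect only if state matches what we stored."""
    if not expected_state or not secrets.compare_digest(query.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback is not bound to this session")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"]

def decode_claims(id_token):
    """Decode the ID token payload. The signature must already have been verified
    with a key fetched from the service's JWKS endpoint (not shown here)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def validate_id_token_claims(claims, expected_nonce, now=None):
    """Claim checks a relying party performs on the ID token; returns the user's 'sub'."""
    now = time.time() if now is None else now
    aud = claims.get("aud") if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if CLIENT_ID not in aud:
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: possible replayed token")
    return claims["sub"]

def constructed_sample_token(claims):
    """Offline test fixture only: an unsigned header.payload. string. Real tokens are signed."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + "."
```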