
Overview

Ver.iD Authentication is an advanced OpenID Connect Identity Provider (IdP) designed to streamline secure authentication processes for modern web applications that want to incorporate identity apps into their authentication flows. This service utilizes OpenID Connect Core 1.0 (errata set 2) as its primary protocol, with OAuth 2.1 as the underlying authorization protocol. These established protocols enable seamless integration of decentralized identity apps into your platform, leveraging standards that have reliably and securely served the online community for years.

Below is a list of features, sequence diagrams, standards, protocols, and recommendations to provide a comprehensive overview of all technical options available in this service.

Features

  • Client Types: Supports both confidential and public clients, providing flexibility to meet diverse application needs.
  • Access Tokens: Generates JSON-Web-Tokens (JWTs) that are fully compliant with OpenID Connect specifications, ensuring secure and standard-compliant access tokens.
  • Security: Enhances security for public clients by implementing Proof Key for Code Exchange (PKCE).
  • Discovery: All IdP metadata is published and available through OpenID Connect Discovery.
  • Interoperability: Seamlessly integrates with on-premise providers like Keycloak and Ory Hydra, as well as third-party IAM providers such as Auth0 and Ping Identity, or identity brokers such as Signicat.
  • Stateless: Designed for ease of integration into web applications without requiring any backend, including popular frontend frameworks like React and VueJS.

Sequence diagram

The sequence diagram below provides a detailed walkthrough of a standard OpenID Connect interaction between your customer, your platform, our IdP and the identity app. The diagram gives a basic understanding of all technical steps involved in the authentication process.

[Diagram: sequence diagram of the authentication flow]

Actors

  • Customer: This is your customer.
  • Client: This is your platform.
  • Ver.iD: This is our IdP.
  • App: This is an identity app in control of the Customer.

Steps

  1. The customer initiates the login process by clicking the login button on your website.
  2. The client application (your front-end or back-end) receives the login request and begins an OAuth authorization request by redirecting the customer to the authorization_endpoint of the IdP.
  3. The IdP presents the customer with a secure hosted page and provides options such as a QR code, Universal Link (iOS), or App Link (Android) for different identity apps.
  4. The customer selects an identity app and gets forwarded to the app by QR code, Universal Link or App Link.
  5. The identity app guides the customer through the authentication process:
    • If necessary, the identity app will obtain missing credentials from appropriate issuers.
  6. The identity app sends the authentication result back to the customer's browser.
  7. The customer provides consent for data sharing and optionally agrees with additional data policies of the client.
  8. The IdP returns an authorization code or an error to the client application.
  9. The client application (either front-end or back-end) requests an access token by initiating an OAuth grant request.
  10. The IdP verifies either the client_secret for confidential clients or the PKCE code_verifier for public clients in conjunction with the authorization_code.
  11. The IdP responds with an access_token or an error to the client application.
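The PKCE part of steps 2, 9 and 10 above, as an added Python example that is not Ver.iD's own code: the public client creates a code_verifier, sends only its S256 challenge with the authorization request, reveals the verifier in the grant request, and the IdP checks that the verifier reproduces the challenge stored with the authorization code. The endpoint URL, client_id and redirect_uri are placeholders; a real client takes the endpoints from the discovery document.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder; a real client reads authorization_endpoint from OpenID Connect Discovery.
AUTHORIZATION_ENDPOINT = "https://idp.example/authorize"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_verifier() -> str:
    """32 random bytes encode to 43 characters, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(32))


def authorization_url(client_id: str, redirect_uri: str, verifier: str, state: str) -> str:
    """Step 2: the redirect to the authorization_endpoint; only the challenge travels here."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def token_request(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Step 9: form fields of the grant request; the verifier is revealed only now."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "code_verifier": verifier}


def idp_verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Step 10, IdP side: the verifier must reproduce the challenge stored with the code."""
    if method != "S256" or not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(code_challenge(presented_verifier), stored_challenge)
```

The verifier/challenge pair used in the test is the reference vector from RFC 7636 Appendix B.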

Supported web specifications

The following web specifications are implemented in this service:

Supported OAuth clients

The following OAuth client types are available:

| Client type | Supported | Additional constraints |
|---|---|---|
| Public client | Yes | PKCE |
| Confidential client | Yes | |

Supported OAuth responses

The following OAuth response types are available:

| Response type | Supported | Additional constraints | Client type |
|---|---|---|---|
| authorization code | Yes | PKCE | Public |
| authorization code | Yes | | Confidential |

Supported OAuth scopes

The following OAuth scopes are available:

| Scope | Supported | Description |
|---|---|---|
| openid | Mandatory | |
| profile | Depends* | A custom scope that includes the family_name, given_name, middle_name and name claims from the BRP. |
| phone | Depends* | Follows the OpenID Connect Core 1.0 specification, section 5.1. |
| email | Depends* | Follows the OpenID Connect Core 1.0 specification, section 5.1. |
| address | Depends* | Follows the OpenID Connect Core 1.0 specification, section 5.1.1. |
| company | Depends* | A custom scope that includes the identifier, identifier_type and name claims from the Chamber of Commerce (KVK) credential. |
| test-profile | Depends* | A custom profile scope that uses the Municipality Personal Data from the BRP test scheme instead of the production scheme. |
| nin | Depends* | A custom scope that includes the identifier and identifier_type claims from the Dutch National identification (BSN) credential. |
| birthdate | Depends* | Follows the OpenID Connect Core 1.0 specification, section 5.1. |
| birth-country | Depends* | A custom scope that includes the birth_country claim. |

*: See the supported apps section in the navigation for details on whether this scope is available for a given identity app.

Supported OAuth grants

The following OAuth grant types are available:

| Grant | Supported | Additional constraints | Client type |
|---|---|---|---|
| authorization code | Yes | PKCE | Public |
| client credentials | Yes | | Confidential |
| implicit | No | | |

Supported OAuth tokens

Below is a list of supported access tokens:

| Media type | Key type | Supported algorithms | Uses | Opts | Default |
|---|---|---|---|---|---|
| ver-id/ssi/output/openid/v1+JWT | EC | ES384, ES512 | sig, enc | sign, verify, encrypt, decrypt | yes |
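A defender-side pre-check on the access token described above, added here as an example and not Ver.iD's own code: before any signature work, a relying party rejects tokens whose JOSE header names an algorithm the IdP does not publish (including "none" and HMAC algorithms), carries an unexpected typ, or embeds its own key material. ALLOWED_ALGS is taken from the table; treating the media type as the value of the "typ" header is an assumption, and make_unsigned_sample only builds constructed test input.

```python
import base64
import json

# Signing algorithms the IdP publishes for its access tokens (from the table above).
ALLOWED_ALGS = {"ES384", "ES512"}
# Assumption: the media type from the table is carried in the JOSE "typ" header (RFC 8725 explicit typing).
EXPECTED_TYP = "ver-id/ssi/output/openid/v1+JWT"


def _b64url_decode(segment: str) -> bytes:
    """Restore the padding that compact serialization strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_jose_header(token: str) -> dict:
    """Gate a compact JWS before signature verification. Returns the parsed header,
    or raises ValueError for a malformed token, an unlisted alg, the wrong typ,
    or key material smuggled inside the header."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three segments")
    header = json.loads(_b64url_decode(parts[0]))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:  # also rejects "none", HS* and RS*
        raise ValueError(f"alg {alg!r} is not one the IdP publishes")
    if header.get("typ") != EXPECTED_TYP:
        raise ValueError(f"unexpected typ {header.get('typ')!r}")
    if "jwk" in header or "x5c" in header:  # verification keys come only from the discovery jwks_uri
        raise ValueError("embedded key material is not accepted")
    return header


def make_unsigned_sample(header: dict) -> str:
    """Constructed test input: the given header, a dummy payload and a placeholder signature segment."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")
    payload = json.dumps({"sub": "demo"}).encode("ascii")
    return f"{enc(json.dumps(header).encode('ascii'))}.{enc(payload)}.placeholder"
```

Signature verification against the key from the discovery jwks_uri still has to follow; this check only stops the token from reaching it with an unexpected header.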

Compliance recommendations

The following recommendations are applied.

| Standard | Applied to | Description |
|---|---|---|
| NIST FIPS PUB 186-5 | cryptography | Recommendations on the algorithms used to sign the access tokens. |
