Configuration

Prerequisites

You must have the following to proceed with configuration:

  • An established relationship with ID.me
  • An understanding of the OIDC protocol
  • Access to the appropriate development environment and resources on the partner’s side
  • A system able to make HTTPS calls (i.e., POST)

Required Information

Your organization will provide:

  • redirect_URI – a safe public URI where ID.me will redirect the user along with an authorization code. We support multiple URLs if needed.

Your ID.me team will add these to your Sandbox and Production Environments. Multiple redirects are supported. Localhost redirects are supported within Sandbox.

ID.me does not support dynamic URLs.

  • Certificate – To protect PII in transit, we encrypt the JSON payload using your public certificate (Base64 value, RSA 2048 bit).

Important

All certificates must begin with “-----BEGIN CERTIFICATE-----”

Please discuss encryption and certificate needs with your ID.me team in order to determine the appropriate path forward.

ID.me will provide:

  • authorization endpoint – a public URL to be used to start the authorization flow
  • token URL – a protected URL to be used to retrieve access tokens
  • attributes URL – a protected URL to be used to retrieve API responses
  • client_id – a public identifier for the OAuth integration
  • client_secret – a secretly held, private string used to authenticate your integration
  • scope – a value to identify the authentication/verification policy on the server
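
A pre-flight check for the redirect rules above, as an added example that is not ID.me code: it refuses any redirect URI that is not an exact match for a registered value, then builds the authorization request. The endpoint, client_id, scope and hostnames passed to it are placeholders, the query parameter names are the standard OAuth 2.0 / OIDC ones, and requiring HTTPS for non-local hosts is an assumption about what "safe" means here.

```python
import secrets
from urllib.parse import urlencode, urlsplit

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def redirect_uri_problems(uri, environment):
    """Return the reasons a redirect URI is unsuitable for registration."""
    parts = urlsplit(uri)
    problems = []
    is_local = parts.hostname in LOCAL_HOSTS
    if is_local and environment != "sandbox":
        problems.append("localhost redirects are supported only in Sandbox")
    # Assumption: "safe public URI" is read here as HTTPS for non-local hosts.
    if not is_local and parts.scheme != "https":
        problems.append("non-local redirect URIs should use https")
    if parts.fragment:
        problems.append("fragment not allowed (RFC 6749, section 3.1.2)")
    if any(c in uri for c in "*{}"):
        problems.append("wildcard or template characters imply a dynamic URL")
    return problems


def build_authorization_url(endpoint, client_id, scope, redirect_uri,
                            registered, environment):
    """Build the authorization request, refusing unregistered redirects."""
    # Exact string comparison: dynamic URLs are not supported, so a redirect
    # that differs from the registered value in any way is rejected.
    if redirect_uri not in registered:
        raise ValueError("redirect_uri is not one of the registered values")
    problems = redirect_uri_problems(redirect_uri, environment)
    if problems:
        raise ValueError("; ".join(problems))
    state = secrets.token_urlsafe(32)  # compare with the value on the callback
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
    })
    return f"{endpoint}?{query}", state
```

Keep the returned state in the user's session and compare it with the state value on the callback before exchanging the authorization code at the token URL.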

Environments

ID.me offers two separate environments:

Sandbox

idmelabs.com
Does not contain any PII or user data

Production

id.me
Does not contain any test identities

Your ID.me team can walk you through the differences and how to work with both options.