4.1.6. Requesting Identity Authentication

Once you know the OCP endpoint, your application sends an identity authentication request by redirecting the user’s browser to it. The request carries a set of parameters that define what is being asked for. The OpenID Connect library you use for the implementation is responsible for composing these parameters correctly.

An identity authentication request usually includes the following parameters:

  • Return address (URL) of the application – The address to which the user returns after logging in from the OpenID Connect provider’s website and where the outcome of the login is processed.

  • Required groups of data from MojeID – An identity authentication request has to contain at least openid as a required group of data.

  • Required data from MojeID – An identity authentication request can also include a list of individual data items from the MojeID identity which your application requires and which are handed over to your application, with the user’s consent, after a successful login. Each piece of data is referred to by its identifier. The data and their identifiers are listed in Appendix 1 – List of Data to be Handed Over (OpenID Connect). The list has the JSON format specified in the OpenID Connect documentation. Any item can be marked as required using the expression "essential": true.

Examples of items that can be included in the identity authentication request are listed in the following table:

Parameter (key)   Description and value
----------------  ------------------------------------------------------
scope             List of required groups of data
                  Example value: openid address

response_type     Determining the required authentication schema
                  Example value: id_token

client_id         Unique service provider’s identifier
                  Example value: test_clienti

redirect_uri      Return address from MojeID
                  Example value: http://www.poskytovatel-example.cz/

claims            More detailed specification of the required data
                  Example value:
                  {"userinfo":
                    {"name": null,
                     "nickname": {"essential": true}}
                  }

Example of an authentication request:

# HttpResponseRedirect comes from Django; `client` is the configured OpenID Connect
# client object of the library in use (pyoidc's Consumer exposes begin() with this
# signature). URL is the application's return address, SCOPE the required data groups.
from django.http import HttpResponseRedirect

sid, location = client.begin(path=URL, scope=SCOPE)  # sid: session id to keep, location: provider's login URL
HttpResponseRedirect(location)  # returned from the view so the browser is sent to the provider

Examples of an authentication request query:

Example of requesting data via “scope” (group of data):

GET /oidc/authorization/?response_type=code&scope=openid%20profile%20email&client_id=s6BhdRkqt3&state=af0ifjsldkj&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1
Host: mojeid.cz

Example of requesting data via “claims” (individual data):

GET /oidc/authorization/?state=950ba54cb302a7c6a814f22a4e5c5445&redirect_uri=https%3A%2F%2Fmojeid.cz%3A8000%2Fconsumer%2Foic%2Ffinish%2F&response_type=code&client_id=8ol68PATaSpA&scope=openid&claims=%7B%22userinfo%22%3A+%7B%22name%22%3A+null%2C+%22nickname%22%3A+%7B%22essential%22%3A+true%7D%7D%7D&ui_locales=off HTTP/1.1
Host: mojeid.cz
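The following is an added example, not code from MojeID’s documentation or library, showing how the parameters above are assembled into the authorization request URL and how the application should handle the return trip: the redirect_uri is checked against the application’s own registered allow-list, the scope must contain openid, the claims object is serialised to JSON and URL-encoded exactly as in the “claims” query above, and a random state is generated, stored and compared (constant-time) when the user comes back. The endpoint URL, the client identifiers and the registered return address are assumed values.

```python
import json
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed values: the provider's authorization endpoint and the one return
# address this (hypothetical) application registered with the provider.
AUTHORIZATION_ENDPOINT = "https://mojeid.cz/oidc/authorization/"
REGISTERED_REDIRECT_URIS = {"https://client.example.org/cb"}


def build_authorization_url(client_id, redirect_uri, scope=("openid",),
                            claims=None, response_type="code", state=None):
    """Compose the identity authentication request URL.

    `scope` is the list of required data groups, `claims` the Python form of
    the JSON "claims" object. Returns (url, state); the caller keeps `state`
    in the user's session for the check on return.
    """
    # Only a pre-registered return address may be used; refuse anything else
    # before the request ever leaves the application.
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError("redirect_uri is not a registered return address")
    if "openid" not in scope:
        raise ValueError("scope must contain the 'openid' data group")
    if state is None:
        # Unguessable per-request value binding the response to this session.
        state = secrets.token_hex(16)
    params = {
        "response_type": response_type,
        "scope": " ".join(scope),
        "client_id": client_id,
        "state": state,
        "redirect_uri": redirect_uri,
    }
    if claims:
        # json.dumps + urlencode yields the same encoding as the query example
        # above (quotes, braces and colons percent-encoded, spaces as '+').
        params["claims"] = json.dumps(claims)
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params), state


def query_params(url):
    """Decoded query parameters of a request URL (for inspection and tests)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def check_return(returned_query, expected_state):
    """Validate the query string the provider appends to the return address.

    Returns the authorization code only when no error is reported and the
    state equals the one stored for this session; otherwise returns None so
    the application refuses the response.
    """
    q = parse_qs(returned_query)
    if "error" in q:
        return None
    state = q.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        return None
    return q.get("code", [None])[0]


if __name__ == "__main__":
    # Constructed claims object matching the one in the text.
    claims = {"userinfo": {"name": None, "nickname": {"essential": True}}}
    url, state = build_authorization_url(
        "8ol68PATaSpA", "https://client.example.org/cb", claims=claims)
    print(url)
    print(check_return("code=SplxlOBeZQQYbYS6WxSbIA&state=" + state, state))
```

The state check is the part most often skipped in hand-written integrations: without it, a response produced for a different session is accepted as if it belonged to the current user. Keeping redirect_uri on a fixed allow-list rather than taking it from request input is the matching precaution on the outgoing side.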

The response from the server comes only after the authentication is performed. An example of the response can be found in the Response to Authentication section.