4.1.2. Implementation Process Overview

This overview includes organizational and technical steps you have to take to implement logging in to your service via mojeID using the OpenID Connect protocol. The individual steps are brief and say what to do, while the link targets provide more details on how to do that, or they contain additional information. The overview can serve as a checklist.

Preparing the test environment

  1. Register your service (client) at the test Registration Endpoint – this way you will get test metadata of your service (Client ID, Client Secret) and an opportunity to set up certain parameters of the communication.


    In case of the Automatic Registration, the Client Secret’s validity ends after a certain time period. If you decide to opt for Automatic Registration, it is important to set up registration renewal.

  2. Send the service’s test metadata (Client ID) to support (techsupport@mojeid.cz). The support sets up accesses.

  3. Create and set up mojeID test accounts.

Implementation and debugging

You will need: text editor, browser, access to hosting, OIDC specifications

You might find our recommendations for debug tools. useful for implementation debugging. During the debugging, you might come accross various error messages. Appendix 6 – Examples and Solution of Error Messages might help you with them.

  1. Add mojeID button and links to the (template/sites of the) service the user will use to request login. Follow correct implementation procedure!

  2. Get test OIDC provider configuration (webfinger).

  3. Library configuration – enter test Client ID and Client Secret, or also test endpoints, if the library cannot retreive this information automatically from the OIDC provider’s configuration.

  4. Create and send an authentication request to the Authorization Endpoint.


    The request should also include the information about the chosen authentication schema </SeznameniSMojeid/ProcesKomunikacePresMojeid/OpenIDConnect/index>. The following steps correspond to the Access Code schema.

  5. Process the authentication response at the return address stated in the request which receives an access code (code).

  6. Create and send a token request to the Token Endpoint. You will use the received access code in the request.

  7. Process the response from which you get an Access Token (access_token) and an ID Token (id_token, What does ID Token contain?), whose validity has to be verified by the implementation (see ID Token Validation).

  8. If the ID Token is valid, create and send a user data request to UserInfo Endpoint. Use the received access code in the request.

  9. Process the response with the user’s data according to the needs of your service.

Implementation verification

If you want to operate the service with a full access, we have to perform user test of your implementation before your service transitions to production environment.

  1. When you finish debugging your implementation, send a notification to the support team (techsupport@mojeid.cz) that your implementation is ready for user test and attach the address of your service’s test instance.

  2. When we finish debugging the last details together, your implementation will be ready for the transition to the production environment.

Transition to the production environment

  1. To get the full access, you first need to sign a contract.

  2. Register your service (client) at the production Registration Endpointu – this way you will get production metadata of your service and set up certain parameters of the communication.

  3. Send the service’s production metadata (Client ID) to the support team (techsupport@mojeid.cz), also in case of a partial access.
    The support team will add the service into the catalog.

  4. Get a production OIDC provider configuration (webfinger).

  5. Reconfigure the implementation with production metadata, or also endpoints.

That is all.