5.2. Checking Data Validity

After a registration form is submitted, the registration server checks data validity and asks the user to correct any errors. In case the data is valid, the process of registration of a new account is initiated. The registration server saves all the necessary data in this account and adds your identification (service provider identifier, realm). Then, the identification of the user starts with sending PIN1 and PIN2.

The next step is informing your application of a successful registration.

In case of communication via OpenID 2.0, the server uses the URI that identifies your realm and tries to find an XRDS document with at least one <xrd:Service> element containing the following elements:

  • <xrd:Type> with a value of http://specs.nic.cz/registration/assert_url and

  • <xrd:URI> with a URL interface where the information about registration is sent.

During this process, there must not be any redirection and the URL interface must be within the service provider’s URI (realm) (see https://openid.net/specs/openid-authentication-2_0.html#realms).

In case of communication via OpenID Connect, the URL for sending information must be entered during the client registration process using the assertion_uris key that contains a list of addresses (encrypted in a JSON) to send the messages to.

Your application directly sends a HTTPS POST message to the interface determined by the URL. The message contains three parameters:

  • registration_nonce — a unique transaction identifier for matching with the original request,

  • mojeID user’s identifier based on the used protocol:

    • claimed_id – in case of the OpenID 2.0 protocol,

    • sub – in case of the OpenID Connect protocol,

    • status – status with the value REGISTERED.

Your application first has to verify this message:

  • it has to check if the message was delivered to one of the addresses listed in the Requesting Creation of a mojeID Account of a mojeID Account section,

  • it has to check if the registration_nonce transaction was really created,

  • it has to check if the client certificate used to create an SSL tunnel is valid and signed by the certificate authority, the CZ.NIC Association. This certificate is available at https://www.mojeid.cz/en/provider/getting-started/#download for both production and test environment. The certificate is needed for notification in both the production and test environment.

If you do not use HTTPS and you want to try logging in and creating accounts in the test environment, you do not need this certificate.

If you use HTTPS and you are in the test environment, you need this certificate to send notifications from registration. It is not needed for logging in (only general public data is transferred between mojeID and your server, so it is not necessary to check the “identity” of the requester).

The notifications are sent after registration, partial identification (PIN1 and PIN2) and identification (PIN3) to assert_url listed in the XRDS document in the realm. This works also in the test environment. If you want your application to be able to receive notifications, you need a realm with HTTPS. When the notification is received, it is necessary to response with a 'mode:accept\n' string, where the new lines are marked with \n.


The client certificate verification can be done by an HTTP server, e.g. Apache with the SSLVerifyClient configuration option.

If all the requirements are met, your application can match the mojeID identifier with its record of the user during the processing of this message for the purpose of authentication via mojeID.


If this message cannot be sent securely using HTTPS, the registration continues without sending this message.