3.3.2. Communication via OpenID 2.0

The process of logging in via mojeID consists of several steps, as shown in the following schema:

[Schema: the steps of logging in via mojeID]

  1. Establishing association – Agreeing on a shared secret to be used to verify messages from the OpenID provider.

  2. Requesting login using mojeID – The user clicks the Log in via mojeID button.

  3. Initiation – The service provider retrieves metadata about the OpenID provider.

  4. Requesting identity authentication – The service provider creates an authentication request and sends it (indirectly, by redirecting the user’s browser) to the OpenID provider’s endpoint, where the user authenticates.

  5. Performing authentication – The user logs in at the mojeID login page using one of the login methods to verify their identity. At this moment, we support login with password, digital certificate, one-time password, or a security key (FIDO 2).

  6. Response with the identity authentication outcome – If the service provider requested it in the identity authentication process, the user is redirected back to the service provider’s website, which receives a response with the outcome of the identity authentication.

  7. Response verification – Each message the service provider receives from the OpenID provider indirectly via the user’s browser has to be verified to confirm that it really comes from the OpenID provider and has not been changed. In most cases this is done using the association (see item 1); otherwise, by explicitly requesting verification from the OpenID provider.

  8. Response processing – Depending on whether the login succeeded or not, the service provider’s application has to react and, if necessary, process the additional data received in the response.
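The verification in step 7, as an added example rather than mojeID's own code or a library API: the service provider rebuilds the key-value form of the fields listed in openid.signed, recomputes the HMAC with the MAC key from the association (step 1), compares it with openid.sig, and additionally checks that the response is bound to its own return address and has not been replayed. It assumes an HMAC-SHA256 association; the key, handle, URLs and nonce are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed demo values standing in for the MAC key and handle obtained in step 1.
MAC_KEY = b"0123456789abcdef0123456789abcdef"  # 32 bytes, HMAC-SHA256 association
ASSOC_HANDLE = "demo-handle-1"
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")

def kv_form(params, signed):
    """Key-value form of the signed fields ('key:value\\n', prefix stripped, signed order)."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode("utf-8")

def sign_fields(params, signed, mac_key):
    """Base64 HMAC-SHA256 over the key-value form, as the OP computes openid.sig."""
    mac = hmac.new(mac_key, kv_form(params, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def verify_response(params, mac_key, assoc_handle, expected_return_to, seen_nonces):
    """Step 7: accept an id_res response only if it is bound to this RP, its signature
    checks out under the association's MAC key, and its nonce has not been seen before."""
    if params.get("openid.mode") != "id_res":
        return False
    if params.get("openid.assoc_handle") != assoc_handle:
        return False  # unknown handle: direct verification would be needed instead
    if params.get("openid.return_to") != expected_return_to:
        return False
    signed = params.get("openid.signed", "").split(",")
    if any(f not in signed for f in REQUIRED_SIGNED):
        return False
    if any("openid." + f in params and f not in signed for f in ("claimed_id", "identity")):
        return False  # identity fields present but unsigned could be altered in transit
    try:
        expected = sign_fields(params, signed, mac_key)
    except KeyError:
        return False  # a field listed in openid.signed is missing
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        return False
    if params["openid.response_nonce"] in seen_nonces:
        return False  # replayed response
    seen_nonces.add(params["openid.response_nonce"])
    return True

# Constructed positive response with placeholder URLs; openid.sig is filled in below.
SAMPLE = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
          "openid.op_endpoint": "https://op.example/endpoint", "openid.assoc_handle": ASSOC_HANDLE,
          "openid.claimed_id": "https://alice.op.example/", "openid.identity": "https://alice.op.example/",
          "openid.return_to": "https://rp.example/return", "openid.response_nonce": "2024-01-01T00:00:00Zabc",
          "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"}
SAMPLE["openid.sig"] = sign_fields(SAMPLE, SAMPLE["openid.signed"].split(","), MAC_KEY)
```

A response whose assoc_handle the service provider does not recognise cannot be checked this way and falls into the "explicitly requesting the verification" branch of step 7.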