2. Terminology

The following terminology is used in the next chapters regarding the implementation of MojeID:

Service provider

the provider of a web application (or simply an application, since it handles everything automatically without any manual configuration) that requires verification of the user’s identity via MojeID

Full access

MojeID implementation variant at the service provider, more details at https://www.mojeid.cz/en/provider/options-and-prices/

Limited access

MojeID implementation variant at the service provider, more details at https://www.mojeid.cz/en/provider/options-and-prices/

Identity

a set of data about the user that is linked to an identifier and managed by an OpenID provider

Identifier

a URL with an http or https schema that defines and provides certain data in the identity, e.g. http://specs.nic.cz/attr/contact/valid.

Realm

the part of the service provider’s URL space for which the identity authentication request is valid

OP
OpenID provider

the provider and maintainer of OpenID2 identities, on whose website the authentication is carried out. In the case of MojeID, it is the CZ.NIC Association.

OCP
OpenID Connect provider

the provider and maintainer of OpenID Connect identities, on whose website the authentication is carried out. In the case of MojeID, it is the CZ.NIC Association.

Identity name

the name of the MojeID identity, in the form jmenoidentity.mojeid.cz, that the user enters in the login form as the identity they want to log in with, e.g. demo.mojeid.cz.

Claimed identifier

an identifier derived from the identity name, under which the identity is available at the OpenID provider and from where it is possible to retrieve the metadata of this identifier, e.g. https://demo.mojeid.cz/#UnIqUe.

OP endpoint

URL where the OpenID2 provider receives messages. In case of MojeID, it is https://mojeid.cz/endpoint/.

Registration Endpoint

URL where it is possible to register a new service provider according to OpenID Connect Dynamic Client Registration specification.

Client ID

unique identifier of a service that uses OpenID Connect. It is assigned on registration and used during all the communication via OpenID Connect.

Client Secret

a password that certifies the service provider’s authenticity with regard to its Client ID. This password can be changed using the Registration Access Token.

Registration Access Token

a token used to authorize any change to the data about the service, e.g. the Client Secret

Authorization Endpoint

a URL to which service providers redirect users for login

ID Token

a token that confirms the successful authentication of a user’s identity and carries that user’s data

Access Token

a token used to authenticate a UserInfo Endpoint request

UserInfo Endpoint

a URL where it is possible to get detailed data of a user if they are not contained in the ID Token

Token Endpoint

a URL where it is possible to get the Access Token, or the Refresh Token, in case they have not been received directly in the response to authentication.

Refresh Token

a token that can be used to receive data from the UserInfo Endpoint even without the user’s presence.