2. Terminology
The following terminology is used in the next chapters regarding the implementation of mojeID:
- Service provider
provider of a web application (or simply an application, since it manages everything automatically without any manual setup) that requires verification of a user's identity via mojeID
- Full access
mojeID implementation variant at the service provider, more details at https://www.mojeid.cz/en/provider/options-and-prices/
- Limited access
mojeID implementation variant at the service provider, more details at https://www.mojeid.cz/en/provider/options-and-prices/
- Identity
set of data about the user that are linked to an identifier and managed by an OpenID provider
- Identifier
a URL with an `http` or `https` schema that defines and provides certain data in the identity, e.g. `http://specs.nic.cz/attr/contact/valid`.
- Realm
the service provider’s URL area defining a part of a URL region for which the identity authentication request is valid
- OP
- OpenID provider
provider and maintainer of OpenID2 identities, on whose website the authentication is carried out. In the case of mojeID, it is the CZ.NIC Association.
- OCP
- OpenID Connect provider
provider and maintainer of OpenID Connect identities, on whose website the authentication is carried out. In the case of mojeID, it is the CZ.NIC Association.
- Identity name
the name of a mojeID identity in the form `jmenoidentity.mojeid.cz` that the user enters in the login form as the identity they want to log in with, e.g. `demo.mojeid.cz`.
- Claimed identifier
an identifier derived from the identity name, under which the identity is available at the OpenID provider and from where it is possible to retrieve metadata of this identifier, e.g. `https://demo.mojeid.cz/#UnIqUe`.
- OP endpoint
URL where the OpenID2 provider receives messages. In the case of mojeID, it is `https://mojeid.cz/endpoint/`.
- Registration Endpoint
URL where it is possible to register a new service provider according to OpenID Connect Dynamic Client Registration specification.
- Client ID
unique identifier of a service that uses OpenID Connect. It is assigned on registration and used during all the communication via OpenID Connect.
- Client Secret
password that certifies the service provider's authenticity with regard to its Client ID. This password can be changed using the Registration Access Token.
- Registration Access Token
token used for authorization of any change of data about the service, e.g. the Client Secret
- Authorization Endpoint
a URL to which service providers redirect users for login
- ID Token
contains a confirmation of a successful identity authentication of a user whose data is contained within the ID Token
- Access Token
a token used to authenticate a UserInfo Endpoint request
- UserInfo Endpoint
a URL where it is possible to get detailed data of a user if they are not contained in the ID Token
- Token Endpoint
a URL where it is possible to get the Access Token, or the Refresh Token, in case they have not been received directly in the response to authentication.
- Refresh Token
a token that can be used to receive data from the UserInfo Endpoint even without the user’s presence.
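As an added example, not code from the mojeID documentation or from CZ.NIC, the following Python ties together the OpenID2 terms above: it derives a claimed identifier from an identity name, checks that a return URL lies within the realm, and builds the authentication request that redirects the user to the OP endpoint, asking for the glossary's example attribute identifier. The OpenID 2.0 and Attribute Exchange parameter names and the realm-matching rule are taken from those specifications, not from this glossary; the example.cz URLs are constructed.

```python
from urllib.parse import urlencode, urlsplit

# OP endpoint and attribute identifier as given in the glossary.
OP_ENDPOINT = "https://mojeid.cz/endpoint/"
VALID_ATTR = "http://specs.nic.cz/attr/contact/valid"
# Parameter names and namespaces are assumed from OpenID 2.0 / Attribute Exchange 1.0, not from the glossary.
OPENID_NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"


def claimed_identifier(identity_name: str) -> str:
    """Identity name -> claimed identifier (demo.mojeid.cz -> https://demo.mojeid.cz/).
    The OP's response may append a fragment like the glossary's #UnIqUe; compare without it."""
    name = identity_name.strip().lower()
    if name.count(".") != 2 or not name.endswith(".mojeid.cz") or name.startswith("."):
        raise ValueError(f"not a mojeID identity name: {identity_name!r}")
    return f"https://{name}/"


def return_to_within_realm(return_to: str, realm: str) -> bool:
    """OpenID 2.0 section 9.2: return_to must lie inside the realm, so the OP only sends the
    user back to URLs the service provider declared. A '*.' realm host also covers subdomains."""
    port = lambda u: u.port or (443 if u.scheme == "https" else 80)
    rt, rl = urlsplit(return_to), urlsplit(realm)
    rt_host, rl_host = rt.hostname or "", rl.hostname or ""
    if rt.scheme != rl.scheme or rl.fragment or "*" in rt_host or port(rt) != port(rl):
        return False
    if rl_host.startswith("*."):
        host_ok = rt_host == rl_host[2:] or rt_host.endswith(rl_host[1:])
    else:
        host_ok = rt_host == rl_host
    # the return_to path must equal the realm path or be a sub-directory of it
    rl_path, rt_path = rl.path or "/", rt.path or "/"
    path_ok = rt_path == rl_path or rt_path.startswith(rl_path.rstrip("/") + "/")
    return host_ok and path_ok


def checkid_setup_request(identity_name: str, return_to: str, realm: str) -> str:
    """Redirect URL sending the user to the OP endpoint; the AX part asks for the 'valid' attribute."""
    if not return_to_within_realm(return_to, realm):
        raise ValueError("return_to lies outside the realm")
    cid = claimed_identifier(identity_name)
    params = {
        "openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
        "openid.claimed_id": cid, "openid.identity": cid,
        "openid.return_to": return_to, "openid.realm": realm,
        "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request",
        "openid.ax.type.valid": VALID_ATTR, "openid.ax.required": "valid",
    }
    return OP_ENDPOINT + "?" + urlencode(params)
```

The request skips OpenID 2.0 discovery and uses the glossary's OP endpoint directly; a real service provider would also verify the OP's signed response before trusting the returned attributes.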