2. Terminology
The following terminology is used in the next chapters regarding the implementation of MojeID:
- Service provider
provider of a web application (or simply an application, because it handles everything automatically without any manual configuration) that requires verification of the user's identity via MojeID
- Full access
MojeID implementation variant at the service provider, more details at https://www.mojeid.cz/en/provider/options-and-prices/
- Limited access
MojeID implementation variant at the service provider, more details at https://www.mojeid.cz/en/provider/options-and-prices/
- Identity
set of data about the user that is linked to an identifier and managed by an OpenID provider
- Identifier
a URL with an http or https schema that defines and provides certain data in the identity, e.g. http://specs.nic.cz/attr/contact/valid
- Realm
the service provider's URL area, defining the part of the URL space for which the identity authentication request is valid
- OP
- OpenID provider
provider and maintainer of OpenID2 identities, on whose website the authentication is carried out. In the case of MojeID, it is the CZ.NIC Association.
- OCP
- OpenID Connect provider
provider and maintainer of OpenID Connect identities, on whose website the authentication is carried out. In the case of MojeID, it is the CZ.NIC Association.
- Identity name
the name of the MojeID identity in the form jmenoidentity.mojeid.cz, which the user enters in the login form as the identity they want to log in with, e.g. demo.mojeid.cz
- Claimed identifier
identifier derived from the identity name, under which the identity is available at the OpenID provider and from where it is possible to retrieve metadata of this identifier, e.g. https://demo.mojeid.cz/#UnIqUe
- OP endpoint
URL where the OpenID2 provider receives messages. In the case of MojeID, it is https://mojeid.cz/endpoint/
- Registration Endpoint
URL where it is possible to register a new service provider according to the OpenID Connect Dynamic Client Registration specification.
- Client ID
unique identifier of a service that uses OpenID Connect. It is assigned on registration and used during all communication via OpenID Connect.
- Client Secret
password that certifies the service provider's authenticity with regard to its Client ID. This password can be changed using the Registration Access Token.
- Registration Access Token
token used to authorize any change of data about the service, e.g. the Client Secret
- Authorization Endpoint
a URL to which service providers redirect users for login
- ID Token
contains a confirmation of a successful identity authentication of a user whose data is contained within the ID Token
- Access Token
a token used to authenticate a UserInfo Endpoint request
- UserInfo Endpoint
a URL where it is possible to get detailed data of a user if they are not contained in the ID Token
- Token Endpoint
a URL where it is possible to get the Access Token or the Refresh Token, in case they have not been received directly in the response to authentication.
- Refresh Token
a token that can be used to receive data from the UserInfo Endpoint even without the user's presence.