OIO OIDC profile
What is OIO OIDC?
OIO OIDC is a profile of the OpenID Connect (OIDC) protocol tailored to meet specific requirements and standards. It ensures secure and standardized authentication and authorization processes, particularly for public sector services.
Configure Identify to meet OIO OIDC profile requirements
The OIO OIDC profile specifies the following requirements and validations:
Authorization Request:
- Redirect URIs must use HTTPS. If a custom URL scheme is used (e.g., for native apps), it must comply with RFC 7595.
- Mandatory parameters: state, code_challenge, code_challenge_method, nonce.
- Prohibited parameters: display, response_mode, id_token_hint.
- Optional parameter: max_age.
Token Endpoint:
- Required response claim: auth_time.
- Prohibited response claim: nbf.
To meet these requirements, Identify supports additional validation rules by configuring an extra setting on the OIDC application connection:
- Setting name:
AdditionalValidationRules
- Setting value format and example:
{
  "authorize": {
    "requiredParameters": "state, code_challenge, code_challenge_method, nonce",
    "prohibitedParameters": "display, response_mode, id_token_hint",
    "redirectUriScheme": "https",
    "codeChallengeMethod": "S256"
  },
  "token": {
    "requiredParameters": "",
    "requiredResponseClaims": "auth_time",
    "prohibitedResponseClaims": "nbf"
  }
}
By configuring these additional rules, you can ensure that the client application complies with the OIO OIDC specification for both the Authorization and Token endpoints.
How to set up an OIO OIDC application
To set up an OIO OIDC application, follow these steps:
- OIDC application connection settings
Ensure that the redirect URI uses HTTPS or follows RFC 7595 for custom URL schemes.
- Additional configuration:
Configure the following JSON rule as an additional setting named AdditionalValidationRules on the OIDC application connection. This setting enforces validation of required and prohibited parameters according to the OIO OIDC profile:
{
  "authorize": {
    "requiredParameters": "state, code_challenge, code_challenge_method, nonce",
    "prohibitedParameters": "display, response_mode, id_token_hint",
    "redirectUriScheme": "https",
    "codeChallengeMethod": "S256"
  },
  "token": {
    "requiredParameters": "",
    "requiredResponseClaims": "auth_time",
    "prohibitedResponseClaims": "nbf"
  }
}
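The following is an added example, not Identify's own code, showing what the AdditionalValidationRules setting described in both sections above enforces: it loads the rule document exactly as configured and applies it to an authorization request's query parameters and to the claims returned from the token endpoint. The sample requests and claims are constructed for the example and the function names are assumptions; Identify's internal implementation is not shown on this page.

```python
# Added example (not Identify's own code): applies an AdditionalValidationRules
# document to an authorization request and to a token response, mirroring the
# required/prohibited checks the OIO OIDC profile calls for.
import json
from urllib.parse import urlparse

# The rule document exactly as configured on the OIDC application connection.
ADDITIONAL_VALIDATION_RULES = json.loads("""
{
  "authorize": {
    "requiredParameters": "state, code_challenge, code_challenge_method, nonce",
    "prohibitedParameters": "display, response_mode, id_token_hint",
    "redirectUriScheme": "https",
    "codeChallengeMethod": "S256"
  },
  "token": {
    "requiredParameters": "",
    "requiredResponseClaims": "auth_time",
    "prohibitedResponseClaims": "nbf"
  }
}
""")


def _names(value):
    """Turn a comma-separated rule string into a set of names (empty string -> empty set)."""
    return {item.strip() for item in value.split(",") if item.strip()}


def validate_authorize_request(params, rules=ADDITIONAL_VALIDATION_RULES):
    """Return a list of violations for an authorization request's query parameters."""
    section = rules["authorize"]
    present = set(params)
    errors = []
    for name in sorted(_names(section.get("requiredParameters", "")) - present):
        errors.append(f"missing required parameter: {name}")
    for name in sorted(_names(section.get("prohibitedParameters", "")) & present):
        errors.append(f"prohibited parameter present: {name}")
    # Only the configured scheme is accepted for redirect_uri (here: https).
    scheme = section.get("redirectUriScheme")
    if scheme and "redirect_uri" in params:
        if urlparse(params["redirect_uri"]).scheme.lower() != scheme.lower():
            errors.append(f"redirect_uri scheme must be {scheme}")
    # PKCE must use the configured challenge method (here: S256, never plain).
    method = section.get("codeChallengeMethod")
    if method and "code_challenge_method" in params and params["code_challenge_method"] != method:
        errors.append(f"code_challenge_method must be {method}")
    return errors


def validate_token_response(claims, params=None, rules=ADDITIONAL_VALIDATION_RULES):
    """Return a list of violations for the token request parameters and the claims issued."""
    section = rules["token"]
    present_params = set(params or {})
    present_claims = set(claims)
    errors = []
    for name in sorted(_names(section.get("requiredParameters", "")) - present_params):
        errors.append(f"missing required token parameter: {name}")
    for name in sorted(_names(section.get("requiredResponseClaims", "")) - present_claims):
        errors.append(f"missing required claim: {name}")
    for name in sorted(_names(section.get("prohibitedResponseClaims", "")) & present_claims):
        errors.append(f"prohibited claim present: {name}")
    return errors


# Constructed sample authorization requests (values are made up for this example).
COMPLIANT_REQUEST = {
    "client_id": "example-client",
    "response_type": "code",
    "redirect_uri": "https://rp.example.test/callback",
    "state": "af0ifjsldkj",
    "nonce": "n-0S6_WzA2Mj",
    "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
    "code_challenge_method": "S256",
}
NON_COMPLIANT_REQUEST = {
    "client_id": "example-client",
    "response_type": "code",
    "redirect_uri": "http://rp.example.test/callback",  # wrong scheme
    "state": "af0ifjsldkj",                              # nonce is missing
    "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
    "code_challenge_method": "plain",                    # must be S256
    "display": "popup",                                  # prohibited
}

if __name__ == "__main__":
    for label, req in (("compliant", COMPLIANT_REQUEST), ("non-compliant", NON_COMPLIANT_REQUEST)):
        print(label, validate_authorize_request(req) or "OK")
    print("token", validate_token_response({"sub": "123", "auth_time": 1700000000}) or "OK")
    print("token", validate_token_response({"sub": "123", "nbf": 1700000000}))
```

Running the block prints an empty result for the compliant request and four violations for the non-compliant one (missing nonce, prohibited display, non-HTTPS redirect_uri, and a plain code_challenge_method), then one clean and one failing token response. The rule strings are split on commas and trimmed, so "response_mode,id_token_hint" and "response_mode, id_token_hint" are treated the same way here; whether Identify itself tolerates the missing space is not stated on this page, so keep the documented spacing.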