iDIN attributes in OpenID Connect (OIDC)
This page contains information about the user attributes that you can request and retrieve from iDIN when using OpenID Connect (OIDC) as an authentication protocol.
OIDC scopes and claims
You can use the following OIDC scopes to request personal information from an end-user using iDIN. The claims column shows the data fields returned in the response.
For further details about attributes and data formats, see the official iDIN documentation - Consumer attributes.
To configure what user data (claims) to return in the ID token object, do this:
- Go to Products > eID and Wallet Hub > OIDC clients.
- Select your client.
- Edit the Advanced Security > ID Token User data property.
By default, only the UserInfo endpoint returns all claims.
To initiate an Age verification flow, use only the eighteen-or-older scope in your authorization request, without including other scopes, except for the optional idp-id.
Including other scopes in your request either causes an error or starts an authentication for a different use case. Learn more in the Age verification section.
OIDC examples
Below, you can find examples of requests and responses for different use cases with iDIN using OIDC.
Request examples
To start an authentication with iDIN, you can build an OIDC request like:
- Login
- Age verification
- Identification
Login (scopes: openid)
https://<YOUR_SIGNICAT_DOMAIN>/auth/open/connect/authorize?
&client_id=<OIDC_CLIENT_ID>
&response_type=code
&redirect_uri=<REDIRECT_URI>
&state=1599045135410-jFe
&scope=openid
&acr_values=idp:idin
&prompt=login
&nonce=1599046102647-dv4
Age verification (scopes: openid, eighteen-or-older)
https://<YOUR_SIGNICAT_DOMAIN>/auth/open/connect/authorize?
&client_id=<OIDC_CLIENT_ID>
&response_type=code
&redirect_uri=<REDIRECT_URI>
&state=1599045135410-jFe
&scope=openid%20eighteen-or-older
&acr_values=idp:idin
&prompt=login
&nonce=1599046102647-dv4
Note that including any additional scopes in your request, for example gender, triggers an Identification process.
If you include both eighteen-or-older and date-of-birth in your request, Signicat returns an error and the authentication fails.
Identification (scopes: openid, profile, idp-id, email, address, phone, gender, date-of-birth, idin-name)
https://<YOUR_SIGNICAT_DOMAIN>/auth/open/connect/authorize?
&client_id=<OIDC_CLIENT_ID>
&response_type=code
&redirect_uri=<REDIRECT_URI>
&state=1599045135410-jFe
&scope=openid%20profile%20idp-id%20email%20address%20phone%20gender%20date-of-birth%20idin-name
&acr_values=idp:idin
&prompt=login
&nonce=1599046102647-dv4
To receive the raw (unhashed) value of the Bank Identification Number (BIN), send the idp-id scope in your request:
scope=openid%20idp-id
Response examples
Response example for the UserInfo endpoint:
- Login
- Age verification
- Identification
Login (scopes: openid)
{
  "sub": "VsQFCIOdsM-brFXDGQhMyMfnlkQyeb8pNfkxq6VFppY=",
  "idp_issuer": "idin"
}
Age verification (scopes: openid, eighteen-or-older)
{
  "eighteen_or_older": true,
  "sub": "VsQFCIOdsM-brFXDGQhMyMfnlkQyeb8pNfkxq6VFppY=",
  "idp_issuer": "idin"
}
Identification (scopes: openid, profile, idp-id, email, address, phone, gender, date-of-birth, idin-name)
{
  "idp_id": "NLRABOtestdata8de3695d048d9da76b7c09d5a800b51897441e8ae3210731a058e",
  "name": "VJ de Vries",
  "family_name": "de Vries",
  "gender": "1",
  "birthdate": "1975-07-25",
  "email": "info@equensworldline.nl",
  "address": {
    "formatted": "Pascalstreet 19 A, 0000AA, Aachen, DE",
    "street_address": "Pascalstreet 19 A",
    "house_number": "19",
    "house_number_suffix": "A",
    "locality": "Aachen",
    "postal_code": "0000AA",
    "country": "DE"
  },
  "phone_number": "+31203051900",
  "idin_legal_last_name": "Vries",
  "idin_legal_last_name_prefix": "de",
  "idin_preferred_last_name": "Vries-Jansen",
  "idin_partner_last_name": "Jansen",
  "idin_preferred_last_name_prefix": "de",
  "idin_partner_last_name_prefix": "de",
  "initials": "VJ",
  "sub": "VsQFCIOdsM-brFXDGQhMyMfnlkQyeb8pNfkxq6VFppY=",
  "idp_issuer": "idin"
}
Routing to issuer bank portal
You can display the issuer bank selection page directly on your side and route the end-user to the issuer authentication portal.
Make sure to list all the issuers that are active in your Signicat account. You can find the full list at https://<YOUR_ACCOUNT_DOMAIN>.com/broker/authn/idin/issuers, where <YOUR_ACCOUNT_DOMAIN> is the domain you registered in the Dashboard > Settings > Domain Management.
OIDC example
To route your end-users directly to their bank authentication portal, pass the idin_idp parameter in the ACR values. For example, to direct the end-user to ING bank, pass the following query parameter in your authorization request:
acr_values=idp:idin idin_idp:INGBNL2A
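The request rules on this page, as an added example (not Signicat's code): a Python helper that refuses scope sets the page says fail or switch use case, URL-encodes the space-separated scope and acr_values, and generates a fresh state and nonce for every request. The function names, the age_only flag and the domain passed in by the caller are assumptions made for illustration.

```python
import secrets
from urllib.parse import quote, urlencode

AGE_SCOPE = "eighteen-or-older"
# Per this page: an age verification request carries only these scopes (idp-id optional).
AGE_FLOW_ALLOWED = {"openid", AGE_SCOPE, "idp-id"}


def check_scopes(scopes, age_only):
    """Raise ValueError for scope sets this page says fail or change the use case."""
    requested = set(scopes)
    if "openid" not in requested:
        raise ValueError("the openid scope is required in an OIDC request")
    if {AGE_SCOPE, "date-of-birth"} <= requested:
        raise ValueError("eighteen-or-older combined with date-of-birth returns an error")
    if age_only:
        if AGE_SCOPE not in requested:
            raise ValueError("age verification needs the eighteen-or-older scope")
        extra = requested - AGE_FLOW_ALLOWED
        if extra:
            raise ValueError(f"extra scopes start another use case: {sorted(extra)}")


def build_authorize_url(domain, client_id, redirect_uri, scopes, age_only=False, idin_idp=None):
    """Return (url, state, nonce) for an iDIN authorization request."""
    check_scopes(scopes, age_only)
    acr_values = "idp:idin"
    if idin_idp:  # issuer identifier, e.g. INGBNL2A from the routing section
        acr_values += f" idin_idp:{idin_idp}"
    # Unpredictable per-request values; the caller keeps them in the user's session.
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": " ".join(scopes),
        "acr_values": acr_values,
        "prompt": "login",
        "nonce": nonce,
    }, quote_via=quote)  # quote() encodes spaces as %20, as in the examples above
    return f"https://{domain}/auth/open/connect/authorize?{query}", state, nonce
```

Keep the returned state and nonce in the end-user's session, then compare them with the state on the callback and the nonce claim in the ID token.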