OpenID Connect (OIDC)


OpenID Connect Protocol

What is OpenID Connect (OIDC)?


OpenID Connect (OIDC) is an identity layer built on top of the OAuth
2.0 framework. It allows third-party applications to verify the identity of the
end-user and to obtain basic user profile information. OIDC uses JSON web
tokens (JWTs), which you can obtain using flows conforming to the OAuth 2.0
specifications. See our OIDC Handbook for more details.

OpenID vs. OAuth2


While OAuth 2.0 is about resource access and sharing, OIDC is about user
authentication. Its purpose is to give you one login for multiple sites. Each
time you need to log in to a website using OIDC, you are redirected to your
OpenID site where you log in, and then taken back to the website. For
example, if you chose to sign in to Auth0 using your Google account then you
used OIDC. Once you successfully authenticate with Google and authorize
Auth0 to access your information, Google sends information back to Auth0
about the user and the authentication performed. This information is returned
in an ID token, which is a JWT. The response includes an access token and, when
the openid scope was requested, the ID token; it is the ID token, not the access
token, that asserts who the user is and how they authenticated.

OpenID and JWTs


JWTs contain claims, which are statements (such as name or email address)
about an entity (typically, the user) and additional metadata. The OpenID
Connect specification defines a set of standard claims, which includes name,
email, gender, birth date, and so on. If you want to capture information about
a user for which no standard claim is a good fit, you can create custom claims
and add them to your tokens.
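The redirect flow and the claim handling described above, as an added example that is not part of the Auth0 page. The relying party builds the authorization request with a fresh state and nonce, and on return verifies the ID token's signature and then its iss, aud, exp and nonce claims before separating standard claims from custom ones. The provider is simulated with a shared HS256 key so the script runs offline; the issuer URL, client_id, key and the namespaced custom claim are assumptions (real providers sign with RS256 or ES256 and publish keys at jwks_uri, but the claim checks are the same).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

ISSUER = "https://issuer.example"            # assumed OpenID Provider issuer URL
CLIENT_ID = "my-relying-party"               # assumed client_id; also the ID token audience
AUTHORIZE_ENDPOINT = ISSUER + "/authorize"   # assumed authorization endpoint
HS256_KEY = b"demo-shared-secret"            # assumed key for the HS256 simulation only


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request(redirect_uri):
    """Relying party, step 1: the URL the browser is redirected to.
    state ties the response to this browser session (CSRF protection);
    nonce is echoed back inside the ID token so a replayed token is detected."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",   # "openid" is what makes this OIDC, not plain OAuth
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state, nonce


def mint_id_token(claims, key=HS256_KEY):
    """Simulated provider: HS256-sign header.payload (constructed for the example)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_id_token(token, expected_nonce, now=None, key=HS256_KEY):
    """Relying party, step 2: signature first, then the OIDC Core 3.1.3.7 claim checks."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm; never let the token choose it (rejects alg=none and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


STANDARD_CLAIMS = {"iss", "sub", "aud", "exp", "iat", "auth_time", "nonce", "name",
                   "given_name", "family_name", "email", "email_verified", "gender",
                   "birthdate", "picture", "locale"}


def split_claims(claims):
    """Separate OIDC standard claims from custom ones (conventionally namespaced by URI)."""
    standard = {k: v for k, v in claims.items() if k in STANDARD_CLAIMS}
    custom = {k: v for k, v in claims.items() if k not in STANDARD_CLAIMS}
    return standard, custom


if __name__ == "__main__":
    url, state, nonce = build_authorization_request("https://rp.example/callback")
    token = mint_id_token({"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
                           "exp": int(time.time()) + 300, "iat": int(time.time()),
                           "nonce": nonce, "name": "Jane Doe", "email": "jane@example.com",
                           "https://rp.example/roles": ["admin"]})  # assumed custom claim
    print(split_claims(validate_id_token(token, nonce)))
```

The order matters: the signature is checked before any claim is read, and the algorithm is fixed by the relying party rather than taken from the token header. Returning the standard and custom claims separately keeps application authorization data (the custom claim) from being confused with identity data the specification defines.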

Configure applications with OIDC and OAuth2


You can automatically configure your applications with OIDC
discovery.
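The following is an added example, not code from the Auth0 page, showing the check a client should make on a discovery document before configuring itself from it: the issuer value inside the document must equal the issuer the document was fetched from, the endpoints it names must be https, and RS256 must be among the offered ID token signing algorithms. The issuer URL and the sample document are constructed for the example so it runs offline; in practice the body comes from a GET to the URL that discovery_url() returns.

```python
import json
from urllib.parse import urlsplit

ISSUER = "https://issuer.example"   # assumed issuer URL configured by the integrator

# Constructed sample response (assumed values), shaped like a real discovery document.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://issuer.example",
    "authorization_endpoint": "https://issuer.example/authorize",
    "token_endpoint": "https://issuer.example/oauth/token",
    "userinfo_endpoint": "https://issuer.example/userinfo",
    "jwks_uri": "https://issuer.example/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "code_challenge_methods_supported": ["S256"],
})

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer):
    """Where the document lives: issuer + /.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(issuer, body):
    """Check a fetched discovery document before trusting the endpoints in it."""
    doc = json.loads(body)
    # OIDC Discovery 4.3: the issuer in the document MUST equal the one used to fetch it.
    # A mismatch means the endpoints you are about to trust belong to someone else.
    if doc.get("issuer") != issuer:
        raise ValueError("issuer mismatch: %r != %r" % (doc.get("issuer"), issuer))
    for field in REQUIRED_ENDPOINTS:
        url = doc.get(field)
        if not url:
            raise ValueError("missing " + field)
        if urlsplit(url).scheme != "https":
            raise ValueError(field + " is not https")
    # Discovery requires RS256 to be offered; refuse a provider that omits it or lists only "none".
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        raise ValueError("RS256 not offered for ID token signing")
    return doc


def client_config_from_discovery(issuer, body):
    """Derive the client's settings only from a document that passed validation."""
    doc = validate_discovery(issuer, body)
    return {
        "authorize": doc["authorization_endpoint"],
        "token": doc["token_endpoint"],
        "jwks": doc["jwks_uri"],
        "pkce": "S256" in doc.get("code_challenge_methods_supported", []),
        "id_token_algs": [a for a in doc["id_token_signing_alg_values_supported"] if a != "none"],
    }


if __name__ == "__main__":
    print(discovery_url(ISSUER))
    print(client_config_from_discovery(ISSUER, SAMPLE_DISCOVERY))
```

The issuer comparison is the important one: discovery is convenient precisely because the client trusts whatever the document says, so the document must be shown to belong to the issuer the client already decided to trust.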

Learn more
 Configure Applications with OIDC Discovery
 Force Reauthentication in OIDC
 Applications in Auth0
 Single Sign-On
 User Profiles


==

What is a GPG 45 profile?

Good Practice Guide (GPG) 45 helps you decide how to check someone's identity.
It is published by the Cabinet Office and Government Digital Service; first
published 6 January 2014, last updated 15 January 2024.

GPG 45 is a guide for any organisation that needs to verify the identity of
customers, employees, and other parties.

What is a GPG 45 profile in TrustID?
https://www.trustid.co.uk/good-practice-guide-45-gpg-45-and-its-role-in-supporting-digital-identity-check-standards/

GPG 45 profile: the level of confidence chosen by your organisation. The profile
stipulates the combination of documents required to obtain a pass, and TrustID
Guestlink guides the user to submit the correct ones.


==

Good Practice Guide 45 (GPG 45) and its role in supporting digital
identity check standards

The challenge of validating and verifying identity for businesses continues,
whether you are onboarding staff and customers remotely or face to face.
Without a standard in identity verification, it’s down to individual firms to
determine whether the tools and methods they choose are sufficient to protect
their business, customers, and users from fraud. That’s where the Good
Practice Guide 45 (GPG 45) comes in. This guidance is a UK Government
document, designed to help organisations determine what checks they should
carry out to mitigate the risk presented by fake documents. In this blog, we look
at GPG 45, why we think it’s so important and what it might mean for you…

What is the Good Practice Guide 45 (GPG 45)?


GPG 45 is a guide for any organisation that needs to verify the identity of
customers, employees, and other parties.
It is issued by the UK Government Digital Service (GDS) and, whilst it is not law,
it comprises guidance on how to prove and verify identity against a range of
confidence levels: the higher the confidence level required, the more robust the
checks need to be. An organisation can determine a confidence level following a
risk assessment and then either introduce the required checks themselves or
turn to third party identity document validation experts if high levels of validation
are required.
More recently, GPG 45 is becoming the de facto standard for the evolving digital
identity verification market. The guide acts as a foundation upon which any
public body or organisation can build a digital identity scheme to ensure a set of
verification standards. For example, if a digital identity scheme specifies that
checks must provide a medium confidence level, anyone using that scheme can
refer to GPG 45 to understand the different verification options to achieve that
level of confidence.

Why is the GPG 45 important?

In the UK, the number of synthetic (or made up) and stolen identities being used
to commit identity fraud is increasing every year. Imposters, fraudsters, and
criminal groups commit identity fraud for a range of different reasons, including
to attempt to gain access to services or benefits to which they’re not entitled,
steal personal, medical or financial information from others, enable organised
crime or to avoid being detected by the police and other authorities.

GPG 45 was therefore created to protect you when checking the identity of your
employees, customers or someone acting on behalf of a business and help you
to only allow access to services to those people who can prove who they are to
the required confidence level. It creates the framework for consistent identity
checking which is focused on outcomes rather than specific technologies and
greatly improves protection against identity fraud.
This consistent and measured way to check identities means that fewer
organisations and services could be targeted by identity fraud. It also means it’s
easier to trust and reuse an identity that’s been checked by someone else.

How do you check someone’s identity in line with GPG 45?


An identity is a unique combination of ‘attributes’ (for example, a name, address
and date of birth) that belong to a person. Whilst a single attribute may not be
enough to tell one person apart from another, a combination of attributes might
be. By confirming these attributes, you can find out if the person is who they say
they are. The ‘identity checking’ process under GPG 45 is made up of 5 parts:

 get evidence of the claimed identity
 check the evidence is genuine or valid
 check the claimed identity has existed over time
 check if the claimed identity is at high risk of identity fraud
 check that the identity belongs to the person who’s claiming it

By carrying out different parts of the identity checking process, the identity
provider can build the necessary confidence that an identity is accurate.

How do identity profiles work and which confidence level should I choose?

There is a score for each part of the identity checking process. These scores are
combined into an identity profile, which then ties into one of 4 different levels of
confidence: low, medium, high and very high.

Each confidence level tells you how well your organisation or service is
protected against identity risks as well as helping other organisations and
services to understand your identity checking process.

A risk assessment can help you to decide which level you need and those
services at higher risk of fraud related crime should aim to get a higher level of
confidence.

How can TrustID help?


As an identity service provider, we can help you manage different parts of the
identity checking process, however you make identity checks. Our range of
services can combine to provide different levels of confidence from medium to
very high and can include remote technology to support digital checks, including
RFID chip opening and face matching technology.
Seamlessly add TrustID identity checks to your service platform

Easy integration with other platforms, websites or Apps thanks to our API.
Create seamless onboarding journeys with our onboarding widget.

Any size of organisation can easily integrate TrustID identity checks into
their own onboarding journey. With comprehensive documentation, you
can quickly and confidently verify the identity of the people you work with –
staff, customers, students – within your own platform.

Some examples of successful integrations include Applicant Tracking
Systems, payroll providers, HR systems and Housing Providers.

Rich API for integrating identity document verification services

Our API allows you to upload checks directly from your own platform, receive a
call back when checks are complete and download comprehensive results, data
fields and reports.

https://developer.trustid.co.uk/documentation/

Welcome to the TrustID API


Welcome to this TrustID API documentation which explains how to interface to the TrustID
Cloud.

The TrustID Cloud provides a rich Application Programming Interface (API) for integrating
your business workflow with identity document-related services.

Workflows

This documentation is based on the four main workflows that are used. Your development
process should follow one of these workflows:

 Using the API to Submit Applications and Receive Results
 Using the API to Receive Results
 Using the API to Create Queued Applications and Receive Results
 Using the API to Create Guest Links and Receive Results

 Using the API to Submit Applications and Receive Results - here your back end system
uses the API to submit a complete application. TrustID processes the application and
sends a webhook, saying the result is complete. Your back end system performs
authentication with the TrustID server, then receives the results and interprets these.
 Using the API to Receive Results - here no data is uploaded from your back end system;
it just uses the API to receive notifications when results are ready, and then to download
them.
 Using the API to Create Queued Applications and Receive Results - here your users use
the TrustID web client and/or mobile app to upload documents and images. Your back
end system creates each application, setting custom/flexible field data. The use of this
custom data is the reason for using queued applications.
 Using the API to Create Guest Links and Receive Results - here your back end system
specifies custom/flexible field data for an application and triggers creation of a link that
allows a “guest” (a user without an account) to populate the application.
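The first workflow, "submit, wait for the webhook, then authenticate and fetch the results", from the integrator's side, as an added example that is not TrustID's code. The page does not describe how TrustID authenticates its webhooks or what its payloads and result records look like, so the signature scheme (hex HMAC-SHA256 over "timestamp.body"), the header and field names, and the result shape are all assumptions for illustration; the authenticated fetch is injected so the script runs offline against a constructed result. What the example shows is the part the page's description implies but does not spell out: the webhook is a notification only, it is authenticated and checked for replay before anything happens, and the result is always read back over the authenticated API channel rather than trusted from the webhook body.

```python
import hashlib
import hmac
import json
import time

WEBHOOK_SECRET = b"assumed-shared-webhook-secret"   # assumption: agreed with TrustID out of band
MAX_SKEW_SECONDS = 300                              # reject deliveries timestamped too far from now


class WebhookError(Exception):
    pass


def sign_webhook(raw_body, timestamp, secret=WEBHOOK_SECRET):
    """Assumed scheme: hex HMAC-SHA256 over "<timestamp>.<raw body>"."""
    return hmac.new(secret, str(timestamp).encode() + b"." + raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body, headers, now=None, secret=WEBHOOK_SECRET):
    """Authenticate the notification before acting on it. Header names are assumptions."""
    now = time.time() if now is None else now
    ts, sig = headers.get("X-Timestamp"), headers.get("X-Signature")
    if ts is None or sig is None:
        raise WebhookError("unsigned webhook")
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        raise WebhookError("stale webhook (replay?)")
    # Sign over the raw bytes as received, never over a re-serialised JSON object.
    if not hmac.compare_digest(sign_webhook(raw_body, ts, secret), sig):
        raise WebhookError("bad webhook signature")
    return json.loads(raw_body)


def interpret(result):
    """Reduce a fetched result to the decision your system needs. Field names are assumed."""
    return {
        "application": result["id"],
        "passed": result["outcome"] == "PASS",
        "documents": [d["type"] for d in result.get("documents", [])],
    }


class ResultProcessor:
    def __init__(self, fetch_results):
        self.fetch_results = fetch_results   # authenticated GET against the TrustID API, injected
        self.seen = set()                    # in production this lives in a database, not memory

    def handle(self, raw_body, headers, now=None):
        event = verify_webhook(raw_body, headers, now)
        app_id = event["applicationId"]      # assumed field: which application is complete
        if app_id in self.seen:
            return None                      # webhooks get retried; process each application once
        self.seen.add(app_id)
        # The webhook is only a trigger. The result itself comes from the
        # authenticated API channel, never from the webhook body.
        return interpret(self.fetch_results(app_id))


# Constructed stand-in for the authenticated API call, so the example runs offline.
FAKE_RESULTS = {"app-123": {"id": "app-123", "outcome": "PASS",
                            "documents": [{"type": "passport"}]}}


def fake_fetch_results(app_id):
    return FAKE_RESULTS[app_id]


def constructed_delivery(app_id, timestamp, secret=WEBHOOK_SECRET):
    """Build a signed delivery the way the sending side would (constructed sample)."""
    body = json.dumps({"applicationId": app_id, "status": "COMPLETE"}).encode()
    headers = {"X-Timestamp": str(timestamp), "X-Signature": sign_webhook(body, timestamp, secret)}
    return body, headers


if __name__ == "__main__":
    processor = ResultProcessor(fake_fetch_results)
    body, headers = constructed_delivery("app-123", int(time.time()))
    print(processor.handle(body, headers))
```

The same structure fits the second workflow on the page (no upload, only notifications and downloads): the handler is unchanged, only what created the application differs.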

The two APIs

This documentation describes the two main ways to interface with the TrustID Cloud:

 Using the TrustID RAW API
 Using the TrustID Javascript API

 Using the TrustID RAW API - allows your business application to interface directly with
the TrustID Cloud via its HTTP/JSON service interface model which works
independently of any programming language or environment. Note that the raw API
does not provide any helper functions or code implementations; it is up to the integrator
to use the HTTP/JSON-based protocol to interface with the TrustID Cloud.
 Using the TrustID Javascript API - allows your business application to interface
directly with the TrustID Cloud via the Javascript programming environment. For more
details see .
For example, you could directly extend your web-based business software or cloud
system to communicate with the TrustID Cloud to upload document data, verify document-
related information, manage multiple uploads at the same time or access archived
information.
While the Raw API is the underlying and more fundamental programming model and is
independent of your environment and programming language, the Javascript API is built
on top of the Raw API in order to make it easy to interface with the TrustID Cloud if your
programming model is based on Javascript.

The Javascript API can be used in browser-based websites and web applications
based on React, AngularJS or other frameworks.

It can also be used on the server via its node.js version. Finally, it is also available
on mobile platforms through its React Native support.
https://www.trustid.co.uk/why-choose-idvt-from-trustid-certified-idsp/guide-whitepapers/
