Data Retrieval with Refresh Tokens

IDPartner follows the OpenID Connect (OIDC) protocol for authentication and authorization. Relying Parties (RPs) use the OIDC token endpoint to obtain identity information about authenticated users. The token endpoint returns an ID Token carrying the consented claims, an access token, and a refresh token; together these are what an RP needs to retrieve user data both immediately and later.

Obtaining Claims Using the OIDC Token Endpoint

The token endpoint is the primary mechanism for acquiring claims, access tokens, and refresh tokens. After the user authenticates and consents, the RP receives an authorization code and exchanges it at the token endpoint, authenticating as the client in the same request. The token endpoint validates the code and the client credentials and responds with an ID Token (a signed JWT carrying the claims), an access token, and a refresh token. Before trusting any claim, the RP must validate the ID Token: verify the signature against the provider's published keys and check that iss, aud, exp, and nonce match what the RP expects for this login.

By default, all consented claims are returned in the ID Token itself, which is included in the response from the token endpoint. The ID Token contains both basic and high-value attributes. This approach allows for a comprehensive set of identity information to be obtained immediately upon authentication.

However, the RP can configure its application to return only basic claims in the ID Token and defer retrieval of high-value claims to a later stage. This is useful in a checkout flow, where identifying the user is needed up front but the remaining identity details are only needed once the checkout completes. It is also more cost-effective: users who abandon the checkout never trigger retrieval of high-value claims.

Accessing Additional Identity Information Using the User Info Endpoint

To retrieve high-value claims, the RP calls the User Info endpoint, presenting the access token as a Bearer token. The endpoint returns the full set of consented claims, including identity details beyond the basic claims present in the ID Token. The RP should check that the sub in the User Info response matches the sub in the validated ID Token before associating the returned attributes with the logged-in user.

By separating the retrieval of high-value claims to the User Info endpoint, RPs can reduce the initial data retrieval costs and improve the overall efficiency of their application. This approach allows for a more targeted and cost-effective retrieval of identity information.

Utilizing Refresh Tokens for Future Data Retrieval

Upon receiving the initial access token and refresh token from the token endpoint, the RP stores the refresh token securely for future use. When the access token expires, the RP uses the refresh token at the token endpoint to obtain a new access token without requiring the user to re-authenticate. This allows data retrieval to continue in subsequent interactions, including retrieval of high-value claims from the User Info endpoint. Because a refresh token is a long-lived credential that can mint new access tokens, keep it server-side, encrypted at rest, and never expose it to the browser.

To use the refresh token for future data retrieval:

  • Store the refresh token securely, server-side and encrypted at rest. If the provider rotates refresh tokens, replace the stored token with the one returned on each refresh, since the previous one is no longer valid.

  • When the access token expires (the User Info endpoint returns 401 invalid_token, or the expires_in lifetime has elapsed), send a request to the token endpoint with grant_type=refresh_token and the stored refresh token to obtain a new access token.

  • Use the new access token to call the User Info endpoint for the high-value claims. The refresh response may also include a new ID Token carrying the basic claims; validate it like the original (signature, iss, aud, exp) and check that its sub matches the sub from the original login.

By leveraging the refresh token, RPs can optimize the data retrieval process and ensure a smoother user experience.
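The full sequence described above, as an added example that is not IDPartner's code or SDK: the RP exchanges an authorization code, validates the ID Token (signature, iss, aud, exp, nonce), calls the User Info endpoint only when high-value claims are needed, refreshes on an expired access token, and checks that the User Info sub matches the login. The provider (MockProvider), the shared HS256 secret, the claim values, and the token lifetimes are all constructed so the example runs offline; a real OP signs ID Tokens with RS256/ES256 and publishes its keys via JWKS, and the provider here rotates refresh tokens to show why the stored token must be replaced after each refresh.

```python
"""OIDC deferred claim retrieval: code exchange, ID Token validation,
UserInfo call, refresh-token grant. Constructed in-process provider;
HS256 with a shared secret is used only so the example runs offline."""
import base64, hashlib, hmac, json, secrets, time

ISSUER, CLIENT_ID = "https://op.example", "rp-client"          # constructed
SECRET = b"constructed-shared-secret"                          # constructed
BASIC = {"sub": "user-123", "given_name": "Ada"}               # constructed
HIGH_VALUE = {"birthdate": "1815-12-10", "address": "St James's Square"}  # constructed

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict) -> str:
    head = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

class MockProvider:
    """Constructed OP exposing the token endpoint (code and refresh grants)
    and the UserInfo endpoint. Only basic claims go in the ID Token."""
    def __init__(self, ttl=300):
        self.ttl, self.codes, self.access, self.refresh = ttl, {}, {}, {}
    def authorize(self, nonce):
        code = secrets.token_urlsafe(16); self.codes[code] = nonce; return code
    def _issue(self, sub, nonce, now):
        at, rt = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[at] = (sub, now + self.ttl); self.refresh[rt] = sub
        idc = {"iss": ISSUER, "aud": CLIENT_ID, "iat": now, "exp": now + self.ttl, **BASIC}
        if nonce: idc["nonce"] = nonce              # nonce only on the login ID Token
        return {"id_token": sign_jwt(idc), "access_token": at,
                "refresh_token": rt, "expires_in": self.ttl}
    def token(self, grant_type, now=None, **params):
        now = now or int(time.time())
        if grant_type == "authorization_code":
            return self._issue(BASIC["sub"], self.codes.pop(params["code"]), now)  # single-use code
        if grant_type == "refresh_token":
            return self._issue(self.refresh.pop(params["refresh_token"]), None, now)  # rotation
        raise ValueError("unsupported_grant_type")
    def userinfo(self, bearer, now=None):
        now = now or int(time.time())
        sub, exp = self.access.get(bearer, (None, 0))
        if sub is None or now >= exp:
            raise PermissionError("401 invalid_token")
        return {**BASIC, **HIGH_VALUE}

def validate_id_token(token, expected_nonce, now=None):
    """RP-side checks before any claim is trusted: signature, iss, aud, exp, nonce."""
    now = now or int(time.time())
    head, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["iss"] != ISSUER or claims["aud"] != CLIENT_ID or claims["exp"] <= now:
        raise ValueError("iss/aud/exp check failed")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims

class RelyingParty:
    def __init__(self, op): self.op, self.session = op, {}
    def login(self, now=None):
        nonce = secrets.token_urlsafe(8)
        resp = self.op.token("authorization_code", now=now, code=self.op.authorize(nonce))
        claims = validate_id_token(resp["id_token"], nonce, now)
        self.session = {"sub": claims["sub"], "access_token": resp["access_token"],
                        "refresh_token": resp["refresh_token"]}  # keep server-side, encrypted at rest
        return claims
    def high_value_claims(self, now=None):
        """Deferred UserInfo fetch; on 401 refresh once instead of re-authenticating."""
        try:
            info = self.op.userinfo(self.session["access_token"], now)
        except PermissionError:
            resp = self.op.token("refresh_token", now=now, refresh_token=self.session["refresh_token"])
            if validate_id_token(resp["id_token"], None, now)["sub"] != self.session["sub"]:
                raise ValueError("refreshed ID Token sub changed")
            self.session.update(access_token=resp["access_token"], refresh_token=resp["refresh_token"])
            info = self.op.userinfo(self.session["access_token"], now)
        if info["sub"] != self.session["sub"]:   # bind UserInfo data to the authenticated user
            raise ValueError("userinfo sub does not match ID Token sub")
        return info
```

Calling `RelyingParty(MockProvider()).login()` returns only the basic claims; `high_value_claims()` is what the checkout calls after completion, and it transparently performs the refresh grant when the access token has expired. The explicit `now` parameters exist only so the expiry path can be exercised deterministically; in production use wall-clock time.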
