The Irish eIDAS node provides an OAuth 2.0 API that can be used for authentication (according to the OpenID Connect specification). Under the hood, it is implemented using the OpenID Certified node oidc-provider and provides a simple way to retrieve user authentication details via the eIDAS system.
The test environment is deployed on the demo.eidasnode.gov.ie domain. There is an OpenID Connect Discovery 1.0 endpoint which can be used by many OpenID Connect client libraries:
https://demo.eidasnode.gov.ie/.well-known/openid-configuration
It returns JSON with all endpoints available, for example:
https://demo.eidasnode.gov.ie/auth
https://demo.eidasnode.gov.ie/token
https://demo.eidasnode.gov.ie/me
The following scopes are available at the moment:
openid
profile — eIDAS minimum data set (id, given name, family name, birthdate) + LoA
profile_birth_name — birth name
profile_current_address — current address
profile_gender — gender
profile_place_of_birth — place of birth
legal — legal_id, legal_name, legal_address, vat_number, tax_reference, lei, eori, eu_id, seed, sic
The code flow is preferred, but the hybrid flow is supported too (on demand for specific clients).
RP-Initiated Logout is supported according to the specification: https://openid.net/specs/openid-connect-rpinitiated-1_0.html
In the test environment, the minimum LoA in requests is "low", but for some countries (like the Netherlands) it is overridden to be "substantial". In the production environment, the minimum LoA is going to be "substantial".
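Because the minimum LoA differs between environments, a relying party can enforce its own minimum on the returned claims and fail closed when the level is missing or unrecognised. The following is an added example, not code from the original page, the eIDAS node or its example client. The claim name "loa" and acceptance of the "http://eidas.europa.eu/LoA/..." URI form are assumptions; the page only says that LoA is returned with the profile scope.

```javascript
// Added example: relying-party minimum-LoA check. Not code from the
// eIDAS node or its example client.
const EIDAS_LOA_PREFIX = 'http://eidas.europa.eu/LoA/';

// eIDAS levels in ascending order. A Map avoids inherited keys such as
// "constructor" resolving to something truthy.
const LOA_RANK = new Map([['low', 1], ['substantial', 2], ['high', 3]]);

// Returns 1..3 for a recognised level, 0 for anything else (fail closed).
function loaRank(value) {
  if (typeof value !== 'string') return 0;
  const name = value.startsWith(EIDAS_LOA_PREFIX)
    ? value.slice(EIDAS_LOA_PREFIX.length)
    : value;
  return LOA_RANK.get(name) || 0;
}

// claims: parsed JSON from the userinfo endpoint.
// claimName: ASSUMPTION, the page does not name the LoA claim.
function checkLoa(claims, required, claimName = 'loa') {
  const need = loaRank(required);
  if (need === 0) return { ok: false, reason: 'unknown required LoA' };
  const got = loaRank(claims ? claims[claimName] : undefined);
  if (got === 0) return { ok: false, reason: 'LoA missing or unrecognised' };
  if (got < need) return { ok: false, reason: 'LoA below required minimum' };
  return { ok: true, reason: 'LoA accepted' };
}

// Constructed sample responses (not real node output).
const SAMPLE_LOW = { sub: 'constructed-subject-1', loa: 'low' };
const SAMPLE_SUBSTANTIAL = { sub: 'constructed-subject-2', loa: 'substantial' };

console.log(checkLoa(SAMPLE_LOW, 'substantial'));
console.log(checkLoa(SAMPLE_SUBSTANTIAL, 'substantial'));
```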
In order to get test credentials (client id and client secret), please contact OGCIO at eidas@per.gov.ie. You should be able to provide redirect URIs at this point.
oidcdebugger.com can be used for testing/debugging (the test configuration has client oidcdebugger with secret secret).
After receiving the auth code, the following bash snippet is useful for retrieving the user info in the test environment (assuming AUTH_CODE is defined):
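# Test client from the demo configuration; AUTH_CODE must already be set.
readonly CLIENT_ID=oidcdebugger
readonly CLIENT_SECRET=secret
# Exchange the authorization code for tokens at the token endpoint.
TOKENS=$(curl -H 'Content-Type: application/x-www-form-urlencoded' https://demo.eidasnode.gov.ie/token -d "grant_type=authorization_code&code=$AUTH_CODE&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET")
# Extract the access token and call the userinfo endpoint with it.
ACCESS_TOKEN=$(jq -r '.access_token' <<< "$TOKENS")
curl -H "Authorization: Bearer $ACCESS_TOKEN" https://demo.eidasnode.gov.ie/me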
An example service provider is available here: https://demo.eidasnode.gov.ie/example/. It is very simple and just shows user info as a result.
The source code of this example application is available via git:
git clone https://demo.eidasnode.gov.ie/git/eidas-oidc-client
It is based on node openid-client, but feel free to use any OpenID Connect client library.
Test integration with MyGovId is available here.