Overview

Here are the most important things to know about the IDP Kit:

  • It is open source (Apache 2). You can use the code for free and without limitations.

  • It is an out-of-the-box solution that you can simply re-use or even white-label, for example to build pilot projects quickly.

  • It is customisable in the sense that you can individualise it based on your requirements.

  • It is composable in the sense that you can plug your existing (d)apps into the IDP Kit in order to supercharge them with SSI capabilities.

  • It abstracts complexity such as low-level functionality related to key handling, data storage, signing and interactions with third-party systems and SSI wallets.

  • It is built on open standards to ensure interoperability and prevent lock-in effects.

  • It is flexible in the sense that you can deploy and run an IDP on-premise, in your (multi-)cloud environment, or directly integrate our libraries.

  • It enables you to use different identity ecosystems like Europe’s emerging identity ecosystem (EBSI, ESSIF) in anticipation of a multi-ecosystem future. (Consult the SSI Kit documentation to find out which ecosystems the IDP Kit supports.)

IDP Kit | Basics

The IDP Kit enables you to launch an OIDC compliant identity provider that utilizes the OIDC-SIOPv2 protocol and/or NFT blockchain APIs to retrieve identity data or NFT metadata via a suitable wallet, providing the data as user info and/or mapping it to standard OIDC claims.

This enables applications that already support OIDC-based authentication to connect to SSI or NFT wallets, or to leverage Sign-In with Ethereum (EIP-4361), where users act as self-issued identity providers, with minimal effort; in the simplest case this involves nothing more than a configuration change.

Simple authentication flow with IDP Kit

The following picture shows a simple OIDC authentication flow between the end user application and the IDP Kit:

Identity federation via an external identity and access manager

The IDP Kit can be configured as a federated identity provider for other Identity and Access Management systems, such as Keycloak, as shown in the picture below:

Functionality

The IDP Kit makes it easy for you to build and launch your own OIDC compliant identity provider utilizing SSI, NFTs or Sign-In with Ethereum to obtain identity data.

Depending on your requirements, the IDP Kit can be configured to map data from verifiable credentials or NFTs to standard OIDC claims (e.g. the OIDC profile scope), or to deliver the presented credentials, NFTs or account addresses as they are via the custom vp_token, nft_token and siwe claims.
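As an added illustration of the mapping this paragraph describes (and of the vp_token, nft_token and siwe claims listed under "Claims and claim mapping" in the feature overview), here is a small Python model of the user-info assembly step. It is example code, not the IDP Kit's own implementation: the credential field names, the scope-to-claim table and the sample presentation, NFT metadata and SIWE result are all constructed assumptions, and every input is taken as already verified (signature, challenge and policy checks happen before mapping, not here).

```python
import json

# Constructed sample verifiable presentation, shaped like the W3C VP a wallet returns
# in the vp_token. Signature/challenge verification is assumed to have passed already.
SAMPLE_VP = {
    "type": ["VerifiablePresentation"],
    "holder": "did:example:holder-constructed",
    "verifiableCredential": [
        {
            "type": ["VerifiableCredential", "VerifiableId"],
            "issuer": "did:example:issuer-constructed",
            "credentialSubject": {
                "id": "did:example:holder-constructed",
                "firstName": "Ada",
                "familyName": "Lovelace",
                "dateOfBirth": "1815-12-10",
            },
        },
        {   # unrelated credential in the same presentation; must not feed profile claims
            "type": ["VerifiableCredential", "GymMembership"],
            "issuer": "did:example:gym-constructed",
            "credentialSubject": {"id": "did:example:holder-constructed", "firstName": "A.", "level": "gold"},
        },
    ],
}

# Constructed NFT verification result, loosely shaped like ERC-721 token metadata.
SAMPLE_NFT = {
    "chain": "ethereum",
    "contract": "0x" + "ab" * 20,   # placeholder contract address
    "tokenId": "42",
    "metadata": {"name": "Member Pass #42",
                 "attributes": [{"trait_type": "tier", "value": "gold"}]},
}

# Constructed Sign-In with Ethereum result (address taken from the verified SIWE message).
SAMPLE_SIWE = {"address": "0x" + "cd" * 20, "chainId": 1}

# Assumed mapping table: OIDC scope -> (credential type allowed to populate it,
# {standard OIDC claim: credentialSubject field}). Not the IDP Kit's config format.
SCOPE_MAP = {
    "profile": ("VerifiableId", {"given_name": "firstName",
                                 "family_name": "familyName",
                                 "birthdate": "dateOfBirth"}),
    "email": ("VerifiableId", {"email": "email"}),
}


def credentials_of_type(vp: dict, ctype: str):
    """Yield only credentials whose type list contains ctype."""
    for vc in vp.get("verifiableCredential", []):
        if ctype in vc.get("type", []):
            yield vc


def map_scope(vp: dict, scope: str) -> dict:
    """Standard claims for one scope, taken from the first allowed credential carrying each field."""
    ctype, fields = SCOPE_MAP[scope]
    claims = {}
    for vc in credentials_of_type(vp, ctype):
        subject = vc.get("credentialSubject", {})
        for claim, field in fields.items():
            if field in subject and claim not in claims:
                claims[claim] = subject[field]
    if scope == "profile" and all(k in claims for k in ("given_name", "family_name")):
        claims["name"] = f"{claims['given_name']} {claims['family_name']}"
    return claims


def build_userinfo(sub: str, scopes, requested_claims, vp=None, nft=None, siwe=None) -> dict:
    """Assemble the user-info response: mapped standard claims plus the custom tokens."""
    info = {"sub": sub}
    for scope in scopes:
        if scope in SCOPE_MAP and vp is not None:
            info.update(map_scope(vp, scope))
    if "vp_token" in requested_claims and vp is not None:
        info["vp_token"] = vp  # verified presentation passed through as-is
    if "nft_token" in requested_claims and nft is not None:
        attrs = nft.get("metadata", {}).get("attributes", [])
        info["nft_token"] = {"chain": nft["chain"], "contract": nft["contract"],
                             "tokenId": nft["tokenId"],
                             "traits": {a["trait_type"]: a["value"] for a in attrs}}
    if "siwe" in requested_claims and siwe is not None:
        info["siwe"] = {"address": siwe["address"], "chainId": siwe.get("chainId")}
    return info


if __name__ == "__main__":
    print(json.dumps(build_userinfo("did:example:holder-constructed",
                                    ["openid", "profile", "email"],
                                    {"nft_token", "siwe"},
                                    SAMPLE_VP, SAMPLE_NFT, SAMPLE_SIWE), indent=2))
```

The point worth keeping from this model is the allow-list by credential type: a wallet may present more credentials than the request asked for, and only the credential type configured for a scope should be able to populate that scope's claims. Fields the credential does not carry are simply omitted from the response rather than emitted as null.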

The following overview summarizes the basic features of the IDP Kit:

  • OIDC

    • Standard OIDC protocol support, when interfacing with end user applications

    • Support for OIDC scopes like profile, address, email, and standard claims

      • Support for custom vp_token and nft_token claims, to allow client applications to request credential or NFT data from the user

    • Support for various OIDC flows, including code flow, implicit flow and hybrid flows

    • Support for OIDC auto discovery via well-known endpoint for OpenID provider metadata

  • SSI

    • Credential presentation exchange with SSI wallets via the OIDC/SIOPv2 protocol

    • Verification of credential and presentation signatures, challenges and compliance with the presentation request

      • Pluggability of additional verification policies

      • Support for custom verification policies

  • NFTs

    • NFT metadata exchange with NFT wallets such as MetaMask

    • Verification of NFT collections and traits

  • Sign-In with Ethereum

    • Get account addresses from wallets such as MetaMask

    • Verify ownership of the address

  • Claims and claim mapping

    • Support for mapping credential and NFT data to standard OIDC claims and scopes

    • Custom vp_token claim to propagate the verified presentation including all required credentials to the end user application as user info

    • Custom nft_token claim to propagate verified NFT metadata, such as collection membership and token traits, to the end user application as user info

    • Custom siwe claim to propagate verified addresses to the end user application as user info

  • Client authentication

    • Configuration of client IDs, client secrets and redirect URIs, to enforce client authentication (via client_secret_basic mode)

    • Dynamic client registration

  • Signature types

    • Support for RS256, EdDSA and ES256K key and signature types, for signing tokens

    • Publishing of public keys on standard OIDC JWK set endpoint, to enable clients to verify token signatures
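As an added example (not code from the IDP Kit), the following Python shows the relying-party end of the simple authentication flow described above, at the point where the end user application receives the ID token: it selects the signing key from the provider's JWK set by kid, pins the expected algorithm, verifies the RS256 signature and then checks iss, aud, exp and nonce. The issuer URL, client id, kid and claims are constructed placeholders. Because the provider's JWK set endpoint is not reachable offline, a toy RSA key pair generated in the block stands in for the provider's signing key; that key generation exists only to make the example self-contained and is not suitable for producing real keys.

```python
import base64, hashlib, hmac, json, random, time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# ---- Toy RSA key pair: a constructed stand-in for the provider's signing key ----
def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, adequate for a demo key only."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # full-size and odd
        if is_probable_prime(cand):
            return cand

def gen_rsa_key(bits: int = 1024) -> dict:
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:  # e must be coprime to phi(n)
            return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

# ---- RS256 = RSASSA-PKCS1-v1_5 with SHA-256 (RFC 7518 section 3.3) ----
_SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    t = _SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(message: bytes, key: dict) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(message: bytes, signature: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    # Compare the whole encoded message so the padding is checked, not only the hash.
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa_pkcs1_v15(message, k))

def jwk_from_key(key: dict, kid: str) -> dict:
    """Public half in the form the provider's JWK set endpoint publishes."""
    n_len = (key["n"].bit_length() + 7) // 8
    return {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
            "n": b64url_encode(key["n"].to_bytes(n_len, "big")),
            "e": b64url_encode(key["e"].to_bytes(3, "big"))}

def issue_id_token(key: dict, kid: str, claims: dict) -> str:
    """Provider side, included only to produce input for the verifier below."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode(), key))

class TokenError(ValueError):
    pass

def verify_id_token(token: str, jwks: dict, issuer: str, client_id: str, nonce: str, now=None) -> dict:
    """Relying-party checks that must pass before any claim in the token is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "RS256" or header.get("kid") is None:  # pins alg; rejects alg=none
        raise TokenError("unexpected alg or missing kid")
    key = next((k for k in jwks.get("keys", []) if k.get("kty") == "RSA" and k.get("kid") == header["kid"]), None)
    if key is None:
        raise TokenError("no matching key in JWK set")
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify(f"{h}.{p}".encode(), b64url_decode(s), n, e):
        raise TokenError("signature does not verify")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    if client_id not in aud:
        raise TokenError("token was not issued to this client")
    if claims.get("exp", 0) <= now:
        raise TokenError("token expired")
    if claims.get("nonce") != nonce:
        raise TokenError("nonce mismatch (replayed or cross-session token)")
    return claims
```

Two design choices matter here. The accepted algorithm is fixed by the relying party to what the provider publishes (RS256 in this example; EdDSA or ES256K would be pinned the same way) rather than read from the token header, which is what makes alg=none and algorithm-substitution tokens fail at the first check. And the nonce the application generated when it built the authorization request is compared against the token, which ties the ID token to the session that started the flow.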