OpenID Connect 2: Why I ❤ ID-porten
The advantage of OpenID Connect is the fact that it’s standardized and widely adopted. This means that a library or tool designed to work with, e.g. Google accounts, can easily be adopted to work with e.g. Microsoft’s Active Directory or the Norwegian national ID provider ID-porten.
Different Identity providers can support different levels of trust between you and your users.
In my next few blogposts, I will explore different OpenID Connect providers and what they can offer you as an application developer.
Norway’s national Identity Provider
The advantages of using ID-porten as an identity provider are considerable, but it comes with limitations as well. ID-porten is the identity provider supplied by the Norwegian government to all residents of Norway. It is (almost) fully compliant with OpenID Connect and is compatible with most tools and libraries.
When your user is authenticated with ID-porten, your application receives their national identification number (fødselsnummer or d-nummer). This identity is generally safeguarded by two-factor authentication, and the user has been validated by personally showing their identification papers at a bank or police office. You can be very certain of the user’s identity.
The limitation is that even though you know the user’s identification number, you know very little else about the user. You have to be authorized to use the national population register and do the lookup yourself to get their name and address. And even then, you don’t know which organizations the user is associated with or what authorization they have there. (This limitation is natural, considering the scope of responsibility of ID-porten.)
So the dilemma is that you can be quite sure of who the user is, but you have no idea who the user is. 😂
(Some of this information is available in other national registers and as time goes by, it may be more accessible)
Furthermore, even though you know who your user is, you don’t know whether you can trust them or whether they are a crook. Most convicted criminals of course retain their right to use online banking, and naturally they have ID-porten access. And that’s the way I think we should treat people, even those who have messed up in their lives.
Getting started with ID-porten is a bit harder than with other OpenID Connect providers, but this is mostly administration. First, not all applications are authorized to use it, of course, so you must contact Difi to get access. Secondly, ID-porten is very limited in terms of self-service application administration, so getting client credentials also involves some emailing.
But once you have your application credentials, integrating with ID-porten is just as simple as any other OpenID Connect provider. As a matter of fact, I’ve made apps that work with Google accounts and re-targeted them to ID-porten with only changes to credentials.
Difi’s OpenID Connect implementation is impressively accurate and robust, but there are still some issues you may run into in mobile app scenarios. (In technical parlance, response_mode=fragment doesn’t support response_type=code without a client secret, which is the easiest secure option for apps.)
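The retargeting described above, as an added example that is not code from the post or from Difi: the authorization request and the client-side ID token claim checks are provider-independent, and only the provider configuration changes between Google and ID-porten. All issuer, endpoint and client values below are constructed placeholders, and the claims passed to the validator are assumed to come from a JWT whose signature a JOSE library has already verified against the provider's JWKS.

```python
"""Provider-agnostic OpenID Connect client pieces (added example, not from the post)."""
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode


@dataclass(frozen=True)
class ProviderConfig:
    issuer: str                  # exact 'iss' value the provider writes into ID tokens
    authorization_endpoint: str
    client_id: str               # assigned by the provider (Google console, or Difi by e-mail)
    redirect_uri: str


# Constructed placeholder configs: swap one for the other and nothing else changes.
GOOGLE = ProviderConfig("https://accounts.google.com", "https://accounts.google.com/authorize",
                        "google-client-id.example", "https://app.example/callback")
IDPORTEN = ProviderConfig("https://idporten.example/", "https://idporten.example/authorize",
                          "idporten-client-id", "https://app.example/callback")


def build_authorization_url(cfg: ProviderConfig, state: str, nonce: str) -> str:
    """Authorization code request; state (CSRF) and nonce (replay) bind the response to this session."""
    params = {
        "response_type": "code",
        "client_id": cfg.client_id,
        "redirect_uri": cfg.redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return f"{cfg.authorization_endpoint}?{urlencode(params)}"


def validate_id_token_claims(claims: dict, cfg: ProviderConfig, expected_nonce: str,
                             now: Optional[float] = None) -> Optional[str]:
    """Return None if the signature-verified claims are acceptable, else the rejection reason."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != cfg.issuer:
        return "issuer mismatch"      # a Google token must not satisfy the ID-porten config
    if cfg.client_id not in aud:
        return "audience mismatch"    # token minted for some other client
    if claims.get("exp", 0) <= now:
        return "token expired"
    if claims.get("nonce") != expected_nonce:
        return "nonce mismatch"       # replayed or injected token
    return None
```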
If you are providing services to Norwegians on behalf of local or state government, ID-porten is your mandatory identity provider. And you can use existing knowledge and tools for OpenID Connect to do so.
You can start your journey at my Javabin talk in Oslo this Wednesday. https://www.meetup.com/javaBin/events/258573600/