Get an idea of how OpenID Connect with AXN works.

OpenID Connect in 5 Steps

Step 1 - /auth redirect

The relying party makes an OpenID Connect /auth request to ID DataWeb, including the client ID of the verification workflow and other key elements (described below and in the technical documentation).

This browser redirect step can be triggered from your custom application, or through one of the many integrations to SSO and identity systems.

Browser redirect:

HTTP/1.1 302 Found
Location: https://preprod1.iddataweb.com/preprod-axn/axn/oauth2/authorize         

Step 2 - Identity Verification

Once the page loads, the user will begin the identity verification process. This verification process is configured by the customer administrator, and is called a "Verification Workflow."

Depending on your configuration, the user may go through one or many steps to complete the process. Once complete, ID DataWeb will redirect the browser back to the original application's "Redirect URL", as described in the next step.

Step 3 - Authorization code to client application

Once verification is complete on the ID DataWeb side, a one-time pin known as an "authorization code" is passed back to the client application's "redirect URL" specified in AXN Admin.

HTTP/1.1 302 Found
Location: https://client.example.org/cb?

Step 4 - Customer Application Retrieves the ID Token

Once the authorization code has been obtained, your application must exchange it (and other client-specific data) for the results of the authentication and verification events. This is done by passing the required data to AXN's token endpoint. Once the request is validated, AXN responds with the token payload.


POST /preprod-axn/axn/oauth2/token HTTP/1.1
Host: preprod1.iddataweb.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code


HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzc...",
  "access_token": "SlAV32hkKG",
  "token_type": "Bearer",
  "expires_in": 3600
}

Step 5 - User Info

On response, the OP will return a JSON object with the ID token, an access token and an optional refresh token.


Verifying the ID Token's digital signature

It is highly recommended that the RP verifies the ID Token's digital signature. Please see the next page for more information.

Obtaining User Info

Once the tokens are obtained, the RP may obtain results from the /userinfo endpoint. This will return all information required for understanding the result, including the policy decision, scores, assertions and attributes.

To access the /userinfo endpoint, the RP must include the access_token from the /token response as a header in the following format: Authorization: Bearer <access_token>.


HTTP/1.1 302 Found
Location: https://preprod1.iddataweb.com/preprod-axn/axn/oauth2/userInfo
Content-Type: application/x-www-form-urlencoded
header: Authorization: Bearer SlAV32hkKG


HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

   "userAttributes_InternationalTelephone_telephone":"(XXX) xxx-xxxx",   

What’s Next

Next, learn how to verify and parse the ID Token to obtain user verification results.
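
Steps 3 to 5 above, seen from the relying party's side, as an added example that is not ID DataWeb's code: it validates the callback, builds the token request and turns the token response into the /userinfo request. The `state` check, the `code`, `redirect_uri`, `client_id` and `client_secret` body parameters (standard OAuth 2.0 names; sending the client credentials in the body is an assumption) and the function names are assumptions, and the sample values are constructed.

```python
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoints exactly as shown on this page (preprod environment).
TOKEN_URL = "https://preprod1.iddataweb.com/preprod-axn/axn/oauth2/token"
USERINFO_URL = "https://preprod1.iddataweb.com/preprod-axn/axn/oauth2/userInfo"


def code_from_callback(callback_url, expected_state):
    """Step 3: extract the authorization code, rejecting error responses and
    callbacks whose state does not match the value stored in the session."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    state = params.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(
            state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def token_request(code, client_id, client_secret, redirect_uri):
    """Step 4: URL, headers and form body for the back-channel POST."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,  # assumption: credentials sent in the body
        "client_secret": client_secret,
    })
    return TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, body


def userinfo_request(token_response_json):
    """Step 5: URL and headers for /userinfo, built from the Step 4 response."""
    tokens = json.loads(token_response_json)
    if str(tokens.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    if not tokens.get("id_token") or not tokens.get("access_token"):
        raise ValueError("token response is missing a token")
    return USERINFO_URL, {"Authorization": "Bearer " + tokens["access_token"]}


if __name__ == "__main__":
    # Constructed callback: the code and state values are made up.
    code = code_from_callback("https://client.example.org/cb?code=c0de&state=s1", "s1")
    print(token_request(code, "my-client-id", "my-secret", "https://client.example.org/cb"))
```

The token request is sent server to server, so the client secret and the authorization code exchange never pass through the browser.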