Prefill PII from your Application
Using the gateway, it is possible to prefill PII in your verification workflow.
An example:
- You are attempting to verify that the user on the device is the account holder. In this case - prefill full name (and potentially other attributes), and lock them on the workflow side.
To do this, you will need to:
- Create a JSON Web Token (either signed or encrypted) including the data you'd like to prefill.
- Add the value of your JWT to the optional login_hint URL parameter in the /auth request to ID DataWeb.
- Configure which attributes should be locked in AXN Admin.
Use open source libraries for JWT creation
For this process, it is highly recommended you use an industry standard library to create your JWT. A good list can be found here (for digital signatures) and here (including JSON Web Encryption).
Digital Signature vs. Encryption
- Digital Signature is appropriate to use when there is no PII included in the payload, or in lower environments for POCs.
- Payload Encryption should be used when sensitive information is included.
JWT Payload format
The input format should follow the following structure:
{
"fname": "",
"mname": "",
"lname": "",
"email": "",
"ssn9": "",
"ssn4": "",
"dobday": "",
"dobmonth": "",
"dobyear": "",
"street_number": "",
"route": "",
"subpremise": "",
"locality": "",
"postal_code": "",
"administrative_area_level_1": "",
"country": "",
"dialCode": "",
"telephone": "",
"sub": "",
"iat": 0,
"exp": 0,
"appID":""
}
Notes
- Some of these values, including iat and exp, should be generated by the library you are using to create JWTs. Both are numeric (seconds since the Unix epoch), not strings; the 0 above is only a placeholder.
- You only need to include the PII attributes above that your use case requires. All are optional.
Creating a Digitally Signed JWT
For this process, it is highly recommended you use an industry standard library to create your JWT. A good list can be found here.
Required parameters for open source libraries:
- algorithm: HS256
- secret for digital signature: client_secret of your service
Process
- Set your library to use the above algorithm and secret.
- Input your payload (per the format above) into the function.
- The output should be a digitally signed JWT.
Creating an Encrypted JWT
In this process, you will be encrypting your JWT with a public key obtained from AXN Admin, which will be decrypted using the private key on the ID DataWeb side.
Required parameters:
- Key encryption algorithm (alg) : RSA-OAEP-256
- Content encryption (enc) : A128GCM
- public key: Obtain from ID DataWeb AXN Admin or your Solutions Architect
Process
- Set your library to use the above parameters.
- Input your payload (per the format above) into the function.
- The output should be an encrypted JWT.
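To make the two parameters above concrete, here is an added example (not ID DataWeb's code, nor a substitute for the standard library the page recommends) that builds a JWE compact token with alg RSA-OAEP-256 and enc A128GCM, and decrypts it again for a round-trip check. It assumes the Python `cryptography` package is installed. The RSA key pair is generated locally only for the demo; in practice you hold just the public key from AXN Admin and ID DataWeb holds the private key. All PII values are constructed.

```python
import base64
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Key-encryption padding for "alg": "RSA-OAEP-256": OAEP with SHA-256 as both
# the hash and the MGF1 mask-generation hash.
OAEP_SHA256 = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                           algorithm=hashes.SHA256(), label=None)
PROTECTED_HEADER = {"alg": "RSA-OAEP-256", "enc": "A128GCM"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def load_public_key(pem: bytes):
    """Load the PEM-encoded public key obtained from AXN Admin."""
    return serialization.load_pem_public_key(pem)


def encrypt_jwe(payload: dict, public_key) -> str:
    """JWE compact serialization (RFC 7516): header.encrypted_key.iv.ciphertext.tag."""
    protected = b64url(json.dumps(PROTECTED_HEADER, separators=(",", ":")).encode())
    cek = AESGCM.generate_key(bit_length=128)   # fresh 128-bit content key per token
    encrypted_key = public_key.encrypt(cek, OAEP_SHA256)
    iv = os.urandom(12)                          # 96-bit GCM nonce
    plaintext = json.dumps(payload, separators=(",", ":")).encode()
    # The protected header is the additional authenticated data, so alg/enc are
    # bound to the ciphertext and cannot be swapped without failing the tag check.
    sealed = AESGCM(cek).encrypt(iv, plaintext, protected.encode("ascii"))
    ciphertext, tag = sealed[:-16], sealed[-16:]
    return ".".join([protected, b64url(encrypted_key), b64url(iv),
                     b64url(ciphertext), b64url(tag)])


def decrypt_jwe(token: str, private_key) -> dict:
    """The receiving side's steps, used here only for a round-trip check."""
    protected, enc_key, iv, ciphertext, tag = token.split(".")
    header = json.loads(b64url_decode(protected))
    if header.get("alg") != "RSA-OAEP-256" or header.get("enc") != "A128GCM":
        raise ValueError("unexpected JWE alg/enc")
    cek = private_key.decrypt(b64url_decode(enc_key), OAEP_SHA256)
    try:
        plaintext = AESGCM(cek).decrypt(b64url_decode(iv),
                                        b64url_decode(ciphertext) + b64url_decode(tag),
                                        protected.encode("ascii"))
    except InvalidTag:
        raise ValueError("ciphertext or protected header was modified")
    return json.loads(plaintext)


def jwe_header(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[0]))


def decrypts_ok(token: str, private_key) -> bool:
    try:
        decrypt_jwe(token, private_key)
        return True
    except ValueError:
        return False


def constructed_keypair():
    """Throwaway RSA key pair for the demo only (in production you never hold the private key)."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()


if __name__ == "__main__":
    private_key, public_key = constructed_keypair()
    token = encrypt_jwe({"fname": "Jane", "lname": "Doe", "ssn4": "1234",
                         "iat": 1700000000, "exp": 1700000300,
                         "appID": "APP-ID-PLACEHOLDER"}, public_key)
    print(token)
    print(decrypt_jwe(token, private_key))
```

Because the content key, IV and padding are random, every call produces a different token for the same payload; that is expected. With a real key from AXN Admin, replace `constructed_keypair()` with `load_public_key(pem_bytes)` and drop the decrypt step, which only ID DataWeb can perform.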
Including your JWT in /authorize call
Make your /authorize request including login_hint=<your JWT> to initiate your verification workflow:
https://preprod1.iddataweb.com/preprod-axn/axn/oauth2/authorize
?response_type=code
&scope=openid%20idp.google%20country.us
&client_id=12345
&state=554433
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&login_hint=<your digitally signed JWT>
As a result, the PII will be prefilled on the user's verification workflow.
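As an added example (not ID DataWeb's code, and written with only the Python standard library to show what the recommended JWT library does for you), the following ties the "Creating a Digitally Signed JWT" process above to this /authorize call: it assembles the payload, signs it with HS256 using the client_secret, builds the request URL, and includes the verification the receiving side performs (algorithm pinned, constant-time MAC comparison, exp enforced). The client_id, client_secret, appID and PII values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed sample values: the real client_id comes from AXN Admin and the
# client_secret is the secret of your own service. Neither value below is real.
CLIENT_ID = "12345"
CLIENT_SECRET = "placeholder-client-secret-not-real"
AUTHORIZE_ENDPOINT = "https://preprod1.iddataweb.com/preprod-axn/axn/oauth2/authorize"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_prefill_payload(pii: dict, app_id: str, ttl_seconds: int = 300,
                          now: Optional[int] = None) -> dict:
    """Keep only the PII attributes you actually have, then add iat/exp
    (seconds since the epoch) and appID."""
    now = int(time.time()) if now is None else now
    payload = {key: value for key, value in pii.items() if value}
    payload.update({"iat": now, "exp": now + ttl_seconds, "appID": app_id})
    return payload


def sign_hs256(payload: dict, secret: str) -> str:
    """Compact JWS (header.payload.signature) using HS256 over the client_secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(secret.encode(), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def verify_hs256(token: str, secret: str, now: Optional[int] = None) -> dict:
    """Receiving-side checks: pin the algorithm, compare the MAC in constant
    time, and reject an expired hint before trusting any claim in it."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise ValueError("token expired or exp missing")
    return payload


def build_authorize_url(jwt: str, state: str, redirect_uri: str) -> str:
    """Build the /authorize request shown on the page; safe="" percent-encodes
    '/' and ' ' as %2F and %20. The JWT itself only uses URL-safe characters."""
    params = {
        "response_type": "code",
        "scope": "openid idp.google country.us",
        "client_id": CLIENT_ID,
        "state": state,
        "redirect_uri": redirect_uri,
        "login_hint": jwt,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params, safe="", quote_via=quote)


def login_hint_from_url(url: str) -> str:
    """Recover login_hint exactly as the gateway would see it."""
    return parse_qs(urlsplit(url).query)["login_hint"][0]


if __name__ == "__main__":
    pii = {"fname": "Jane", "mname": "", "lname": "Doe", "email": "jane@example.com"}
    payload = build_prefill_payload(pii, app_id="APP-ID-PLACEHOLDER")
    token = sign_hs256(payload, CLIENT_SECRET)
    print(build_authorize_url(token, state="554433", redirect_uri="https://client.example.org/cb"))
```

The short exp limits how long a captured login_hint stays usable, and the HS256 signature only proves the hint came from a holder of the client_secret, which is why the page reserves the signed variant for payloads without PII.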