Prefill PII from your Application

Using the gateway, it is possible to prefill PII in your verification workflow.

An example:

  • You are attempting to verify that the user on the device is the account holder. In this case, prefill the full name (and potentially other attributes) and lock them on the workflow side.

To do this, you will need to:

  • Create a JSON Web Token (either signed or encrypted) containing the data you'd like to prefill.
  • Add the value of your JWT to the optional login_hint URL parameter in the /auth request to ID DataWeb.
  • Configure which attributes should be locked in AXN Admin.

Use open source libraries for JWT creation

For this process, it is highly recommended you use an industry standard library to create your JWT. A good list can be found here (for digital signatures) and here (including JSON Web Encryption).

Digital Signature vs. Encryption

  • Digital Signature is appropriate to use when there is no PII included in the payload, or in lower environments for POCs.
  • Payload Encryption should be used when sensitive information is included.

JWT Payload format

The payload should follow this structure:

{
  "fname": "",
  "mname": "",
  "lname": "",
  "email": "",
  "ssn9": "",
  "ssn4": "",
  "dobday": "",
  "dobmonth": "",
  "dobyear": "",
  "street_number": "",
  "route": "",
  "subpremise": "",
  "locality": "",
  "postal_code": "",
  "administrative_area_level_1": "",
  "country": "",
  "dialCode": "",
  "telephone": "",
  "sub": "",
  "iat": ,
  "exp": ,
  "appID": ""
}

Notes

  • Some of these values, including iat and exp, should be generated by the library you are using to create JWTs.
  • All PII attributes are optional; include only the ones your use case requires.

Creating a Digitally Signed JWT

For this process, it is highly recommended you use an industry standard library to create your JWT. A good list can be found here.

Required parameters for open source libraries:

  • algorithm: HS256
  • secret for digital signature: client_secret of your service

Process

  • Set your library to use the above algorithm and secret.
  • Pass your payload (in the format above) to the library's signing function.
  • The output is a digitally signed JWT.

Creating an Encrypted JWT

In this process, you encrypt your JWT with a public key obtained from AXN Admin; ID DataWeb decrypts it with the corresponding private key on its side.

Required parameters:

  • Key encryption algorithm (alg): RSA-OAEP-256
  • Content encryption (enc): A128GCM
  • Public key: obtain from ID DataWeb AXN Admin or your Solutions Architect

Process

  • Set your library to use the above parameters.
  • Pass your payload (in the format above) to the library's encryption function.
  • The output is an encrypted JWT.

Including your JWT in /authorize call

Make your /authorize request including the login_hint=<your JWT> to initiate your verification workflow:

https://preprod1.iddataweb.com/preprod-axn/axn/oauth2/authorize
  ?response_type=code
  &scope=openid%20idp.google%20country.us
  &client_id=12345
  &state=554433
  &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
  &login_hint=<your digitally signed JWT>

As a result, the PII will be prefilled on the user's verification workflow.
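As an added illustration (not ID DataWeb's own code) of the signed-JWT path and the /authorize call above, the following Python builds the prefill payload with library-generated iat/exp, signs it with HS256 using the client_secret as the key, shows the check the receiving side performs on such a token, and appends it as login_hint. The client_secret, appID, sub and PII values are constructed placeholders; a production integration should use one of the standard libraries recommended above rather than this hand-rolled signer.

```python
import base64
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed placeholders: use the client_secret and appID issued to your service in AXN Admin.
CLIENT_SECRET = "replace-with-your-client-secret"
AUTHORIZE_URL = "https://preprod1.iddataweb.com/preprod-axn/axn/oauth2/authorize"


def b64url(data: bytes) -> str:
    # JWTs use unpadded base64url encoding for every segment
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_prefill_payload(pii: dict, sub: str, app_id: str, ttl_seconds: int = 300, now=None) -> dict:
    # Only the PII keys you need go in; iat/exp are generated here, never typed by hand
    now = int(time.time()) if now is None else now
    payload = dict(pii)
    payload.update({"sub": sub, "iat": now, "exp": now + ttl_seconds, "appID": app_id})
    return payload


def sign_hs256(payload: dict, secret: str) -> str:
    # HS256: HMAC-SHA256 over base64url(header).base64url(payload), keyed with client_secret
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url(json.dumps(header, separators=(",", ":")).encode()) + "." + \
        b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), signing_input.encode(), "sha256").digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, secret: str, now=None) -> dict:
    # What a receiver must do before trusting prefilled PII: constant-time signature check, then expiry
    h, p, s = token.split(".")
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), "sha256").digest()
    if not hmac.compare_digest(b64url(expected), s):
        raise ValueError("bad signature")
    payload = json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
    now = int(time.time()) if now is None else now
    if payload["exp"] <= now:
        raise ValueError("token expired")
    return payload


def authorize_url(jwt_token: str, client_id: str, state: str, redirect_uri: str) -> str:
    # urlencode percent-encodes redirect_uri; the JWT alphabet (A-Z a-z 0-9 - _ .) passes through unchanged
    params = {"response_type": "code", "scope": "openid idp.google country.us",
              "client_id": client_id, "state": state, "redirect_uri": redirect_uri,
              "login_hint": jwt_token}
    return AUTHORIZE_URL + "?" + urlencode(params)
```

Because the payload is only signed, not encrypted, anything placed in it is readable by whoever sees the URL; per the guidance above, switch to the encrypted JWT (RSA-OAEP-256 / A128GCM) as soon as real PII is involved.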