Prefill PII from your Application

This document outlines how to prefill PII into your verification workflow for an end user.

An example:

• You are attempting to verify that the user on the device is the account holder.
• In this case - prefill full name (and potentially other attributes), and lock them on the verification workflow side.
• This way, the user must verify that they are specifically the account holder, instead of just verifying they are who they say they are.

Prefill Options

There are three options for prefilling PII into your Verification Workflow:

• Login_hint Prefill - API - Call the ID DataWeb Admin API with the end user's PII to generate a fully formed JWT, then add this value as a login_hint to your /authorize request.
• Login_hint Prefill - Create JWT - Create a JWT in your application with the end user's PII, and add it as a login_hint to your /authorize request.
• Pre-Verify Federated Login - Add a federated login to the beginning of your verification workflow, and map attributes from your SSO system to the ID DataWeb form through OpenID Connect.

Note - For both options 1 and 2, you can choose to use a digital signature OR encryption for your JWT. Your solutions architect can configure your API key appropriately.

• Digital Signature is appropriate to use when there is no PII included in the payload, or in lower environments for POCs.
• Payload Encryption should be used when sensitive information is included.

Option 1: Use the Admin API to generate a JWT for prefill

In this option, you will call the AXN Admin API to generate a fully formed JSON Web Token for you. As an output, you can use this value to append to your /authorize request.

1. Get an AXN Admin access token. Your solutions architect can generate the credentials required for this step. When you have them, obtain an OAuth2 access token using this API call.
2. With the token, make a request to the verification link API. . The key inputs for this API call are:
   • the access token from step 1
   • the api key which you plan to prefill. Note - this is the first client ID in your verification workflow.
   • the PII which you want to prefill. Note - ID DataWeb recommends the "full name" field as a minimum. The format follows the standard ID DataWeb PII input format (an example is shown in the docs linked above.)

As an output, you will receive a fully formed JSON Web Token, which you can then use as the login_hint value in your /authorize request.

Option 2: Create a JWT in your application for prefill

👍

Use open source libraries for JWT creation

For this process, it is highly recommended you use an industry standard library to create your JWT. A good list can be found here (for digital signatures) and here (including JSON Web Encryption).

JWT Payload format

The input format should follow the following structure:

{
            "fname": "",
            "mname": "",
            "lname": "",
            "email": "",
            "ssn9": "",
            "ssn4": "",
            "dobday": "",
            "dobmonth": "",
            "dobyear": "",
            "street_number": "",
            "route": "",
            "subpremise": "",
            "locality": "",
            "postal_code": "",
            "administrative_area_level_1": "",
            "country": "",
            "dialCode": "",
            "telephone": "",
            "sub": "", 
            "iat": , 
            "exp": , 
            "appID":""
        }

Notes

• some of these values, including iat and exp should be generated by the library you are using to create JWTs.
• You only need to include the required PII attributes above for your use case. All are optional.

Creating a Digitally Signed JWT

For this process, it is highly recommended you use an industry standard library to create your JWT. A good list can be found here.

Required parameters for open source libraries:

• algorithm: HS256
• secret for digital signature: client_secret of your service

Process

• Set your library to use the above algorithm and secret.
• input your payload (per format above) into the function.
• output should be a digitally signed JWT.

Creating an Encrypted JWT

In this process, you will be encrypting your JWT with a public key obtained from AXN Admin, which will be decrypted using the private key on the ID DataWeb side.

Required parameters:

• Key encryption algorithm (alg) : RSA-OAEP-256
• Content encryption (enc) : A128GCM
• public key: Obtain from ID DataWeb AXN Admin or your Solutions Architect

Process

• Set your library to use the above parameters.
• input your payload (per format above) into the function.
• output should be an encrypted JWT.

Including your JWT in /authorize call

Make your /authorize request including the login_hint=<your JWT> to initiate your verification workflow:

https://preprod1.iddataweb.com/preprod-axn/axn/oauth2/authorize         
          ?response_type=code
          &scope=openid%20idp.google%20country.us
          &client_id=12345
          &state=554433
          &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
          &login_hint=<your digitally signed JWT>

As a result, the PII will be prefilled on the user's verification workflow.

Option 3: Add a federated login to the beginning of your flow

In this option, the user is first authenticated at an identity provider before they are verified. You can configure the identity provider connection to map the user's PII to the ID DataWeb form, including the full name. Typically - the user is already authenticated by this point, so they will not have to login again.

Steps

• step 1: add a federated IDP connection, as outlined here: Adding a federated Identity Provider (IDP)
• step 2: add the federated IDP to your workflow configuration.
• step 3: in your /authorize request, add the appropriate "scope" field to trigger authentication with your configured IDP. For example - idp.funbankIDP.
  • The format is: idp.<code field from your IDP configuration page>
  • For example: idp.funBank
• Result: User begins verification workflow with PII prefilled.