Authorisations
User authorisation¶
In the OIDC flow, access tokens can only be retrieved for users who:
- Have had their identity verified by an accredited SERMI CAB
- Have had their UIDs and certificate created by the CAB
- Have a valid authorisation approved by the CAB
- Have logged in via either Web or Passwordless login
If the IOE has not been verified via the CAB, or has had their authorisation revoked, they will not be able to successfully log in via the OIDC flow, and an access token cannot be retrieved. For this reason, an access token in the OIDC flow serves the same purpose as a traditional certificate would: proving verified identity, and proving valid authorisation.
Chain authorisation¶
Along with the requirements listed above, RSSEs must also be granted chain authorisation by an IOE before they are able to log in.
Authorisation process¶
As long as both the IOE and RSSE have a valid CAB authorisation, chain authorisation can be granted without requiring any action from the CAB.
The authorisation process can be started by either the IOE or RSSE from their certificate in the Digidentity app. Once started, an invitation is sent to the other party, who has 24 hours to accept before the invitation expires. The chain authorisation is not established until the other party has accepted the invitation.
Usage¶
Once the invitation has been accepted, the RSSE receives a one-time chain authorisation to log into the RMI Portal on the IOE's behalf.
In the OIDC flow, VMs can recognise an RSSE login by the UIDs returned in the user_info response. In this scenario, UIDs are returned for both the RSSE logging in and the IOE granting their chain authorisation.
Once the RSSE has successfully logged into the RMI Portal, the chain authorisation is immediately revoked. Any additional logins will require a new invitation. Should the chain authorisation not be used, it will automatically expire 24 hours from the moment it was accepted.
Certificates¶
As OIDC access tokens provide the necessary security assurance required by SERMI scheme rules, Digidentity will not provide VMs with a certificate for the user. All information required to verify the user's identity will be included within the employee's UID attributes.