General information

Addo Sign Authentication Service is an OpenID Connect (OIDC) identity provider. For your implementation, we recommend using well-established packages/libraries for connecting with OIDC. They often handle more tedious parts of the OIDC specification automatically and ensure the best security practices. You should implement the entire authentication flow yourself only in extreme cases.

Structure of the document

On the right you see a list of pages contained in this document. The "Table of contents" on the right can be used to navigate to outlined sections in the selected page. If you more or less know what you are looking for, the search bar at the top right can be used to quickly find the information.

This page contains information that applies to the entire Authentication service. Many of our identity providers have their own parameters, flows, and overrides, which can be found on the Supported identity providers page. We recommend reading this entire page before proceeding to provider-specific documentation.

For information on what identity providers are available, see the Supported identity providers page. For information on how to identify users, see the Authorization code flow page.
For information on how to get access tokens that allow accessing various Addo services, see the Client credentials flow page.

Examples

In examples, values provided in {} represent your individual credentials and should be replaced with your own values.

Environments

Demo

Authority URL:

https://demo.addosign.net/authentication-service

Discovery document URL:

https://demo.addosign.net/authentication-service/.well-known/openid-configuration

Production

Authority URL:

https://addosign.net/authentication-service

Discovery document URL:

https://addosign.net/authentication-service/.well-known/openid-configuration

Choosing an identity provider

The Authentication service supports multiple identity providers. To choose a specific identity provider, set the acr_values authorization parameter in the format idp:{your identity provider idp value}. The idp value for each provider can be found on its description page. See the Supported identity providers page for details on each provider.

⚠️ Important!
The idp value is case-sensitive. For example, the value acr_values=idp:mitId might not work, while acr_values=idp:MitId will.

Example acr_values

acr_values=idp:MitId
acr_values=idp:NorwegianBankId
acr_values=idp:Tupas

Supported claims

These claims are commonly supported by all providers.

sub - subject ID. A unique identifier issued by Addo Sign for an authenticated user.

⚠️ Important!
The 'sub' claim should not be used as a unique identifier for the user in your system. If you need to uniquely identify users, please use other claims.

idp - identity provider used to authenticate the user. Most of the time, it is the same value as provided in the acr_values parameter. See your chosen identity provider page for exceptions. We recommend checking this value to make sure the user is authenticated with the correct method.

name - the name (first and last name) of the authenticated user.

ssn - social security number / personal number of the authenticated user. The format depends on the identity provider chosen.

given_name - if available, first name of the user.

family_name - if available, last name of the user.

Supported scopes

openid - required OIDC flow scope. Provides the sub and idp claims.
profile - provides details about the authenticated user, such as their name and surname.
ssn - provides the authenticated user's social security number (ssn), also known as personal identification number (PIN) in some countries.

ℹ️ Note
Previous versions of Authentication Service supported the idp scope. It is no longer used, is DEPRECATED and should no longer be sent.
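
The acr_values format from "Choosing an identity provider" and the recommended idp claim check from "Supported claims", as an added example (not Addo Sign's own code). It builds a generic OIDC authorization-code request pinned to one provider and checks the idp claim of already-validated ID token claims; the endpoint, client ID, redirect URI, state and nonce are constructed placeholders, and the real authorization endpoint comes from the discovery document.

```python
from urllib.parse import urlencode

SUPPORTED_SCOPES = {"openid", "profile", "ssn"}  # scopes listed on this page


def build_authorization_url(authorization_endpoint, client_id, redirect_uri,
                            idp, scopes, state, nonce):
    """Build an authorization-code request that pins one identity provider."""
    scopes = list(scopes)
    if "idp" in scopes:
        raise ValueError("the 'idp' scope is deprecated and must not be sent")
    unknown = set(scopes) - SUPPORTED_SCOPES
    if unknown:
        raise ValueError(f"unsupported scopes: {sorted(unknown)}")
    if "openid" not in scopes:
        raise ValueError("the 'openid' scope is required")
    if not idp or any(c.isspace() for c in idp):
        raise ValueError("idp value must be a single non-empty token")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "acr_values": f"idp:{idp}",  # case-sensitive: passed through unchanged
        "state": state,
        "nonce": nonce,
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


def idp_claim_matches(claims, accepted_idps):
    """Return True only if the 'idp' claim exactly equals an accepted value.

    `claims` must come from an ID token that your OIDC library has already
    validated (signature, issuer, audience, expiry, nonce).
    """
    idp = claims.get("idp")
    return isinstance(idp, str) and idp in set(accepted_idps)


if __name__ == "__main__":
    # Constructed values; the real endpoint comes from the discovery document.
    url = build_authorization_url(
        "https://idp.example/authorize", "example-client",
        "https://app.example/callback", "MitId", ["openid", "ssn"],
        state="constructed-state", nonce="constructed-nonce")
    print(url)
    print(idp_claim_matches({"idp": "MitId"}, {"MitId"}))
    print(idp_claim_matches({"idp": "mitid"}, {"MitId"}))
```

Pass more than one value in accepted_idps when your provider's page documents an idp claim that differs from the acr_values value you sent.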