Itsme Provider 
Itsme is a trusted identity provider allowing partners to use verified identities for authentication and authorization on web desktop, mobile web and mobile applications.
Setup
A few steps are needed to get Itsme working as a provider.
Before you start integrating itsme®, you MUST create an organisation. This is described in the prerequisites part of the official Itsme documentation: https://belgianmobileid.github.io/slate/login.html#1-introduction.
Once there, you will need to fill out a basic form with the following questions:
- Contact details such as your email, name, phone number.
- Organisation details as shown on the company register for your jurisdiction.
- Information about the project you want to set up and the use case you have in mind.
- itsme® terms and conditions. If you require a copy of this, please contact onboarding@itsme.be.
Their onboarding team will review your project and get in touch within 3 days with a "client_id" and a "service_code", which need to be added to your configuration.
After going through the integration process with Itsme, we also need to do some configuration in the Ometa Business Connector.
Registering your private keys
The OpenID Connect Core specifications support multiple authentication methods, but itsme® only supports "private_key_jwt". It requires that each party exposes its public keys as a simple JWK Set document on a URI accessible to all, and keeps its private key set to itself.
Your private and public keys can be generated via Yeoman. To get started, install Yeoman and generator-itsme with NPM:
$ npm install -g yo generator-itsme
After installation, run the generator:
$ yo itsme
You'll receive two JSON files: 'jwks_private.json' and 'jwks_public.json'.
The jwks_public.json file must be publicly available for itsme, so you need to host this file on a public URI and mail this URI to onboarding@itsme.be. The jwks_private.json file stays private: it is not hosted or mailed, and is only loaded into the Business Connector, as described in the section below.
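A pre-publication check for the two files, as an added example that is not part of the Ometa or itsme documentation: it confirms that the set you are about to host contains no private key members and that each hosted key is the public half of a key in the private set. The function name `auditPublicJwks` is hypothetical, and the example assumes both files use the RFC 7517 JWK Set layout (`{ "keys": [...] }`).

```javascript
// Added example: audit a JWK Set before hosting it on a public URI.
// Assumption: both generator outputs follow RFC 7517 ({ "keys": [ ... ] }).
const PRIVATE_MEMBERS = ['d', 'p', 'q', 'dp', 'dq', 'qi', 'oth', 'k'];
const PUBLIC_MEMBERS = ['kty', 'n', 'e', 'crv', 'x', 'y'];

function auditPublicJwks(publicSet, privateSet) {
  const findings = [];
  const pubKeys = (publicSet && publicSet.keys) || [];
  const privByKid = new Map(((privateSet && privateSet.keys) || []).map(k => [k.kid, k]));
  if (!Array.isArray(pubKeys) || pubKeys.length === 0) {
    findings.push('public set has no "keys" array');
    return findings;
  }
  const seen = new Set();
  for (const [i, key] of pubKeys.entries()) {
    const label = key.kid ? `kid=${key.kid}` : `keys[${i}]`;
    // A single private member in the hosted file discloses the key.
    const leaked = PRIVATE_MEMBERS.filter(m => m in key);
    if (leaked.length) findings.push(`${label}: private members present (${leaked.join(',')})`);
    if (!key.kid) findings.push(`${label}: missing kid`);
    else if (seen.has(key.kid)) findings.push(`${label}: duplicate kid`);
    seen.add(key.kid);
    // The hosted key must be the public half of a key loaded in the connector.
    const priv = privByKid.get(key.kid);
    if (!priv) findings.push(`${label}: no matching private key`);
    else if (PUBLIC_MEMBERS.some(m => priv[m] !== key[m]))
      findings.push(`${label}: public parameters differ from private key`);
  }
  return findings;
}

// Constructed sample data (shortened placeholder values, not real key material).
const samplePrivate = { keys: [
  { kty: 'RSA', kid: 's1', use: 'sig', n: 'sXchA', e: 'AQAB', d: 'Xk9pQ' },
  { kty: 'RSA', kid: 'e1', use: 'enc', n: 'u7TqB', e: 'AQAB', d: 'Zr2mL' },
] };
// Correct public set: same keys with the private exponent removed.
const goodPublic = { keys: samplePrivate.keys.map(({ d, ...pub }) => pub) };
// Faulty public set: one key still carries "d", the other has a different modulus.
const badPublic = { keys: [samplePrivate.keys[0], { ...goodPublic.keys[1], n: 'other' }] };

console.log(auditPublicJwks(goodPublic, samplePrivate)); // []
console.log(auditPublicJwks(badPublic, samplePrivate));
```

To use it on the real files, parse jwks_public.json and jwks_private.json with `JSON.parse` and pass the results in; an empty array means no findings.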
Business Connector
Open the Ometa Business Connector.
Click on the blue menu item in the top left corner and navigate to the security tab. Click on the "Providers" menu item. The following screen will pop up:

As you can see, itsme is already known in our Framework. We just need to enter the configuration we've received from itsme in order to get it to work.
Click on the itsme provider.
- Fill in the client id with the client id that you've received from itsme.
- Fill in the client secret with the service code that you received from itsme. Use the service code that is provided for the login functionality.
- Last but not least, load the contents of the private keys JSON file (jwks_private.json) by using the designated button.

Note
You'll receive a visual representation of the keys but you can't edit them.
Claims
The following claims are provided by default by itsme when a user successfully authenticates itself.
- name
- given_name
- family_name
- birthdate
- gender
- email_verified
An example:
| Type | Value |
|---|---|
| name | John Doe |
| given_name | John |
| family_name | Doe |
| birthdate | 1980-01-05 |
| gender | male |
| email | john.doe@ometa.net |
| email_verified | true |