CIBA PAR Age Verification
Signaturgruppen Broker offers a generalized CIBA + PAR OIDC mechanism that is well suited to age verification flows. Below, a standard “minimal age verification flow” is shown. It uses the minimal scope to restrict the data returned to the bare minimum, which helps satisfy GDPR and data-minimization principles.
Age verification with minimal scope
In the following request, either the age scope or the age_verify:[age] scope can be used (not both):
curl --location 'https://pp.netseidbroker.dk/op/connect/ciba' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=urn:openid:params:grant-type:ciba' \
--data-urlencode 'scope=openid minimal age' \
--data-urlencode 'client_id=[your_client_id]' \
--data-urlencode 'client_secret=[your_secret]' \
--data-urlencode 'login_hint_token={"flow_type": "broker_oidc", "idp_values":"mitid" }'
Note that a signed JWT client assertion can be used instead of posting the client secret directly.
In the resulting ID token, either the idbrokerdk_age=[age] claim (using scope age) or the idbrokerdk_age_verified=[age:bool(verified)] claim (using scope age_verify:[age]) is returned.
User experience
The flow is initiated from the integrating service's backend, which then polls continuously until the resulting ID token containing the verification response has been fetched.
At https://brokerdemo-pp.signaturgruppen.dk/ageverifyqr we have set up an interactive QR code demo of an age verification flow which uses this API under the hood. The demo works as follows:
- CIBA + PAR is initiated.
- A QR code is created from the resulting authentication_uri and shown to the end-user.
- The user scans the QR code to initiate a MitID age verification flow (use the MitID PP test tool for simulation).
- The QR page polls for status updates in the background (through a backend), while the browser opened by scanning the QR code on the other device runs the OIDC PAR age verification flow.
- When the flow is completed, the end-user sees a confirmation page and the QR page is updated with the result of the flow.
Screenshots (not reproduced here): MitID age verification text; user browser completed; QR page updated with status.
Sessions
If the user already has an active session with the client, accessing the authentication_uri will automatically redirect them to the confirmation page to complete the flow.
To prevent this behavior and require users to log in each time, set the prompt parameter in the login_hint_token to login:
curl --location 'https://pp.netseidbroker.dk/op/connect/ciba' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=urn:openid:params:grant-type:ciba' \
--data-urlencode 'scope=openid minimal age' \
--data-urlencode 'client_id=[your_client_id]' \
--data-urlencode 'client_secret=[your_secret]' \
--data-urlencode 'login_hint_token={"flow_type": "broker_oidc", "idp_values": "mitid", "prompt": "login" }'
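As an added example (not part of the broker documentation or Signaturgruppen's own code), the following Python backend drives the flow described above end to end: it initiates the CIBA request with the minimal scope, age_verify:[age] and prompt=login, polls the token endpoint while honouring the CIBA authorization_pending and slow_down replies, and then checks the returned claim against the age it actually asked for. The token endpoint path, the "<age>:<true|false>" serialization of idbrokerdk_age_verified, and all function names (post_form, start_age_check, poll_for_token, id_token_claims, is_verified) are assumptions made here, not taken from the page.

```python
import base64, json, time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

CIBA_URL = "https://pp.netseidbroker.dk/op/connect/ciba"
TOKEN_URL = "https://pp.netseidbroker.dk/op/connect/token"  # assumed token endpoint path
GRANT = "urn:openid:params:grant-type:ciba"

def post_form(url, fields):
    # Form-encoded POST returning the broker's JSON reply; swapped for a fake in tests.
    req = Request(url, urlencode(fields).encode(),
                  {"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return json.load(resp)

def start_age_check(client_id, client_secret, min_age, post=post_form):
    # Initiate CIBA with the minimal scope; the reply carries auth_req_id, interval
    # and the authentication_uri that the backend renders as a QR code.
    hint = {"flow_type": "broker_oidc", "idp_values": "mitid", "prompt": "login"}
    return post(CIBA_URL, {"grant_type": GRANT, "scope": f"openid minimal age_verify:{min_age}",
                           "client_id": client_id, "client_secret": client_secret,
                           "login_hint_token": json.dumps(hint)})

def poll_for_token(client_id, client_secret, started, post=post_form, sleep=time.sleep, max_attempts=60):
    # Poll until the user finishes, backing off on slow_down instead of hammering the broker.
    interval = int(started.get("interval", 5))
    for _ in range(max_attempts):
        sleep(interval)
        reply = post(TOKEN_URL, {"grant_type": GRANT, "auth_req_id": started["auth_req_id"],
                                 "client_id": client_id, "client_secret": client_secret})
        error = reply.get("error")
        if error is None:
            return reply
        if error == "slow_down":
            interval += 5            # back off as the CIBA spec requires
        elif error != "authorization_pending":
            raise RuntimeError(f"CIBA failed: {error}")  # expired_token, access_denied, ...
    raise TimeoutError("user did not complete the age verification in time")

def id_token_claims(id_token):
    # Decodes the payload only. Verify the JWS signature against the broker's JWKS
    # and check iss/aud/exp before trusting these claims; that step is omitted here.
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def is_verified(claims, min_age):
    # idbrokerdk_age (scope age) is compared numerically. idbrokerdk_age_verified (scope
    # age_verify:[age]) is read as "<age>:<true|false>", our interpretation of the page's
    # [age:bool(verified)] notation; the echoed age must equal the age requested in the scope.
    if "idbrokerdk_age" in claims:
        return int(claims["idbrokerdk_age"]) >= min_age
    age, _, flag = str(claims.get("idbrokerdk_age_verified", "")).partition(":")
    return age.isdigit() and int(age) == min_age and flag.lower() == "true"
```

The `post` and `sleep` parameters exist so the exchange can be exercised offline with a fake broker; in production the defaults perform the real HTTPS calls.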