RealMe and OIDC
The diagram below provides a high-level overview of the RealMe implementation of OpenID Connect (OIDC) Authorisation Code flow.
The user journey is as follows:
- The user clicks the login button or tries to access the client organisation’s digital service. The digital service creates an OIDC authentication request with the required request parameters and redirects the user to the RealMe OIDC Authorisation Endpoint, which validates the client’s OIDC authentication request and, on successful validation, displays the login page.
- The user enters a username and password for low-strength authentication, and a one-time password (OTP) generated by an Authenticator App or received via SMS for moderate-strength authentication. The RealMe Authorisation Endpoint:
  a. validates the login credentials entered by the user,
  b. obtains the requested credentials from an internal source (i.e. Azure AD B2C) and/or external sources (i.e. IVS, AVS),
  c. checks whether the returned credentials require consent, then checks whether the user has previously given enduring consent and, if not, displays the consent page listing the user’s claims.
- The user gives consent to share their claims with the client’s digital service and RealMe saves the user’s consent outcome. The RealMe Authorisation Endpoint saves the consent, creates an authorisation code and redirects the user back to the client’s digital service with the authorisation code.
- The client's digital service creates a request with the authorisation code and client assertion via the client_secret_basic authentication method and sends it to the RealMe OIDC Token Endpoint. The RealMe OIDC Token Endpoint validates the client secret, then requests and issues an ID Token containing the requested claims and, optionally, an access token for RCMS in the response.
- The client's digital service validates the ID token signature, retrieves the user claims and subject identifier from the ID Token, identifies the user based on the subject identifier and displays the appropriate landing page to the user.
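The client-side half of the journey above (the authentication request, the client_secret_basic token request and the ID Token validation), as an added example that is not RealMe's own code. The endpoints, client identifiers and signing key are constructed placeholders, and the signature check uses HMAC-SHA256 as a stand-in so the example runs offline; a production client verifies the provider's actual signature algorithm against the provider's published signing keys.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode
# Constructed placeholders: not RealMe's real endpoints or client settings.
AUTHZ_ENDPOINT = "https://idp.example/oidc/authorize"
ISSUER = "https://idp.example"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://service.example/callback"

def build_auth_request(state: str, nonce: str) -> str:
    """Step 1: the authentication request the digital service redirects the user to."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid", "state": state, "nonce": nonce}
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"

def client_secret_basic_header(client_id: str, client_secret: str) -> str:
    """Step 3: client_secret_basic sends base64(client_id:client_secret) as HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(claims: dict, key: bytes) -> str:
    """Constructed stand-in for the provider side: signs the claims with HMAC-SHA256 (HS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = f"{header}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def validate_id_token(token: str, key: bytes, expected_nonce: str, now=None) -> dict:
    """Step 4: check signature, issuer, audience, expiry and nonce before trusting any claim."""
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm: never accept "none" or a swapped alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))  # only now are the claims worth reading
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise ValueError("bad issuer")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("bad audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:  # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return claims
```

The `state` value returned on the callback must also be compared with the one sent in the authentication request before the code is exchanged, which the token request itself does not cover.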