OIDC request parameters
The agency's service redirects the customer to the RealMe OIDC Authentication Endpoint using the following authentication request parameters for RealMe login or assertion journeys.
| Request Parameter | Mandatory/Optional | Description |
|---|---|---|
| scope | Mandatory | MUST contain `openid` for RealMe login and assertion journeys. For the RealMe assertion journey the following scopes may be requested in addition to the login scope: `profile` (the customer's verified identity details, i.e. full name, date of birth, place of birth, gender, FIT); `address` (the customer's verified residential address). |
| response_type | Mandatory | The Response Type value determines the authorisation processing flow to be used, including what parameters are returned from the endpoints used. RealMe supports the authorisation code flow only, therefore the value must be `code`. |
| response_mode | Recommended | The Response Mode value determines the method used to return the authorisation code. We recommend setting this value to `form_post` for best security. |
| client_id | Mandatory | The identifier of the digital service. A GUID provided by the RealMe integrations team. |
| redirect_uri | Mandatory | The Redirection URI where the response will be sent. The redirection URI MUST use the `https` scheme and MUST exactly match one of the Redirect URI values pre-registered at RealMe for the client organisation. |
| state | Mandatory | An opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie. |
| nonce | Mandatory | A string value used to associate a user session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the authentication request to the ID Token response. |
| acr_values | Optional | Authentication Class Reference Values: a space-separated string that specifies the acr values the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The supported values are: `urn:RealMe:OIDC:LowStrength` (password-based authentication; the customer must enter their username and password as part of the authentication journey, as per the current RealMe SAML message specification); `urn:RealMe:OIDC:ModStrength` (multi-factor authentication; if this is present the customer must enter their username, password and an SMS code or an OTP generated by an authenticator app as part of the authentication journey, as per the current RealMe SAML message specification). |
The following is an example of an OIDC Authentication request for the RealMe login journey:
https://login.realme.govt.nz/12c36372-4b2d-4865-b1d1-9599b0d37348/B2C_1A_DIA_RealMe_OIDC_Service/oauth2/v2.0/authorize?client_id=2e9fda6c-23b8-4b45-ba7f-9c3babb5dc52&acr_values=urn:RealMe:OIDC:LowStrength&redirect_uri=https://sample.govt.nz/SignIn/CallbackCodeOidc&scope=openid&nonce=5535362350&response_type=code&response_mode=form_post&state=af0ifjsldkj
OIDC Authentication Response
On successful authentication the RealMe OIDC Authorisation Endpoint returns the customer to the client organisation’s digital service redirect endpoint with the following parameters:
| Response Parameter | Mandatory/Optional | Description |
|---|---|---|
| code | Mandatory | On successful authentication, RealMe returns an authorisation code to the client organisation's digital service redirect endpoint. |
| state | Mandatory | Returns the same value provided in the authentication request. |
The following is an example of an OIDC authentication response for a successful authentication journey:
Location: https://sample.govt.nz/SignIn/CallbackCodeOidc?
state=af0ifjsldkj
&code=SplxlOBeZQQYbYS6WxSbIA
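The request above and the callback check that the `state` description calls for, as an added Python example that is not part of the RealMe documentation or its client libraries. The endpoint, client_id and redirect URI are the placeholder values from the page's own example; the cookie-binding scheme (an HMAC of `state` kept in a browser cookie) and the function names are assumptions of this example.

```python
import hashlib
import hmac
from urllib.parse import urlencode, urlparse

# Placeholder values taken from the page's example request (not live credentials).
AUTHORIZE_ENDPOINT = ("https://login.realme.govt.nz/12c36372-4b2d-4865-b1d1-9599b0d37348/"
                      "B2C_1A_DIA_RealMe_OIDC_Service/oauth2/v2.0/authorize")
CLIENT_ID = "2e9fda6c-23b8-4b45-ba7f-9c3babb5dc52"
# redirect_uri must exactly match a value pre-registered at RealMe.
REGISTERED_REDIRECT_URIS = {"https://sample.govt.nz/SignIn/CallbackCodeOidc"}
ACR_LOW = "urn:RealMe:OIDC:LowStrength"
ACR_MOD = "urn:RealMe:OIDC:ModStrength"


def is_valid_redirect_uri(uri: str) -> bool:
    """https scheme and an exact match against the pre-registered set."""
    return urlparse(uri).scheme == "https" and uri in REGISTERED_REDIRECT_URIS


def bind_state(state: str, cookie_secret: bytes) -> str:
    """Assumed CSRF binding: the browser cookie stores an HMAC of state."""
    return hmac.new(cookie_secret, state.encode(), hashlib.sha256).hexdigest()


def build_authorize_url(redirect_uri: str, state: str, nonce: str,
                        assertion: bool = False, mfa: bool = False) -> str:
    """Build the authentication request with the parameters the page lists."""
    if not is_valid_redirect_uri(redirect_uri):
        raise ValueError("redirect_uri must be https and pre-registered")
    params = {
        "client_id": CLIENT_ID,
        "acr_values": ACR_MOD if mfa else ACR_LOW,
        "redirect_uri": redirect_uri,
        # Assertion journey adds profile and address; login journey is openid only.
        "scope": "openid profile address" if assertion else "openid",
        "nonce": nonce,
        "response_type": "code",      # RealMe supports the code flow only
        "response_mode": "form_post",  # recommended by the page
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def validate_callback(fields: dict, cookie_binding: str, cookie_secret: bytes):
    """Return the code only if the returned state matches the cookie binding."""
    state, code = fields.get("state"), fields.get("code")
    if not state or not code:
        return None
    if not hmac.compare_digest(bind_state(state, cookie_secret), cookie_binding):
        return None  # state mismatch: treat as CSRF, do not exchange the code
    return code
```

The `fields` dict holds whatever the redirect endpoint received, whether posted by `form_post` or carried in the query string as in the Location example above.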