Connecting with OpenID Connect (OIDC)

MyDataHelps supports the OpenID Connect (OIDC) standard for verifying the identity of a user. Using this standard you can redirect the users to for login and then receive a signed identity token (a JSON Web Token carrying identity claims). If the user is already authenticated (using MyDataHelps in the same browser window), they will not need to log in again.

Client Registration

You first need to obtain a Client ID from MyDataHelps Support. We will require the following information for both the test and production projects:

  • Name of Application/Site.
  • Redirect URI where the OIDC response should be sent. Must be a fully-qualified URI with the HTTPS protocol.
  • Project Name.

Client Libraries

The OIDC specification suggests client libraries for a variety of technology platforms.

Identity Claims

When you redirect to the OIDC server for authorization, you will use OIDC scopes to specify what access your app needs. The MyDataHelps OIDC authorization supports the standard scopes and claims defined by the specification. The ones you will commonly use include:

Scope     Description
openid    Basic OIDC user attributes. (required)
profile   User profile information, such as first and last name.
email     User email attributes.

Below are some notes explaining how the standard identity claims relate to MyDataHelps user properties:

Claim                  From Scope   Description
sub                    openid       A stable UUID for the user.
participantidentifier  openid       The participant identifier associated with the user.
email                  email        The user's email address.
email_verified         email        Whether the user has verified their email.

Server Information

You can find the OIDC metadata at the following location:

The OIDC metadata includes a link to the JWKS URI where you can find the public key of the certificate(s) used to sign the identity tokens. Most client libraries support consuming the OIDC metadata and downloading the certificates automatically.