For identity providers

NOTE: This software is still in development and has not reached a high level of maturity, yet. You are welcome to try it and it would be of great help to us if you report any issues you find.

Step 1: OpenID Service

As an identity provider and credential issuer, you need to setup an OpenID Connect server. There are many servers out there. For a list of servers, check out the OpenID website. One important caveat is that the server should allow you to issue user information inside the signed "ID Token". The configuration regarding what user information goes into the token is of course completely under your discretion.

Step 2: Configuring the reclaimID client

reclaimID uses special client values which must be registered at the OpenID server. The values are:

Client ID: reclaimid
Client secret: none (public client)
Redirect URI: https://ui.reclaim
Grant type: Authorization code
PKCE: enabled (Optional but highly recommended)

Step 3: Configuring a webfinger

You must support the webfinger-based OpenID Connect service discovery. Whenever the user configures an email address for an identity, reclaimID will try to discover the issuing identity provider through the OIDC Discovery protocol. This includes a request to the authority part of the email address. The response should point reclaimID to the actual OpenID Connect service serving the issuer medatata. reclaimID will try to request all scopes which are listed in the metadata, but does not expect all of them to be granted.