Prove your user’s identity
You must have authenticated your users before you can prove their identity.
If you requested identity proving, when
you retrieve user information with /userinfo
, you’ll receive a response containing
additional claims (user attributes). You may receive different claims, depending on how your user proved their identity.
Your service’s needs will determine how you process the other claims that GOV.UK One Login provides about your user. You’ll probably need to match against information held by your service or organisations you work with.
Most claims are represented by JSON objects. The core identity claim is a JSON web token (JWT) protected by an electronic signature for additional security.
You’ll receive a response from /userinfo
that will look similar to this example:
HTTP/1.1 200 OK
Content-Type: application/json
"sub": "urn:fdc:gov.uk:2022:56P4CMsGh_02YOlWpd8PAOI-2sVlB2nsNU7mcLZYhYw=",
"email": "test@example.com",
"email_verified": true,
"phone": "+441406946277",
"phone_verified": true,
"https://vocab.account.gov.uk/v1/coreIdentityJWT": <JWT>,
"https://vocab.account.gov.uk/v1/address": [
{
"uprn": "10022812929",
"subBuildingName": "FLAT 5",
"buildingName": "WEST LEA",
"buildingNumber": "16",
"dependentStreetName": "KINGS PARK",
"streetName": "HIGH STREET",
"doubleDependentAddressLocality": "EREWASH",
"dependentAddressLocality": "LONG EATON",
"addressLocality": "GREAT MISSENDEN",
"postalCode": "HP16 0AL",
"addressCountry": "GB",
"validFrom": "2022-01-01"
},
{
"uprn": "10002345923",
"buildingName": "SAWLEY MARINA",
"streetName": "INGWORTH ROAD",
"dependentAddressLocality": "LONG EATON",
"addressLocality": "NOTTINGHAM",
"postalCode": "BH12 1JY",
"addressCountry": "GB",
"validUntil": "2022-01-01"
}
],
"https://vocab.account.gov.uk/v1/drivingPermit": [
{
"expiryDate": "2023-01-18",
"issueNumber": "5",
"issuedBy": "DVLA",
"personalNumber": "DOE99802085J99FG"
}
],
"https://vocab.account.gov.uk/v1/passport": [
{
"documentNumber": "1223456",
"icaoIssuerCode": "GBR",
"expiryDate": "2032-02-02"
}
]
}
Understand your user’s core identity claim
The https://vocab.account.gov.uk/v1/coreIdentityJWT
property in the /userinfo
response is the core identity claim,
which is a JWT representing core identity attributes.
The following are core identity attributes:
- your user’s name
- your user’s date of birth
- the level of identity confidence GOV.UK One Login has reached
The core identity is valid for 30 minutes, starting when it is issued. Do not store the coreIdentityJWT
in its raw encoded or decoded forms.
If your service persists the data inside the core identity, you should extract the name and date of birth and store those.
https://vocab.account.gov.uk/v1/coreIdentityJWT
property is not present, then GOV.UK One Login was not able to prove your user’s identity.
You’ll need a public key to validate this JWT. You can download a Decentralized Identifiers (DID) document containing the current JSON Web Key (JWK) public key – there’s further guidance on validating the core identity claim JWT using a public key.
The JWT contains the following claims:
{
"sub": "urn:fdc:gov.uk:2022:56P4CMsGh_02YOlWpd8PAOI-2sVlB2nsNU7mcLZYhYw=",
"iss": "https://identity.integration.account.gov.uk/",
"aud": "YOUR_CLIENT_ID",
"nbf": 1541493724,
"iat": 1541493724,
"exp": 1573029723,
"vot": "P2",
"vtm": "https://oidc.integration.account.gov.uk/trustmark",
"vc": {
"type": [
"VerifiableCredential",
"VerifiableIdentityCredential"
],
"credentialSubject": {
"name": [
{
"validFrom": "2020-03-01",
"nameParts": [
{
"value": "Alice",
"type": "GivenName"
},
{
"value": "Jane",
"type": "GivenName"
},
{
"value": "Laura",
"type": "GivenName"
},
{
"value": "Doe",
"type": "FamilyName"
}
]
},
{
"validUntil": "2020-03-01",
"nameParts": [
{
"value": "Alice",
"type": "GivenName"
},
{
"value": "Jane",
"type": "GivenName"
},
{
"value": "Laura",
"type": "GivenName"
},
{
"value": "O’Donnell",
"type": "FamilyName"
}
]
}
],
"birthDate": [
{
"value": "1970-01-01"
}
]
}
}
}
The vc
claim in the JWT is a verifiable credential (VC). Claims about your
user are contained in the credentialSubject
JSON object.
Validate the core identity claim JWT using a public key
To validate the core identity claim JWT, you must use a public key. GOV.UK One Login publishes the public keys in a Decentralized Identifier (DID) document.
This is an example of a web DID document published by GOV.UK One Login:
{
"@context": [
"https://www.w3.org/ns/did/v1",
"https://w3id.org/security/jwk/v1"
],
"id": "did:web:identity.account.gov.uk",
"assertionMethod": [
{
"id": "did:web:identity.account.gov.uk#b7863b6926193d93b48808cbabcbc8a414d0080f81c8779c0a54491551a35816",
"type": "JsonWebKey",
"controller": "did:web:identity.account.gov.uk",
"publicKeyJwk": {
"kty": "EC",
"crv": "P-256",
"x": "QrP65yghuglwPkEl11oMaabr4WqAMjuvztBYb7T4Ipo",
"y": "CSQNybYbCZLl-Xr1OA3pcxjC6qZrG7JPqwXgo-9fHLM"
}
}
]
}
Use the kid
(key ID) to see which public key signed the JWT
When validating a JWT, the JWT header will include the kid
(key ID). This will be either did:web:identity.integration.account.gov.uk#{UNIQUE_KEY_IDENTIFIER}
for the integration environment, or did:web:identity.account.gov.uk#{UNIQUE_KEY_IDENTIFIER}
for the production environment.
GOV.UK One Login uses a simplified version of the DID resolution algorithm from the did:web Method Specification. Third-party libraries may have features which ‘resolves’ the DID – this means turning the kid
into the URL for the DID document and then downloading the DID. However, you must not use a third-party library’s DID resolution. This could make your application vulnerable to trusting an invalid identity.
You should only trust the DID documents located at:
- integration – https://identity.integration.account.gov.uk/.well-known/did.json
- production – https://identity.account.gov.uk/.well-known/did.json
GOV.UK One Login will always publish the DID documents on the URLs above and will never change the publication URLs without notifying you.
Follow the steps below to use the kid
to determine which public key from the DID document was used to sign the JWT. This is important because GOV.UK One Login may have rotated its public keys and using the incorrect key will break your integration.
- Split the
kid
from the JWT header into two parts: the controller ID (before the#
) and the unique key ID (after the#
). For example, in thekid
did:web:identity.integration.account.gov.uk#c9f8da1c87525bb41653583c2d05274e85805ab7d0abc58376c7128129daa936
, the controller ID isdid:web:identity.integration.account.gov.uk
and the unique key ID isc9f8da1c87525bb41653583c2d05274e85805ab7d0abc58376c7128129daa936
. - Download the DID document from the DID endpoint you need:
- Make sure the controller ID matches the
id
in the DID document. - Find the object in
assertionMethods
which has anid
field matching thekid
from the JWT header. If there are multiple keys in the DID document, GOV.UK One Login is in the process of rotating its keys. If there’s a key without a matchingid
, do not trust the identity and contact GOV.UK One Login to report an incident. - Use the
publicKeyJwk
object of the key you want to use to verify the signature.
Cache the DID document
You should cache the returned DID document and re-use it instead of downloading the DID document for every signature you need to verify. The DID document will not change often and caching it reduces latency for your service.
The Cache-Control
HTTP header field in the DID endpoint contains a suggested caching period. This caching period is how long GOV.UK One Login expects the DID document to remain valid.
For example, a header with the value Cache-Control: max-age=3600, private…
would mean you cache the DID document for the max-age
of 1 hour (3600 seconds = 1 hour). private
stops any other caches or proxies from caching the DID document.
Occasionally, you may not be able to refresh the cache from GOV.UK One Login’s URL, for example if there’s a temporary outage. If this happens, you should continue to trust the cached version until you’re able to refresh the cache.
For more details on the Cache-Control
header, see RFC 9111: HTTP Caching.
Understand the core identity signing key rotations
GOV.UK One Login will rotate its keys for the:
- integration environment - weekly from 29 October 2024 so you can test your integration
- production environment - every 6 months starting from 30 January 2025
GOV.UK One Login may need to rotate keys at short notice, for example if a key is compromised. New public keys will appear in the assertionMethod
array of the DID document before any rotation.
Use the Cache-Control
headers and guidance on caching the DID document to regularly poll the DID endpoint to detect new versions and make sure you’re using the latest key.
Once GOV.UK One Login has removed the old public key from the DID document, it will no longer be valid. You should no longer trust verifiable credentials signed with that key.
Validate your user’s identity credential
- You must validate the JWT signature according to
the JSON Web Signature Specification. Check the JWT
alg
header isES256
and then use the value of the JWTalg
header parameter to validate the JWT. - Check the
iss
claim ishttps://identity.integration.account.gov.uk/
. - Check the
aud
claim matches your client ID you received when you registered your service to use GOV.UK One Login. - Check the
sub
claim matches thesub
claim you received in theid_token
from your token request. - Check the current time is before the time in the
exp
claim.
Check your user’s level of authentication protection matches the requested level
You must look for the vot
(Vector of Trust) claim in the ID token and make sure the level of protection matches or exceeds the level a user needs to access your service. The vot
claim will only contain the credential trust level, not the level of confidence, even if you make an identity request.
Additionally, if you ask for medium confidence (P2
) you must also request a protection level of Cl.Cm
. This means logging in with two-factor authenticaion. If you do not do this, you’ll receive the error: invalid_request - Request vtr not valid
.
Process your user’s identity credential
The identity credential contains the following claims as properties of credentialSubject
.
Property | Description |
---|---|
name |
A list showing the names proven by GOV.UK One Login. This list reflects name changes by using the validFrom and validUntil metadata properties. If validUntil is null or not present, that name is your user’s current name. If validFrom is null or not present, your user may have used that name from birth. Each name is presented as an array in the nameParts property. Each part of the name is either a GivenName or a FamilyName , identified in its type property. The value property could be any text string. GOV.UK One Login cannot specify a maximum length or restrictions on what characters may appear. GivenName or FamilyName can appear in any order within the list. The order of names may depend on either your user’s preferences or the order they appear on documents used to prove your user’s identity. |
birthDate |
A list of ISO 8601 date strings. There may be multiple dates of birth, for example, if there’s evidence an incorrect date of birth was previously recorded for your user. The date of birth GOV.UK One Login has highest confidence in will be the first item in the list. |
Understand your user’s address claim
The https://vocab.account.gov.uk/v1/address
claim contains all addresses your user has declared, including previous
addresses.
Each JSON object in the list may contain any of the following properties:
Property | Definition |
---|---|
validFrom |
ISO 8601 date strings representing the date your user moved into the address. If the month is unknown for validFrom , GOV.UK One Login will show that as 01 . GOV.UK One Login will also show an unknown day of the month as 01 . |
validUntil |
ISO 8601 date strings representing the date your user moved from the address. This property is not included for your user’s current address. If the month is unknown for validUntil , GOV.UK One Login will show that as 01 . GOV.UK One Login will also show an unknown day of month as 01 . |
uprn |
GOV.UK One Login will provide a Unique Property Reference Number (UPRN) for UK addresses, unless your user has manually corrected their address. |
organisationName |
Maps to ORGANISATION_NAME in the Postcode Address File and Ordnance Survey Places API. |
departmentName |
Maps to DEPARTMENT_NAME in the Postcode Address File and Ordnance Survey Places API. |
subBuildingName |
Maps to SUB_BUILDING_NAME in the Postcode Address File and Ordnance Survey Places API.subBuildingName may accompany either buildingName or buildingNumber . |
buildingNumber |
Maps to BUILDING_NUMBER in the Postcode Address File and Ordnance Survey Places API. |
buildingName |
Maps to BUILDING_NAME in the Postcode Address File and Ordnance Survey Places API. |
dependentStreetName |
Maps to DEPENDENT_THOROUGHFARE_NAME in the Postcode Address File and Ordnance Survey Places API. |
streetName |
Maps to THOROUGHFARE_NAME in the Postcode Address File and Ordnance Survey Places API. |
doubleDependentAddressLocality |
Maps to DOUBLE_DEPENDENT_LOCALITY in the Postcode Address File and Ordnance Survey Places API. |
dependentAddressLocality |
Maps to DEPENDENT_LOCALITY in the Postcode Address File and Ordnance Survey Places API. |
addressLocality |
Maps to POST_TOWN in the Postcode Address File and Ordnance Survey Places API. |
postalCode |
Maps to POST_CODE in the Postcode Address File and Ordnance Survey Places API. |
addressCountry |
Two-letter ISO 3166-1 alpha-2 country code. |
addressRegion |
Maps to schema:addressRegion. Only returned for international addresses and will contain the region, provided as text. For example, California or another appropriate first-level Administrative division. |
Do not assume address properties always map to the same line of an address. For example, addressLocality
may map to a different line of an address, depending on whether other properties are present (in this case,
dependentAddressLocality
and doubleDependentAddressLocality
).
Understand your user’s passport claim
The https://vocab.account.gov.uk/v1/passport
claim contains the details of your user’s passport, if they
submitted one when proving their identity.
Property | Definition |
---|---|
documentNumber |
The passport number. |
icaoIssuerCode |
An identifier for the state or organisation that issued the passport. This is defined by the International Civil Aviation Organization (ICAO) standard 9303 Machine Readable Travel Documents. The identifier is up to 3 characters. |
expiryDate |
The expiration date as an ISO 8601 date string. |
Understand your user’s driving licence claim
The https://vocab.account.gov.uk/v1/drivingPermit
claim contains the details of your user’s driving
licence, if they submitted one when proving their identity.
Property | Definition |
---|---|
expiryDate |
The expiry date of the driving licence as an ISO 8601 date string. |
issueNumber |
The last 2 characters of the driving licence number – these show how many times the user has received a new driving licence. You’ll only receive this property for licences issued by the Driver and Vehicle Licensing Agency (DVLA). |
issuedBy |
The organisation that issued the driving licence. |
personalNumber |
The driver number of the driving licence. This is a string unique to the user. |
Understand your user’s return code claim
The https://vocab.account.gov.uk/v1/returnCode
claim gives information about any issues with the evidence your user provided to prove their identity. For example, if GOV.UK One Login was not able to prove your user’s identity.
To use this claim, you must let us know when registering your service with GOV.UK One Login.
When you use this claim and there’s an issue with the evidence your user provided to prove their identity:
- You’ll receive an authorisation code in the
redirect_uri
instead of anaccess_denied
error. - Use this authorisation code to get an ID token and an access token.
- When you make a request to the
/userinfo
endpoint using the access token, the response may contain only authentication data, and an array of one or morereturnCode
values, which will each be a letter. - For security reasons, you’ll need to contact GOV.UK One Login on govuk-one-login@digital.cabinet-office.gov.uk for more detailed information on what issue each
returnCode
value stands for.
Currently, there are 11 returnCode
values which GOV.UK One Login could return if there’s an issue with the evidence your user provided to prove their identity. You may receive a return code even if a user’s identity verification is successful, for example, if a user is a politically exposed person. Contact GOV.UK One Login on govuk-one-login@digital.cabinet-office.gov.uk for more detailed information on what each return code means.
Property | Definition |
---|---|
code |
An array of single letter codes for returnCode values. You can use these codes to identify the reason(s) for any issues that occurred during the identity proving journey. For security reasons, you’ll need to contact GOV.UK One Login on govuk-one-login@digital.cabinet-office.gov.uk for more detailed information on what each return code means. |
If you want to add this feature to an existing integration, contact GOV.UK One Login on govuk-one-login@digital.cabinet-office.gov.uk to update your client registration. You must also update your code to make sure your integration is able to use the new behaviour.
HTTP/1.1 200 OK
Content-Type: application/json
{
"sub": "urn:fdc:gov.uk:2022:56P4CMsGh_02YOlWpd8PAOI-2sVlB2nsNU7mcLZYhYw=",
"email": "test@example.com",
"email_verified": true,
"phone_number": "+441406946277",
"phone_number_verified": true,
"https://vocab.account.gov.uk/v1/returnCode": [
{
"code": "B"
},
{
"code": "C"
}
]
}
Continue to managing your users’ sessions.