Onfido Verification

Onfido digitally prove people’s real identities using a photo ID and facial biometrics. So your users can verify themselves anywhere, anytime. By leveraging Onfido with Auth0 with this fast and easy integration, we enable organizations to know who their digital users are, tied to a real identity; during authentication, onboarding, and other high-risk actions.

Onfido helps thousands of companies across the world trust their users’ real identities. From financial services, online healthcare and trust marketplaces, to self-check-ins at airports, hotels and car rentals. Trust your users together with Onfido and Auth0.

Onfido provides an Identity Verification (IDV) service leveraging your user's government issued documents (passport, driving license, or others) and a facial biometric (photo or video of the user). This allows organizations to know the real identity of their users as asserted by these documents and biometrics.

Leveraging this service in combination with Auth0 guides the user through the collection of the identity documents and biometrics using the Onfido SDKs implemented in a custom application you manage.

This guide will cover enabling the Onfido Rule in Auth0 and an example application for collecting the above mentioned information.

Overview

The Auth0 Rule will trigger once a user has authenticated using their credentials, another identity provider, or single sign-on. The Auth0 Rule will evaluate the context of the login and redirect the user to your Onfido IDV application. Your Onfido IDV application will collect the documents, photos, and/or videos required and start a check with Onfido.

Once the criteria your Onfido IDV application defines is met, it will return to Auth0 to update the user's app_metadata and the current ID token with the results of Onfido's IDV. Lastly, Auth0 will pass the modified ID token to your protected application.

Prerequisites

You will need to have an Onfido account (request one here) to leverage the APIs and SDKs leveraged in this integration. Your Onfido account will need to be configured with document reports and facial similarity photo variant to follow this example exactly. You may have more services from Onfido (or less) that are not covered here.

Add the Auth0 Rule

The Auth0 Rule created below has two functions:

1, Initial redirect to a custom app implementing the Onfido SDK to collect the needed information from the user and start the Onfido check. 2. Collect results from the custom app and add information to the app_metadata for the user and to the idToken in the current context for the downstream application.

Please note: Clicking any of the 3 buttons on the Edit Rule screen will save and activate the Rule. When initially installed, the Rule will be skipped until the required configuration (explained below) is added.

1. Click Add Integration at the top of this page ​
2. Click Save Changes to activate this integration

For information on testing and debugging Rules, please see our documentation.

Add the Auth0 Rule Configuration

Please note: Once marked the required configuration below is added, all logins for your tenant will be processed by this Rule. Please make sure all components have been configured correctly and verified on a test tenant before activating the integration in production.

1. Click Back to Rules to get to the main Rules screen.

2. Scroll down to the Settings section.

3. Add the following keys (more about Rules configuration here):

   Required configuration

• SESSION_TOKEN_SECRET: A random long string that is used to sign the session token sent to the custom app implementing Onfido. This value will also need to be used in the custom app in order to verify and re-sign the session token back to Auth0. Examples of how to generate a suitable string.
• ONFIDO_API_TOKEN: Your Onfido API token for accessing the Onfido APIs. You can find information on creating an API token here.
• ONFIDO_REGION: The region (EU, US, or CA) where your Onfido instance resides.
• ONFIDO_ID_VERIFICATION_URL: The URL of your custom application that implements the Onfido Input Capture SDK for processing IDV checks.

Your Onfido IDV Application

This is a custom application that implements the Onfido Input Capture SDK. The intent of this application is to collect users documents, photos, or videos and start a check with Onfido for Identity Verification. Onfido offers SDKs for Web (Javascript), iOS, and Android to allow customers to develop the solution where their customers interact.

At a minimum your Onfido IDV application will need to be able to verify and decode the session_token sent from Auth0, retrieve the applicant_id of the user from the session_token, and use said applicant_id to capture the needed resources and start an IDV check. It will also need to send an updated session_token back to Auth0 with the added claims/properties of checkStatus and checkResult along with a query string parameter of onfido_idv=true.

A note on processing an Onfido IDV Check

Identity verification is typically an asynchronous process. Because of a number of environmental factors (lighting, physical damage, poor camera quality) and actual fraudulent documents, the "turn-around time" or processing time of documents can be in the range of 15 seconds (for good quality, non-fraudulent documents) and up to 5 minutes in extreme cases. This means that your Onfido IDV application can either wait for the result (which can take a bit in some cases) or return to Auth0 and let the downstream application re-check for the result there. Onfido also offers Webhook functionality to POST an event to a defined URL when a check is complete.