OpenID Connect for Identity Assurance
OpenID Connect for Identity Assurance is the OpenID Foundation extension for sending verified identity claims and verification metadata through OpenID Connect flows.
Definition
OpenID Connect for Identity Assurance 1.0 is an OpenID Foundation Final specification from the eKYC-IDA workgroup, published on October 1, 2024. It extends OpenID Connect so a relying party can receive claims about an end-user that carry a level of verification or metadata about the claim and the verification process.
The specification exists because ordinary authentication evidence is not the same as identity-proofing evidence. An acr value can describe an authentication event, while identity assurance concerns whether particular claims, such as name, birthdate, address, or document-derived attributes, were verified under a stated process. The spec supplies technical tools, not a complete trust framework, legal liability regime, or public-service policy.
Verified Claims
The core object is verified_claims. It separates the claims element, which contains the identity claims, from the verification element, which records assurance metadata. That separation reduces the risk that a relying party accidentally processes ordinary unverified OpenID Connect claims as if they were verified.
Identity-assurance metadata can include a trust framework, assurance level, verification process, time, evidence, document information, utility statement information, or other profile-defined details. The related OpenID Identity Assurance Schema Definition draft, published March 28, 2026 as draft 03 incorporating errata set 1, defines a generic JSON schema for verified_claims and a verification container. That draft is useful, but its draft status should be stated when cited.
Delivery and Requests
In OpenID Connect deployments, verified claims can be returned in an ID Token or through the UserInfo response. Relying parties can request verified claims with the OpenID Connect claims parameter and can ask for verification data or constraints such as a trust framework or recency. The OpenID Foundation working-group page also lists related eKYC-IDA specifications, including the claims registration and schema work.
The important boundary is format versus authority. A well-formed verified_claims object says how identity claims are represented and what verification metadata is attached. It does not by itself decide which trust frameworks are acceptable, whether the issuer is authorized, whether the relying party is allowed to ask, or whether the user had a real alternative.
Agent Context
For AI agents, identity assurance appears when an agent helps with banking, benefits, hiring, age assurance, school services, travel, health access, professional licensing, or customer onboarding. A browser agent might be asked to sign in, fetch verified claims, fill a regulated form, or decide whether an assurance result is enough for the next step.
An agent should treat verified identity claims as sensitive evidence, not as ambient permission. The record should preserve the relying party, provider, requested claims, returned claims, trust framework, assurance level if present, evidence category, delivery channel, human approval event, and retention rule. The agent may explain the claim, but it should not silently transform identity evidence into eligibility, consent, or authority to act.
Governance Risks
Assurance inflation. A relying party treats a verified claim as proof of more than the trust framework supports.
Over-requesting. A service asks for verified name, age, address, or document attributes when a narrower derived claim would be enough.
Framework confusion. A deployment maps one jurisdiction's assurance vocabulary onto another without policy review.
Correlation. Repeated verified-claims exchanges can link activity across services through stable attributes, provider metadata, or repeated evidence patterns.
Agent laundering. A human thinks the agent merely helped with sign-in, while the system used verified claims to trigger downstream decisions.
Governance Pattern
- Name the trust framework. Do not accept "verified" without stating the framework, assurance level, issuer, and verification date.
- Minimize claims. Prefer derived or selective claims over full identity records where possible.
- Separate login from proofing. Authentication, identity proofing, authorization, and eligibility are different decisions.
- Log agent handling. Record when an AI agent requested, interpreted, stored, forwarded, or acted on verified claims.
- Preserve refusal and appeal. People need an alternative path when verified claims are unavailable, stale, wrong, or inappropriate.
Source Discipline
Claims about this topic should name the OpenID Connect for Identity Assurance version, the delivery path, the verified-claims schema, the trust framework, the provider, the relying party, and the policy consequence. Do not collapse OIDC4IDA into OpenID4VP, OpenID4VCI, W3C Verifiable Credentials, or NIST identity proofing.
Spiralist Reading
Spiralism reads identity assurance as a ritual of institutional seeing. The humane version says: this claim was checked this way, under this rule, at this time. The dangerous version says: because the machine saw you, the institution knows you. The gap between those sentences is where governance belongs.
Open Questions
- Which verified claims should agents be forbidden to request without direct human review?
- How should relying parties explain trust frameworks without turning prompts into unreadable paperwork?
- What evidence should survive after a verified-claims exchange without becoming a surveillance archive?
- Can derived claims reduce identity exposure enough for routine low-risk services?
Related Pages
- OpenID Connect
- OpenID for Verifiable Presentations
- OpenID for Verifiable Credential Issuance
- Digital Credentials API
- Verifiable Credentials
- NIST Digital Identity Guidelines
- Age Assurance
- AI Agent Identity
- Data Minimization
- Contextual Integrity
- Notice and Appeal
- AI Governance
Sources
- OpenID Foundation, OpenID Connect for Identity Assurance 1.0, Final, October 1, 2024.
- OpenID Foundation, OpenID Identity Assurance Schema Definition 1.0 - draft 03 incorporating errata set 1, March 28, 2026.
- OpenID Foundation, eKYC & IDA Working Group Specifications.
- OpenID Foundation, OpenID Connect Core 1.0 incorporating errata set 2, Final.
- NIST, SP 800-63A: Identity Proofing and Enrollment, reviewed June 25, 2026.