credentials

metamodel version: 1.7.0

version: 1.0

The vocabulary and schemas associated with the production of credentials by GOV.UK One Login.

Classes

• BankAccountDetailsClass - The details of a Bank Account as presented by a user for checking for identity verification purposes.

  JSON schema: di_vocab:BankAccount

  Examples

  • Bank Account
• BirthDateClass - BirthDate object that represents a user's claimed date of birth.

  JSON schema: di_vocab:BirthDate

• CheckDetailsClass
• ContraIndicatorClass
• CredentialSubjectClass - Verifiable credential subjects use multiple inheritance; this base class is intentionally blank.
  • PersonClass
    • AddressAssertionClass
    • PersonWithIdentityClass - A credential subject representing a person only by core identity attributes
      • PersonExtendedMatchingClass - An extended version of the PersonIdentity class for situations like Life Events where additional data may be required for matching, but where the full range of documents is not required
      • PersonWithDocumentsClass
        • IdentityCheckSubjectClass
• DocumentDetailsClass
  • DrivingPermitDetailsClass - The details of a driving license/permit as presented by Optical Character Recognition of the physical document or manually input by a user.

    JSON schema: di_vocab:DrivingPermit

    DVLA Examples

    • DVLA Issued Driving License Scanned
    • DVLA Issued Driving License Manual Input

    DVA Examples

    • DVA Issued Driving License Scanned
    • DVA Issued Driving License Manual Input
  • IdCardDetailsClass - The details of a National Identification Card as presented by a user for identity verification.

    JSON schema: di_vocab:IdCard

    Examples

    • ID Card
  • PassportDetailsClass - The details of a passport as presented by the biometric chip data using near-field communication (NFC), reading the Machine Readable Zone (MRZ) or manually input by a user.

    JSON schema: di_vocab:PassportDetails

    Examples

    • UK Passport
    • Non-UK Passport
    • German Passport - ICAO Issuer Code "D"
  • ResidencePermitDetailsClass - The details of a biometric residency permit as presented by reading the biometric chip data using near-field communication (NFC), reading the Machine Readable Zone (MRZ) or manually input by a user.

    JSON schema: di_vocab:ResidencePermit

    Examples

    • UK Biometric Residence Card
    UK Biometric Residence Permit
• SocialSecurityRecordDetailsClass - The details of a social security record as input by a user.

  JSON schema: di_vocab:SocialSecurityRecord

  Examples

  • Social Security Record

EvidenceRequestedClass - The levels of evidence_requested which are minimum GPG45 criteria that are requested.

IdentityCheckClass

InterventionClass

JWTClass

• AddressCredentialJWTClass - A JWT-encoded VC that wraps an
• AuthorizationRequestClass - An Authorization Request compliant with OAuth 2.0 section 4.1.1.
  • IssuerAuthorizationRequestClass - An Authorization Request that provides shared claims and other user/session data to GOV.UK One Login credential issuers.
  • OpenIDConnectAuthenticationRequestClass - An Authentication Request compliant with OpenID Connect 2.0 section 3.1.2.1 with any extensions supported by GOV.UK One Login.
• CoreIdentityJWTClass - A JWT-encoded VC that wraps a
• IdentityAssertionCredentialJWTClass - A JWT-encoded VC that wraps an
• IdentityCheckCredentialJWTClass - A JWT-encoded VC that wraps an
• InheritedIdentityJWTClass - A JWT-encoded VC that wraps a
• RiskAssessmentCredentialJWTClass - A JWT-encoded VC that wraps a
• SecurityCheckCredentialJWTClass - A JWT-encoded VC that wraps an

MitigatingCredentialClass

MitigationClass

NameClass - Name object that represents a user's claimed identity. This will have a list of nameParts. Usually this will contain one or more GivenName name parts and one (or occasionally more) FamilyName name part(s) for a specific period of validity.

JSON schema: di_vocab:Name

Examples

• One Given Name and One Family Name - No Validity Specified
• Multiple Given Names and One Family Name - No Validity Specified
• One Given Name and Multiple Name Words in One Family Name - No Validity Specified
• One Given Name and Multiple Family Names - No Validity Specified
• Multiple Given Names and Multiple Family Names - No Validity Specified
• Multiple Given Names and Two Family Names - Validity Specified for each Family Name
• Multiple Given Names and Multiple Family Names - Validity Specified for each Family Name

NamePartClass - Abstract class to define a name part value and name part type for an optional validity period.

• FamilyNameClass - Name part object that represents a Family Name. There currently will be a single NamePart object with a NamePartType of FamilyName within the representation of a Name for a specific period of validity. This property will contain the user specified family name or the family name that was read from official documentation and may contain space characters.
  
  NOTE Considering names in a global context across multiple cultures, consumers of this format should understand that multiple FamilyName name parts may be used in future.
• GivenNameClass - Name part object that represents a Given Name. There may be multiple NamePart objects with a NamePartType of GivenName within the representation of a Name for a specific period of validity. These will appear in the order in which the user specified or the order in which they were read from official documentation.

PostalAddressClass - A postal address associated with a user, returned by an Address Lookup API or by manual data input.

JSON schema: di_vocab:PostalAddress

Examples

• Building Number
• Building Name with UPRN
• Building Name without UPRN
• Building Number with Building Name
• Building Number with Dependent Address Locality
• Sub Building Name with Building Name
• Sub Building Name with Building Number

Close mapping: adb:Address

Close mapping: schema:PostalAddress

RiskAssessmentClass

SecurityCheckClass

SexClass

StructuredAttributeClass

• ISODateClass - Contains a complete or partial ISO date, with no time part and in which the day and month parts are optional.

VerifiableCredentialClass

• AddressCredentialClass
• IdentityAssertionCredentialClass
• IdentityCheckCredentialClass - A VC representing an identity check that contributes to identity confidence per UK government standards such as Good Practice Guide (GPG) 45.
• RiskAssessmentCredentialClass - A VC containing evidence pertaining to a risk assessment performed about a GOV.UK One Login account.
• SecurityCheckCredentialClass - A VC containing evidence pertaining to security checks performed about a GOV.UK One Login account.
• VerifiableIdentityCredentialClass - A VC for presentation to GOV.UK One Login relying parties,

Mixins

• ValidityClass

Slots

• @context
• accountNumber - The account number for a bank account. This is a string holding a 8-digit numerical code where leading 0 values are maintained.
• activityFrom - The date of the earliest activity found for the user.
• activityHistoryScore - The activity history score based on the check that has taken place as defined in the Good Practice Guide 45 documentation
  • EvidenceRequestedClass➞activityHistoryScore
• address
• addressCountry - The country. Provided as the two-letter ISO 3166-1 alpha-2 country code.

  Close mapping: schema:addressCountry

• ➞type
• ➞vc
• addressLocality - The town or city in which the address resides.

  Close mapping: adb:postTown

• aud - The aud (audience) claim identifies the recipients that the JWT is intended for.
• bankAccount
• biometricVerificationProcessLevel - For a biometric verification process, the level corresponding to the verification score as defined in the Good Practice Guide 45 documentation
• birthDate
• ➞value
• buildingName - The building name is a description applied to a single building or a small group of buildings, such as Highfield House. This also includes those building numbers that contain non-numeric characters, such as 44A. Some descriptive names, when included with the rest of the address, are sufficient to identify the property uniquely and unambiguously, for example, MAGISTRATES COURT. Sometimes the building name will be a blend of distinctive and descriptive naming, for example, RAILWAY TAVERN (PUBLIC HOUSE) or THE COURT ROYAL (HOTEL).

  Close mapping: adb:buildingName

• buildingNumber - The building number is a number given to a single building or a small group of buildings, thus identifying it from its neighbours, for example, 44. Building numbers that contain a range, decimals or non-numeric characters do not appear in this field but will be found in the buildingName or the sub-BuildingName fields. NOTE - This is a string representation of the building number.

  Close mapping: adb:buildingNumber

• checkDetails
• checkMethod - An identifier from the OpenID Check Methods list
• ci
• claims - The claims. This value will detail what additional claims, if any, are required from the /userinfo endpoint after a successful authentication request. This value should be URL-encoded JSON.
• client_id - The client id. This value is the client id the Relying Party service was provided with for identification upon registration. Internal system requests will use an internal client id.
• code - A system level code to indentify a contra-indicator.
• contraIndicator
• ➞vc
• credentialJWT
• credentialSubject
  • AddressCredentialClass➞credentialSubject
  • IdentityAssertionCredentialClass➞credentialSubject
  • IdentityCheckCredentialClass➞credentialSubject
  • VerifiableIdentityCredentialClass➞credentialSubject
• dataCheck - Specifies the kind of data check performed allows for the distinction between a record check, cancelled check and a lost or stolen check
• departmentName - For some organisations, department name is indicated because mail is received by subdivisions of the main organisation at distinct delivery points. E.g. Organisation Name - ABC COMMUNICATIONS Department Name - MARKETING DEPARTMENT

  Close mapping: adb:departmentName

• dependentAddressLocality - Dependent locality areas define an area within a town. These are only necessary to aid differentiation where there are thoroughfares/streets of the same name in the same locality. For example, HIGH STREET in SHIRLEY and SWAYTHLING in this situation - HIGH STREET, SHIRLEY, SOUTHAMPTON and HIGH STREET, SWAYTHLING, SOUTHAMPTON.

  Close mapping: adb:dependentLocality

• dependentStreetName - In certain places, for example, town centres, there are named thoroughfares/streets within other named thoroughfares/streets, for example, parades of shops on a high street where different parades have their own identity. For example, KINGS PARADE, HIGH STREET and QUEENS PARADE, HIGH STREET.

  Close mapping: adb:dependentThoroughfare

• description
• document - The single string representation of a document that a contra-indicator was raised against.
• documentNumber - An identifier generated for the specific document when it was issued, for example the passport number.
• documentType - An identifier of the type of document, for example IR for Biometric Residence Permit, CR for Biometric Residence Card.
• doubleDependentAddressLocality - This is used to distinguish between similar thoroughfares/streets or the same thoroughfare/street within a dependent locality. For example, Millbrook Industrial Estate and Cranford Estate in this situation - BRUNEL WAY, MILLBROOK INDUSTRIAL ESTATE, MILLBROOK, SOUTHAMPTON and BRUNEL WAY, CRANFORD ESTATE, MILLBROOK, SOUTHAMPTON.

  Close mapping: adb:doubleDependentLocality

• drivingPermit
• evidence
• evidence_requested
• exp - The exp (expiration time) claim identifies the time the JWT expires.
• expiryDate - The date the document expires.
  • DrivingPermitDetailsClass➞expiryDate
  • PassportDetailsClass➞expiryDate
  • ResidencePermitDetailsClass➞expiryDate
• failedCheckDetails
• fraudCheck - Specifies the kind of fraud check performed as defined in the Good Practice Guide 45 documentation
• fullAddress - Unparsed address string as retrieved from optical character recognition read of a document.
• govuk_signin_journey_id - The journey id value as assigned by the GOV.UK account sign in process.
• ➞value - The date in the form CCYY[-MM[-DD]]
• iat - The iat (issued at) claim identifies the time at which the JWT was issued.
• icaoIssuerCode - An identifier for the issuing State or Organisation of a passport as defined by the International Civil Aviation Organization (ICAO) Standard for Machine Readable Travel Documents. Usually three characters.
• id - The identifier of a verifiable credential.
• idCard
• ➞type
• ➞vc
• ➞type - Identity check type values allowed
• ➞type
• identityCheckLevel - A measure of the level of identity confidence held by the issuer or previously performed in respect of the data being checked.
• identityCheckPolicy - Details of the type of policy that was checked as part of the identity check.
• identityFraudScore - The identity fraud score based on the check that has taken place as defined in the Good Practice Guide 45 documentation
  • EvidenceRequestedClass➞identityFraudScore
• incompleteMitigation - A partial or uncompleted mitigation that has taken place against a particular contra-indicator.
• ➞vc
• intervention - Intervention required by the risk assessment
• interventionCode
• interventionReason
• iss - The iss (issuer) claim identifies the principal that issued the JWT.
  • IdentityCheckCredentialJWTClass➞iss
• issuanceDate - The date a contra-indicator was generated.
• issueDate - The date the document was issued by the issuing authority.
• issueNumber - An identifier that changes with each issue of the document - unique only within documents issued under the same personalNumber.
• issuedBy - An identifier for the issuing authority, for example, DVLA.
• issuer - The issuer of a verifiable credential.
• issuers - An array of cri issuers.
• issuingCountry - Issuing country for documents represented as an ISO 3166 two character country code. Not used for passports see icaoIssuerCode.
• jti - The jti (JWT ID) claim identifies the unique identifier of the JWT.
  • IdentityCheckCredentialJWTClass➞jti
• kbvQuality - The quality of a knowledge-based verification (KBV) question.
• kbvResponseMode - Describes the way a KBV question was presented to the user.
• mitigatingCredential - Details of the credential that was generated as part of the mitigation journey for a particular contra-indicator.
• ➞validFrom
• mitigation - A completed mitigation that has taken place against a particular contra-indicator.
• name
• nameParts - The list of name parts that make up a Name object.
• nbf - The nbf (not before) claim identifies the time the JWT is valid from.
  • IdentityCheckCredentialJWTClass➞nbf
• nonce - The nonce. A random value provided from the ID token to verify the integrity of the ID token.
• organisationName - The organisation name is the business name given to a delivery point within a building or small group of buildings. E.g. TOURIST INFORMATION CENTRE This field could also include entries for churches, public houses and libraries.

  Close mapping: adb:organisationName

• passport
• personalNumber - An identifier that is common across documents issued to the same individual, such as driver number.
• photoVerificationProcessLevel - For a photo-based verification process, the level corresponding to the verification score as defined in the Good Practice Guide 45 documentation
• postalCode - A UK postcode is an abbreviated form of address made up of combinations of between five and seven alphanumeric characters. International postal codes have different formats.

  Exact mapping: schema:postalCode

• prompt - Use the value login to force a user to authenticate again even if they have an existing session. If this is not set a user will authenticate silently if they have an existing session.
• redirect_uri - The redirect uri. This value must exactly match one of the redirect uris registered by the Relying Party service and must be URL-encoded.
• residencePermit
• response_type - The response type. This value currently needs to be set to the value code.
• ➞type
• ➞evidence
• ➞type
• ➞vc
• scope - The scope. A space-separated list of scopes which must include the openid value. Other options are email, phone and offline_access (returns a refresh token). Other custom scopes are available for internal requests.
• scoringPolicy - The scoring policy that is applicable for the evidence requested scores. The current supported scoring policy is gpg45.
  • EvidenceRequestedClass➞scoringPolicy
• ➞type
• ➞evidence
• ➞type
• ➞vc
• sex - A person's legal sex. Only used for matching in certain life events. Multivalued only for consistency with other personal attributes.
• shared_claims - The shared claims. This value will detail what shared information the calling service wants to and is permitted to share.
• socialSecurityRecord
• sortCode - The sort code for a bank account. This is a string holding a 6-digit numerical code where leading 0 values are maintained.
• state - The state. This value is used to validate the response sent to the redirect URI. This value will be returned to the client in the authentication response.
• streetName - A thoroughfare/street is fundamentally a road, track or named access route, for example, HIGH STREET.

  Close mapping - adb:thoroughfare

• strengthScore - The strength score based on the check that has taken place as defined in the Good Practice Guide 45 documentation
  • EvidenceRequestedClass➞strengthScore
• sub - The sub (subject) claim identifies the principal that is the subject of the JWT.
  • IdentityCheckCredentialJWTClass➞sub
• subBuildingName - The sub-building name and/or number are identifiers for subdivisions of properties. E.g. Sub-building Name - FLAT 3 Building Name - POPLAR COURT Thoroughfare - LONDON ROAD NOTE - If the address is styled as 3 POPLAR COURT, all the text will be shown in the Building Name attribute and the Sub-building Name will be empty. The building number will be shown in this field when it contains a range, decimal or non-numeric character (see Building Number).

  Close mapping: adb:subBuildingName

• txn - A unique transaction identifier for this check, or part of a check, if any.
  • ContraIndicatorClass➞txn
• type - The type of name represented by the NamePart.
• uprn - The Unique Property Reference Number (UK and Northern Ireland Addresses Only)

  Exact mapping: adb:uprn

• validFrom
• validUntil
• validityScore - The validity score based on the check that has taken place as defined in the Good Practice Guide 45 documentation
  • EvidenceRequestedClass➞validityScore
• value
  • FamilyNameClass➞value
  • GivenNameClass➞value
• vc
  • IdentityCheckCredentialJWTClass➞vc
• ➞type
• verificationScore - The verification score based on the check that has taken place as defined in the Good Practice Guide 45 documentation
  • EvidenceRequestedClass➞verificationScore
• vot - The vot identifies the Vector Of Trust.
• vtm - The vtm identifies the Vector Trust Mark.
• vtr - The Vector of Trust request. If not specified the default value Cl.Cm is used. Further information can be found in Vectors of Trust RFC

Enums

• CheckMethodType
• DataCheckType
• FraudCheckType
• IdentityCheckPolicyType
• IdentityCheckType
• IdentityVectorOfTrust
• KBVResponseModeType
• NamePartType - Reference data enumeration applied to the type property for a specific NamePart
• VerifiableCredentialType

Subsets

Types

Built in

• Bool
• Curie
• Decimal
• ElementIdentifier
• NCName
• NodeIdentifier
• URI
• URIorCURIE
• XSDDate
• XSDDateTime
• XSDTime
• float
• int
• str

Defined

• JWS (str)
• StringOrURI (str)
• Boolean (Bool) - A binary (true or false) value
• Curie (Curie) - a compact URI
• Date (XSDDate) - a date (year, month and day) in an idealized calendar
• DateOrDatetime (str) - Either a date or a datetime
• Datetime (XSDDateTime) - The combination of a date and time
• Decimal (Decimal) - A real number with arbitrary precision that conforms to the xsd:decimal specification
• Double (float) - A real number that conforms to the xsd:double specification
• Float (float) - A real number that conforms to the xsd:float specification
• Integer (int) - An integer
• Jsonpath (str) - A string encoding a JSON Path. The value of the string MUST conform to JSON Point syntax and SHOULD dereference to zero or more valid objects within the current instance document when encoded in tree form.
• Jsonpointer (str) - A string encoding a JSON Pointer. The value of the string MUST conform to JSON Point syntax and SHOULD dereference to a valid object within the current instance document when encoded in tree form.
• Ncname (NCName) - Prefix part of CURIE
• Nodeidentifier (NodeIdentifier) - A URI, CURIE or BNODE that represents a node in a model.
• Objectidentifier (ElementIdentifier) - A URI or CURIE that represents an object in the model.
• Sparqlpath (str) - A string encoding a SPARQL Property Path. The value of the string MUST conform to SPARQL syntax and SHOULD dereference to zero or more valid objects within the current instance document when encoded as RDF.
• String (str) - A character string
• Time (XSDTime) - A time object represents a (local) time of day, independent of any particular day
• Uri (URI) - a complete URI
• Uriorcurie (URIorCURIE) - a URI or a CURIE