Technical Details for "iAM Smart"

Technical Details

OGCIO will provide three sets of Application Programming Interfaces (APIs) for commercial organisations and public bodies to adopt "iAM Smart" in their online services. OAuth 2.0 will be adopted for authentication and authorisation among the "iAM Smart" user, the online service and the "iAM Smart" System.
Workflow:
  1. User to access online service website and to start the login by using "iAM Smart" process
  2. Online service to redirect user to a webpage that is hosted in "iAM Smart" System
  3. User to use "iAM Smart" Mobile App to scan the QR code on the webpage
  4. "iAM Smart" System to redirect user to online service with "Authorisation Code" included
  5. Online service to pass the "Authorisation Code" to "iAM Smart" System
  6. "iAM Smart" System to return the "Access token", which includes the user's tokenised account identifier*; online service to use the tokenised account identifier to perform user matching at its local user database
*Tokenised account identifier is a unique identifier of an "iAM Smart" user assigned by the "iAM Smart" System for a particular online service. Different online services will be assigned different values of the tokenised account identifier for the same "iAM Smart" user, which strengthens the privacy protection of users.
Authentication with "iAM Smart"
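An added example, not part of the original page and not OGCIO's code: a Python simulation of steps 4 to 6 from the online service's side, showing single-use authorisation codes, per-service tokenised account identifiers and local user matching. The class names, the `tokenised_id` field, the HMAC derivation and the `state` check (a standard OAuth 2.0 parameter) are assumptions; the page does not specify them.

```python
import hashlib, hmac, secrets

class StandInIamSmart:
    """In-process stand-in for the "iAM Smart" System (hypothetical, for illustration)."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._codes = {}  # authorisation code -> (client_id, user)

    def tokenised_id(self, client_id, user):
        # Assumed derivation: keyed hash over (service, user), so every
        # online service sees a different identifier for the same user.
        msg = f"{client_id}\x00{user}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def authorise(self, client_id, user):
        # Step 4: the code that is carried back on the redirect.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, user)
        return code

    def exchange(self, client_id, code):
        # Steps 5-6: a code is single-use and bound to the service it was issued for.
        issued = self._codes.pop(code, None)
        if issued is None or issued[0] != client_id:
            raise PermissionError("invalid authorisation code")
        return {"tokenised_id": self.tokenised_id(*issued)}

class OnlineService:
    """Relying party: tracks its own login attempts and its local user table."""
    def __init__(self, client_id, idp):
        self.client_id, self.idp = client_id, idp
        self.pending_states = set()  # login attempts started here
        self.users = {}              # tokenised id -> local account

    def start_login(self):
        # Steps 1-2: remember an unguessable value before redirecting the user.
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return state

    def callback(self, state, code):
        # Reject redirects that do not belong to a login this service started.
        if state not in self.pending_states:
            raise PermissionError("unknown state")
        self.pending_states.discard(state)
        token = self.idp.exchange(self.client_id, code)
        # Step 6: user matching; None means no local account is linked yet.
        return self.users.get(token["tokenised_id"])
```

A `None` result from `callback` is the point where a real service would run its own account-linking step before trusting the identifier.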
Workflow:
  1. User to access web form and start the form filling by "iAM Smart" process (if user is not authenticated, perform steps 2-6 of the "Authentication" process to obtain the tokenised account identifier*)
  2. Online service to invite the user to authorise the form filling request in the "iAM Smart" Mobile App and pass the tokenised account identifier and form filling request to "iAM Smart" System
  3. User to use "iAM Smart" Mobile App and authorise "iAM Smart" System to pass information# to online service
  4. "iAM Smart" System to pass user selected information to online service
  5. Online service to use the information for form filling
* Tokenised account identifier is a unique identifier of an "iAM Smart" user assigned by the "iAM Smart" System for a particular online service. Different online services will be assigned different values of the tokenised account identifier for the same "iAM Smart" user, which strengthens the privacy protection of users.

# An option will be provided for "iAM Smart" users to set up the user profile with personal data for form filling.
Form Filling with "iAM Smart"
Workflow:
  1. User to start the digital signing by "iAM Smart" process (if user is not authenticated, perform steps 2-6 of the "Authentication" process to obtain the tokenised account identifier*)
  2. Online service to pass the hash value generated from the web form to be signed along with the user's tokenised account identifier to "iAM Smart" System
  3. Online service to show an identification code and invite the user to authorise digital signing in the "iAM Smart" Mobile App
  4. After ensuring the identification code shown on the "iAM Smart" Mobile App and the online service webpage are the same, user to authorise the digital signing action
  5. "iAM Smart" System to perform digital signing and return the signed hash and user's digital certificate# with public key to online service.
  6. Online service to confirm the digital signing and display result to user
* Tokenised account identifier is a unique identifier of an "iAM Smart" user assigned by the "iAM Smart" System for a particular online service. Different online services will be assigned different values of the tokenised account identifier for the same "iAM Smart" user, which strengthens the privacy protection of users.

# Digital certificate issued by Recognized Certification Authority for "iAM Smart" user.
Digital Signing with "iAM Smart"