Overview
hConnect offers two integration methods: a hosted OIDC flow (redirect to Hopae’s OpenID Provider) and direct API integration. Each has distinct trade-offs in security, complexity, and control.
Architecture Comparison
- Hosted OIDC Flow
- REST API (Direct Integration)
OAuth 2.0 Authorization Code Flow
Follows the standard OIDC Authorization Code flow for simplified yet secure integration:
Fully OIDC-Compliant: The hosted flow uses the OIDC Authorization Code grant (with PKCE support) against the https://connect.hopae.com issuer, so you can reuse any OIDC-certified client library.
- Redirect users to https://sandbox.connect.hopae.com/auth (or production) - hConnect handles all provider interactions
- Receive an authorization code on your redirect URI
- Exchange code for ID token
Key Security Features
- PKCE: Protection against code interception
- State Parameter: CSRF protection
- Single-use codes: 60-second TTL
- JWT ID Tokens: Standard token format
Implementation Example
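The redirect, callback and code-exchange steps above, written out as an added example (not hConnect's SDK or code from this page): it generates the PKCE pair and state, builds the redirect to the sandbox /auth endpoint named above, rejects a callback whose state does not match the session (the CSRF check), and assembles the authorization-code exchange body. CLIENT_ID and REDIRECT_URI are placeholders, and because the token endpoint is not listed on this page the exchange body is returned rather than sent.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://sandbox.connect.hopae.com/auth"  # sandbox endpoint from the page
CLIENT_ID = "example-client-id"                            # placeholder, not a real client
REDIRECT_URI = "https://rp.example/callback"               # placeholder relying-party URI


def challenge_for(verifier: str) -> str:
    """RFC 7636 S256: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def query_params(url: str) -> dict:
    """Flatten the query string of a URL to {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_authorization_request(session: dict) -> str:
    """Step 1: create state + PKCE verifier, keep them server-side, return the redirect URL."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    session["state"] = secrets.token_urlsafe(16)
    session["code_verifier"] = verifier
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": session["state"],
        "code_challenge": challenge_for(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Steps 2-3: verify state, then build the body for the authorization-code exchange."""
    q = query_params(callback_url)
    if "error" in q:
        raise ValueError(f"provider returned error: {q['error']}")
    expected = session.pop("state", None)  # consumed once, so a replayed callback fails
    if not expected or not secrets.compare_digest(expected, q.get("state", "")):
        raise ValueError("state mismatch: possible CSRF, callback rejected")
    return {
        "grant_type": "authorization_code",
        "code": q["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session.pop("code_verifier"),  # proves we started this flow
    }
```

The authorization code itself is single-use with a short TTL on the provider side, so the exchange should happen immediately after the state check passes.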
Provider Flow Comparison (Example)
| Provider | Flow Type | Hosted OIDC Flow | API Requirements |
|---|---|---|---|
| BankID SE | QR Code | ✅ Automatic | QR generation + polling |
| MitID DK | Redirect | ✅ Automatic | Redirect handling |
| Smart-ID | Push | ✅ Automatic | Push UI + polling |
| DigiD NL | Redirect | ✅ Automatic | Multi-step redirects |
| itsme BE | QR + Push | ✅ Automatic | Multi-flow support |
Provider Abstraction: The hosted OIDC flow abstracts provider differences. Direct API integration requires implementing each provider’s specific flow.
Key Differences
| Aspect | Hosted OIDC Flow | API |
|---|---|---|
| Security Model | OAuth 2.0 patterns with PKCE | Custom implementation |
| Provider Complexity | Abstracted away | Direct handling required |
| Implementation Time | Quick setup | Extensive development |
| Control Level | Standard flow | Full customization |
| Maintenance | Automatic updates | Manual updates |