IRMA is a distributed, attribute-based authentication platform which is very privacy-friendly. It is at its core an implementation of the Idemix attribute-based credential scheme. This page provides a short technical overview of IRMA. You can find more general information on the IRMA project here. A much more detailed technical introduction to IRMA is available here. All other technical IRMA documentation can be found here.
Users will need an IRMA client to manage their attributes. Currently, there are two client implementations of IRMA: a smart card version, which is no longer maintained, and a much newer and more versatile Android and iOS app.
The IRMA app is currently the only maintained IRMA client. The IRMA app is available for download directly from the Google Play store and from the Apple App Store. If you have no access to the Google Play store, or do not wish to get the app from there, you can also find a binary here. Alternatively, you can build the app from the publicly available source code. Be aware that only an install via the app store will automatically update to the newest version.
After installing the app, users obtain their first credentials through a registration process. After obtaining attributes, users can use them to authenticate to service providers. Several demos can be found here.
More information on installing and using the IRMA app can be found here.
Verifying and Issuing credentials
If you want to verify and/or issue credentials you can use the following projects.
The API server handles all IRMA-specific cryptographic details of issuing and verifying attributes on behalf of the service or identity provider. It sits between IRMA tokens on the one hand, and authorized service or identity providers on the other hand. It exposes a RESTful JSON API driven by JWTs for authentication. The protocol that the IRMA API server and the IRMA Android and iOS apps speak is documented here. If you wish to run your own API server you can find the code and instructions here.
IRMA session flow
The following image shows the dataflow between the IRMA software components in a typical IRMA session.
Explanation of the steps:
- The requestor (i.e., the service or identity provider wanting to verify or issue attributes) provides a JWT containing an IRMA session request, along with success and failure callbacks, to irma_js
- irma_js POSTs the JWT to the API server
- The API server replies with an IRMA session token
- irma_js renders the session token along with the URL to the API server in a QR that the IRMA app scans
- The IRMA app contacts the API server, and they perform the actual IRMA session
- The API server informs irma_js of the result (in the case of a successful disclosure session, this includes a JWT containing the disclosed attributes)
- irma_js informs the requestor via the callbacks provided in step 1, including the disclosed attributes in verification sessions
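The result JWT from the last two steps reaches the requestor through irma_js, so the requestor should verify it against the API server's public key before trusting any disclosed attribute. The following Node.js code is an added example, not code from the IRMA project; the RS256 algorithm, the claim names status and attributes, the issuer name, the attribute identifier and the key pair are assumptions constructed for the demo.

```javascript
const crypto = require('crypto');

const b64u = (s) => Buffer.from(s).toString('base64url');
const unb64u = (s) => Buffer.from(s, 'base64url');

// Constructed stand-in for the API server's signing key pair (demo only).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Plays the API server's role for the demo: builds a constructed RS256 JWT.
function signJwt(claims, key) {
  const input = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) + '.' + b64u(JSON.stringify(claims));
  return input + '.' + crypto.sign('RSA-SHA256', Buffer.from(input), key).toString('base64url');
}

// Requestor side: returns the disclosed attributes or throws.
// Claim names "status" and "attributes" are assumed, not taken from the IRMA docs.
function verifyResultJwt(token, serverPublicKey, expectedIssuer, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const [head, body, sig] = parts;
  // Pin the algorithm so the token cannot pick "none" or a symmetric one.
  if (JSON.parse(unb64u(head).toString()).alg !== 'RS256') throw new Error('unexpected alg');
  // Check the signature before reading any claim.
  if (!crypto.verify('RSA-SHA256', Buffer.from(head + '.' + body), serverPublicKey, unb64u(sig))) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(unb64u(body).toString());
  if (claims.iss !== expectedIssuer) throw new Error('wrong issuer');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  if (claims.status !== 'VALID') throw new Error('disclosure not valid');
  return claims.attributes;
}

// Constructed result token, as the requestor's success callback might receive it.
const demoToken = signJwt({
  iss: 'demo-api-server',
  exp: Math.floor(Date.now() / 1000) + 60,
  status: 'VALID',
  attributes: { 'demo.credential.over18': 'yes' },
}, privateKey);
console.log(verifyResultJwt(demoToken, publicKey, 'demo-api-server'));
```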
- irma_mobile: A cross-platform iOS and Android mobile IRMA app,
- irmago: the underlying IRMA client implementation in Go; also parses the irma_configuration folder, and contains structs that serve as the messages in the IRMA protocol
- irma_api_common: Java library that parses the irma_configuration folder; contains our Idemix implementation, and contains classes that serve as the messages in the IRMA protocol
- irma_api_server: server for issuing and verifying attributes
- irma-demo scheme managers contain credential descriptions, issuer descriptions, and public and possibly private keys of issuers, grouped in scheme managers. These should be put in an irma_configuration folder for use by the
- gabi, Idemix implementation in Go used by
Support or Contact
Having trouble with IRMA usage or development? Contact irma 'at' privacybydesign.foundation and we’ll help you sort it out.