Implement ID.me attribute exchange to retrieve community group membership for benefit eligibility gating

Verified steps

1. Configure an ID.me application in the developer portal with the Attribute Exchange policy for the specific group type (military, veteran, first responder, student, or low-income); each group type requires a separate policy scope.
2. Initiate the OIDC flow with scope openid and the specific community scope (e.g., military, veteran); the user completes group verification on ID.me's hosted interface.
3. On callback, exchange the authorization code for tokens; call the userinfo endpoint with the access token to retrieve the group claim, which returns the verified affiliation and the verification method used.
4. Map the group attribute to your benefit eligibility logic: a truthy group claim confirms the user belongs to the asserted community; a missing or false claim indicates verification was not completed or group membership was not established.
5. Cache the group verification result with an expiry aligned to ID.me's verification validity period (typically one year for document-based verifications); trigger re-verification on expiry rather than storing the claim indefinitely.
6. Handle partial verification: a user may successfully authenticate (openid scope claims present) but fail community verification (group claim absent); display a clear message that benefit access requires completed group verification.