Skip to content

Commit 59b6703

Browse files
committed
docs: improve readability and image quality across oidc-integration-guide pages
Replace 10 images with higher quality versions extracted from the OIDC Word document, add new Amazon Cognito config screenshot, and apply the same readability improvements from the rest-api-guide: frosted-glass callout banners, better formatting, fixed typos and grammar, proper cross-references, and consistent heading hierarchy. Add Imprint to sidebar for parity with rest-api-guide.
1 parent 9855781 commit 59b6703

18 files changed

Lines changed: 295 additions & 214 deletions

docs/.vitepress/config.mts

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -80,6 +80,10 @@ export default defineConfig({
8080
{ text: 'MobileID OIDC - Use Cases', link: '/oidc-integration-guide/oidc-use-cases' },
8181
{ text: 'Message Formats on the Mobile ID App', link: '/oidc-integration-guide/message-formats' }
8282
]
83+
},
84+
{
85+
text: '',
86+
items: [{ text: 'Imprint', link: '/oidc-integration-guide/imprint.md' }]
8387
}
8488
],
8589

Lines changed: 41 additions & 44 deletions
Original file line numberDiff line numberDiff line change
@@ -1,44 +1,43 @@
11
# Best Practices
22

3-
### Pushed Authorization Request (PAR)
3+
## Pushed Authorization Request (PAR)
44

55
### Back-channel submission of authorisation parameters
66

77
The Pushed Authorisation Request (PAR) endpoint gives OAuth 2.0 clients a back-channel to post the parameters of an authorisation request to the Mobile ID server, to obtain an opaque URI handle for them, and then continue with the frontend redirection to the authorisation endpoint as usual.
88

9+
::: info
910
Introducing an extra backend call to submit the authorisation parameters has three benefits:
1011

11-
- Frees the authorisation request from any browser URL length limits. They can become an issue with complex requests, such as RAR.
12-
13-
- Keeps the parameters confidential between client and server. Regular requests expose them in the URL query string and hence to the browser, the end-user and logs.
14-
15-
- Confidential OAuth clients will be authenticated up-front, and the request parameters will be checked for errors, before sending the end-user to the authorisation endpoint for login and consent.
16-
12+
- **Frees the authorisation request from any browser URL length limits.** They can become an issue with complex requests, such as RAR.
13+
- **Keeps the parameters confidential** between client and server. Regular requests expose them in the URL query string and hence to the browser, the end-user and logs.
14+
- **Confidential OAuth clients will be authenticated up-front**, and the request parameters will be checked for errors, before sending the end-user to the authorisation endpoint for login and consent.
15+
:::
1716

1817

1918
### PAR Request (POST)
2019

2120
Submits the OAuth 2.0 authorisation request parameters to `/par` to obtain a `request_uri` handle for use at the authorisation endpoint.
2221

23-
Header parameters:
24-
- `[ Authorization ]` Used for HTTP basic authentication of the client.
25-
- `Content-Type` Must be set to `application/x-www-form-urlencoded`.
26-
- `[ Issuer ]` The issuer URL
27-
- `[ Tenant-ID ]` The tenant ID
22+
**Header parameters:**
23+
- `Authorization` Used for HTTP basic authentication of the client.
24+
- `Content-Type` Must be set to `application/x-www-form-urlencoded`.
25+
- `Issuer`The issuer URL (optional).
26+
- `Tenant-ID`The tenant ID (optional).
2827

29-
Body:
28+
**Body:**
3029
- The OAuth 2.0 authorisation request parameters, together with any client authentication parameters.
3130

32-
Success:
33-
- Code: 200
31+
**Success:**
32+
- Code: `200`
3433
- Content-Type: `application/json`
3534
- Body: `{object}` The PAR response.
3635

3736
Example PAR request for a confidential client registered for `client_secret_basic` authentication:
3837

3938
```http
4039
POST /par HTTP/1.1
41-
Host: c2id.com
40+
Host: openid.mobileid.ch
4241
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
4342
Content-Type: application/x-www-form-urlencoded
4443
@@ -47,14 +46,13 @@ response_type=code
4746
&client_id=fcb5e4f1
4847
&state=af0ifjsldkj
4948
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
50-
5149
```
5250

5351
Example PAR request for a public client with PKCE:
5452

5553
```http
5654
POST /par HTTP/1.1
57-
Host: c2id.com
55+
Host: openid.mobileid.ch
5856
Content-Type: application/x-www-form-urlencoded
5957
6058
response_type=code
@@ -64,8 +62,6 @@ response_type=code
6462
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
6563
&code_challenge_method=S256
6664
&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
67-
68-
6965
```
7066

7167
Example response with a request URI to complete the authorisation:
@@ -80,16 +76,14 @@ Pragma: no-cache
8076
"request_uri" : "urn:ietf:params:oauth:request_uri:OsL1Z3VqIxAT9R77wB7KCw.5-cQUNt9DygE4XxnYjysnw",
8177
"expires_in" : 60
8278
}
83-
84-
8579
```
8680

8781
### PAR Response
8882

8983
JSON object with members:
9084

91-
- `request_uri`: The request URI handle to use at the authorisation endpoint.
92-
- `expires_in`: The configured lifetime of the request URI, in seconds.
85+
- `request_uri` The request URI handle to use at the authorisation endpoint.
86+
- `expires_in` The configured lifetime of the request URI, in seconds.
9387

9488
Example:
9589

@@ -102,56 +96,59 @@ Example:
10296

10397
## Token and response validation
10498

105-
According to the OIDC specification RPs must ensure that the received tokens are valid. The following chapters summarize the Relying Party's obligations when consuming OIDC/OAUTH tokens and responses.
99+
According to the OIDC specification, RPs must ensure that the received tokens are valid. The following chapters summarize the Relying Party's obligations when consuming OIDC/OAUTH tokens and responses.
106100

107101
### Authentication Request
108102

109103
Provide state and nonce values with sufficient entropy.
110104

111-
- [http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest](http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest)
112-
- [http://openid.net/specs/openid-connect-core-1_0.html#NonceNotes](http://openid.net/specs/openid-connect-core-1_0.html#NonceNotes)
105+
- [OIDC Core — AuthRequest](http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest)
106+
- [OIDC Core — NonceNotes](http://openid.net/specs/openid-connect-core-1_0.html#NonceNotes)
113107

114108
### Validate authentication responses
115109

116110
Handle the state parameter correctly.
117111

118-
- [http://openid.net/specs/openid-connect-core-1_0.html#AuthResponseValidation](http://openid.net/specs/openid-connect-core-1_0.html#AuthResponseValidation)
112+
- [OIDC Core — AuthResponseValidation](http://openid.net/specs/openid-connect-core-1_0.html#AuthResponseValidation)
119113

120114
### Validate token endpoint responses
121115

122-
Validate the ID Token and proof scopes.
116+
Validate the ID Token and verify scopes.
123117

124-
- [http://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation](http://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation)
118+
- [OIDC Core — TokenResponseValidation](http://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation)
125119

126120
### Validate ID token
127121

128122
Relying Party must validate ID Tokens.
129123

130-
- [http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation](http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation)
124+
- [OIDC Core — IDTokenValidation](http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation)
131125

132126
### Protect Client ID and secret
133127

134-
Relying Party's credentials (for example, client secret) must be stored safely for remaining a secret only known by the Relying Party. Relying Party should inform the Mobile ID OP in case credentials have been compromised.
128+
::: warning
129+
Relying Party's credentials (for example, client secret) must be stored safely to remain a secret only known by the Relying Party. Relying Party should inform the Mobile ID OP in case credentials have been compromised.
130+
:::
135131

136132
### Store tokens securely
137133

134+
::: warning
138135
Tokens, especially Refresh Tokens, must be treated as credentials and stored securely in a place where only the End-Users for whom they were issued can access them.
136+
:::
139137

140138
## Test Users
141139

142-
There are test user accounts available for testing and debugging purpose.
140+
There are test user accounts available for testing and debugging purposes.
143141

144-
Please be aware, due to the strict phone number validation during the Mobile ID authorization flow, these test phone numbers will only be accepted by the Mobile ID server if they are provided via `log-in_hint` request parameter. However, your account must be authorized to use the `login_hint` parameter and requires the use of Pushed Authorisation Requests (PAR), which keeps the parameters confidential between client and server (see section [Pushed Authorization Request (PAR)](/oidc-integration-guide/best-practices#pushed-authorization-request-par) ).
142+
::: info
143+
Due to the strict phone number validation during the Mobile ID authorization flow, these test phone numbers will only be accepted by the Mobile ID server if they are provided via the `login_hint` request parameter. Your account must be authorized to use the `login_hint` parameter and requires the use of Pushed Authorisation Requests (PAR), which keeps the parameters confidential between client and server (see section [Pushed Authorization Request (PAR)](/oidc-integration-guide/best-practices#pushed-authorization-request-par)).
144+
:::
145145

146146
| MSISDN | Auth | Description |
147147
|--------|------|-------------|
148-
| +41-700092501 | SIM | Robot User (EC key; Swisscom Root CA 2 Certificate) |
149-
| +41-700092502 | SIM | Robot User (RSA key; Swisscom Root CA 2 Certificate) |
150-
| +41-000092401 | SIM | Simulated user to test the Mobile ID Error 401; USER_CANCEL |
151-
| +41-000092402 | SIM | Simulated user to test the Mobile ID Error 402; PIN_BLOCKED |
152-
| +41-000092403 | SIM | Simulated user to test the Mobile ID Error 403; CARD_BLOCKED |
153-
| +41-000092404 | SIM | Simulated user to test the Mobile ID Error 404; NO_KEY_FOUND |
154-
| +41-000092406 | SIM | Simulated user to test the Mobile ID Error 406; PB_SIGNATURE_PROCESS |
155-
156-
157-
148+
| `+41-700092501` | SIM | Robot User (EC key; Swisscom Root CA 2 Certificate) |
149+
| `+41-700092502` | SIM | Robot User (RSA key; Swisscom Root CA 2 Certificate) |
150+
| `+41-000092401` | SIM | Simulated user to test the Mobile ID Error 401; USER_CANCEL |
151+
| `+41-000092402` | SIM | Simulated user to test the Mobile ID Error 402; PIN_BLOCKED |
152+
| `+41-000092403` | SIM | Simulated user to test the Mobile ID Error 403; CARD_BLOCKED |
153+
| `+41-000092404` | SIM | Simulated user to test the Mobile ID Error 404; NO_KEY_FOUND |
154+
| `+41-000092406` | SIM | Simulated user to test the Mobile ID Error 406; PB_SIGNATURE_PROCESS |
Lines changed: 10 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,19 +1,23 @@
11
# Public Cloud Integration Guide
22

3-
This chapter covers a few Mobile-ID integration scenario examples with popular public cloud services.
3+
This chapter covers a few Mobile ID integration scenario examples with popular public cloud services.
44

5-
## Microsoft Azure ADB B2C
5+
## Microsoft Azure AD B2C
66

7-
Azure Active Directory B2C is a Single-Sign-On (SSO) solution for any API, web, or mobile application. It enables any organization to provide their users with access using identities they already have, such as Mobile-ID.
7+
Azure Active Directory B2C is a Single-Sign-On (SSO) solution for any API, web, or mobile application. It enables any organization to provide their users with access using identities they already have, such as Mobile ID.
88

9-
Mobile-ID is officially supported by Microsoft Azure and the setup is described on their official article.
9+
::: info
10+
Mobile ID is officially supported by Microsoft Azure and the setup is described on their [official article](https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-generic-openid-connect).
11+
:::
1012

1113
Microsoft will act as the secure front door to any of these applications and they will worry about the safety and scalability of the authentication platform. Azure will handle things like denial of service or brute force attacks, so that organizations can focus on their core business and stay out of the identity business.
1214

1315
## Amazon Cognito
1416

1517
Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Apple, Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0 and OpenID Connect.
1618

17-
This article explains how to integrate user sign-in with an OpenID Connect IdP such as Mobile-ID.
19+
::: tip
20+
This [article](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-idp.html) explains how to integrate user sign-in with an OpenID Connect IdP such as Mobile ID.
21+
:::
1822

19-
![use-case-prompt-user-credentials](/img/use-case-prompt-user-credentials.png)
23+
![amazon-cognito-config](/img/amazon-cognito-config.png)

0 commit comments

Comments
 (0)