You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
docs: improve readability and image quality across oidc-integration-guide pages
Replace 10 images with higher quality versions extracted from the OIDC
Word document, add new Amazon Cognito config screenshot, and apply the
same readability improvements from the rest-api-guide: frosted-glass
callout banners, better formatting, fixed typos and grammar, proper
cross-references, and consistent heading hierarchy. Add Imprint to
sidebar for parity with rest-api-guide.
### Back-channel submission of authorisation parameters
6
6
7
7
The Pushed Authorisation Request (PAR) endpoint gives OAuth 2.0 clients a back-channel to post the parameters of an authorisation request to the Mobile ID server, to obtain an opaque URI handle for them, and then continue with the frontend redirection to the authorisation endpoint as usual.
8
8
9
+
::: info
9
10
Introducing an extra backend call to submit the authorisation parameters has three benefits:
10
11
11
-
- Frees the authorisation request from any browser URL length limits. They can become an issue with complex requests, such as RAR.
12
-
13
-
- Keeps the parameters confidential between client and server. Regular requests expose them in the URL query string and hence to the browser, the end-user and logs.
14
-
15
-
- Confidential OAuth clients will be authenticated up-front, and the request parameters will be checked for errors, before sending the end-user to the authorisation endpoint for login and consent.
16
-
12
+
-**Frees the authorisation request from any browser URL length limits.** They can become an issue with complex requests, such as RAR.
13
+
-**Keeps the parameters confidential** between client and server. Regular requests expose them in the URL query string and hence to the browser, the end-user and logs.
14
+
-**Confidential OAuth clients will be authenticated up-front**, and the request parameters will be checked for errors, before sending the end-user to the authorisation endpoint for login and consent.
15
+
:::
17
16
18
17
19
18
### PAR Request (POST)
20
19
21
20
Submits the OAuth 2.0 authorisation request parameters to `/par` to obtain a `request_uri` handle for use at the authorisation endpoint.
22
21
23
-
Header parameters:
24
-
-`[ Authorization ]` Used for HTTP basic authentication of the client.
25
-
-`Content-Type` Must be set to `application/x-www-form-urlencoded`.
26
-
-`[ Issuer ]`The issuer URL
27
-
-`[ Tenant-ID ]`The tenant ID
22
+
**Header parameters:**
23
+
-`Authorization` — Used for HTTP basic authentication of the client.
24
+
-`Content-Type`— Must be set to `application/x-www-form-urlencoded`.
25
+
-`Issuer` — The issuer URL (optional).
26
+
-`Tenant-ID` — The tenant ID (optional).
28
27
29
-
Body:
28
+
**Body:**
30
29
- The OAuth 2.0 authorisation request parameters, together with any client authentication parameters.
31
30
32
-
Success:
33
-
- Code: 200
31
+
**Success:**
32
+
- Code: `200`
34
33
- Content-Type: `application/json`
35
34
- Body: `{object}` The PAR response.
36
35
37
36
Example PAR request for a confidential client registered for `client_secret_basic` authentication:
-`request_uri`: The request URI handle to use at the authorisation endpoint.
92
-
-`expires_in`: The configured lifetime of the request URI, in seconds.
85
+
-`request_uri` — The request URI handle to use at the authorisation endpoint.
86
+
-`expires_in` — The configured lifetime of the request URI, in seconds.
93
87
94
88
Example:
95
89
@@ -102,56 +96,59 @@ Example:
102
96
103
97
## Token and response validation
104
98
105
-
According to the OIDC specification RPs must ensure that the received tokens are valid. The following chapters summarize the Relying Party's obligations when consuming OIDC/OAUTH tokens and responses.
99
+
According to the OIDC specification, RPs must ensure that the received tokens are valid. The following chapters summarize the Relying Party's obligations when consuming OIDC/OAUTH tokens and responses.
106
100
107
101
### Authentication Request
108
102
109
103
Provide state and nonce values with sufficient entropy.
Relying Party's credentials (for example, client secret) must be stored safely for remaining a secret only known by the Relying Party. Relying Party should inform the Mobile ID OP in case credentials have been compromised.
128
+
::: warning
129
+
Relying Party's credentials (for example, client secret) must be stored safely to remain a secret only known by the Relying Party. Relying Party should inform the Mobile ID OP in case credentials have been compromised.
130
+
:::
135
131
136
132
### Store tokens securely
137
133
134
+
::: warning
138
135
Tokens, especially Refresh Tokens, must be treated as credentials and stored securely in a place where only the End-Users for whom they were issued can access them.
136
+
:::
139
137
140
138
## Test Users
141
139
142
-
There are test user accounts available for testing and debugging purpose.
140
+
There are test user accounts available for testing and debugging purposes.
143
141
144
-
Please be aware, due to the strict phone number validation during the Mobile ID authorization flow, these test phone numbers will only be accepted by the Mobile ID server if they are provided via `log-in_hint` request parameter. However, your account must be authorized to use the `login_hint` parameter and requires the use of Pushed Authorisation Requests (PAR), which keeps the parameters confidential between client and server (see section [Pushed Authorization Request (PAR)](/oidc-integration-guide/best-practices#pushed-authorization-request-par) ).
142
+
::: info
143
+
Due to the strict phone number validation during the Mobile ID authorization flow, these test phone numbers will only be accepted by the Mobile ID server if they are provided via the `login_hint` request parameter. Your account must be authorized to use the `login_hint` parameter and requires the use of Pushed Authorisation Requests (PAR), which keeps the parameters confidential between client and server (see section [Pushed Authorization Request (PAR)](/oidc-integration-guide/best-practices#pushed-authorization-request-par)).
144
+
:::
145
145
146
146
| MSISDN | Auth | Description |
147
147
|--------|------|-------------|
148
-
| +41-700092501 | SIM | Robot User (EC key; Swisscom Root CA 2 Certificate) |
149
-
| +41-700092502 | SIM | Robot User (RSA key; Swisscom Root CA 2 Certificate) |
150
-
| +41-000092401 | SIM | Simulated user to test the Mobile ID Error 401; USER_CANCEL |
151
-
| +41-000092402 | SIM | Simulated user to test the Mobile ID Error 402; PIN_BLOCKED |
152
-
| +41-000092403 | SIM | Simulated user to test the Mobile ID Error 403; CARD_BLOCKED |
153
-
| +41-000092404 | SIM | Simulated user to test the Mobile ID Error 404; NO_KEY_FOUND |
154
-
| +41-000092406 | SIM | Simulated user to test the Mobile ID Error 406; PB_SIGNATURE_PROCESS |
155
-
156
-
157
-
148
+
|`+41-700092501`| SIM | Robot User (EC key; Swisscom Root CA 2 Certificate) |
149
+
|`+41-700092502`| SIM | Robot User (RSA key; Swisscom Root CA 2 Certificate) |
150
+
|`+41-000092401`| SIM | Simulated user to test the Mobile ID Error 401; USER_CANCEL |
151
+
|`+41-000092402`| SIM | Simulated user to test the Mobile ID Error 402; PIN_BLOCKED |
152
+
|`+41-000092403`| SIM | Simulated user to test the Mobile ID Error 403; CARD_BLOCKED |
153
+
|`+41-000092404`| SIM | Simulated user to test the Mobile ID Error 404; NO_KEY_FOUND |
154
+
|`+41-000092406`| SIM | Simulated user to test the Mobile ID Error 406; PB_SIGNATURE_PROCESS |
This chapter covers a few Mobile-ID integration scenario examples with popular public cloud services.
3
+
This chapter covers a few MobileID integration scenario examples with popular public cloud services.
4
4
5
-
## Microsoft Azure ADB B2C
5
+
## Microsoft Azure AD B2C
6
6
7
-
Azure Active Directory B2C is a Single-Sign-On (SSO) solution for any API, web, or mobile application. It enables any organization to provide their users with access using identities they already have, such as Mobile-ID.
7
+
Azure Active Directory B2C is a Single-Sign-On (SSO) solution for any API, web, or mobile application. It enables any organization to provide their users with access using identities they already have, such as MobileID.
8
8
9
-
Mobile-ID is officially supported by Microsoft Azure and the setup is described on their official article.
9
+
::: info
10
+
Mobile ID is officially supported by Microsoft Azure and the setup is described on their [official article](https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-generic-openid-connect).
11
+
:::
10
12
11
13
Microsoft will act as the secure front door to any of these applications and they will worry about the safety and scalability of the authentication platform. Azure will handle things like denial of service or brute force attacks, so that organizations can focus on their core business and stay out of the identity business.
12
14
13
15
## Amazon Cognito
14
16
15
17
Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Apple, Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0 and OpenID Connect.
16
18
17
-
This article explains how to integrate user sign-in with an OpenID Connect IdP such as Mobile-ID.
19
+
::: tip
20
+
This [article](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-idp.html) explains how to integrate user sign-in with an OpenID Connect IdP such as Mobile ID.
0 commit comments