Skip to content

Commit 68f0e9d

Browse files
committed
docs: add Passkey Authentication page for OIDC integration guide
Introduce comprehensive documentation for MobileID FIDO2 Passkeys covering passkey concepts (device-bound vs. synced, NIST AAL3, FIPS 140-2), the mobileid.ch domain-binding model, RP control over passkey quality via KeyRingID and claims, OIDC parameters (scopes, ACR/AMR values, login_hint), feature flag configuration, error codes, and canonical RP scenarios. Includes MyMobileID Dashboard screenshots for passkey management.
1 parent 06d3c9e commit 68f0e9d

17 files changed

Lines changed: 672 additions & 21 deletions

docs/.vitepress/config.mts

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -84,6 +84,7 @@ export default defineConfig({
8484
{ text: 'Getting Started', link: '/oidc-integration-guide/getting-started' },
8585
{ text: 'Best Practices', link: '/oidc-integration-guide/best-practices' },
8686
{ text: 'Public Cloud Integration', link: '/oidc-integration-guide/cloud-integration-guide' },
87+
{ text: 'Passkey Authentication', link: '/oidc-integration-guide/passkey-authentication' },
8788
{ text: 'MobileID OIDC - Use Cases', link: '/oidc-integration-guide/oidc-use-cases' },
8889
{ text: 'App Message Formats', link: '/oidc-integration-guide/message-formats' }
8990
]

docs/.vitepress/theme/custom.css

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -218,6 +218,33 @@ html.dark .VPSwitchAppearance .check {
218218
box-shadow: 0 2px 12px rgba(0, 0, 0, 0.45);
219219
}
220220

221+
/* Sidebar: active item uses MobileID green (#004844) for better visibility */
222+
.VPSidebarItem.is-active > .item .link > .text {
223+
color: #004844 !important;
224+
font-weight: 600 !important;
225+
}
226+
227+
html.dark .VPSidebarItem.is-active > .item .link > .text {
228+
color: #2dd4b0 !important;
229+
}
230+
231+
.VPSidebarItem.is-active > .item > .indicator {
232+
background-color: #004844 !important;
233+
}
234+
235+
html.dark .VPSidebarItem.is-active > .item > .indicator {
236+
background-color: #2dd4b0 !important;
237+
}
238+
239+
/* Sidebar: hover uses MobileID green too */
240+
.VPSidebarItem.is-link > .item > .link:hover .text {
241+
color: #004844 !important;
242+
}
243+
244+
html.dark .VPSidebarItem.is-link > .item > .link:hover .text {
245+
color: #2dd4b0 !important;
246+
}
247+
221248
/* Fix: keep sidebar width constant across desktop breakpoints.
222249
VitePress widens/narrows sidebar/title at >=1440px using a calc() that can
223250
shrink when --vp-layout-max-width is larger than the viewport (e.g. 1600px).

docs/oidc-integration-guide/getting-started.md

Lines changed: 48 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -125,8 +125,14 @@ You can use the following login hint in combination with the `prompt=login` para
125125
{"useLDAP": true}
126126
```
127127

128+
If passkeys are enabled for your account, you can include the `keyringId` field in the login hint:
129+
130+
```json
131+
{"hints": [{"msisdn":"+41765XXXXXX", "keyringId":"MIDPKXXXXXXXXXX"}]}
132+
```
133+
128134
::: info
129-
The `sn` parameter is optional and only required for ACR `mid_al4`.
135+
The `sn` parameter is optional and only required for ACR `mid_al4`. The `keyringId` is required for `mid_al4_passkey` and `mid_al4_any` (when passkeys are enabled). See [Passkey Authentication](/oidc-integration-guide/passkey-authentication) for details.
130136
:::
131137

132138
#### DTBD Parameter
@@ -156,9 +162,10 @@ Given below is the list of supported scopes that can be requested during the aut
156162
| `profile` | name | string |
157163
| `phone` | phone_number<br>phone_number_verified | string<br>boolean |
158164
| `mid_location` | mid_geo_accuracy<br>mid_geo_country<br>mid_geo_device_confidence<br>mid_geo_location_confidence<br>mid_geo_timestamp | number<br>string<br>number<br>number<br>string |
159-
| `mid_profile` | mid_profile_recovery_code_status<br>mid_profile_serial<br>mid_profile_sim_status<br>mid_profile_sim_pin_status<br>mid_profile_sim_mcc<br>mid_profile_sim_mnc<br>mid_profile_sim_network<br>mid_profile_app_status | boolean<br>string<br>string<br>string<br>string<br>string<br>string<br>string |
165+
| `mid_profile` | mid_profile_recovery_code_status<br>mid_profile_serial<br>mid_pk_keyringid<br>mid_profile_sim_status<br>mid_profile_sim_pin_status<br>mid_profile_sim_mcc<br>mid_profile_sim_mnc<br>mid_profile_sim_network<br>mid_profile_app_status<br>mid_profile_sscds<br>mid_profile_alias | boolean<br>string<br>string<br>string<br>string<br>string<br>string<br>string<br>string<br>string<br>string |
160166
| `mid_cms` | mid_cms_content | string |
161167
| `mid_esign_basic` | mid_esign_basic_assurance_level<br>mid_esign_basic_jurisdictions<br>mid_esign_basic_has_valid_evidence | string<br>string<br>boolean |
168+
| `mid_passkey` | mid_pk_keyringid<br>mid_pk_binding<br>mid_pk_cert_level<br>mid_pk_created_ts<br>mid_pk_last_used_ts<br>mid_pk_aaguid<br>mid_pk_cred_fingerprint<br>mid_pk_auth_attachment<br>mid_pk_os_family | string<br>string<br>string<br>number<br>number<br>string<br>string<br>string<br>string |
162169

163170
::: tip
164171
A Relying Party should always respect the user's privacy and keep the requested claims down to the very essential. For example, using scope `openid` only, the user sign-in will be anonymous. Neither the phone number nor any other user information will be passed on to the Relying Party's application.
@@ -188,17 +195,20 @@ Below is an overview of all authentication means offered and supported by Mobile
188195

189196
An ACR can include one or several different authentication methods. The Mobile ID OP will check the user's authentication possibilities and will select an authentication method that complies with the ACR.
190197

191-
| Authentication Level (AL) | ACR value | SIM Card | Mobile App | OTP Text SMS | CH Loc. Check | MID SN Check |
192-
|---------------------------|------------|----------|------------|--------------|----------------|---------------|
193-
| 2 | `mid_al2_any` |||| | |
194-
| 3 | `mid_al3_any` ||| | | |
195-
| | `mid_al3_simcard` || | | | |
196-
| | `mid_al3_mobileapp` | || | | |
197-
| | `mid_al3_any_ch` ||| || |
198-
| 4 | `mid_al4_any` ||| | ||
199-
| | `mid_al4_simcard` || | | ||
200-
| | `mid_al4_mobileapp` | || | ||
201-
| | `mid_al4_any_ch` ||| |||
198+
| Authentication Level (AL) | ACR value | SIM Card | Mobile App | OTP Text SMS | Passkey | CH Loc. Check | SN / KeyRing Check |
199+
|---------------------------|------------|----------|------------|--------------|---------|----------------|---------------------|
200+
| 2 | `mid_al2_any` |||| (✓) | | |
201+
| 3 | `mid_al3_any` ||| | | | |
202+
| | `mid_al3_simcard` || | | | | |
203+
| | `mid_al3_mobileapp` | || | | | |
204+
| | `mid_al3_any_ch` ||| | || |
205+
| 4 | `mid_al4_any` ||| | (✓) | ||
206+
| | `mid_al4_simcard` || | | | ||
207+
| | `mid_al4_mobileapp` | || | | ||
208+
| | `mid_al4_any_ch` ||| | |||
209+
| | `mid_al4_passkey` | | | || ||
210+
211+
(✓) Passkey is included for `_any` ACRs only if `passkeys_enabled:true` is configured for the client account. `mid_al4_passkey` is passkey-only and phishing-resistant. See [Passkey Authentication](/oidc-integration-guide/passkey-authentication) for detailed passkey ACR documentation.
202212

203213
If a user has more than one authentication method available that comply with the requested ACR, the Mobile ID OP will use the following preference (note, all authentication methods are equally billed):
204214

@@ -323,17 +333,20 @@ The ID token is a JWT and is created (and thus signed, RS256 by default) by the
323333

324334
Authentication Method Reference (AMR) is an attribute within the OpenID Connect Identity Token. The AMR claim makes statements about the authentication method that was used (including additional factors such as geolocation).
325335

326-
| AMR Value | SIM Auth | App Auth | OTP Auth |
327-
|-----------|----------|----------|----------|
328-
| `mid_app` | || |
329-
| `mid_geo` | (✓) | (✓) | |
330-
| `mid_hwk` | || |
331-
| `mid_otp` | | ||
332-
| `mid_sim` || | |
333-
| `mid_sms` || | |
336+
| AMR Value | SIM Auth | App Auth | OTP Auth | Passkey Auth |
337+
|-----------|----------|----------|----------|--------------|
338+
| `mid_app` | || | |
339+
| `mid_geo` | (✓) | (✓) | | |
340+
| `mid_otp` | | || |
341+
| `mid_sim` || | | |
342+
| `mid_sms` || || |
343+
| `phr` | | | ||
344+
| `hwk` ||| ||
334345

335346
::: info
336347
The AMR can be helpful in case the client requests an ACR with an "any" value, such as `mid_al3_any` (see section [ACR](/oidc-integration-guide/getting-started#authentication-context-class-reference-acr)). Since there are multiple authentication methods that comply with such ACR, the client will know from the AMR what authentication method the user actually used for the sign-in.
348+
349+
**Passkey-specific AMR values:** `phr` (Phishing-Resistant, only for `mid_al4_passkey`) and `hwk` (Hardware Key, [RFC 8176](https://datatracker.ietf.org/doc/html/rfc8176)). The `mid_hwk` AMR has been deprecated in favor of the standard `hwk` value. See [Passkey Authentication](/oidc-integration-guide/passkey-authentication#passkey-amr-values) for details.
337350
:::
338351

339352
### Example Access Token Response
@@ -485,6 +498,8 @@ This table presents all the error codes that are currently implemented.
485498
| `invalid_scope` | `mid_req_1110` | Invalid scopes in request |
486499
| `invalid_request` | `mid_req_1120` | AL4 requested but login_hint is empty |
487500
| `invalid_request` | `mid_req_1130` | Invalid request, missing query string |
501+
| `invalid_request` | `mid_req_1140` | Invalid keyring ID in `login_hint` |
502+
| `invalid_request` | `mid_req_1150` | Invalid `login_hint`, AL4 passkey requested but keyring ID is empty |
488503
| `invalid_request` | `mid_req_1900` | Invalid client request, check request parameters |
489504
| `unauthorized_client` | `mid_sec_2010` | Unauthorized scopes used in request |
490505
| `unauthorized_client` | `mid_sec_2020` | Unauthorized acr_values used in request |
@@ -501,12 +516,24 @@ This table presents all the error codes that are currently implemented.
501516
| `access_denied` | `mid_auth_3040` | Country (geo-location) validation failed |
502517
| `access_denied` | `mid_auth_3050` | MSISDN ownership verification failed |
503518
| `access_denied` | `mid_auth_3060` | Mobile ID account activation failed |
519+
| `access_denied` | `mid_auth_3065` | Mobile ID app account activation not completed in time |
504520
| `access_denied` | `mid_auth_3070` | Mobile ID SIM card required for this authentication |
505521
| `access_denied` | `mid_auth_3080` | No authentication method available |
506522
| `access_denied` | `mid_auth_3090` | Authentication via SMS OTP failed |
523+
| `access_denied` | `mid_auth_3100` | Geo accuracy limit validation failed |
524+
| `access_denied` | `mid_auth_3110` | Geo device confidence score limit validation failed |
525+
| `access_denied` | `mid_auth_3120` | Geo location confidence score limit validation failed |
526+
| `access_denied` | `mid_auth_3125` | Geofencing policy violated for referenced AP ID |
507527
| `access_denied` | `mid_auth_3300` | Authentication failed; user did not respond |
508528
| `access_denied` | `mid_auth_3310` | Authentication failed; user is busy with another authentication |
529+
| `access_denied` | `mid_auth_3320` | Authentication failed; provided LDAP credentials were invalid |
530+
| `access_denied` | `mid_auth_3330` | Authentication failed; mandatory LDAP attribute is missing |
531+
| `access_denied` | `mid_auth_3340` | Authentication failed; LDAP server communication exception |
532+
| `access_denied` | `mid_auth_3350` | Authentication failed; LDAP (OIDC) account is time locked |
533+
| `access_denied` | `mid_auth_3400` | Authentication failed; generic LDAP exception |
534+
| `access_denied` | `mid_auth_3500` | Authentication failed; passkey keyring mismatch |
509535
| `access_denied` | `mid_auth_3900` | Authentication failed for other reasons |
536+
| `invalid_request` | `mid_auth_4000` | Invalid `dtbd` parameter used in request |
510537
| `server_error` | `mid_sys_9900` | Internal server error |
511538

512539

0 commit comments

Comments
 (0)