You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
docs: add Passkey Authentication page for OIDC integration guide
Introduce comprehensive documentation for MobileID FIDO2 Passkeys covering
passkey concepts (device-bound vs. synced, NIST AAL3, FIPS 140-2), the
mobileid.ch domain-binding model, RP control over passkey quality via
KeyRingID and claims, OIDC parameters (scopes, ACR/AMR values, login_hint),
feature flag configuration, error codes, and canonical RP scenarios.
Includes MyMobileID Dashboard screenshots for passkey management.
The `sn` parameter is optional and only required for ACR `mid_al4`.
135
+
The `sn` parameter is optional and only required for ACR `mid_al4`. The `keyringId` is required for `mid_al4_passkey` and `mid_al4_any` (when passkeys are enabled). See [Passkey Authentication](/oidc-integration-guide/passkey-authentication) for details.
130
136
:::
131
137
132
138
#### DTBD Parameter
@@ -156,9 +162,10 @@ Given below is the list of supported scopes that can be requested during the aut
A Relying Party should always respect the user's privacy and keep the requested claims down to the very essential. For example, using scope `openid` only, the user sign-in will be anonymous. Neither the phone number nor any other user information will be passed on to the Relying Party's application.
@@ -188,17 +195,20 @@ Below is an overview of all authentication means offered and supported by Mobile
188
195
189
196
An ACR can include one or several different authentication methods. The Mobile ID OP will check the user's authentication possibilities and will select an authentication method that complies with the ACR.
190
197
191
-
| Authentication Level (AL) | ACR value | SIM Card | Mobile App | OTP Text SMS | CH Loc. Check | MID SN Check |
(✓) Passkey is included for `_any` ACRs only if `passkeys_enabled:true` is configured for the client account. `mid_al4_passkey` is passkey-only and phishing-resistant. See [Passkey Authentication](/oidc-integration-guide/passkey-authentication) for detailed passkey ACR documentation.
202
212
203
213
If a user has more than one authentication method available that comply with the requested ACR, the Mobile ID OP will use the following preference (note, all authentication methods are equally billed):
204
214
@@ -323,17 +333,20 @@ The ID token is a JWT and is created (and thus signed, RS256 by default) by the
323
333
324
334
Authentication Method Reference (AMR) is an attribute within the OpenID Connect Identity Token. The AMR claim makes statements about the authentication method that was used (including additional factors such as geolocation).
325
335
326
-
| AMR Value | SIM Auth | App Auth | OTP Auth |
327
-
|-----------|----------|----------|----------|
328
-
|`mid_app`|| ✓ ||
329
-
|`mid_geo`| (✓) | (✓) ||
330
-
|`mid_hwk`|| ✓ ||
331
-
|`mid_otp`||| ✓ |
332
-
|`mid_sim`| ✓ |||
333
-
|`mid_sms`| ✓ |||
336
+
| AMR Value | SIM Auth | App Auth | OTP Auth | Passkey Auth |
The AMR can be helpful in case the client requests an ACR with an "any" value, such as `mid_al3_any` (see section [ACR](/oidc-integration-guide/getting-started#authentication-context-class-reference-acr)). Since there are multiple authentication methods that comply with such ACR, the client will know from the AMR what authentication method the user actually used for the sign-in.
348
+
349
+
**Passkey-specific AMR values:**`phr` (Phishing-Resistant, only for `mid_al4_passkey`) and `hwk` (Hardware Key, [RFC 8176](https://datatracker.ietf.org/doc/html/rfc8176)). The `mid_hwk` AMR has been deprecated in favor of the standard `hwk` value. See [Passkey Authentication](/oidc-integration-guide/passkey-authentication#passkey-amr-values) for details.
337
350
:::
338
351
339
352
### Example Access Token Response
@@ -485,6 +498,8 @@ This table presents all the error codes that are currently implemented.
485
498
|`invalid_scope`|`mid_req_1110`| Invalid scopes in request |
486
499
|`invalid_request`|`mid_req_1120`| AL4 requested but login_hint is empty |
0 commit comments