Skip to content

Commit cc29a3a

Browse files
committed
docs: add hyperlinks to standards, RFCs, and technical references
Link important technical terms to their authoritative sources across all documentation pages, similar to academic citation practice. Includes FIPS 140-2, ETSI TS 102 204, OAuth 2.0, JWT, PKCE, PAR, E.164, GSM 03.38, PSD2, NIST references, CVE-2024-3596, FIDO Metadata Service, COSE, CMS, EAL5+, TPM, and all RADIUS-related RFCs.
1 parent 0752742 commit cc29a3a

11 files changed

Lines changed: 46 additions & 42 deletions

File tree

docs/.vitepress/config.mts

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -83,8 +83,8 @@ export default defineConfig({
8383
{ text: 'Introduction', link: '/oidc-integration-guide/introduction' },
8484
{ text: 'Getting Started', link: '/oidc-integration-guide/getting-started' },
8585
{ text: 'Best Practices', link: '/oidc-integration-guide/best-practices' },
86-
{ text: 'Public Cloud Integration', link: '/oidc-integration-guide/cloud-integration-guide' },
8786
{ text: 'Passkey Authentication', link: '/oidc-integration-guide/passkey-authentication' },
87+
{ text: 'Public Cloud Integration', link: '/oidc-integration-guide/cloud-integration-guide' },
8888
{ text: 'MobileID OIDC - Use Cases', link: '/oidc-integration-guide/oidc-use-cases' },
8989
{ text: 'App Message Formats', link: '/oidc-integration-guide/message-formats' }
9090
]

docs/oidc-integration-guide/best-practices.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@
44

55
### Back-channel PAR Submission
66

7-
The Pushed Authorisation Request (PAR) endpoint gives OAuth 2.0 clients a back-channel to post the parameters of an authorisation request to the Mobile ID server, to obtain an opaque URI handle for them, and then continue with the frontend redirection to the authorisation endpoint as usual.
7+
The [Pushed Authorisation Request (PAR)](https://datatracker.ietf.org/doc/html/rfc9126) endpoint gives OAuth 2.0 clients a back-channel to post the parameters of an authorisation request to the Mobile ID server, to obtain an opaque URI handle for them, and then continue with the frontend redirection to the authorisation endpoint as usual.
88

99
::: info
1010
Introducing an extra backend call to submit the authorisation parameters has three benefits:
@@ -48,7 +48,7 @@ response_type=code
4848
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
4949
```
5050

51-
Example PAR request for a public client with PKCE:
51+
Example PAR request for a public client with [PKCE](https://datatracker.ietf.org/doc/html/rfc7636):
5252

5353
```http
5454
POST /par HTTP/1.1

docs/oidc-integration-guide/introduction.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -2,10 +2,10 @@
22

33
This document provides Relying Parties (RPs) with technical guidance and best practices for integrating Mobile ID OpenID Provider (MobileID OP) into their applications.
44

5-
The MobileID OP can be used for both authorization and authentication. It fully complies with the OpenID Connect specification.
5+
The MobileID OP can be used for both authorization and authentication. It fully complies with the [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) specification.
66

77
::: info OpenID Connect
8-
OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
8+
OpenID Connect is a simple identity layer on top of the [OAuth 2.0](https://datatracker.ietf.org/doc/html/rfc6749) protocol. It allows clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
99

1010
OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data, discovery of OpenID Providers, and session management, when it makes sense for them.
1111

@@ -26,7 +26,7 @@ The most basic key concepts are as follows.
2626
- **Scopes** are identifiers used to specify what access privileges are being requested.
2727
- **Claims** are simply key & value pairs that contain information about an End-User, as well as meta-information about the authentication event. Non-standard claims can be specified as custom claims.
2828
- **Access Token** is a credential used to access protected resources directly. Access tokens usually have an expiration date and are short-lived. They must be kept secret, though security considerations are less strict due to their shorter life.
29-
- **ID Token** is an identity token provided by the OpenID Provider to the Relying Party. The identity token contains a number of claims about that End-User and also attributes about the End-User authentication event, in a standard JWT format and signed by the OpenID Provider (so it can be verified by the intended recipients). It may optionally be encrypted for confidentiality.
29+
- **ID Token** is an identity token provided by the OpenID Provider to the Relying Party. The identity token contains a number of claims about that End-User and also attributes about the End-User authentication event, in a standard [JWT](https://datatracker.ietf.org/doc/html/rfc7519) format and signed by the OpenID Provider (so it can be verified by the intended recipients). It may optionally be encrypted for confidentiality.
3030
- **Refresh Token** carries the information necessary to get a new access token. Refresh tokens can also expire but are rather long-lived.
3131

3232
## Authorization Code Grant Flow

docs/oidc-integration-guide/message-formats.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ Mobile ID App screens can present the Data-To-Be-Displayed (DTBD) in two formats
55
::: tip
66
Use **Classic DTBD** for short confirmations and when you must support SIM users. Keep messages concise and always include the "DTBD Prefix".
77

8-
Use **Transaction Approval** when readability matters (e.g., PSD2 payments, contract consent, step up login verification). Force the App method with Device LoA4, keep within byte limits, and generate the escaped JSON programmatically.
8+
Use **Transaction Approval** when readability matters (e.g., [PSD2](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32015L2366) payments, contract consent, step up login verification). Force the App method with Device LoA4, keep within byte limits, and generate the escaped JSON programmatically.
99
:::
1010

1111
1. **Classic DTBD** (single text line) uses a plain UTF-8 string that is also signed (DTBS).
@@ -31,7 +31,7 @@ Use **Transaction Approval** when readability matters (e.g., PSD2 payments, cont
3131
A single UTF-8 string shown on the device. The classic DTBD must include the AP-specific DTBD prefix (e.g., `Bank ACME:`) and is supported by both SIM and App methods.
3232

3333
::: warning
34-
Keep the DTBD short. Maximum **239 characters**; if any character falls outside the GSM 03.38 set, effective maximum is **119 characters**.
34+
Keep the DTBD short. Maximum **239 characters**; if any character falls outside the [GSM 03.38](https://en.wikipedia.org/wiki/GSM_03.38) set, effective maximum is **119 characters**.
3535
:::
3636

3737
Parameter: `dtbd` with a plain string. The OP renders the classic one-line message.

docs/oidc-integration-guide/passkey-authentication.md

Lines changed: 8 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,9 @@
11
# Passkey Authentication (early access)
22

3+
::: warning Early Access — Pilot Phase
4+
MobileID Passkeys are currently available to **pilot testers only** and are not yet generally available in the production environment. This documentation is published in advance so Relying Parties can prepare their integration. General availability for all customers and users is expected **very soon**. Check back shortly for updates.
5+
:::
6+
37
MobileID now supports **FIDO2 Passkeys** as an authentication method within the OpenID Connect service. Relying Parties can allow their users to authenticate using MobileID Passkeys - alongside or instead of the existing MobileID SIM, App, and OTP SMS methods.
48

59
## What Are Passkeys?
@@ -19,13 +23,13 @@ Key characteristics of passkeys:
1923

2024
The term "Passkeys" is an **umbrella term** for FIDO2-based authenticators. Under the hood, these can be **platform authenticators** (built into a device, such as Touch ID or Windows Hello) or **roaming authenticators** (external hardware keys, such as a YubiKey). These authenticator types differ significantly in how they store the private key - and this distinction directly impacts the security assurance level they can achieve.
2125

22-
For MobileID, one of the most relevant security standards is [**NIST AAL3**](https://pages.nist.gov/800-63-3/sp800-63b.html) (Authentication Assurance Level 3), which specifies the highest level of authentication assurance. To achieve AAL3, the authenticator must be **device-bound** (the private key cannot be exported or synced) and the hardware must be **FIPS 140-2 certified**. Cloud-synced passkeys - while phishing-resistant and suitable for AAL2 - do not meet AAL3 because the private key is exportable across devices.
26+
For MobileID, one of the most relevant security standards is [**NIST AAL3**](https://pages.nist.gov/800-63-3/sp800-63b.html) (Authentication Assurance Level 3), which specifies the highest level of authentication assurance. To achieve AAL3, the authenticator must be **device-bound** (the private key cannot be exported or synced) and the hardware must be **[FIPS 140-2](https://csrc.nist.gov/pubs/fips/140-2/upd2/final) certified**. Cloud-synced passkeys - while phishing-resistant and suitable for AAL2 - do not meet AAL3 because the private key is exportable across devices.
2327

2428
This distinction matters for Relying Parties integrating MobileID: while **MobileID users are free to register any type of passkey** in their [MyMobileID Dashboard](https://mobileid.ch/login), the **RP has full control** over which passkey types are accepted during authentication. Through the passkey claims returned by MobileID (see [Passkey Scope and Claims](#passkey-scope-and-claims)), the RP can enforce specific requirements - for example, accepting only FIPS 140-2 certified, device-bound passkeys for high-assurance use cases.
2529

2630
| Aspect | Device-Bound Passkeys | Cloud-Synced Passkeys |
2731
|--------|----------------------|----------------------|
28-
| **Private key storage** | Stored locally on a single device's secure hardware (e.g., Secure Enclave, TPM) | Synced across devices via encrypted cloud services (e.g., iCloud Keychain, Google Password Manager) |
32+
| **Private key storage** | Stored locally on a single device's secure hardware (e.g., Secure Enclave, [TPM](https://trustedcomputinggroup.org/resource/tpm-library-specification/)) | Synced across devices via encrypted cloud services (e.g., iCloud Keychain, Google Password Manager) |
2933
| **Examples** | YubiKey, Windows Hello, hardware security keys | Apple Passkeys, Google Passkeys |
3034
| **Portability** | Tied to one device; if lost, the passkey is lost | Available on all devices within the user's ecosystem |
3135
| **NIST AAL3 compliance** | Yes (if FIPS 140-2 certified) | No (private key is exportable) |
@@ -151,8 +155,8 @@ To receive passkey-related claims, add the `mid_passkey` scope to the authorizat
151155
| | `mid_pk_cert_level` | string | `FIPS140-2` \| `CommonCriteria` | Certification level of the authenticator |
152156
| | `mid_pk_created_ts` | number | `1717584000` | When the credential was first registered (Unix epoch) |
153157
| | `mid_pk_last_used_ts` | number | `1717591234` | Last usage timestamp (helps risk engines spot dormant keys) |
154-
| | `mid_pk_aaguid` | string | `2fc0579f-8113-...` | FIDO Metadata Service identifier; maps to authenticator vendor/model |
155-
| | `mid_pk_cred_fingerprint` | string | `pQECAyYgASFY...` | SHA-256 of the credential public key (COSE format) |
158+
| | `mid_pk_aaguid` | string | `2fc0579f-8113-...` | [FIDO Metadata Service](https://fidoalliance.org/metadata/) identifier; maps to authenticator vendor/model |
159+
| | `mid_pk_cred_fingerprint` | string | `pQECAyYgASFY...` | SHA-256 of the credential public key ([COSE](https://datatracker.ietf.org/doc/html/rfc9052) format) |
156160
| | `mid_pk_auth_attachment` | string | `platform` \| `cross-platform` | Authenticator attachment modality |
157161
| | `mid_pk_os_family` | string | `iOS` \| `Android` \| `Windows` | OS family of the authenticator platform |
158162

docs/radius-interface-gateway-guide/annexes.md

Lines changed: 19 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -6,25 +6,25 @@ The following list contains a set of RFCs that cover the various aspects of the
66

77
| RFC | Title |
88
|-----|-------|
9-
| RFC 2865 | Remote Authentication Dial-In User Service (RADIUS) |
10-
| RFC 2866 | RADIUS Accounting |
11-
| RFC 2867 | RADIUS Accounting Modifications for Tunnel Protocol Support |
12-
| RFC 2868 | RADIUS Attributes for Tunnel Protocol Support |
13-
| RFC 2869 | RADIUS Extensions |
14-
| RFC 3162 | RADIUS and IPv6 |
15-
| RFC 3575 | IANA Considerations for RADIUS |
16-
| RFC 3579 | RADIUS Support for Extensible Authentication Protocol |
17-
| RFC 3580 | IEEE 802.1X RADIUS Usage Guidelines |
18-
| RFC 5080 | Common RADIUS Implementation Issues and Suggested Fixes |
19-
| RFC 6158 | RADIUS Design Guidelines |
20-
| RFC 6572 | RADIUS Support for Proxy Mobile IPv6 |
21-
| RFC 6613 | RADIUS over TCP (updated by RFC 7930) |
22-
| RFC 6614 | Transport Layer Security (TLS) Encryption for RADIUS |
23-
| RFC 6929 | RADIUS Protocol Extensions |
24-
| RFC 7268 | RADIUS Attributes for IEEE 802 Networks |
25-
| RFC 7930 | Larger Packets for RADIUS over TCP |
26-
| RFC 8044 | Data Types in RADIUS |
27-
| RFC 2607 | Proxy Chaining and Policy Implementation in Roaming |
9+
| [RFC 2865](https://datatracker.ietf.org/doc/html/rfc2865) | Remote Authentication Dial-In User Service (RADIUS) |
10+
| [RFC 2866](https://datatracker.ietf.org/doc/html/rfc2866) | RADIUS Accounting |
11+
| [RFC 2867](https://datatracker.ietf.org/doc/html/rfc2867) | RADIUS Accounting Modifications for Tunnel Protocol Support |
12+
| [RFC 2868](https://datatracker.ietf.org/doc/html/rfc2868) | RADIUS Attributes for Tunnel Protocol Support |
13+
| [RFC 2869](https://datatracker.ietf.org/doc/html/rfc2869) | RADIUS Extensions |
14+
| [RFC 3162](https://datatracker.ietf.org/doc/html/rfc3162) | RADIUS and IPv6 |
15+
| [RFC 3575](https://datatracker.ietf.org/doc/html/rfc3575) | IANA Considerations for RADIUS |
16+
| [RFC 3579](https://datatracker.ietf.org/doc/html/rfc3579) | RADIUS Support for Extensible Authentication Protocol |
17+
| [RFC 3580](https://datatracker.ietf.org/doc/html/rfc3580) | IEEE 802.1X RADIUS Usage Guidelines |
18+
| [RFC 5080](https://datatracker.ietf.org/doc/html/rfc5080) | Common RADIUS Implementation Issues and Suggested Fixes |
19+
| [RFC 6158](https://datatracker.ietf.org/doc/html/rfc6158) | RADIUS Design Guidelines |
20+
| [RFC 6572](https://datatracker.ietf.org/doc/html/rfc6572) | RADIUS Support for Proxy Mobile IPv6 |
21+
| [RFC 6613](https://datatracker.ietf.org/doc/html/rfc6613) | RADIUS over TCP (updated by [RFC 7930](https://datatracker.ietf.org/doc/html/rfc7930)) |
22+
| [RFC 6614](https://datatracker.ietf.org/doc/html/rfc6614) | Transport Layer Security (TLS) Encryption for RADIUS |
23+
| [RFC 6929](https://datatracker.ietf.org/doc/html/rfc6929) | RADIUS Protocol Extensions |
24+
| [RFC 7268](https://datatracker.ietf.org/doc/html/rfc7268) | RADIUS Attributes for IEEE 802 Networks |
25+
| [RFC 7930](https://datatracker.ietf.org/doc/html/rfc7930) | Larger Packets for RADIUS over TCP |
26+
| [RFC 8044](https://datatracker.ietf.org/doc/html/rfc8044) | Data Types in RADIUS |
27+
| [RFC 2607](https://datatracker.ietf.org/doc/html/rfc2607) | Proxy Chaining and Policy Implementation in Roaming |
2828

2929
## RADIUS Testing Tools
3030

docs/radius-interface-gateway-guide/introduction.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -39,7 +39,7 @@ RADIUS users are typically defined in the format `user@domain`. However, Mobile
3939
- Accounting Webhook (forward accounting traffic to external systems)
4040
- Supports Fortinet Vendor Specific Attributes (VSA)
4141
- Support for Docker secrets via `_FILE` environment variables
42-
- BlastRADIUS mitigation — Message-Authenticator support (CVE-2024-3596)
42+
- [BlastRADIUS](https://www.blastradius.fail/) mitigation — Message-Authenticator support ([CVE-2024-3596](https://nvd.nist.gov/vuln/detail/CVE-2024-3596))
4343

4444
### Features Planned
4545

docs/radius-interface-gateway-guide/radius-protocol.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -14,10 +14,10 @@ The RADIUS protocol is a binary network protocol, operating on ports **1812** an
1414

1515
The protocol is covered by several RFCs, the most important ones being:
1616

17-
- **RFC 2865** — Remote Authentication Dial-In User Service (RADIUS)
18-
- **RFC 2866** — RADIUS Accounting
19-
- **RFC 2869** — RADIUS Extensions
20-
- **RFC 6613** — RADIUS over TCP (updated by RFC 7930)
17+
- **[RFC 2865](https://datatracker.ietf.org/doc/html/rfc2865)** — Remote Authentication Dial-In User Service (RADIUS)
18+
- **[RFC 2866](https://datatracker.ietf.org/doc/html/rfc2866)** — RADIUS Accounting
19+
- **[RFC 2869](https://datatracker.ietf.org/doc/html/rfc2869)** — RADIUS Extensions
20+
- **[RFC 6613](https://datatracker.ietf.org/doc/html/rfc6613)** — RADIUS over TCP (updated by [RFC 7930](https://datatracker.ietf.org/doc/html/rfc7930))
2121

2222
A larger list of related RFCs can be found in the [Annexes](/radius-interface-gateway-guide/annexes#radius-related-rfcs).
2323

docs/rest-api-guide/best-practices.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@ When constructing an MSS Signature request, the following best-practice guidelin
2525
Duplicate triplets are rejected.
2626

2727
4. **Specify `MSISDN` in international format**
28-
The user's phone number must follow international (E.164) notation without spaces.
28+
The user's phone number must follow international ([E.164](https://www.itu.int/rec/T-REC-E.164/)) notation without spaces.
2929
A leading “+” is allowed but optional.
3030
- **Example:** `+41791234567`
3131

@@ -37,7 +37,7 @@ When constructing an MSS Signature request, the following best-practice guidelin
3737
- Encoded in UTF-8 [<sup id="a17">17</sup>](#17).
3838
- Should include a unique transaction reference (e.g., timestamp, customer ID, contract ID).
3939
- **Length limits:**
40-
- Maximum 239 characters if all characters are in the standard GSM DA character set.
40+
- Maximum 239 characters if all characters are in the standard [GSM 03.38](https://en.wikipedia.org/wiki/GSM_03.38) character set.
4141
- If any character falls outside this set (e.g., the lowercase cedilla "ç"), the maximum length reduces to 119 characters.
4242
- Keep the message as short and user-friendly as possible.
4343

docs/rest-api-guide/introduction.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@ It is suitable for various system landscapes and meets strict regulatory require
3232
## MSS Signature Service
3333

3434
Mobile ID is a cost-efficient, managed authentication service operated by Swisscom.
35-
The customer-facing API follows the open standard ETSI 102 204 V1.1 (2003-08).
35+
The customer-facing API follows the open standard [ETSI TS 102 204](https://www.etsi.org/deliver/etsi_ts/102200_102299/102204/) V1.1 (2003-08).
3636

3737
Authentication in Mobile ID is based on a secure hardware token which can be either:
3838

@@ -60,7 +60,7 @@ An Application Provider (AP) can request SIM Toolkit (STK) based authentication,
6060
- **2nd Factor:** Personal Mobile ID PIN (Knowledge Factor)
6161

6262
- **High Level of Security**
63-
- Tamper-proof secure hardware (EAL5+ and ITSEC E3 certified)
63+
- Tamper-proof secure hardware ([EAL5+](https://www.commoncriteriaportal.org/ccra/) and ITSEC E3 certified)
6464
- Authentication via a separate encrypted channel
6565

6666
- **Pre-installed** STK App on the SIM/eSIM profile

0 commit comments

Comments
 (0)