You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/oidc-integration-guide/best-practices.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -141,7 +141,7 @@ Tokens, especially Refresh Tokens, must be treated as credentials and stored sec
141
141
142
142
There are test user accounts available for testing and debugging purpose.
143
143
144
-
Please be aware, due to the strict phone number validation during the Mobile ID authorization flow, these test phone numbers will only be accepted by the Mobile ID server if they are provided via `log-in_hint` request parameter. However, your account must be authorized to use the `login_hint` parameter and requires the use of Pushed Authorisation Requests (PAR), which keeps the parameters confidential between client and server (see section [Pushed Authorization Request (PAR)](/oidc/best-practices#pushed-authorization-request-par) ).
144
+
Please be aware, due to the strict phone number validation during the Mobile ID authorization flow, these test phone numbers will only be accepted by the Mobile ID server if they are provided via `log-in_hint` request parameter. However, your account must be authorized to use the `login_hint` parameter and requires the use of Pushed Authorisation Requests (PAR), which keeps the parameters confidential between client and server (see section [Pushed Authorization Request (PAR)](/oidc-integration-guide/best-practices#pushed-authorization-request-par) ).
Copy file name to clipboardExpand all lines: docs/oidc-integration-guide/getting-started.md
+7-7Lines changed: 7 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -8,8 +8,8 @@ For the technical on-boarding, you will be asked to provide Swisscom with the fo
8
8
|------|--------------------|------|
9
9
|**Client Display Name**| Your client’s name, which is displayed by the authorization server. <br> Example value: `iDemo Online Shop`||
10
10
|**Redirect URI(s)**| Redirection URI(s) to which the response will be sent. Note that TLS (https) is always required and the localhost URI is not allowed.<br> Example value:<br>`https://app01.idemo-company.ch/oauth2/authresp`<br>`https://app02.idemo-company.ch/oauth2/authresp`|[OIDC spec](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest)|
11
-
|**Default ACR**| Your default ACR. Must be a value that is available for your selected Mobile ID contract.<br> Example value: `mid_al3_any`|[Section Auth Code Request ](/oidc/getting-started#authorization-code-request)|
12
-
|**Client Auth Mode**| Your client’s authentication method, either basic or post.<br> Example value: `client_secret_post`|[Section Access Token Request ](/oidc/getting-started#access-token-request)|
11
+
|**Default ACR**| Your default ACR. Must be a value that is available for your selected Mobile ID contract.<br> Example value: `mid_al3_any`|[Section Auth Code Request ](/oidc-integration-guide/getting-started#authorization-code-request)|
12
+
|**Client Auth Mode**| Your client’s authentication method, either basic or post.<br> Example value: `client_secret_post`|[Section Access Token Request ](/oidc-integration-guide/getting-started#access-token-request)|
13
13
|**Always Prompt For Consent**| The Mobile ID server default behavior is to skip the consent step, provided such is already recorded for the given end-user and client.<br> Default: `false`||
14
14
|**MFA Number Matching**| Enable MFA number matching feature for Mobile ID SIM and Mobile ID App authentication.<br> When a user responds to an MFA notification using Mobile ID SIM or Mobile ID App, they'll be presented with a number on their mobile. They need to select that number in the sign-in prompt to complete the approval.<br> Default: `false`|[Video](https://youtu.be/4ACfK_kByKY)|
15
15
|**LDAP Settings**| Optional. Mobile ID server can connect to an LDAP(S) to validate user credentials and/or retrieve user attributes from the LDAP, such as:<br> - MFA mobile number attribute<br> - Mobile ID Serialnumber attribute (required for ACR mid_al4)<br> - User password attribute ||
@@ -72,13 +72,13 @@ The following request query string parameters are supported:
72
72
73
73
| Parameter | Value | Remarks |
74
74
|-----------|-------|---------|
75
-
| scope | MUST contain the value `openid`| Optionally, the client may request additional scopes as specified in [Scopes and Claims](/oidc/getting-started#scopes-and-claims)|
75
+
| scope | MUST contain the value `openid`| Optionally, the client may request additional scopes as specified in [Scopes and Claims](/oidc-integration-guide/getting-started#scopes-and-claims)|
76
76
| response_type | MUST be the value `code`||
77
77
| client_id | MUST be your client ID ||
78
78
| redirect_uri | MUST be (one of) your redirect URI(s) ||
79
79
| state | MUST be an opaque value | Used to maintain state between the request and the callback |
80
80
| nonce | MUST be a nonce value ||
81
-
| acr_values | CAN be set to overwrite the client's default ACR | Authentication Level (AL) required by the client (see [ACR](/oidc/getting-started#authentication-context-class-reference-acr)) |
81
+
| acr_values | CAN be set to overwrite the client's default ACR | Authentication Level (AL) required by the client (see [ACR](/oidc-integration-guide/getting-started#authentication-context-class-reference-acr)) |
82
82
| response_mode | SHALL NOT be used ||
83
83
| display | SHALL NOT be used ||
84
84
| prompt | CAN be set to `login`||
@@ -152,7 +152,7 @@ If a user has more than one authentication method available that comply with the
152
152
| 3 | Unknown SIM card & Active Mobile ID App | Mobile ID App |
153
153
| 4 | Unknown SIM card & Inactive Mobile ID App | AL2: One-Time-Password SMS<br>AL3: Mobile ID App (Account Recovery)<br>AL4: Mobile ID App (Account Recovery) |
154
154
155
-
If your client attempts to request a scope that is not available with your current Mobile ID contract, an OIDC error `mid_sec_2020` ("unauthorized acr_values used in request", see [Error Scheme](/oidc/getting-started#error-scheme)) is returned.
155
+
If your client attempts to request a scope that is not available with your current Mobile ID contract, an OIDC error `mid_sec_2020` ("unauthorized acr_values used in request", see [Error Scheme](/oidc-integration-guide/getting-started#error-scheme)) is returned.
156
156
157
157
Please check with your commercial contact or via Backoffice.Security@swisscom.com if you are interested in ACR values that are listed in the table above but currently not configured for your Mobile ID OIDC account.
The obtained authorization code ([see here](/oidc/getting-started#authorization-code-response)) can be used to receive an access token. This chapter describes how to format the access token request and which data is returned from the access token endpoint.
209
+
The obtained authorization code ([see here](/oidc-integration-guide/getting-started#authorization-code-response)) can be used to receive an access token. This chapter describes how to format the access token request and which data is returned from the access token endpoint.
210
210
211
211
The OpenID Connect RFC states that there are 4 possible client authentication methods (used by clients to authenticate to the Authorization Server when using the Token Endpoint).
212
212
@@ -269,7 +269,7 @@ Authentication Method Reference (AMR) is an attribute within the OpenID Connect
269
269
| mid_sim | ✓ |||
270
270
| mid_sms | ✓ |||
271
271
272
-
The AMR can be helpful in case the client requests an ACR with an "any" value, such as `mid_al3_any` (see section [ACR](/oidc/getting-started#authentication-context-class-reference-acr)). Since there are multiple authentication methods that comply with such ACR, the client will know from the AMR what authentication method the user actually used for the sign-in.
272
+
The AMR can be helpful in case the client requests an ACR with an "any" value, such as `mid_al3_any` (see section [ACR](/oidc-integration-guide/getting-started#authentication-context-class-reference-acr)). Since there are multiple authentication methods that comply with such ACR, the client will know from the AMR what authentication method the user actually used for the sign-in.
0 commit comments