docs/oidc-integration-guide/getting-started.md
Lines changed: 5 additions & 1 deletion
@@ -93,7 +93,7 @@ The following request query string parameters are supported:
93
93
|`id_token_hint`| SHALL NOT be used ||
94
94
|`claims`| SHALL NOT be used ||
95
95
|`login_hint`| CAN be set to provide a login hint to the authorization server about the end-user's phone number(s) or LDAP username. Must be in a JSON format. | See [Login Hint Examples](/oidc-integration-guide/getting-started#login-hint-examples) below. |
96
-
|`dtbd`| CAN be set to overwrite the default authentication message displayed to the end-user if the authentication method is either Mobile ID SIM or Mobile ID App. | See [DTBD Parameter](/oidc-integration-guide/getting-started#dtbd-parameter) below. |
96
+
|`dtbd`| CAN be set to overwrite the default authentication message displayed to the end-user if the authentication method is either Mobile ID SIM or Mobile ID App. Supports plain string, JSON object, or mixed JSON array. | See [DTBD Parameter](/oidc-integration-guide/getting-started#dtbd-parameter) below and [Message Formats](/oidc-integration-guide/message-formats). |
97
97
98
98
#### Login Hint Examples
99
99
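Review bot: the rewritten `dtbd` row (new line 96) lists three accepted shapes but never says which authentication method each shape targets, so the table cannot explain on its own why a mixed array exists. Suggest extending the description with a short parenthetical before the link, for example: `Supports a plain string (Mobile ID SIM), a JSON object (Mobile ID App), or a two-element JSON array carrying both for _any ACR values.`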
@@ -142,6 +142,8 @@ The `dtbd` message should include these keywords:
142
142
-`#SESSION#` — A unique transaction number. In case MFA Number Matching is enabled, this keyword will be replaced with the matching number.
143
143
-`#CLIENT#` — Relying Party Display Name.
144
144
145
+
For requests using `_any` ACR values (for example `mid_al2_any` or `mid_al3_any`), the final method can be resolved at runtime. In this case, you can send mixed `dtbd` (JSON array with one Classic string and one Transaction Approval object) so SIM and App are both covered in one request. See [Message Formats](/oidc-integration-guide/message-formats#mixed-dtbd-classic--transaction-approval).
146
+
145
147
The default authentication message is:
146
148
147
149
| Language | Message |
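Review bot: the new paragraph on `_any` ACR values (new lines 145-146) covers the SIM and App outcomes but not the third possible resolution, Passkey, for which this same change states elsewhere that `dtbd` is ignored; it also leaves open what happens when only one representation is sent and the other method is selected. Add one sentence stating both, e.g. `If the method resolves to Passkey, dtbd is ignored; if a single representation is sent and the other method is selected, ...` with the actual behaviour (request rejected or default message shown) filled in.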
@@ -170,6 +172,7 @@ Given below is the list of supported scopes that can be requested during the aut
170
172
|`mid_profile`|`mid_profile_recovery_code_status`| boolean |`true`| Whether a recovery code has been set |
171
173
||`mid_profile_serial`| string |`MIDCHEYUD1YE4QB1`| Mobile ID serial number |
||`mid_pk_os_family`| string |`iOS`\|`Android`\|`Windows`| OS family of the authenticator platform |
197
+
||`mid_pk_aal3`| boolean |`true`| Whether the passkey authenticator used in the transaction is NIST AAL3-compliant |
194
198
195
199
::: tip
196
200
A Relying Party should always respect the user's privacy and keep the requested claims down to the very essential. For example, using scope `openid` only, the user sign-in will be anonymous. Neither the phone number nor any other user information will be passed on to the Relying Party's application.
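Review bot: the `mid_pk_aal3` row added here (new line 197) describes the claim as `Whether the passkey authenticator used in the transaction is NIST AAL3-compliant`, while the row added to passkey-authentication.md in the same change reads `Whether the authenticator used in the transaction is NIST AAL3-compliant`; use one wording in both tables. The row is inserted with an empty scope cell (`||`), so also confirm which scope it inherits after the insert, since the surrounding context is stitched from two distant parts of the table.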
-**App resolved:** Transaction Approval is used when present.
108
+
-**Passkey resolved:**`dtbd` is ignored (existing behavior).
109
+
110
+
Validation notes:
111
+
112
+
- The `dtbd` array must contain one string and one object (max two elements).
113
+
- Empty arrays, duplicate types, malformed JSON, or unsupported element types are rejected with `mid_auth_4000`.
114
+
- Existing Classic and Transaction Approval limits apply unchanged inside the array.
115
+
75
116
## Transaction Approval Example
76
117
77
118
### Pretty JSON
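Review bot: `App resolved: Transaction Approval is used when present` (new line 108) sits uneasily beside the validation note that a mixed array must contain exactly one string and one object, under which the object is always present; either drop `when present` or document the single-representation case it refers to (a plain-string `dtbd` with App resolved: Classic text shown, default message, or `mid_auth_4000`). The validation notes should also state whether element order in the array is significant, i.e. whether `[string, object]` and `[object, string]` are both accepted.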
@@ -141,10 +182,13 @@ Request an App ACR (e.g., `mid_al3_mobileapp`) if you want to ensure the App met
141
182
142
183
i.e., the `dtbd` array only; the `type` label is not part of the signed bytes.
143
184
185
+
**Mixed DTBD:** only the representation selected for the resolved method is signed (Classic text for SIM, Transaction Approval normalized content for App).
186
+
144
187
## Best practices
145
188
146
189
::: info
147
190
-**Build → URL-encode → send:** generate the JSON with your library, then URL-encode as `dtbd`. Avoid hand-crafted strings. (Use PAR for large payloads/confidentiality.)
191
+
-**Use mixed format for `_any` ACRs:** when method resolution may end on SIM or App, send both representations in one array.
148
192
-**Select App method:** use `acr_values` (e.g., `mid_al3_mobileapp`) when you want to ensure App UX.
149
193
-**Prefix rule:** include your DTBD prefix in the value of the first pair.
150
194
-**Respect byte limits:** limits are in bytes, not characters; UTF-8 non-ASCII uses 2–4 bytes.
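Review bot: the `Mixed DTBD` signing note (new line 185) should spell out the consequence for verification: the representation not selected for the resolved method lies outside the signed bytes, so a Relying Party must not treat it as user-approved content and must rebuild the signed input from the selected representation alone, determining that selection from the resolved method (for example the `acr`/`amr` claims) rather than from the array it sent. A sentence such as `Verifiers must select the same representation as the authorization server; the other array element is not covered by the signature` would close the gap.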
docs/oidc-integration-guide/passkey-authentication.md
Lines changed: 2 additions & 0 deletions
@@ -186,9 +186,11 @@ To receive passkey-related claims, add the `mid_passkey` scope to the authorizat
186
186
||`mid_pk_cred_fingerprint`| string |`pQECAyYgASFY...`| SHA-256 of the credential public key ([COSE](https://datatracker.ietf.org/doc/html/rfc9052) format) |
||`mid_pk_os_family`| string |`iOS`\|`Android`\|`Windows`| OS family of the authenticator platform |
189
+
||`mid_pk_aal3`| boolean |`true`| Whether the authenticator used in the transaction is NIST AAL3-compliant |
189
190
190
191
::: tip Claim delivery and availability
191
192
The `mid_pk_keyringid` claim is also available via the `mid_profile` scope, allowing RPs to retrieve the KeyRingID without requesting the full `mid_passkey` scope.
193
+
The signer certificate chain claim `mid_profile_signer_cert_chain` is delivered via `mid_profile` scope (not `mid_passkey`).
192
194
193
195
**ID Token** should carry the minimal set of claims needed for cryptographic proof (sub, iss, aud, acr, amr, nonce, etc.). **UserInfo endpoint** is the recommended delivery channel for passkey detail claims, as they may change and can be verbose.
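Review bot: the two added lines (new lines 189 and 193) say that `mid_pk_aal3` is returned and that `mid_profile_signer_cert_chain` comes via `mid_profile` rather than `mid_passkey`, but neither says whether these claims appear in the ID Token or only via UserInfo; given the guidance in this hunk that passkey detail claims belong in UserInfo, a Relying Party that gates access on AAL3 needs that stated explicitly, together with a reminder to read the value only from the signed ID Token or the UserInfo response and never from a client-supplied copy. The `mid_profile_signer_cert_chain` sentence would also read better with a link to wherever that claim is defined in the guide, if such a definition exists.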