Skip to content

Commit da7cdd8

Browse files
committed
Document mixed OIDC DTBD format and new claims.
Clarify mixed DTBD array behavior for _any ACR flows and add documentation for mid_pk_aal3 and mid_profile_signer_cert_chain claims in OIDC guides.
1 parent 8ee94dd commit da7cdd8

3 files changed

Lines changed: 53 additions & 3 deletions

File tree

docs/oidc-integration-guide/getting-started.md

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -93,7 +93,7 @@ The following request query string parameters are supported:
9393
| `id_token_hint` | SHALL NOT be used | |
9494
| `claims` | SHALL NOT be used | |
9595
| `login_hint` | CAN be set to provide a login hint to the authorization server about the end-user's phone number(s) or LDAP username. Must be in a JSON format. | See [Login Hint Examples](/oidc-integration-guide/getting-started#login-hint-examples) below. |
96-
| `dtbd` | CAN be set to overwrite the default authentication message displayed to the end-user if the authentication method is either Mobile ID SIM or Mobile ID App. | See [DTBD Parameter](/oidc-integration-guide/getting-started#dtbd-parameter) below. |
96+
| `dtbd` | CAN be set to overwrite the default authentication message displayed to the end-user if the authentication method is either Mobile ID SIM or Mobile ID App. Supports plain string, JSON object, or mixed JSON array. | See [DTBD Parameter](/oidc-integration-guide/getting-started#dtbd-parameter) below and [Message Formats](/oidc-integration-guide/message-formats). |
9797

9898
#### Login Hint Examples
9999

@@ -142,6 +142,8 @@ The `dtbd` message should include these keywords:
142142
- `#SESSION#` — A unique transaction number. In case MFA Number Matching is enabled, this keyword will be replaced with the matching number.
143143
- `#CLIENT#` — Relying Party Display Name.
144144

145+
For requests using `_any` ACR values (for example `mid_al2_any` or `mid_al3_any`), the final method can be resolved at runtime. In this case, you can send mixed `dtbd` (JSON array with one Classic string and one Transaction Approval object) so SIM and App are both covered in one request. See [Message Formats](/oidc-integration-guide/message-formats#mixed-dtbd-classic--transaction-approval).
146+
145147
The default authentication message is:
146148

147149
| Language | Message |
@@ -170,6 +172,7 @@ Given below is the list of supported scopes that can be requested during the aut
170172
| `mid_profile` | `mid_profile_recovery_code_status` | boolean | `true` | Whether a recovery code has been set |
171173
| | `mid_profile_serial` | string | `MIDCHEYUD1YE4QB1` | Mobile ID serial number |
172174
| | `mid_pk_keyringid` | string | `MIDPK123A567B90` | Passkey keyring identifier |
175+
| | `mid_profile_signer_cert_chain` | string[] | `["MIIF...","MIIE..."]` | Signer certificate chain (Base64-encoded DER certificates) |
173176
| | `mid_profile_sim_status` | string | `active` | SIM card activation status |
174177
| | `mid_profile_sim_pin_status` | string | `active` | SIM PIN status |
175178
| | `mid_profile_sim_mcc` | string | `228` | Mobile Country Code |
@@ -191,6 +194,7 @@ Given below is the list of supported scopes that can be requested during the aut
191194
| | `mid_pk_cred_fingerprint` | string | `pQECAyYgASFY...` | SHA-256 of the credential public key ([COSE](https://datatracker.ietf.org/doc/html/rfc9052)) |
192195
| | `mid_pk_auth_attachment` | string | `platform` \| `cross-platform` | Authenticator attachment modality |
193196
| | `mid_pk_os_family` | string | `iOS` \| `Android` \| `Windows` | OS family of the authenticator platform |
197+
| | `mid_pk_aal3` | boolean | `true` | Whether the passkey authenticator used in the transaction is NIST AAL3-compliant |
194198

195199
::: tip
196200
A Relying Party should always respect the user's privacy and keep the requested claims down to the very essential. For example, using scope `openid` only, the user sign-in will be anonymous. Neither the phone number nor any other user information will be passed on to the Relying Party's application.

docs/oidc-integration-guide/message-formats.md

Lines changed: 46 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# Message Formats on the Mobile ID App
22

3-
Mobile ID App screens can present the Data-To-Be-Displayed (DTBD) in two formats.
3+
Mobile ID supports three request variants for the Data-To-Be-Displayed (DTBD): Classic, Transaction Approval, and a mixed format that contains both.
44

55
::: tip
66
Use **Classic DTBD** for short confirmations and when you must support SIM users. Keep messages concise and always include the "DTBD Prefix".
@@ -21,10 +21,14 @@ Use **Transaction Approval** when readability matters (e.g., [PSD2](https://eur-
2121

2222
Approve/Cancel becomes active only after the user scrolls to the end if content exceeds one screen.
2323

24-
RPs request this by sending a JSON object in the dtbd authorization parameter.
24+
RPs request this by sending a JSON object in the `dtbd` authorization parameter.
2525

2626
<img src="/img/message-formats-transaction-approval.png" alt="message-formats-transaction-approval" width="350">
2727

28+
3. **Mixed DTBD** (JSON array with Classic + Transaction Approval) lets the RP send both representations in one request.
29+
30+
This is useful with `_any` ACR values (for example `mid_al3_any`) where the final method is resolved at runtime.
31+
2832

2933
## Classic DTBD
3034

@@ -72,6 +76,43 @@ How to request it: Send a JSON object via the `dtbd` authorization request param
7276
- **DTBD Prefix** (required): your configured prefix must be in the value of the first pair
7377
e.g., `{"key":"Company","value":"Acme AG: ..."}`
7478

79+
## Mixed DTBD (Classic + Transaction Approval)
80+
81+
Send a JSON array in `dtbd` that contains:
82+
83+
- exactly one Classic DTBD string
84+
- exactly one Transaction Approval object
85+
86+
The order does not matter. The OP detects element types by JSON type (string vs object).
87+
88+
```json
89+
[
90+
"MobileID: Confirm sign in to MyBank? Ref: #SESSION#",
91+
{
92+
"type": "MyBank Login",
93+
"dtbd": [
94+
{ "key": "Username", "value": "MobileID: Nora Keller" },
95+
{ "key": "IP Address", "value": "185.45.16.238" },
96+
{ "key": "City", "value": "Basel" },
97+
{ "key": "Agent", "value": "Apple iPhone" },
98+
{ "key": "Reference ID", "value": "LOGIN-VRFY-XZ1" }
99+
]
100+
}
101+
]
102+
```
103+
104+
Selection behavior:
105+
106+
- **SIM resolved:** Classic DTBD is used.
107+
- **App resolved:** Transaction Approval is used when present.
108+
- **Passkey resolved:** `dtbd` is ignored (existing behavior).
109+
110+
Validation notes:
111+
112+
- The `dtbd` array must contain one string and one object (max two elements).
113+
- Empty arrays, duplicate types, malformed JSON, or unsupported element types are rejected with `mid_auth_4000`.
114+
- Existing Classic and Transaction Approval limits apply unchanged inside the array.
115+
75116
## Transaction Approval Example
76117

77118
### Pretty JSON
@@ -141,10 +182,13 @@ Request an App ACR (e.g., `mid_al3_mobileapp`) if you want to ensure the App met
141182

142183
i.e., the `dtbd` array only; the `type` label is not part of the signed bytes.
143184

185+
**Mixed DTBD:** only the representation selected for the resolved method is signed (Classic text for SIM, Transaction Approval normalized content for App).
186+
144187
## Best practices
145188

146189
::: info
147190
- **Build → URL-encode → send:** generate the JSON with your library, then URL-encode as `dtbd`. Avoid hand-crafted strings. (Use PAR for large payloads/confidentiality.)
191+
- **Use mixed format for `_any` ACRs:** when method resolution may end on SIM or App, send both representations in one array.
148192
- **Select App method:** use `acr_values` (e.g., `mid_al3_mobileapp`) when you want to ensure App UX.
149193
- **Prefix rule:** include your DTBD prefix in the value of the first pair.
150194
- **Respect byte limits:** limits are in bytes, not characters; UTF-8 non-ASCII uses 2–4 bytes.

docs/oidc-integration-guide/passkey-authentication.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -186,9 +186,11 @@ To receive passkey-related claims, add the `mid_passkey` scope to the authorizat
186186
| | `mid_pk_cred_fingerprint` | string | `pQECAyYgASFY...` | SHA-256 of the credential public key ([COSE](https://datatracker.ietf.org/doc/html/rfc9052) format) |
187187
| | `mid_pk_auth_attachment` | string | `platform` \| `cross-platform` | Authenticator attachment modality |
188188
| | `mid_pk_os_family` | string | `iOS` \| `Android` \| `Windows` | OS family of the authenticator platform |
189+
| | `mid_pk_aal3` | boolean | `true` | Whether the authenticator used in the transaction is NIST AAL3-compliant |
189190

190191
::: tip Claim delivery and availability
191192
The `mid_pk_keyringid` claim is also available via the `mid_profile` scope, allowing RPs to retrieve the KeyRingID without requesting the full `mid_passkey` scope.
193+
The signer certificate chain claim `mid_profile_signer_cert_chain` is delivered via `mid_profile` scope (not `mid_passkey`).
192194

193195
**ID Token** should carry the minimal set of claims needed for cryptographic proof (sub, iss, aud, acr, amr, nonce, etc.). **UserInfo endpoint** is the recommended delivery channel for passkey detail claims, as they may change and can be verbose.
194196

0 commit comments

Comments
 (0)