GSMA Mobile Connect
GSMA Mobile Connect is an application of OpenID Connect that facilitates the use of mobile phones as authentication devices independent of the service provided, and independent of the device used to consume the service.
Mobile Connect thus offers a standard way for Mobile Network Operators to act as general-purpose identity providers, providing a range of levels of assurance and profile data to Mobile Connect-compliant Service Providers.
In a Mobile Connect deployment, AM can play the following roles:
The OpenID provider role, implementing the Mobile Connect Profile as part of the Service Provider (Identity Gateway interface).
As OpenID provider, AM responds to a successful authorization request with a response containing all the required fields, and also the optional
expires_infield. AM supports the mandatory ID Token properties, though the relying party is expected to use the
expires_invalue, rather than specifying
max_ageas a request parameter:
In addition to the standard user information returned with
userinfo, AM as OpenID provider for Mobile Connect returns the
updated_atproperty, representing the time last updated as seconds since the epoch.
The Authenticator role, implementing the Mobile Connect Profile as part of the Identity Gateway (Authenticators interface).
In the Authenticator role, AM ensures that users authenticate at the appropriate Level of Assurance (LoA). A Service Provider can request LoAs without regard to the implementation, and the Identity Gateway includes a claim in the ID Token that indicates the LoA achieved.
In AM, LoAs map to an authentication mechanism. Service Providers acting as relying parties request an LoA by using the
acr_valuesfield in an authentication request.
AM returns the corresponding
acrclaim in the ID token.
1(low - little or no confidence)
2(medium - some confidence, as in single-factor authentication)
3(high - high confidence, as in multi-factor authentication)
LoA support does not include support for
4, which involves digital signatures. Therefore, the
dtbsauthorization parameter is not supported when requesting tokens to the authorization endpoint.
Perform the steps in this procedure to set up the OAuth2 provider service:
Configure an OAuth2 provider service in the realm. See "To Configure the OAuth 2.0 Provider Service".
Mobile Connect is an extension of OpenID Connect. Therefore, review the additional configuration options shown in OpenID Provider Configuration.
Go to Realms > Realm Name > Services > OAuth2 Provider.
Configure OpenID Connect authentication context settings for AM to return
amrclaims in the ID tokens.
For information and examples, see Adding Authentication Requirements to ID Tokens.
Go to Realms > Realm Name > Identity Stores > Identity Store Name > User Configuration.
The user info endpoint returns
updated_atvalues in the ID Token. If the user profile has never been updated
updated_atreflects creation time.
When using DS as an identity store, the value is read from the
modifyTimestampattribute, or the
createTimestampattribute for a profile that has never been modified.
Add the relevant attributes to the LDAP User Attributes list, and save your changes.
You can now use OpenID Connect with Mobile Connect. As per the specification, you must use the Authorization Code flow to request ID tokens.
Request Parameter Support Description
OAuth 2.0 grant type to use. Set this to
codefor the authorization grant.
Set this to the client identifier.
Space delimited OAuth 2.0 scope values.
OAuth 2.0 URI where the authorization request callback should go. Must match the
redirect_uriin the client profile that you registered with AM.
Value to maintain state between the request and the callback. Required for Mobile Connect.
String value to associate the client session with the ID Token. Optional in OIDC, but required for Mobile Connect.
String value to specify the user interface display.
String value that can be set to the ID the user uses to log in. For example,
email@example.com, depending on how the authentication node or module is configured to search for users.
When provided as part of the OIDC Authentication Request, the
login_hintis set as the value of a cookie named
oidcLoginHint, which is an HttpOnly cookie (only sent over HTTPS).
Authentication Context class Reference values used to communicate acceptable LoAs that users must satisfy when authenticating to the OpenID provider.
For more information, see "The Authentication Context Class Reference (acr) Claim".
Data To Be Signed
At present AM does not support LoA 4.
For access to a simple, non-secure GSMA Mobile Connect relying party sample, see How do I access and build the sample code provided for AM (All versions)? in the ForgeRock Knowledge Base.