GSMA Mobile Connect

GSMA Mobile Connect is an application of OpenID Connect (OIDC). It enables mobile phones to serve as authentication devices independently of the service and the device.

Mobile Connect offers a standard way for Mobile Network Operators (MNOs) to act as general-purpose identity providers. It offers a range of Levels of Assurance (LoAs) and profile data to Mobile Connect-compliant service providers.

Mobile Connect roles

In a Mobile Connect deployment, AM can play the following roles:

The OpenID provider: The provider implements the Mobile Connect Profile as part of the Service Provider (Identity Gateway interface).

The OpenID provider responds to a successful authorization request with all the required fields and the optional expires_in field. AM supports the mandatory ID Token properties. The relying party must use the expires_in value instead of specifying max_age as a request parameter.

AM returns the standard userinfo claims and the updated_at property. The updated_at property holds the time last updated as seconds since January 1, 1970 UTC.
The authenticator: The authenticator implements the Mobile Connect Profile as part of the Identity Gateway (Authenticators interface).

The authenticator makes users authenticate at the appropriate LoA. A service provider can request LoAs without regard to the implementation. The Identity Gateway includes a claim in the ID Token to indicate the LoA achieved.

LoA support

AM maps LoAs to an authentication mechanism:

A service provider acting as a relying party requests an LoA with the acr_values parameter.
AM returns the corresponding acr claim in the ID token.

LoA support:

1 (low—little or no confidence)
2 (medium—some confidence, as in single-factor authentication)
3 (high—high confidence, as in multi-factor authentication)

LoA support does not include support for 4, which involves digital signatures. The dtbs authorization parameter is not supported.

Configure Mobile Connect

Configure the OAuth 2.0 provider OIDC authentication context settings to return acr and amr claims in the ID tokens.

For details, refer to Authentication requirements.
Update the identity store user configuration.

The userinfo endpoint returns updated_at values in the ID token. If the user profile has never been updated updated_at reflects creation time.

When using DS as an identity store, AM takes updated_at from the modifyTimestamp attribute if it exists, and the createTimestamp attribute if not.

In the AM admin UI, go to Realms > Realm Name > Identity Stores > Identity Store Name > User Configuration and add the relevant attributes to the LDAP User Attributes list.
Save your work.

Authorization parameters

You must use the authorization code grant to request ID tokens.

Request parameter Supported? Description

Request parameter	Supported?	Description
`acr_values`	Yes	The OpenID Connect authentication context class reference values. For details, refer to The `acr` claim.
`client_id`	Yes	A unique string identifier for the application making the request.
`display`	Yes	A string value specifying the user interface display.
`dtbs`	No	Data to be signed. LoA 4 is not supported.
`login_hint`	Yes	A string specifying the ID used to log in. Set the `login_hint` to the value of the `oidcLoginHint` cookie. This is an HttpOnly cookie (only sent over HTTPS).
`nonce`	Yes	A string linking the client session with the ID token to mitigate against replay attacks. Required for Mobile Connect.
`redirect_uri`	Yes	The URI to return the end user to after authorization is complete; must match the `redirect_uri` in the client application profile.
`response_type`	Yes	A string specifying the response expected from the authorization server; use `response_type=code`.
`scope`	Yes	A string specifying the permissions the client application requests from the end user. Separate scopes with spaces. Required: `openid` Optional: `address` `email` `offline_access` `phone` `profile`
`state`	Yes	A string value to maintain state between the request and the callback. Required for Mobile Connect.

acr_values

Yes

The OpenID Connect authentication context class reference values.

For details, refer to The acr claim.

client_id

Yes

A unique string identifier for the application making the request.

display

Yes

A string value specifying the user interface display.

dtbs

Data to be signed.

LoA 4 is not supported.

login_hint

Yes

A string specifying the ID used to log in.

Set the login_hint to the value of the oidcLoginHint cookie. This is an HttpOnly cookie (only sent over HTTPS).

nonce

Yes

A string linking the client session with the ID token to mitigate against replay attacks.

Required for Mobile Connect.

redirect_uri

Yes

The URI to return the end user to after authorization is complete; must match the redirect_uri in the client application profile.

response_type

Yes

A string specifying the response expected from the authorization server; use response_type=code.

scope

Yes

A string specifying the permissions the client application requests from the end user. Separate scopes with spaces.

Required:
openid

Optional:
address
email
offline_access
phone
profile

state

Yes

A string value to maintain state between the request and the callback.