GSMA Mobile Connect

GSMA Mobile Connect is an application of OpenID Connect (OIDC). It enables mobile phones to serve as authentication devices independently of the service and the device.

Mobile Connect offers a standard way for Mobile Network Operators (MNOs) to act as general-purpose identity providers. It offers a range of Levels of Assurance (LoAs) and profile data to Mobile Connect-compliant service providers.

Mobile Connect roles

In a Mobile Connect deployment, PingOne Advanced Identity Cloud can play the following roles:

The OpenID provider: The provider implements the Mobile Connect Profile as part of the Service Provider (Identity Gateway interface).

The OpenID provider responds to a successful authorization request with all the required fields and the optional expires_in field. PingOne Advanced Identity Cloud supports the mandatory ID Token properties. The relying party must use the expires_in value instead of specifying max_age as a request parameter.

PingOne Advanced Identity Cloud returns the standard userinfo claims and the updated_at property. The updated_at property holds the time last updated as seconds since January 1, 1970 UTC.
The authenticator: The authenticator implements the Mobile Connect Profile as part of the Identity Gateway (Authenticators interface).

The authenticator makes users authenticate at the appropriate LoA. A service provider can request LoAs without regard to the implementation. The Identity Gateway includes a claim in the ID Token to indicate the LoA achieved.

LoA support

PingOne Advanced Identity Cloud maps LoAs to an authentication mechanism:

A service provider acting as a relying party requests a LoA with the acr_values parameter.
PingOne Advanced Identity Cloud returns the corresponding acr claim in the ID token.

LoA support:

1 (low—little or no confidence)
2 (medium—some confidence, as in single-factor authentication)
3 (high—high confidence, as in multi-factor authentication)

LoA support does not include support for 4, which involves digital signatures. The dtbs authorization parameter is not supported.

Configure Mobile Connect

Configure the OAuth 2.0 provider OIDC authentication context settings to return acr and amr claims in the ID tokens.

For details, refer to Authentication requirements.

Authorization parameters

You must use the authorization code grant to request ID tokens.

Request parameter Supported? Description

Request parameter	Supported?	Description
`acr_values`	Yes	The OpenID Connect authentication context class reference values. For details, refer to The `acr` claim.
`client_id`	Yes	A unique string identifier for the application making the request.
`display`	Yes	A string value specifying the user interface display.
`dtbs`	No	Data to be signed. LoA 4 is not supported.
`login_hint`	Yes	A string specifying the ID used to log in. Set the `login_hint` to the value of the `oidcLoginHint` cookie. This is an HttpOnly cookie (only sent over HTTPS).
`nonce`	Yes	A string linking the client session with the ID token to mitigate against replay attacks. Required for Mobile Connect.
`redirect_uri`	Yes	The URI to return the end user to after authorization is complete; must match the `redirect_uri` in the client application profile.
`response_type`	Yes	A string specifying the response expected from the authorization server; use `response_type=code`.
`scope`	Yes	A string specifying the permissions the client application requests from the end user. Separate scopes with spaces. Required: `openid` Optional: `address` `email` `offline_access` `phone` `profile`
`state`	Yes	A string value to maintain state between the request and the callback. Required for Mobile Connect.

acr_values

Yes

The OpenID Connect authentication context class reference values.

For details, refer to The acr claim.

client_id

Yes

A unique string identifier for the application making the request.

display

Yes

A string value specifying the user interface display.

dtbs

Data to be signed.

LoA 4 is not supported.

login_hint

Yes

A string specifying the ID used to log in.

Set the login_hint to the value of the oidcLoginHint cookie. This is an HttpOnly cookie (only sent over HTTPS).

nonce

Yes

A string linking the client session with the ID token to mitigate against replay attacks.

Required for Mobile Connect.

redirect_uri

Yes

The URI to return the end user to after authorization is complete; must match the redirect_uri in the client application profile.

response_type

Yes

A string specifying the response expected from the authorization server; use response_type=code.

scope

Yes

A string specifying the permissions the client application requests from the end user. Separate scopes with spaces.

Required:
openid

Optional:
address
email
offline_access
phone
profile

state

Yes

A string value to maintain state between the request and the callback.

Required for Mobile Connect.