diff --git a/code/API_definitions/numberVerify.yaml b/code/API_definitions/numberVerify.yaml new file mode 100644 index 0000000..379c5c5 --- /dev/null +++ b/code/API_definitions/numberVerify.yaml @@ -0,0 +1,328 @@ +openapi: 3.0.0 +info: + title: numberVerify + description: Number Verify service based on Mobile Connect Verified MSISDN specification + version: 0.1.0 + license: + name: Apache 2.0 + url: http://www.apache.org/licenses/LICENSE-2.0.html + contact: + name: Support + email: support@example.com + url: https://support.example.com +externalDocs: + description: GSMA Mobile Connect Verified MSISDN specification + url: https://www.gsma.com/identity/wp-content/uploads/2022/12/IDY.54-Mobile-Connect-Verified-MSISDN-Definition-and-Technical-Requirements-1.0.pdf +servers: + - url: https://{countryServer}.{domain} + variables: + countryServer: + default: api.server + description: a server specific to country where API is delivered + domain: + default: com + description: a domain where server is delivered + description: API server providing CAMARA APIs +tags: + - name: Verified MSISDN + description: Standard Number Verify service based on Mobile Connect Verified MSISDN +paths: + /authorize: + get: + tags: + - Verified MSISDN + externalDocs: + description: Mobile Connect Device Initiated OIDC profile + url: https://www.gsma.com/identity/wp-content/uploads/2022/11/IDY.01-v3.0.pdf + security: + - openId: [mc_vm_match,mc_vm_match_hash] + summary: Authorize request for MC Verified MSISDN service + parameters: + - name: response_type + in: query + required: true + schema: + type: string + enum: + - code + - name: scope + in: query + required: true + description: Scope value impacts resource call consumption. + schema: + type: string + enum: + - mc_vm_match + - mc_vm_match_hash + - name: client_id + in: query + schema: + type: string + format: uuid + description: client_id provided by MNO for mc vm match api consumption + example: '{client_id}' + - name: version + in: query + required: true + schema: + type: string + enum: + - mc_v2.1 + - name: redirect_uri + in: query + required: true + schema: + type: string + format: uri + example: http://localhost + - name: state + in: query + required: true + schema: + type: string + example: teststate + - name: nonce + in: query + required: true + schema: + type: string + example: '123456' + - name: acr_values + in: query + required: true + schema: + type: integer + enum: + - 2 + - 3 + example: '2' + responses: + '302': + description: /authorize endpoint process the reqest and returns either success or error on redirect + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/oidc_auth_response' + - $ref: '#/components/responses/302redirectError' + type: object + '400': + description: invalid request + content: + application/json: + schema: + $ref: '#/components/schemas/serverError' + /token: + post: + tags: + - Verified MSISDN + summary: Token + security: + - basicAuth: [] + parameters: + - name: grant_type + in: query + required: true + schema: + type: string + enum: + - authorization_code + - name: code + in: query + required: true + schema: + type: string + format: uuid + example: jUQqqE-mawjwzscVbp00BRrdVWKU6qw78fklU1MSl9A + - name: redirect_uri + in: query + required: true + schema: + type: string + format: uri + example: http://localhost + responses: + '200': + description: success - mc vm match response + content: + application/json: + schema: + $ref: '#/components/schemas/oidc_token_response' + '400': + description: invalid request + content: + application/json: + schema: + $ref: '#/components/schemas/serverError' + '401': + description: access denied or invalid request + content: + application/json: + schema: + $ref: '#/components/schemas/serverError' + '500': + description: internal error + content: + application/json: + schema: + $ref: '#/components/schemas/serverError' + '503': + description: service unavailable + content: + application/json: + schema: + $ref: '#/components/schemas/serverError' + + /openid/userinfo: + post: + tags: + - Verified MSISDN + summary: User Info + security: + - bearerAuth: [] + requestBody: + description: delivers end user input for phone number verification + required: true + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/mc_vm_match_resource_request' + - $ref: '#/components/schemas/mc_vm_match_hash_resource_request' + responses: + '200': + description: success - mc vm match response + content: + application/json: + schema: + $ref: '#/components/schemas/mc_vm_match_response' + '400': + description: bad request + content: + application/json: + schema: + $ref: '#/components/schemas/serverError' + +security: + - openId: + - mc_vm_match + - mc_vm_match_hash + +components: + securitySchemes: + openId: + type: openIdConnect + openIdConnectUrl: https://example.com/.well-known/openid-configuration + bearerAuth: + type: http + scheme: bearer + basicAuth: + type: http + scheme: basic + responses: + accessDenied: + description: request cannot be completed due to bad request + content: + application/json: + schema: + $ref: '#/components/schemas/serverError' + 302redirectError: + description: error message returned on redirect + content: + application/json: + schema: + $ref: '#/components/schemas/redirectError' + schemas: + mc_vm_match_resource_request: + type: object + properties: + mc_claims: + type: object + properties: + device_msisdn: + type: string + description: country code (with leading +) and phone number + pattern: '^[\+]?[(]?[0-9]{3}[)]?[-\s\.]?[0-9]{3}[-\s\.]?[0-9]{4,6}$' + example: '+4915164818763' + required: + - device_msisdn + mc_vm_match_hash_resource_request: + type: object + properties: + mc_claims: + type: object + properties: + device_msisdn_hash: + type: string + description: SHA256 hash + required: + - device_msisdn_hash + mc_vm_match_response: + type: object + properties: + sub: + type: string + format: uuid + device_msisdn_verified: + type: boolean + required: + - device_msisdn_verified + - sub + oidc_auth_response: + type: object + properties: + code: + type: string + format: uuid + state: + type: string + description: if state is present in auhtorization request, response must match it + example: teststate + required: + - code + - state + oidc_token_response: + type: object + properties: + access_token: + type: string + format: uuid + token_type: + type: string + enum: + - bearer + id_token: + type: string + format: jwt + description: contains auth information of the device namely sub parameter + example: eyJraWQiOiJVZ1JmNEk4WWw2cGo0NHRnZGx3WUJ3PT0iLCJhbGciOiJSUzI1NiJ9.eyJhdF9oYXNoIjoiS3BIWlpGb2hFRUZzbUMwQW9iV1BBUSIsInN1YiI6IjlmZTkxNzE4LWI2NmEtNGE3Zi1hYTgxLTU1YWEwZjA0YmViMCIsImF1ZCI6WyIwZDMzM2IzOS05NmNhLTRhZTMtYTcxNS03NGRkZGRjY2M0MWEiLCIwZDMzM2IzOS05NmNhLTRhZTMtYTcxNS03NGRkZGRjY2M0MWEiXSwiYWNyIjoiMiIsImF6cCI6IjBkMzMzYjM5LTk2Y2EtNGFlMy1hNzE1LTc0ZGRkZGNjYzQxYSIsImF1dGhfdGltZSI6MTY2Nzk5NDMwMiwiYW1yIjpbIlNFQU1fT0siXSwiaXNzIjoibW9iaWxlY29ubmVjdC9pc3N1ZXIiLCJleHAiOjE2Njc5OTYzNTgsImlhdCI6MTY2Nzk5NDM1OCwibm9uY2UiOiIxMjM0NTYifQ==.aRJkQjoF4yOBYJ7hXkkDbdoMAWCfKqCx0JwxTcTMXPXTZI4njuaqOvLCQbwN-HTHbfUWp0_VOUovW3dyvao45C36zhiDaSl8RYLw2CuBEeL1471GmWPr-ivkNTTosFC855GHa8I4yiAUnrWnhv2jfiGISNZi2Tkm6Dl_yNAC17P44gAhnh8FTd_FbLJyOaOtaE7cKrgvAvipeqP0wIT-mAVNUhrU3PmmxcxNWZaY8dEE6WKWhbwHQZ5Juq8ikxT84dOGjn7IxxFdRgPpYgsNHta8tYPnc_6jY6jnnEHB8Utpkrl0fyNPDD2wp5dBk9F2lzppdcG-ZJEAZrP22nBf7g + expires_in: + type: integer + example: 500 + required: + - access_token + - token_type + - id_token + - expires_in + serverError: + type: object + properties: + error_description: + type: string + example: Mandatory parameter code is invalid + error: + type: string + example: invalid_request + required: + - error + - error_description + redirectError: + type: object + properties: + error_description: + type: string + example: Mandatory parameter code is invalid + error: + type: string + example: invalid_request + \ No newline at end of file diff --git a/documentation/API_documentation/API_definition.md b/documentation/API_documentation/API_definition.md new file mode 100644 index 0000000..7a99f22 --- /dev/null +++ b/documentation/API_documentation/API_definition.md @@ -0,0 +1,190 @@ +# Reference +Number Verify API is based on Mobile Connect Verified MSISDN standardized product: + +[IDY.54](assets/docs/(placeholder4MCspec).docx) + +**IDY.54 Mobile Connect Verified MSISDN Definition and Technical Requirements** + +## About Mobile Connect + +Mobile Connect is a worldwide initiative by Mobile Operators to bring a wide portfolio of Identity services to market that enable SPs and End-Users to transact with one-another more securely through strong authentication, authorisation and exchange of attributes, subject to User consent. + +The Mobile Connect architecture consists of a Core framework around which additional components can be added to support the different Mobile Connect services as well as other API based services that delivers value to the customer. The Core framework is based upon the OpenID Connect (OIDC) protocol suite and allows Users to be identified by their MSISDN (or a related Pseudonymous Customer Reference) to enable authentication on their mobile device. Attributes sharing services are based upon the OAUTH2.0 framework - Client Credentials grant. + +## Number Verify / Verified MSISDN definition + +Mobile Connect Verified MSISDN allows Developer // Service Provider (SP) to verify the MSISDN (phone number) of the device connected to the mobile data network through which a User is accessing an SP service. In doing so, it enables the SP to check that the device being used to access a particular SP User account belongs to the account holder. Such a service can also be used by the SP for verifying the User’s device as a complementary service when a User is being authenticated. + +Mobile Connect Verified MSISDN is defined as two service variants: + +- **Verified MSISDN Match**: in which the Mobile Operator compares the MSISDN associated with the mobile device against that provided by the SP in the service request1. The MSISDN can be supplied in an E164 format [5] or in a hashed form. Verified MSISDN Match ensures no data is shared by the Mobile Operator. + +Note that the Verified MSISDN service only works for devices which have an active mobile data bearer. It will not work via another data connection such as WiFi. + +## Use Case examples + +Mobile Connect Verified MSISDN supports a range of practical use cases including: + + 1. Android Account Setup + 2. Mobile Banking App installation and password-less login + 3. Android password-less login + 4. RCS client installation / configuration + 5. Posting online ad or reviews on a website + 6. Verified MSISDN service as the second factor authentication + +Some examples are listed below in more detail to explain the use of Verified MSISDN. + +### Android device upgrade (Google) + +Verified MSISDN service could be used as an additional authentication step to provide more confidence to Google when a User first logs in on a new device with their Google credentials. When upgrading to a new/different Android phone, the User needs to enter their Google credentials to personalize the device - at this point, Google need additional confirmation that the individual entering the credentials is the legitimate account owner and not an attacker. + +Google typically solve this issue through the use of SMS OTP but would prefer to use an Mobile Operator API such as Verified MSISDN to verify the association of device to the User without creating friction within the User experience when upgrading to a new Android phone. + +### Password-less login + +A separate but related problem is that it is quite common for a User to forget their Google credentials altogether and need to establish a new set (and new identity) in order to activate their Android device - this creates friction for the User, but also presents a service continuity issue for Google. + +An alternative approach for verifying a new Android device would be for Google to adopt the User's phone number as the username, and possession/control of the Android device associated with that phone number as an implicit factor of authentication. This approach is simple and can then be combined with a lightweight knowledge factor (e.g., related to their Google or mobile account) to sign the User in and mitigate SIM swap fraud. + +### Mobile Banking App & Apple/Android Pay installation + +Similar to the Android upgrade use case, whenever a User wishes to install and/or configure a new SP app on their device, it is important that the SP can check that the device on which the app is being installed is associated with the User in question to mitigate against an attacker gaining access to a User's account by entering the User's credentials (username/password) via their own device. Mobile banking is a good example of this, the bank needing to ensure that the device upon which a mobile banking app is being installed is associated with the same phone number as on file for the bank account for that User. + +A similar use case is where a User requests their debit/credit card to be tokenised and installed on their mobile phone (e.g., for use within Apple Pay, Samsung Pay, Android Pay etc.) and it is important that the issuing bank can verify that the User making the request is the same as the cardholder – by verifying that the phone number associated with the device upon which the debit/credit card will be installed is the same as the phone number on file for the cardholder (and matching other attributes such as name & address registered against that phone number), the issuing bank can mitigate against fraud. + +## Verified MSISDN Functional Description + +### Verified MSISDN Service Flow + +The SP must initiate the Verified MSISDN request via the User’s mobile device which is directly connected to the mobile data network. The Mobile Operator ID GW must support **HTTP Header enrichment or a similar mechanism to be able to extract the User’s MSISDN from the mobile data network.** Verified MSIDN will not work if the device is on Wi-Fi or on a mobile hotspot. + +Because Mobile Connect Verified MSISDN requires the use of the mobile data network it may be that the SP app includes a feature to allow switching the data bearer to ensure that the mobile data network is used. + +**Figure 1** shows a high-level flow for a Verified MSISDN service request. The use case shown is one of registering a mobile app to allow password-less log-in. +- This User is installing an SP’s mobile app on their device and in response to the prompt, the User enters their phone number. +- The SP educates the User about the need to perform number verification whenever the User attempts to login in the future. The SP provides further details such as revocation mechanism in a linked page (shown as “Learn more”). +- The User is asked to provide long-lived consent to the SP. The use of data needs to be clearly stated in terms of the service and the privacy policy. + +![Figure 1 - Mobile Connect Verified MSISDN Service Flow](./assets/images/figure1.png) + +The service flow is as follows: + +- The SP’s app initiates a Mobile Connect Verified MSISDN service request towards the Mobile Operator’s ID GW Authorization endpoint using Mobile Connect Device-Initiated mode. The SP specifies the service required using the scope parameter to indicate whether Verified MSISDN Share, Verified MSISDN Match (Plain) or Verified MSISDN Match (Hashed) is required. + - In this example, it is assumed that the SP already has the relevant Mobile Operator ID GW metadata and credentials to be able to initiate a service request to the correct Mobile Operator ID GW for that User. If not available, then this can be obtained by using the API Exchange Discovery service or by obtaining the details directly from the Mobile Operator. +- The Mobile Operator’s ID GW validates the request (i.e. that the SP has been registered with the Mobile Operator for the Mobile Connect Verified MSISDN service requested) +- The ID GW optionally can check that the source is from a known IP range (white listed) +- The Mobile Operator ID GW checks whether the User is registered for Mobile Connect +- If the MSISDN is not yet registered for Mobile Connect, based on ID GW policies a new Mobile Connect account may be created “on-the-fly” for that MSISDN. +- The Mobile Operator retrieves the MSISDN from the IP Header (or uses an alternate mechanism to obtain the network-authenticated MSISDN for that device) + +In order to be able to share (or match) User information with a SP, the User must give their consent. + +> **Figure 1** illustrates the option where the Mobile Operator ID GW captures User consent which, within the context of this use case, might be at initial registration for the SP service. +> +> User consent can also be captured by the SP, subject to the Mobile Operator’s ID GW consent policies and the contractual agreement with the SP. +> +> Consent can also be long-lived where it exists for an extended period of time to provide a smoother User experience. +> +> If consent is not required (i.e. the User has already given their consent) then this step can be omitted. + +- An Authorization Code is then returned to the SP as part of a standard Device-Initiated flow and the SP can then retrieve the ID Token and Access Token by make a Token Request to the ID GW Token endpoint. +- For Verified MSISDN Share the SP can then make a Resource Request to the Resource endpoint with the Access Token to fetch the MSISDN of the device. +- For Verified MSISDN Match the SP can fetch the MSISDN match result by making a Resource Request with the Access Token and including the appropriate attribute identifier and value within the mc_claims parameter: + - The attribute identifier is “device_msisdn” with a value of the MSISDN in plain text if scope= ”mc_vm_match” was specified in the service request. + - The attribute identifier is “device_msisdn_hash” with a value of the hash of the MSISDN if scope=”mc_vm_match_hash” was specified in the service request. +- The Resource Server matches the attribute value with the previously extracted MSISDN or hash of the MSISDN extracted by the Authorization Server. If they match, the service returns a Boolean value “true” to the SP. +- If the verification fails, then it returns a Boolean value “false” to the SP. + + +### User Consent Management + +The Mobile Connect Verified MSISDN service is designed to be used as a fraud check so typically, User consent will be captured by the SP (at registration and /or included within standard terms and conditions) and the service will be processed in the background without any explicit User consent. + +## Verified MSISDN Service Specification + +### OIDC Authorization Request Parameters - scope + +The SP requests Mobile Connect Verified MSISDN services via the scope parameter in the Mobile Connect OIDC Authorization Request as per Table 1. + +**Table 1 - Mobile Connect Verified MSISDN scope Values** +|Mobile Connect Verified MSISDN|OIDC Authorization Request scope Parameter| +|:---|:---| +|Mobile Connect Verified MSISDN Match [plain]|“mc_vm_match”| +|Mobile Connect Verified MSISDN Match [hashed]|“mc_vm_match_hash”| + +### API details + +Mobile Connect Verified MSISDN is only supported in Device-Initiated mode where the User is accessing an online SP service via their mobile device using a mobile data connection. + +[MC Device Initiated mode](assets/yaml/MC_di_v2.3-build_14.yaml) + +### Verified MSISDN Match details + +For Mobile Connect Verified MSISDN Match, the MSISDN that the SP wishes to match against the device MSISDN captured by the Mobile Operator ID GW is submitted as part of the Resource Request. + +For Mobile Connect Verified MSISDN Match one of the attribute identifiers and associated value shown in **Table 2** must be included in the Resource Request depending upon the scope value specified in the OIDC Authorization Request. + +**Table 2 - Mobile Connect Verified MSISDN Match – Attribute Identifiers and Values for the Resource Request** + +|Attribute Identifier|Type|Description| +|:---|:---:|:---| +|device_msisdn|String|The value is the MSISDN to be verified. E.164 format is RECOMMENDED| +|device_msisdn_hash|String|Hashed value of MSISDN to be verified. SHA256 algorithm recommended.| + +The Resource Request contains a JSON Payload with the mc_claims parameter which contains the requested service scope value (e.g. “mc_vm_match_hash”) followed by the appropriate attribute identifier, as defined in **Table 2**, and the value (hashed value in this case) to be matched. For example, based on an Mobile Connect Verified MSISDN Match (Hashed) service request, the Resource Request would be as follows: + +>POST /connect/mc_vm HTTP/1.1. +user-Agent: XXXXXXXXXX +Host: mc-idgw-Operator.example.com. +Authorization: Bearer LTRjZDMtNDUyYi1iNjk. +Content-Type: application/json. +Accept: application/json. +Content-Length: 73. +. +{ + "mc_claims": + { + "device_msisdn_hash":"3d84a3838599719df7deacc7fb91903bde5430a8c0e007c3eba93bce0c69c5a2" + } + } + +based on an Mobile Connect Verified MSISDN Match (Plain) service request, the Resource Request would be as follows: + +>POST /connect/mc_vm HTTP/1.1. +user-Agent: XXXXXXXXXX +Host: mc-idgw-Operator.example.com. +Authorization: Bearer LTRjZDMtNDUyYi1iNjk. +Content-Type: application/json. +Accept: application/json. +Content-Length: 73. +. +{ +"mc_claims" : { + "device_msisdn" : "+44123456789" + } +} + + +**Table 3** shows the attribute identifier and associated value that is returned in the Resource Response for Mobile Connect Verified MSISDN Match. The response is the same irrespective of whether plain text or hashed values were submitted in the Resource Request. + +**Table 3 - Mobile Connect Verified MSISDN Match – Returned Attributes in the Resource Response** +|Attribute Identifier |Type|Usage Category|Description| +|:---|:---:|:---:|:---| +|device_msisdn_verified|Boolean|REQUIRED|Match result: “true” / “false”| + +The following example shows the Resource Response for the Mobile Connect Verified MSISDN Match service. Note the same result is returned for both plain text and hashed variants. + +>HTTP/1.1 200 OK. +Date: Tue, 03 Oct 2017 09:37:43 GMT. +Server: XXXXXXX +Expires: Thu, 19 Nov 1981 08:52:00 GMT. +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0. +Pragma: no-cache. +Content-Length: xx. +Content-Type: application/json. +. +{ + "sub": "cd45a691-d311-4134-9a0c-2747e5110d22" + "device_msisdn_verified": true +} + diff --git a/documentation/API_documentation/README.MD b/documentation/API_documentation/README.MD deleted file mode 100644 index 5a4ac93..0000000 --- a/documentation/API_documentation/README.MD +++ /dev/null @@ -1 +0,0 @@ -Here you can add your documentation and delete this README.MD file diff --git a/documentation/API_documentation/assets/docs/(placeholder4MCspec).docx b/documentation/API_documentation/assets/docs/(placeholder4MCspec).docx new file mode 100644 index 0000000..e69de29 diff --git a/documentation/API_documentation/assets/images/figure1.png b/documentation/API_documentation/assets/images/figure1.png new file mode 100644 index 0000000..534f936 Binary files /dev/null and b/documentation/API_documentation/assets/images/figure1.png differ diff --git a/documentation/API_documentation/assets/yaml/MC_di_v2.3-build_14.yaml b/documentation/API_documentation/assets/yaml/MC_di_v2.3-build_14.yaml new file mode 100644 index 0000000..f296e8e --- /dev/null +++ b/documentation/API_documentation/assets/yaml/MC_di_v2.3-build_14.yaml @@ -0,0 +1,4148 @@ +swagger: '2.0' +info: + title: Mobile Connect API + description: >- + The Mobile Connect API specifies a set of operations that allow developers + to interact with operator ID Gateways. + version: R2.3 +tags: + - name: OVERVIEW + description: >- +

The Mobile Connect products

+ +

The Mobile Connect APIs support 9 products across four services: + +

Authentication

+ +

Simple and globally ubiquitous user + Authentication.

+ +

Authorisation

User Authorisation of Service Provider requests

+ +

Identity

+ +

The provision of user Identity

+ +

Attributes

+ +

Insights about the user, their device + or a transaction

+ +

Operator implementations

+ +

Operator ID Gateway implementations will be based on specific Mobile + Connect profiles. There may be some differences across + operators although the implementations will normally be consistent within + a country. Please see the country + specific variations pages for more information.

+ +

Details of the technical differences will be discussed in the product + specific implementation guides. You can find more information on different the + Mobile Connect Profiles page.

+ - name: AUTHENTICATION + description: >- +

Mobile Connect Authentication offers a simple and globally ubiquitous + log-in mechanism with no personal information being shared without the + end-user's permission.

+ +

Pre-requisites

+ +

Before you can make an live authentication request you need to ensure that the + following pre-requisites have been completed

+ +

You have obtained Operator endpoints and credentials.

+ +

The Operator Mobile Connect endpoints and credentials can be retrieved + using the Discovery service or will be provided to you if + you are working directly with an operator.

+ +

Access to the operator ID Gateway is confirmed

+ +

You should have received confirmation (either via Mobile Connect + Support or directly from the operator) that your credentials have been + enabled on the operator ID Gateway - note that this will include the + redirect_uri that you will be using and have registered with + the Developer Portal or provided to the operator.

+ +

You can, of course, use the Sandbox at any time.

+ +

Operator Implementations

+ +

There are a number of different Mobile Connect Profiles, a full description + of the profiles can be found here. + You will need to understand which version an operator uses before you implement + authentication. The parameter descriptions below indicate the differences between the profiles + and how they impact authentication.

+ +

Implementation

+ +

As Mobile Connect is based on OpenID Connect, at a high level Authentication is a two stage process:

+ +
    +
  1. Make an oidc authorize call to the Mobile Connect ID Gateway asking for the + end-user to authenticate themselves. If this is succesful then the response can + be used to build the Get Tokens call.
  2. +
  3. The Get Tokens call uses the code received from the authorize + request to get an ID Token. The customer identifer (PCR) can then be extracted + from the token to identify the end-user.
  4. +
+ +

Sequence diagram

+ +

The diagram below breaks down these steps in more detail

+ + + + +
    +
  1. SP applications opens a pop-up window or web-view on the consumption device and loads the Authorize request to the window or web-view.

    +
  2. The consumption device makes the authorize request to the ID Gateway.

    +
  3. The ID Gateway responds with a 302 Found that loads the wait screen in the pop-up window. This screen let's the end-user know that they have been sent a message by their operator.

    +
  4. An authenticator message is sent to the authentication device. The authenticator used will be operator specific, but preferences can be added in the authorize request. +
  5. The end-user authenticates themselves. The process will vary per operator and may include additional steps. +
  6. Once the end-user has authenticated themselves then a 302 Found is returned by the ID Gateway with a Location header of the SP application's redirect URI. The SP application receives the request and extracts the query parameters.

    +
  7. The SP application then makes a Get Token request using the code extracted from the authorize response.

    +
  8. The ID Gateway includes the ID Token & Access Token. The PCR user identifier is then extracted from the ID Token. The pop-up window can now be closed.

    +
+ +

The PCR can now be used to to identify a returning end-user or to set up an account for a new user.

+ - name: AUTHORISATION + description: >- +

Mobile Connect Authorise captures authorisation from a user for a service provider + to perform an action on their behalf. The service provider provides details specific + to their request in the Mobile Connect API, which is displayed on the user’s mobile phone. + The user approves or rejects the request, which is relayed to the service provider + in the API response. The user is authenticated as part of the flow to ensure that + they have the right to provide the authorisation.

+ +

Mobile Connect Authorise Plus works in the same way, but in addition, requires + the end user to authenticate first by entering the Mobile Connect PIN prior to + authorising the request.

+ +

Implementation

+ +
    +
  1. Make an OIDC authorize call to the Mobile Connect ID Gateway asking for the + end-user to authorise an action. If this is succesful then the response can + be used to build the Get Tokens call.
  2. +
  3. The Get Tokens call uses the parameters received from the Authorize + request to get the ID Tokens which can be used to extract the PCR and so identify the end-user.
  4. +
+ +

Sequence diagram

+ +

The diagram below breaks down these steps in more detail

+ + + + +
    +
  1. SP applications opens a pop-up window or web-view on the consumption device and loads the Authorize request to the window or web-view.

    +
  2. The consumption device makes the Authorize request to the ID Gateway.

    +
  3. The ID Gateway responds with a 302 Found that loads the wait screen in the pop-up window. This screen let's the end-user know that they have been sent a message by their operator.

    +
  4. An authenticator message is sent to the authentication device. The authenticator will vary per operator and the Authorize request. +
  5. The end-user authenticates themselves. The process will vary per operator and may include additional steps. +
  6. Once the end-user has authenticated themselves then a 302 Found is returned by the ID Gateway with a Location of the SP application's redirect URI. The SP application receives the request and extracts the query parameters.

    +
  7. The SP application then makes a Get Token using values extracted from the Authorize response.

    +
  8. The ID Gateway includes the ID & Access Tokens. The PCR can be extracted from the ID Token.

    +
+ +

Operator Implementations

+ +

Identity is supported by Mobile Connect Profile v2.0 and Mobile Connect Profile DI v2.3

+ + + + - name: SIGN-UP + description: >- +

Mobile Connect Sign-up allows end-users to consent to share details necessary to sign-up for a service.

+ +

Operator Implementations

+ +

Sign-up is supported by Mobile Connect Profile v2.0 and Mobile Connect Profile DI v2.3

+ + - name: PHONE NUMBER + description: >- +

Mobile Connect Phone Number allows end-users to consent to share their Phone Number.

+ +

Operator Implementations

+ +

Phone Number is supported by Mobile Connect Profile v2.0 and Mobile Connect Profile DI v2.3

+ + - name: NATIONAL ID + description: >- +

Mobile Connect National ID allows end-users to consent to share their National ID

+ +

Operator Implementations

+ +

National ID is supported by Mobile Connect Profile v2.0 and Mobile Connect Profile DI v2.3

+ + - name: KYC MATCH + description: >- +

 

+ +

KYC Match

+ +

KYC Match provides a mechanism for Service Providers to receive feedback + from an operator on key parameters associated with a user’s mobile device account + to prevent it being used as part of an Service Provider account takeover attack. + This mechanism is based on comparing the data held by the Service Provider with + that held by the operator. The actual data compared will be implementation specific + but the underlying mechanism does not change.

+ +

Flavours

+ +

KYC is provided in a two flavours:

+ + + +

The latter approach ensures that the Operator and the TSP do not learn anything new about the user.

+ +

 

+ +

Pre-requisites

+ +

Before you can make a live authentication request you need to ensure that the + following pre-requisites have been completed

+ +

You have obtained Operator endpoints and credentials.

+ +

The Operator Mobile Connect endpoints and credentials can be retrieved + using the Discovery service or will be provided to you if + you are working directly with an operator.

+ +

Access to the operator ID Gateway is confirmed

+ +

You should have received confirmation (either via Mobile Connect + Support or directly from the operator) that your credentials have been + enabled on the operator ID Gateway - note that this will include the + redirect_uri and sector_identifier_uri that you will be + using and have registered with the Developer Portal or provided to the operator.

+ +

You can, of course, use the Sandbox at any time.

+ +

 

+ +

Using attributes

+ +

There are two possible approaches to using attributes in KYC Match

+ + + +

 

+ +

Attribute set

+ +

The following attributes are available in KYC Match.

+ +

Name attributes

+ +

These attributes provide the users name.

+ + + +

Address attributes

+ +

These attributes provide the users address.

+ + + +

Other attributes

+ +

Attributes other name name or address.

+ + + +

 

+ +

Response match values

+ +

The response match values indicate if there has been a match. If the match fails then the response will indicate the reason.

+ + + + + + + + + + + + + + + + + + + + + + + +
ResponseDescription
YMatch is successful
N-NAMatch failed. Data is not available.
N-AVMatch failed. Data is available.
N-ADMatch failed. Data is available, but access is denied.
+ +

 

+ +

Operator Implementations

+ +

KYC Match is only supported as part of Mobile Connect v2.3 and operators are free to decide which variant of the KYC Match service they wish to support.

+ +

The KYC Match service MAY issue a notification to the end user if it receives a request from a TSP with Level2 trusted status (i.e., where the TSP has already captured consent); doing so ensures that the user is aware that the KYC Match service has been invoked against their MSISDN

+ +

Normalisation rules

+ +

Mobile Connect KYC Match normalization rules for attributes should be negotiated offline between Operators and SPs for a given geographic region / market..

+ - name: ERROR HANDLING + description: >- + +

Mobile Connect defines various error messages based on different scenarios that + will be returned to the Service Provider. These error messages are related to:

+ + + +

Notes

+ +

If authorization request contains a state parameter, then the error response MUST + contain "state “parameter value. The value is set to the value received from the + Service Provider. If correlation_id is provided in the authorization request, + then it must be included in the response, and the value must be set to the value + received from the Service Provider.>/p> + +

The following is the example error response.

+ +
+      HTTP/1.1 302 Found
+      Location: https://sp.example.org/redirct_here
+        ?error=invalid_request
+        &error_description=Invalid%20response_type%20value
+        &state=af0ifjsldkj
+        &correlation_id=
+      
+ +

 

+ +

Generic Errors

+ +

If redirect_uri is missing or redirect_uri value is invalid, then Operator ID + Gateway will always treat this as a high priority error and MUST return the + appropriate error response as described in the following table.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
HTTP ResponseError CodeError DescriptionScenario
400 Bad requestinvalid_requestredirect_uri is invalidThe redirect_uri value is invalid or not a registered URI.
302 Foundaccess_deniedUnknown userMSISDN/ENCR MSISDN/ PCR provided does not belong to the Operator.
302 Foundaccess_deniedUser is not recognizedMSISDN/ENCR MSISDN/ PCR provided does not belong to the Operator.
302 Foundaccess_deniedMobile Connect User is not registeredMSISDN/MSISDN belongs to the Operator, but MC services are not enabled.
+ Note: IDGW policy does not allow creation of partially active accounts.
302 Foundaccess_deniedUnknown Mobile Connect UserMSISDN/ENCR_MSISDN belongs to the Operator, but MC services are not enabled.
+ Note: IDGW policy does not allow creation of partially active accounts.
302 Foundtemporarily_unavailableInternal Server ErrorSystem connection problems [internal to IDGW] (or)
+ Authenticator unreachable (or)
+ Expiration in server (or)
+ Any Unexpected error [internal to IDGW] +
302 Foundserver_errorInternal Server ErrorSystem connection problems [internal to IDGW] (or)
+ Authenticator unreachable (or)
+ Expiration in server (or)
+ Any Unexpected error [internal to IDGW] +
302 Foundaccess_deniedThe user is busy with another transactionMultiple requests for the same MSISDN sent at the same time.
302 Foundinvalid_requestMANDATORY parameter response_type is missing or value is invalidThe response_type parameter is missing or invalid.
302 Foundinvalid_requestMANDATORY parameter client_id is missingThe client_id parameter value is invalid.
302 Foundinvalid_requestThe client is not authorized to request an authorization codeThe client_id is valid, but not allowed to make MC service requests
302 Foundaccess_denied The client is not allowed to make MC service requestsThe client_id is valid, but not allowed to make MC service requests.
302 Foundunauthorized_clientThe client is not allowed to make MC service requestsThe client_id is valid, but not allowed to make MC service requests.
302 Foundinvalid_requestMANDATORY parameter scope is missingThe scope parameter is missing.
302 Foundinvalid_requestThe scope value is invalidThe scope value "openid" is missing (or)
+ invalid scope values. +
302 Foundinvalid_scopeMANDATORY parameter scope is missingThe scope parameter is missing.
302 Foundinvalid_scopeThe scope value is invalidThe scope value "openid" is missing (or)
+ invalid scope values. +
302 Foundinvalid_requestMANDATORY parameter version is missing / invalid.The version parameter is missing (or)
+ version parameter value is invalid.
302 Foundinvalid_requestRECOMMENDED parameter state is invalid The state parameter exists, but the value is invalid.
302 Foundinvalid_requestMANDATORY parameter nonce is missing (or) invalid. nonce parameter is missing (or)
nonce parameter exists, but the value is empty
302 Foundinvalid_requestMANDATORY parameters login_hint_token (or) login_hint does not exist.

login_hint and login_hint_token parameters are missing

+

Note: In the following conditions the IDGW SHOULD prompt the user to input MSISDN instead of throwing an error;
+ -- MC service is for stand-alone authentication only in the device-initiated mode.
+ -- If IDGW policy allows to capture MSISDN directly from the user [FC mode only].

+
302 Foundinvalid_requestMalformed request, duplicate parameter entrieslogin_hint and login_hint_token both exist.
302 Foundinvalid_requestInvalid value for login_hint or login_hint_token The login_hint (or) login_hint_token value is invalid
302 Foundinvalid_requestMANDATORY parameter acr_values are missing or invalid values. The acr_values parameter is missing (or)
+ acr_values exist but contains an invalid value, other than supported values +
302 Foundinvalid_requestInvalid display value. / not supported. display parameter exists and it has an invalid value (or)
+ display parameter exists and IDGW does not support the requested value +
302 Foundinvalid_requestMultiple parameter names in the authorization request. Malformed requestThe same parameter exists multiple times.
302 Foundinvalid_requestPrompt value is invalidprompt value exists, and it has an invalid value.
302 Foundinvalid_requestclaims value is invalid, claims parameter exists, but it does not contain any value (or)
+ claims parameter exists, but it has invalid values.
302 Foundinvalid_requestGET request invalid serializationGET request is used, and the request parameter is NOT serialized using URI string serialization, IDGW able to validate the redirect_uri.
302 Foundinvalid_requestPOST request Invalid serializationPOST request is used, the request parameters are NOT serialized using form serialization, IDGW can validate the redirect_uri.
302 Foundinvalid_requestresponse_mode contains same as response_type (or) invalidresponse_mode parameter exists, and it has a value not supported by the Operator IDGW.
302 Foundinvalid_requestInvalid max_age valuemax_age parameter exists, and it has an invalid value.
302 Foundinvalid_requestMalformed request multiple problems existMultiple problems in authorization request [redirect URI is valid].
302 Foundinvalid_requestInvalid correlation_id value. correlation_id exists, but it has an empty value
302 Foundinvalid_requestInvalid client_name value client_name exists but it has empty value (or)
+ client_name parameter exists, but the provided value is not a registered client_name with Operator IDGW and invalid. +
+ +

NOTE: the error messages defined above only apply to Mobile Connevt DI v2.3.

+######################################################################################### +# CALL DEFINITIONS +######################################################################################### +host: operator.com +paths: +######################################################################################### +# AUTHENTICATION +######################################################################################### + /authorize?[Authentication-params]: + get: + tags: + - AUTHENTICATION + summary: Authorize + description: >- +

Requests that the operator ID Gateway authenticate an end-user and return a + value which can be used to make the Get Tokens call.

+ +

Overview

+ +

Once the user has selected the Mobile Connect button the application should open + up a pop-up window or web view. The application will load this window with the + authorise request. A successful authorise request will result in a 302 Found response from + the operator ID Gateway where the Location header will point to the operator wait screen. This + screen displays a message to the end-user that a message has been sent to their device + using the operator's selected authenticator. + (You can see this in the Sandbox where an SMS wait screen is displayed).

+ +

Once the end-user has authenticated themselves another 302 Found + is returned to the redirect_uri + passed in the initial request (and previously registered with the operator ID gateway). + The response will have a number of URI parameters which are used to build the + follow-up Get Tokens call

+ +

Response parameters

+ +

The URI response parameters are:

+ + + +

Error responses

+ +

If there are issues with the request the response will be + 400 Bad Request. All other errors will be provided as part of the + 302 Found response, with URI parameters in the format:

+ + + +

Error responses will vary according to the Mobile Connect Profile. More + details on error responses can be found here.

+ +

+ +

 

+ parameters: + - in: query + name: client_id + description: >- +

The client_id field obtained from the Discovery response + which is used as the unique client identifier of the SP

+ +

This parameter is required for all Mobile Connect Profiles

+ required: true + type: string + x-example: x-a94d903f-ad45-4135-80b8-ac459f41b38f + - in: query + name: redirect_uri + description: >- +

The URI to which ID Gateway responses are sent. + The redirect_uri is defined during application + registration.

+ +

This parameter is required for all Mobile Connect Profiles

+ required: true + type: string + x-example: 'http://localhost/' + - in: query + name: response_type + description: >- +

Indicates the grant + type (i.e. method). The value must always be code to + indicate the Authorisation Code Flow.

+

This parameter is required for all Mobile Connect Profiles

+ required: true + enum: + - code + type: string + x-example: code + - in: query + name: scope + description: >- +

Space delimited, case-sensitive ASCII, strings of the scope values used to indicate + the services being requested. For more information see the + Scope values + page.

+ +

For Mobile Connect Profile v1.1 Authentication requests the scope values should be + openid + +

For all other Mobile Connect Authentication requests the scope values should be + openid mc_authn + +

This parameter is required for all Mobile Connect Profiles

+ required: true + enum: + - openid + - openid mc_authn + type: string + x-example: openid mc_authn + - in: query + name: version + type: string + required: true + description: >- +

This parameter identifies the Mobile Connect profile version.

+ +

This parameter is required for Mobile Connect DI Profile v2.3 + (mc_di_r2_v2.3) and Mobile Connect Profile v2.0 + (mc_v2.0). It is not supported by Mobile Connect Profile v1.1, but + mc_v1.1 can be used with ID Gateways that support Mobile + Connect Profiles v2.0 & SI v2.3 to ensure a v1.1 flow.

+ enum: + - mc_v1.1 + - mc_v2.0 + - mc_di_r2_v2.3 + x-example: mc_v1.1 + - in: query + name: state + description: >- +

Value used by the client to maintain state between request and callback. + Also used as a security mechanism , if a cryptographic binding is done with + the browser cookie, to prevent Cross-Site Request Forgery. The recommended + format is UUID4.

+ +

This parameter is required for all Mobile Connect Profiles.

+ required: true + type: string + x-example: eee40fe4-8a8d-4b26-8dfd-2fb4d52aa368 + - in: query + name: nonce + description: >- +

String value used to associate a client session with the ID Token. + It is passed unmodified from Authorisation Request to ID Token. The value + SHOULD be unique per session to mitigate replay attacks. The recommended + format is UUID4.

+ +

This parameter is required for all Mobile Connect Profiles.

+ required: true + type: string + x-example: 878aacd7-83f1-4b4f-9582-7347b0a6fa62 + - in: query + name: display + description: >- +

Specifies the user interface display for the Authentication and Consent flow.

+

Values are:

+ +

page: The UI SHOULD be consistent with a full page view of the User-Agent.

+

pop-up: Use a pop-up window. (The popup window SHOULD be 450px X 500px)

+

touch: Display a UI consistent with a “touch” based interface.

+

wap: The UI SHOULD be consistent with a “feature-phone” device display

+ +

These values will only be respected if supported by the ID Gateway.

+ +

This is an optional parameter supported by all Mobile Connect Profiles.

+ required: false + enum: + - page + - pop-up + - touch + - wap + default: page + type: string + x-example: touch + - in: query + name: prompt + description: >- +

Specifies to the IDGW Server whether to prompt the end-user for re-authentication and consent.

+

Values are:

+ +

none: MUST NOT display any UI for reauthentication or consent to the user. If the user is not authenticated already, or authentication or consent is needed to process the Authorisation Request, a login_required error is returned. This can be used as a mechanism to check existing authentication or consent.

+

no_seam: prompt the end-user if the authentication session is not valid. Caters for the 3G/4Ghot-spots, tethered phone etc. scenarios

+ +

This is an optional parameter supported by all Mobile Connect Profiles.

+ required: false + enum: + - none + - no_seam + default: TBC + type: string + x-example: consent + - in: query + name: max_age + description: >- +

Indicator of the maximum elapsed time in seconds since the last + authentication of the end-user. If the elapsed time is greater than + this value, a re-authentication must be done. When this parameter is + in present the request, the ID Token will contain the + auth_time claim value

+ +

This parameter is optional for Mobile Connect DI Profile v2.3 and Mobile + Connect Profile v.2.0. It is recommended for Mobile Connect Profile v1.1.

+ required: false + type: string + x-example: 3600 + - in: query + name: ui_locales + description: >- +

Space separated list of user preferred languages and scripts for + the UI as per RFC5646. The parameter is for guidance only and in + case a requested locale is not supported then the user interface + will be provided in the default language of the ID Gateway.

+ +

This is an optional parameter supported by all Mobile Connect + Profiles

+ required: false + type: string + x-example: fr-CA fr en + - in: query + name: claims_locales + description: >- +

Space separated list of user preferred languages and scripts for + the claims, defines as per RFC5646. The parameter is for guidance + only and in case a requested locale is not supported then the claims + will be provided in the default language of the ID Gateway.

+ +

This is an optional parameter supported by all + Mobile Connect Profiles

+ required: false + type: string + x-example: fr-CA fr en + - in: query + name: id_token_hint + description: >- +

Previously issued ID token passed as a hint for the current or past + authentication session, generally used in conjunction with + prompt=none. If the ID Token is still valid and the + end-user is logged in then the server returns a positive response, + otherwise will return a login_error response. For + the ID Token, the server does not need to be listed as audience, + when included in the id_token_hint

+ +

This is an optional parameter supported by all Mobile Connect Profiles.

+ required: false + type: string + x-example: eyJhbGciOiJSUzI1NiIsImtpZCI6IjdlOGFkZmM + - in: query + name: login_hint + description: >- +

An indication to the ID Gateway about what ID to use for login. Using this + parameter allows the end-user to skip the login identifier. The values passed + will be a type and associated value (see example).

+ +

This is an optional parameter supported by all Mobile Connect Profiles.

+ required: false + enum: + - MSISDN: + - ENCR_MSISDN: + - PCR: + type: string + x-example: 'MSISDN:447700900907' + - in: query + name: login_hint_token + description: >- +

Encrypted JSON Web Token (JWT) that contains a user hint + about the SP for an individual Mobile + Network Operator (MNO). The login_hint_token should + be used by the SP as a login hint with the particular MNO, so the + MNO recognises the SP that is trying to get a response.

+ +

This parameter is optional for Mobile Connect DI Profile + v2.3 and Mobile Connect Profile v2.0. and is not + supported by Mobile Connect Profile v1.1

+ required: false + type: string + x-example: n5JhbwerOiJSUzI1NiVm23reNp2DSE6sdfDEgcFnB + - in: query + name: acr_values + description: >- +

Level of Assurance to be used to authenticate an end-user. The values appear + as order of preference. The acr used during authentication + is returned as acr claim value. When it is present the Authentication endpoint should satisfy one for the + end-user's authentication. The recommended values are the LOAs as + specified in ISO/IEC 29115 + Clause 6 – 1, 2, 3, 4 – representing the LOAs of LOW, MEDIUM, HIGH and VERY HIGH.

+ +

This parameter is required for all Mobile Connect Profiles.

+ required: false + enum: + - 1 + - 2 + - 3 + - 4 + type: string + x-example: 3 2 + - in: query + name: response_mode + description: >- +

Informs the ID Gateway of the mechanism to be used for returning + parameters from the Authorize Endpoint. Can be used when there is + no user agent

+ +

This parameter is optional for Mobile Connect DI Profile v2.3. It is + not supported by Mobile Connect Profile v2.0 and Mobile Connect Profile 1.1

+ type: string + default: query + required: false + x-example: form_post + - in: query + name: correlation_id + description: >- +

Correlates a transaction across Mobile Connect components. The value is generated by the Service Provider + and must be locally unique.

+ +

This parameter should be used in conjunction + with your operator partner and only for tracing and resolving issues. If you are using the Discovery service then you should use the same correlation ID + that you use in the Discovery call. The recommended format is UUID4.

+ +

This parameter is optional for Mobile Connect DI Profile + v2.3 and Mobile Connect Profile v2.0. and is not + supported by Mobile Connect Profile v1.1

+ type: string + required: false + x-example: 42da5b19-457a-4d30-a5c4-038c62dccbb0 + - in: query + name: dtbs + description: >- +

This is a text string to be signed with the private key owned by the + SIM card of the end-user. The signed data is returned in the ID + Claim, as private JWT claims for this profile.

+ +

This parameter is only supported by Mobile Connect Profile 1.1

+ type: string + required: false + responses: + '302': + description: Found + headers: + Location: + type: string + description: >- +

The resource requested has been temporarily moved to the URL given + by the Location header.

+ +

This will be the location of the MNO wait screen + that tells the end-user that they have been sent a message and should + respond to it.

+ '400': + description: Bad Request + schema: + $ref: '#/definitions/Response_400_Authorize' + x-code-samples: + - lang: HTTPS + source: >- + https://operator-a.sandbox.mobileconnect.io/oidc/authorize?client_id=YzZjNmZjNmItNGZjYS00ZjIyLTkyMWYtNTdjYzM0M2U0YjQ1Om9wZXJhdG9yLWE=&scope=openid&response_type=code&redirect_uri=https://localhost/&acr_values=2&nonce=878aacd7-83f1-4b4f-9582-7347b0a6fa62&state=eee40fe4-8a8d-4b26-8dfd-2fb4d52aa368&login_hint=ENCR_MSISDN:eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwia2lkIjoib3BlcmF0b3ItYV9lbmMiLCJ0eXAiOiJKV0UifQ.ZSQma37JFP_Mx2OMp9VzOZ-Puh4jq0q4x-AiT25-5NvBS00lPTbG4_lUR0-Ie3WO55R088y0ecu_wmFOKtWaUPMsvXiW3L1RdqrjY9eXz8vKTofsqTvIUwoD1yIFn6qj0l8yGQdMshIgFyW84qecyY4GRrUdfGRRanO1fhWTir7zDnUj1ZrtQPwnFK4yfIjl0v9L3HqYNZxTv8mEVIYCFx00jvuOd4T1LrGLai0bcFZFSZqcyQQIBCPCvWdTbYP2i2Le6SnlIf6JugfiW5LSRiWAx6e9eTwfN5g0yEJRCqe7kuNwTl164wsUQz9oGmEC9--wVeA2ScMcP456nBEU_w.LcYmWHsB-0cgBSib1eanrg.knvvx6QBv8cKGNY6oCiIxA.5xnd4-UcUZMgpxCGGALByIiAZnKITeFifazkqkLCHJE +######################################################################################### +# AUTHENTICATION: GET TOKEN +######################################################################################### + /authentication-token_endpoint: + post: + tags: + - AUTHENTICATION + summary: Get Tokens + consumes: + - application/x-www-form-urlencoded + description: >- +

Returns a signed ID Token and an + Access Token when passed the code value + returned from a previous authorize request.

+ +

Handling the response

+ +

The Access Token is used to access further protected resources, but for + Authentication we only need the ID Token as this contains the + end-user PCR. To access this the ID Token will need to be + decoded, validated and verified. Full details on this process can be found on + the tokens page.

+ +

The PCR is your user identifier and will be consistent for each request. + It should be stored against the end-user’s account.

+ +

Mobile Connect Implementations

+ +

Unless specified in the parameter descriptions all parameters apply to + Mobile Connect Profile v1.1, Mobile Connect v2.0 & Mobile Connect Profile DI v2.3

+ parameters: + - in: formData + name: grant_type + type: string + required: true + enum: + - authorization_code + description: >- +

Describes the method to be used for the + processing flow. The value of this parameter must always be + authorization_code. + x-example: authorization_code + - in: formData + name: code + type: string + required: true + description: >- +

Authorisation code received from the ID Gateway as a result of the + successful Authorize request. Allows the SP to obtain the Access Token + and the ID Token from the ID Gateway.

+ x-example: efb1467d-b6b0-4145-834f-72285442f1a9 + - in: formData + name: redirect_uri + type: string + required: true + description: >- +

URI to which the responses from the ID Gateway are sent. The value of this + parameter must match that sent in the authorise request.

+ x-example: 'https://example.com/callback' + - in: formData + name: correlation_id + type: string + required: false + description: >- +

The same correlation_id submitted in the initial + authorize request.

+ +

This parameter is optional for Mobile Connect DI Profile + v2.3 and Mobile Connect Profile v2.0. and is not + supported by Mobile Connect Profile v1.1

+ x-example: 42da5b19-457a-4d30-a5c4-038c62dccbb0 + - in: header + name: Authorization + description: >- +

Uses HTTP basic + authentication to access the API. This is a Base64 encoded + string of your client_id:client_secret

+ required: true + type: string + x-example: Basic czZCaGRSa3F0MzpnWDFmQmF0M2== + - in: header + name: Content-Type + description: >- + Resource content type. + required: true + enum: + - application/x-www-form-urlencoded + type: string + x-example: application/x-www-form-urlencoded + responses: + '200': + description: OK + schema: + $ref: '#/definitions/Response_200_for_Get_Tokens' + '400': + description: Bad Request + schema: + $ref: '#/definitions/Response_400_Get_Tokens' + headers: + Content-Type: + description: Resource content type + type: string + x-example: application/json +######################################################################################### +# AUTHORISATION: +######################################################################################### + /authorize?[Authorisation-params]: + get: + tags: + - AUTHORISATION + summary: Authorize + description: >- +

Requests that the operator ID Gateway capture an end-user authorisation to + allow the SP to perform an action on their behalf and returns values which can be used to make the + Get Tokens + +

Overview

+ +

Once the user has selected the Mobile Connect button and the application has + opened a pop-up or web-view then the browser will make the Authorize request + using a 302 Found sent from the SP application. A successful + request will result in a 302 Found response from + the operator ID Gateway where the location will point the operator wait screen. This + screen displays a message to the end-user that a message has been sent to their device + using the operator's selected authenticator. + (You can see this in the Sandbox where an SMS wait screen is displayed).

+ +

Once the end-user has authorised the transaction a 302 Found + is returned to the redirect_uri + passed in the initial request (and previously registered with the operator ID gateway). + The response will have a number of URI parameters which are used to build the + follow-up Get Tokens call

+ +

Response parameters

+ +

The URI response parameters are:

+ +
    +
  • code: Authorization code as per OAuth 2.0 section 4.1.2. This code will be used in the Get Token call.
  • +
  • state: This must equal the state parameter in the initial Authenticate User request.
  • +
  • correlation_id: If the initial request included a correlation_id then this will be included. Not + supported for Mobile Connect Profile v1.1.
  • +
+ +

Error responses

+ +

If there are issues with the request the response will be + 400 Bad Request. All other errors will be provided as part of the + 302 Found response, with URI parameters in the format:

+ +
    +
  • error: Error type.
  • +
  • error_description: Description of the error.
  • +
+ +

Error responses will vary according to the Mobile Connect Profile. More + details on error responses can be found here.

+ +

+ +

 

+ parameters: + - in: query + name: client_id + description: >- +

The client_id field obtained from the Discovery response + which is used as the unique client identifier of the SP

+ required: true + type: string + x-example: x-a94d903f-ad45-4135-80b8-ac459f41b38f + - in: query + name: redirect_uri + description: >- +

The URI to which ID Gateway responses are sent. + The redirect_uri is defined during application + registration.

+ required: true + type: string + x-example: 'http://localhost/' + - in: query + name: response_type + description: >- +

Indicates the grant + type (i.e. method). The value must always be code to + indicate the Authorisation Code Flow.

+ required: true + enum: + - code + type: string + x-example: code + - in: query + name: scope + description: >- +

Space delimited, case-sensitive ASCII, strings of the scope values used to indicate + the services being requested. For more information see the + Scope values + page.

+ required: true + enum: + - openid mc_authz + default: + - openid mc_authz + type: string + x-example: openid mc_authz + - in: query + name: version + description: >- +

This parameter identifies the Mobile Connect profile version.

+ type: string + required: true + enum: + - mc_v2.0 + - mc_di_r2_v2.3 + x-example: mc_di_r2_v2.3 + - in: query + name: state + description: >- +

Value used by the client to maintain state between request and callback. + Also used as a security mechanism, if a cryptographic binding is done with + the browser cookie, to prevent Cross-Site Request Forgery. The recommended + format is UUID4.

+ required: true + type: string + x-example: eee40fe4-8a8d-4b26-8dfd-2fb4d52aa368 + - in: query + name: nonce + description: >- +

String value used to associate a client session with the ID Token. + It is passed unmodified from Authorisation Request to ID Token. The value + SHOULD be unique per session to mitigate replay attacks. The recommended + format is UUID4.

+ required: true + type: string + x-example: 878aacd7-83f1-4b4f-9582-7347b0a6fa62 + - in: query + name: display + description: >- +

Specifies the user interface display for the Authentication and Consent flow.

+

Values are:

+ +

page: The UI SHOULD be consistent with a full page view of the User-Agent.

+

pop-up: Use a pop-up window. (The popup window SHOULD be 450px X 500px)

+

touch: Display a UI consistent with a “touch” based interface.

+

wap: The UI SHOULD be consistent with a “feature-phone” device display

+ +

These values will only be respected if supported by the ID Gateway.

+ required: false + enum: + - page + - pop-up + - touch + - wap + type: string + x-example: touch + - in: query + name: prompt + description: >- +

Specifies to the IDGW Server whether to prompt the end-user for re-authentication and consent.

+

Values are:

+ +

none: MUST NOT display any UI for reauthentication or consent to the user. If the user is not authenticated already, or authentication or consent is needed to process the Authorisation Request, a login_required error is returned. This can be used as a mechanism to check existing authentication or consent.

+

no_seam: prompt the end-user if the authentication session is not valid. Caters for the 3G/4Ghot-spots, tethered phone etc. scenarios

+ +

This is an optional parameter supported by all Mobile Connect Profiles.

+ required: false + enum: + - none + - no_seam + default: TBC + type: string + x-example: consent + - in: query + name: max_age + description: >- +

Indicator of the maximum elapsed time in seconds since the last + authentication of the end-user. If the elapsed time is greater than + this value, a re-authentication must be done. When this parameter is + in present the request, the ID Token must contain the + auth_time claim value

+ required: false + type: string + x-example: 3600 + - in: query + name: ui_locales + description: >- +

Space separated list of user preferred languages and scripts for + the UI as per RFC5646. The parameter is for guidance only and in + case a requested locale is not supported then the user interface + will be provided in the default language of the ID Gateway.

+

This is an optional parameter supported by all Mobile Connect + Profiles

+ required: false + type: string + x-example: fr-CA fr en + - in: query + name: claims_locales + description: >- +

Space separated list of user preferred languages and scripts for + the claims, defines as per RFC5646. The parameter is for guidance + only and in case a requested locale is not supported then the claims + will be provided in the default language of the ID Gateway.

+ required: false + type: string + x-example: fr-CA fr en + - in: query + name: id_token_hint + description: >- +

Previously issued ID token passed as a hint for the current or past + authentication session, generally used in conjunction with + prompt=none. If the ID Token is still valid and the + end-user is logged in then the server returns a positive response, + otherwise SHOULD return a login_error response. For + the ID Token, the server does not need to be listed as audience, + when included in the id_token_hint + required: false + type: string + x-example: eyJhbGciOiJSUzI1NiIsImtpZCI6IjdlOGFkZmM + - in: query + name: login_hint + description: >- +

An indication to the ID Gateway about what ID to use for login. Using this + parameter allows the end-user to skip the login identifier. The values passed + will parameter type and the parameter value (see example).

+ required: false + enum: + - MSISDN: + - ENCR_MSISDN: + - PCR: + type: string + x-example: 'MSISDN:447700900907' + - in: query + name: login_hint_token + description: >- +

Encrypted JSON Web Token (JWT) that contains a user hint + about the SP for an individual Mobile + Network Operator (MNO). The login_hint_token should + be used by the SP as a login hint with the particular MNO, so the + MNO recognises the SP that is trying to get a response.

+ required: false + type: string + x-example: n5JhbwerOiJSUzI1NiVm23reNp2DSE6sdfDEgcFnB + - in: query + name: acr_values + description: >- +

Level of Assurance to be used to authenticate an end-user. The values appear + as order of preference. The acr using during authentication + is returned as acr claim value. This parameter is optional, however, + when it is present the Authentication endpoint should satisfy one of + them for end-user's authentication. The recommended values are the LOAs as + specified in ISO/IEC 29115 + Clause 6 – 1, 2, 3, 4 – representing the LOAs of LOW, MEDIUM, HIGH and VERY HIGH.

+ required: true + enum: + - 1 + - 2 + - 3 + - 4 + type: string + x-example: 3 2 +##### response_mode + - in: query + name: response_mode + description: >- +

Informs the ID Gateway of the mechanism to be used for returning + parameters from the Authorize Endpoint. Can be used when there is + no user agent

+ +

This parameter is optional for Mobile Connect DI Profile v2.3. + It is not supported by Mobile Connect Profile v2.0>

+ type: string + default: query + required: false + x-example: form_post +##### client_name + - in: query + name: client_name + description: >- +

A short name to identify the SP client application which will + be displayed on end-user de vice during the authorisation flow. This + short name is created when the application is registered + on the Developer Portal.

+ required: true + type: string + x-example: AppName +##### binding_message + - in: query + name: binding_message + description: >- +

Client provided plain text, to interlock the consumption device + and authorisation device for a better + user experience. The message will be displayed on both devices. Empty values + are allowed (zero length).

+ required: true + type: string + x-example: Sample message +##### context + - in: query + name: context + description: >- +

A transaction or action based message provided by the client Application + which will be displayed on the authentication device of the end-user.

+ required: true + type: string + x-example: Transfer $100 +##### correlation_id + - in: query + name: correlation_id + description: >- +

Correlates a transaction across Mobile Connect components. The value is generated by the Service Provider + and must be locally unique.

+ +

This parameter should be used in conjunction + with your operator partner and only for tracing and resolving issues. If you are using the Discovery service then you should use the same correlation ID + that you use in the Discovery call. The recommended format is UUID4.

+ type: string + required: false + x-example: 42da5b19-457a-4d30-a5c4-038c62dccbb0 + responses: + '302': + description: Found + headers: + Location: + type: string + description: >- +

The resource requested has been temporarily moved to the URL given + by the Location header.

+ +

This will be the location of the MNO wait screen + that tells the end-user that they have been sent a message and should + respond to it.

+ '400': + description: Bad Request + schema: + $ref: '#/definitions/Response_400_Authorize' + x-code-samples: + - lang: HTTPS + source: >- + https://operator-g.sandbox.mobileconnect.io/oidc/authorize?redirect_uri=http%3A%2F%2Flocalhost&client_id=YmY4OGQzYzEtZWU5Yy00ZTRiLTkzNGMtMGVmMmI1YjBiOGEyOm9wZXJhdG9yLWc%3D&response_type=code&scope=openid+mc_authz&acr_values=2&state=eee40fe4-8a8d-4b26-8dfd-2fb4d52aa368&nonce=878aacd7-83f1-4b4f-9582-7347b0a6fa62&display=page&max-age=3600&version=mc_di_r2_v2.3&binding_message=transaction%100&client_name=Test%Application%Name&context=transfer%100%to%Bob&login_hint=ENCR_MSISDN%3Aef091a26a09a5b3cd249cbb651a89ad7ee37a41f33336130d5931976af73f3794dc5d4c74ede726605a94b1d76e306e7a8a43c4d7db177f40fdbe27b392b27b41744c6173f99aa3fec955f75623954aa3bee5877c4c058b9e1ce7658bc91039c6cf31e4d16d7fc5147f572eba111e43399353cd727aac4a286b7618d6704b9f57f5b82b47ea26ed871b873da4315f212acce7ee1ec122770b799cd8341737be501b1c1985ba43f074a713bd487eac7d7736bc67597e821c0e69ba1134f8c2536aac7ae9e465ae106e6e2a33dffeca256148a89ccd5b8e7b4621e57c091d609dc91a6dc19da02ad40bc0592ee7ae2e0baa110d744d873458d06f18ad998a0cf94 +######################################################################################### +# AUTHORIZATION: GET TOKENS +######################################################################################### + /authorisation-token_endpoint: + post: + tags: + - AUTHORISATION + summary: Get Tokens + consumes: + - application/x-www-form-urlencoded + description: >- +

Returns an Access Token and a + signed ID Token when passed the code value + returned from a previous Authorize request.

+ +

Handling the response

+ +

The Access Token is used to access further protected resources, but for + Authorisation we only need the ID Token as this contains the + end-user PCR. To access this the ID Token will need to be + decoded, validated and verified. Full details on this process can be found on + the tokens page.

+ +

The PCR is your user identifier and will be consistent for each request. + It should be stored against the end-user’s account.

+ +

Mobile Connect Implementations

+ +

Unless specified in the parameter descriptions all parameters apply to + Mobile Connect v2.0 & Mobile Connect Profile DI v2.3

+ parameters: + - in: formData + name: grant_type + type: string + required: true + enum: + - authorization_code + description: >- +

Describes the method to be used for the + processing flow. The value of this parameter must always be + authorization_code. + x-example: authorization_code + - in: formData + name: code + type: string + required: true + description: >- +

Authorisation code received from the ID Gateway as a result of the + successful Authorize request. Allows the SP to obtain the Access Token + and the ID Token from the ID Gateway.

+ x-example: efb1467d-b6b0-4145-834f-72285442f1a9 + - in: formData + name: redirect_uri + type: string + required: true + description: >- +

URI to which the responses from the ID Gateway are sent. The value of this + parameter must match that sent in the request.

+ x-example: 'https://example.com/callback' + - in: formData + name: correlation_id + type: string + required: false + description: >- +

The same correlation_id submitted in the initial + authorize request. The correlation_id tracks the transaction + correlation across the Mobile Connect components (Discovery, Mobile + Connect). The value for this parameter is generated only by the SP and it + must be locally unique.

+ x-example: 42da5b19-457a-4d30-a5c4-038c62dccbb0 + - in: header + name: Authorization + description: >- +

Uses HTTP basic + authentication to access the API. This is a Base64 encoded + string of your client_id:client_secret

This + parameter is required for all Mobile Connect Profiles

+ required: true + type: string + x-example: Basic czZCaGRSa3F0MzpnWDFmQmF0M2== + - in: header + name: Content-Type + description: >- + Resource content type

This parameter is required for all + Mobile Connect Profiles

+ required: true + type: string + x-example: application/x-ww-form-urlencoded + responses: + '200': + description: OK + schema: + $ref: '#/definitions/Response_200_for_Get_Tokens' + '400': + description: Bad Request + schema: + $ref: '#/definitions/Response_400_Get_Tokens' + headers: + Content-Type: + description: Resource content type + type: string + x-example: application/json +######################################################################################### +# SIGN_UP: AUTHORIZE REQUEST +######################################################################################### + /authorize?[signup-params]: + get: + tags: + - SIGN-UP + summary: Authorize + parameters: +##### client_id + - in: query + name: client_id + description: >- +

The client_id field obtained from the Discovery response + which is used as the unique client identifier of the SP

+ required: true + type: string + x-example: x-a94d903f-ad45-4135-80b8-ac459f41b38f +##### redirect_url + - in: query + name: redirect_uri + description: >- +

The URI to which ID Gateway responses are sent. + The redirect_uri is defined during application + registration.

+ required: true + type: string + x-example: 'http://localhost/' +##### Response Type + - in: query + name: response_type + description: >- +

Indicates the grant + type (i.e. method). The value must always be code to + indicate the Authorisation Code Flow.

+ required: true + enum: + - code + type: string + x-example: code +##### scope + - in: query + name: scope + description: >- +

Space delimited, case-sensitive ASCII, strings of the scope value used to indicate + the service being requested. For more information see the + Scope values + page.

+ required: true + enum: + - openid mc_identity_signup + type: string + x-example: openid mc_identity_signup +##### version + - in: query + name: version + description: >- +

This parameter identifies the Mobile Connect profile version. This + parameter is required for Mobile Connect DI Profile v2.3 + (mc_di_r2_v2.3) and Mobile Connect Profile v2.0 (mc_v2.0).

+ required: true + enum: + - mc_v2 + - mc_di_r2_v2.3 + type: string + x-example: mc_di_r2_v2.3 +##### state + - in: query + name: state + description: >- +

Value used by the client to maintain state between request and callback. + Also used as a security mechanism, if a cryptographic binding is done with + the browser cookie, to prevent Cross-Site Request Forgery. The recommended + format is UUID4.

+ required: true + type: string + x-example: eee40fe4-8a8d-4b26-8dfd-2fb4d52aa368 +##### nonce + - in: query + name: nonce + description: >- +

String value used to associate a client session with the ID Token. + It is passed unmodified from Authorisation Request to ID Token. The value + SHOULD be unique per session to mitigate replay attacks. The recommended + format is UUID4.

+ required: true + type: string + x-example: 878aacd7-83f1-4b4f-9582-7347b0a6fa62 +##### display + - in: query + name: display + description: >- +

Specifies the user interface display for the Authentication and Consent flow.

+

Values are:

+ +

page: The UI SHOULD be consistent with a full page view of the User-Agent.

+

pop-up: Use a pop-up window. (The popup window SHOULD be 450px X 500px)

+

touch: Display a UI consistent with a “touch” based interface.

+

wap: The UI SHOULD be consistent with a “feature-phone” device display

+ +

These values will only be respected if supported by the ID Gateway.

+ required: false + enum: + - page + - pop-up + - touch + - wap + type: string + x-example: touch +##### prompt + - in: query + name: prompt + description: >- +

Specifies to the IDGW Server whether to prompt the end-user for re-authentication and consent.

+

Values are:

+ +

none: MUST NOT display any UI for reauthentication or consent to the user. If the user is not authenticated already, or authentication or consent is needed to process the Authorisation Request, a login_required error is returned. This can be used as a mechanism to check existing authentication or consent.

+

no_seam: prompt the end-user if the authentication session is not valid. Caters for the 3G/4Ghot-spots, tethered phone etc. scenarios

+ required: false + enum: + - none + - no_seam + type: string + x-example: consent + - in: query +##### max-age + name: max_age + description: >- +

Indicator of the maximum elapsed time in seconds since the last + authentication of the end-user. If the elapsed time is greater than + this value, a re-authentication must be done. When this parameter is + in present the request, the ID Token must contain the + auth_time claim value

+ required: false + type: string + x-example: 3600 +##### ui_locales + - in: query + name: ui_locales + description: >- +

Space separated list of user preferred languages and scripts for + the UI as per RFC5646. The parameter is for guidance only and in + case a requested locale is not supported then the user interface + will be provided in the default language of the ID Gateway.

+ required: false + type: string + x-example: fr-CA fr en +##### claims_locales + - in: query + name: claims_locales + description: >- +

Space separated list of user preferred languages and scripts for + the claims, defines as per RFC5646. The parameter is for guidance + only and in case a requested locale is not supported then the claims + will be provided in the default language of the ID Gateway.

+ required: false + type: string + x-example: fr-CA fr en +##### id_token_hint + - in: query + name: id_token_hint + description: >- +

Previously issued ID token passed as a hint for the current or past + authentication session, generally used in conjunction with + prompt=none. If the ID Token is still valid and the + end-user is logged in then the server returns a positive response, + otherwise server SHOULD return a login_error response. For + the ID Token, the server does not need to be listed as audience, + when included in the id_token_hint + required: false + type: string + x-example: eyJhbGciOiJSUzI1NiIsImtpZCI6IjdlOGFkZmM +##### login_hint + - in: query + name: login_hint + description: >- +

An indication to the ID Gateway about what ID to use for login. Using this + parameter allows the end-user to skip the login identifier. The values passed + will parameter type and the parameter value (see example).

+ required: false + enum: + - MSISDN: + - ENCR_MSISDN: + - PCR: + type: string + x-example: 'MSISDN:447700900907' +##### login_hint_token + - in: query + name: login_hint_token + description: >- +

Encrypted JSON Web Token (JWT) that contains a user hint + about the SP for an individual Mobile + Network Operator (MNO). The login_hint_token should + be used by the SP as a login hint with the particular MNO, so the + MNO recognises the SP that is trying to get a response.

+ required: false + type: string + x-example: n5JhbwerOiJSUzI1NiVm23reNp2DSE6sdfDEgcFnB +##### acr_values + - in: query + name: acr_values + description: >- +

Level of Assurance to be used to authenticate an end-user. The values appear + as order of preference. The acr used during authentication + is returned as acr claim value. This parameter is optional, however, + when it is present the Authentication endpoint should satisfy one for the end-user's authentication. The recommended values are the LOAs as + specified in ISO/IEC 29115 + Clause 6 – 1, 2, 3, 4 – representing the LOAs of LOW, MEDIUM, HIGH and VERY HIGH.

+ required: true + enum: + - 1 + - 2 + - 3 + - 4 + type: string + x-example: 3 2 +##### response_mode + - in: query + name: response_mode + description: >- +

Informs the ID Gateway of the mechanism to be used for returning + parameters from the Authorize Endpoint. Can be used when there is + no user agent

+ +

This parameter is not supported by Mobile Connect Profile v2.0>

+ type: string + default: query + required: false + x-example: form_post +##### client_name + - in: query + name: client_name + description: >- +

A short name to identify the SP client application which will + be displayed on end-user de vice during the authorisation flow. This + short name is created when the application is registered + on the Developer Portal.

+ required: true + type: string + x-example: AppName +##### binding_message + - in: query + name: binding_message + description: >- +

Client provided plain text, to interlock the consumption device + and authorisation device for a better + user experience. The message will be displayed on both devices. Empty values + are allowed (zero length).

+ required: true + type: string + x-example: Sample message +##### context + - in: query + name: context + description: >- +

A transaction or action based message provided by the client Application + which will be displayed on the authentication device of the end-user.

+ required: true + type: string + x-example: Transfer $100 +##### correlation_id + - in: query + name: correlation_id + description: >- +

Correlates a transaction across Mobile Connect components. The value is generated by the Service Provider + and must be locally unique.

+ +

This parameter should be used in conjunction + with your operator partner and only for tracing and resolving issues. If you are using the Discovery service then you should use the same correlation ID + that you use in the Discovery call. The recommended format is UUID4.

+ type: string + required: false + x-example: 42da5b19-457a-4d30-a5c4-038c62dccbb0 + responses: + '302': + description: Found + headers: + Location: + type: string + description: >- +

The resource requested has been temporarily moved to the URL given + by the Location header.

+ +

This will be the location of the MNO wait screen + that tells the end-user that they have been sent a message and should + respond to it.

+ '400': + description: Bad Request + schema: + $ref: '#/definitions/Response_400_Authorize' +######################################################################################### +# IDENTITY: GET TOKENS REQUEST +######################################################################################### + /get-token_sign-up-endpoint: + post: + tags: + - SIGN-UP + summary: Get Tokens + consumes: + - application/x-www-form-urlencoded + parameters: +##### grant_type + - in: formData + name: grant_type + type: string + required: true + enum: + - authorization_code + description: >- +

Describes the method to be used for the + processing flow. The value of this parameter must always be + authorization_code. + x-example: authorization_code +##### code + - in: formData + name: code + type: string + required: true + description: >- +

Authorization code received from the ID Gateway as a result of the + successful Authorize request. Allows the SP to obtain the Access Token + and the ID Token from the ID Gateway.

+ x-example: efb1467d-b6b0-4145-834f-72285442f1a9 +##### redirect_uri + - in: formData + name: redirect_uri + type: string + required: true + description: >- +

URI to which the responses from the ID Gateway are sent. The value of this + parameter must match that sent in the request.

+ x-example: 'https://example.com/callback' +##### correlation_id + - in: formData + name: correlation_id + type: string + required: false + description: >- +

The same correlation_id submitted in the initial + authorize request. The correlation_id tracks the transaction + correlation across the Mobile Connect components (Discovery, Mobile + Connect). The value for this parameter is generated only by the SP and it + must be locally unique.

+ x-example: 42da5b19-457a-4d30-a5c4-038c62dccbb0 +##### Authorization + - in: header + name: Authorization + description: >- +

Uses HTTP basic + authentication to access the API. This is a Base64 encoded + string of your client_id:client_secret

+ required: true + type: string + x-example: Basic czZCaGRSa3F0MzpnWDFmQmF0M2== +##### Content-Type + - in: header + name: Content-Type + description: >- + Resource content type. + required: true + enum: + - application/x-www-form-urlencoded + type: string + x-example: application/x-www-form-urlencoded + responses: + '200': + description: OK + schema: + $ref: '#/definitions/Response_200_for_Get_Token_Premiuminfo' + '400': + description: Bad Request + schema: + $ref: '#/definitions/Response_400_Get_Tokens' +######################################################################################### +# IDENTITY: GET DETAILS +######################################################################################### + /sign-up_premiuminfo_endpoint: + post: + tags: + - SIGN-UP + summary: Get Sign-up Details + description: '' + parameters: + - in: header + name: Authorization + description: >- +

Uses an Access Token to access the Premiuminfo resources. The token is of type Bearer

+ type: string + required: true + x-example: Bearer f6e0e342-aefd-4e82-8a9a-a3424be24a90 + responses: + '200': + description: OK + schema: + $ref: '#/definitions/Response_200_Sign-Up' + '400': + description: Bad Request + schema: + $ref: '#/definitions/Response_400_Get_Identity' + '401': + description: Unauthorized + schema: + $ref: '#/definitions/Response_401' + '403': + description: Forbidden + schema: + $ref: '#/definitions/Response_403' +######################################################################################### +# PHONE NUMBER: AUTHORIZE REQUEST +######################################################################################### + /authorize?[phone-number-params]: + get: + tags: + - PHONE NUMBER + summary: Authorize + parameters: +##### client_id + - in: query + name: client_id + description: >- +

The client_id field obtained from the Discovery response + which is used as the unique client identifier of the SP

+ required: true + type: string + x-example: x-a94d903f-ad45-4135-80b8-ac459f41b38f +##### redirect_url + - in: query + name: redirect_uri + description: >- +

The URI to which ID Gateway responses are sent. + The redirect_uri is defined during application + registration.

+ required: true + type: string + x-example: 'http://localhost/' +##### Response Type + - in: query + name: response_type + description: >- +

Indicates the grant + type (i.e. method). The value must always be code to + indicate the Authorisation Code Flow.

+ required: true + enum: + - code + type: string + x-example: code +##### scope + - in: query + name: scope + description: >- +

Space delimited, case-sensitive ASCII, strings of the scope values used to indicate + the services being requested. For more information see the + Scope values + page.

+ required: true + enum: + - openid mc_identity_phonenumber + type: string + x-example: openid mc_identity_phonenumber +##### version + - in: query + name: version + description: >- +

This parameter identifies the Mobile Connect profile version. This + parameter is required for Mobile Connect DI Profile v2.3 + (mc_di_r2_v2.3) and Mobile Connect Profile v2.0 (mc_v2.0).

+ required: true + enum: + - mc_v2 + - mc_di_r2_v2.3 + type: string + x-example: mc_di_r2_v2.3 +##### state + - in: query + name: state + description: >- +

Value used by the client to maintain state between request and callback. + Also used as a security mechanism, if a cryptographic binding is done with + the browser cookie, to prevent Cross-Site Request Forgery. The recommended + format is UUID4.

+ required: true + type: string + x-example: eee40fe4-8a8d-4b26-8dfd-2fb4d52aa368 +##### nonce + - in: query + name: nonce + description: >- +

String value used to associate a client session with the ID Token. + It is passed unmodified from Authorisation Request to ID Token. The value + SHOULD be unique per session to mitigate replay attacks. The recommended + format is UUID4.

+ required: true + type: string + x-example: 878aacd7-83f1-4b4f-9582-7347b0a6fa62 +##### display + - in: query + name: display + description: >- +

Specifies the user interface display for the Authentication and Consent flow.

+

Values are:

+ +

page: The UI SHOULD be consistent with a full page view of the User-Agent.

+

pop-up: Use a pop-up window. (The popup window SHOULD be 450px X 500px)

+

touch: Display a UI consistent with a “touch” based interface.

+

wap: The UI SHOULD be consistent with a “feature-phone” device display

+ +

These values will only be respected if supported by the ID Gateway.

+ required: false + enum: + - page + - pop-up + - touch + - wap + type: string + x-example: touch +##### prompt + - in: query + name: prompt + description: >- +

Specifies to the IDGW Server whether to prompt the end-user for re-authentication and consent.

+

Values are:

+ +

none: MUST NOT display any UI for reauthentication or consent to the user. If the user is not authenticated already, or authentication or consent is needed to process the Authorisation Request, a login_required error is returned. This can be used as a mechanism to check existing authentication or consent.

+

no_seam: prompt the end-user if the authentication session is not valid. Caters for the 3G/4Ghot-spots, tethered phone etc. scenarios

+ required: false + enum: + - none + - no_seam + type: string + x-example: consent + - in: query +##### max-age + name: max_age + description: >- +

Indicator of the maximum elapsed time in seconds since the last + authentication of the end-user. If the elapsed time is greater than + this value, a re-authentication must be done. When this parameter is + in present the request, the ID Token must contain the + auth_time claim value

+ required: false + type: string + x-example: 3600 +##### ui_locales + - in: query + name: ui_locales + description: >- +

Space separated list of user preferred languages and scripts for + the UI as per RFC5646. The parameter is for guidance only and in + case a requested locale is not supported then the user interface + will be provided in the default language of the ID Gateway.

+ required: false + type: string + x-example: fr-CA fr en +##### claims_locales + - in: query + name: claims_locales + description: >- +

Space separated list of user preferred languages and scripts for + the claims, defines as per RFC5646. The parameter is for guidance + only and in case a requested locale is not supported then the claims + will be provided in the default language of the ID Gateway.

+ required: false + type: string + x-example: fr-CA fr en +##### id_token_hint + - in: query + name: id_token_hint + description: >- +

Previously issued ID token passed as a hint for the current or past + authentication session, generally used in conjunction with + prompt=none. If the ID Token is still valid and the + end-user is logged in then the server returns a positive response, + otherwise server SHOULD return a login_error response. For + the ID Token, the server does not need to be listed as audience, + when included in the id_token_hint + required: false + type: string + x-example: eyJhbGciOiJSUzI1NiIsImtpZCI6IjdlOGFkZmM +##### login_hint + - in: query + name: login_hint + description: >- +

An indication to the ID Gateway about what ID to use for login. Using this + parameter allows the end-user to skip the login identifier. The values passed + will parameter type and the parameter value (see example).

+ required: false + enum: + - MSISDN: + - ENCR_MSISDN: + - PCR: + type: string + x-example: 'MSISDN:447700900907' +##### login_hint_token + - in: query + name: login_hint_token + description: >- +

Encrypted JSON Web Token (JWT) that contains a user hint + about the SP for an individual Mobile + Network Operator (MNO). The login_hint_token should + be used by the SP as a login hint with the particular MNO, so the + MNO recognises the SP that is trying to get a response.

+ required: false + type: string + x-example: n5JhbwerOiJSUzI1NiVm23reNp2DSE6sdfDEgcFnB +##### acr_values + - in: query + name: acr_values + description: >- +

Level of Assurance to be used to authenticate an end-user. The values appear + as order of preference. The acr used during authentication + is returned as acr claim value. This parameter is optional, however, + when it is present the Authentication endpoint should satisfy one for the end-user's authentication. The recommended values are the LOAs as + specified in ISO/IEC 29115 + Clause 6 – 1, 2, 3, 4 – representing the LOAs of LOW, MEDIUM, HIGH and VERY HIGH.

+ required: true + enum: + - 1 + - 2 + - 3 + - 4 + type: string + x-example: 3 2 +##### response_mode + - in: query + name: response_mode + description: >- +

Informs the ID Gateway of the mechanism to be used for returning + parameters from the Authorize Endpoint. Can be used when there is + no user agent

+ +

This parameter is not supported by Mobile Connect Profile v2.0>

+ type: string + default: query + required: false + x-example: form_post +##### client_name + - in: query + name: client_name + description: >- +

A short name to identify the SP client application which will + be displayed on end-user de vice during the authorisation flow. This + short name is created when the application is registered + on the Developer Portal.

+ required: true + type: string + x-example: AppName +##### binding_message + - in: query + name: binding_message + description: >- +

Client provided plain text, to interlock the consumption device + and authorisation device for a better + user experience. The message will be displayed on both devices. Empty values + are allowed (zero length).

+ required: true + type: string + x-example: Sample message +##### context + - in: query + name: context + description: >- +

A transaction or action based message provided by the client Application + which will be displayed on the authentication device of the end-user.

+ required: true + type: string + x-example: Transfer $100 +##### correlation_id + - in: query + name: correlation_id + description: >- +

Correlates a transaction across Mobile Connect components. The value is generated by the Service Provider + and must be locally unique.

+ +

This parameter should be used in conjunction + with your operator partner and only for tracing and resolving issues. If you are using the Discovery service then you should use the same correlation ID + that you use in the Discovery call. The recommended format is UUID4.

+ type: string + required: false + x-example: 42da5b19-457a-4d30-a5c4-038c62dccbb0 + responses: + '302': + description: Found + headers: + Location: + type: string + description: >- +

The resource requested has been temporarily moved to the URL given + by the Location header.

+ +

This will be the location of the MNO wait screen + that tells the end-user that they have been sent a message and should + respond to it.

+ '400': + description: Bad Request + schema: + $ref: '#/definitions/Response_400_Authorize' +######################################################################################### +# PHONE NUMBER: GET TOKENS REQUEST +######################################################################################### + /get-token_phone-number-endpoint: + post: + tags: + - PHONE NUMBER + summary: Get Tokens + consumes: + - application/x-www-form-urlencoded + parameters: +##### grant_type + - in: formData + name: grant_type + type: string + required: true + enum: + - authorization_code + description: >- +

Describes the method to be used for the + processing flow. The value of this parameter must always be + authorization_code. + x-example: authorization_code +##### code + - in: formData + name: code + type: string + required: true + description: >- +

Authorization code received from the ID Gateway as a result of the + successful Authorize request. Allows the SP to obtain the Access Token + and the ID Token from the ID Gateway.

+ x-example: efb1467d-b6b0-4145-834f-72285442f1a9 +##### redirect_uri + - in: formData + name: redirect_uri + type: string + required: true + description: >- +

URI to which the responses from the ID Gateway are sent. The value of this + parameter must match that sent in the request.

+ x-example: 'https://example.com/callback' +##### correlation_id + - in: formData + name: correlation_id + type: string + required: false + description: >- +

The same correlation_id submitted in the initial + authorize request. The correlation_id tracks the transaction + correlation across the Mobile Connect components (Discovery, Mobile + Connect). The value for this parameter is generated only by the SP and it + must be locally unique.

+ x-example: 42da5b19-457a-4d30-a5c4-038c62dccbb0 +##### Authorization + - in: header + name: Authorization + description: >- +

Uses HTTP basic + authentication to access the API. This is a Base64 encoded + string of your client_id:client_secret

+ required: true + type: string + x-example: Basic czZCaGRSa3F0MzpnWDFmQmF0M2== +##### Content-Type + - in: header + name: Content-Type + description: >- + Resource content type. + required: true + enum: + - application/x-www-form-urlencoded + type: string + x-example: application/x-www-form-urlencoded + responses: + '200': + description: OK + schema: + $ref: '#/definitions/Response_200_for_Get_Token_Premiuminfo' + '400': + description: Bad Request + schema: + $ref: '#/definitions/Response_400_Get_Tokens' +######################################################################################### +# PHONE NUMBER: GET PHONE NUMBER +######################################################################################### + /phone-number_premiuminfo_endpoint: + post: + tags: + - PHONE NUMBER + summary: Get Phone Number + description: '' + parameters: + - in: header + name: Authorization + description: >- +

Uses an Access Token to access the Premiuminfo resources. The token is of type Bearer

+ type: string + required: true + x-example: Bearer f6e0e342-aefd-4e82-8a9a-a3424be24a90 + responses: + '200': + description: OK + schema: + $ref: '#/definitions/Response_200_Phone-Number' + '400': + description: Bad Request + schema: + $ref: '#/definitions/Response_400_Get_Identity' + '401': + description: Unauthorized + schema: + $ref: '#/definitions/Response_401' + '403': + description: Forbidden + schema: + $ref: '#/definitions/Response_403' + x-code-samples: + - lang: cURL + source: >- +######################################################################################### +# NATIONAL ID: AUTHORIZE REQUEST +######################################################################################### + /authorize?[national-params]: + get: + tags: + - NATIONAL ID + summary: Authorize + parameters: +##### client_id + - in: query + name: client_id + description: >- +

The client_id field obtained from the Discovery response + which is used as the unique client identifier of the SP

+ required: true + type: string + x-example: x-a94d903f-ad45-4135-80b8-ac459f41b38f +##### redirect_url + - in: query + name: redirect_uri + description: >- +

The URI to which ID Gateway responses are sent. + The redirect_uri is defined during application + registration.

+ required: true + type: string + x-example: 'http://localhost/' +##### Response Type + - in: query + name: response_type + description: >- +

Indicates the grant + type (i.e. method). The value must always be code to + indicate the Authorisation Code Flow.

+ required: true + enum: + - code + type: string + x-example: code +##### scope + - in: query + name: scope + description: >- +

Space delimited, case-sensitive ASCII, strings of the scope values used to indicate + the services being requested. For more information see the + Scope values + page.

+ required: true + enum: + - openid mc_identity_nationalid + type: string + x-example: openid mc_identity_nationalid +##### version + - in: query + name: version + description: >- +

This parameter identifies the Mobile Connect profile version. This + parameter is required for Mobile Connect DI Profile v2.3 + (mc_di_r2_v2.3) and Mobile Connect Profile v2.0 (mc_v2.0).

+ required: true + enum: + - mc_v2 + - mc_di_r2_v2.3 + type: string + x-example: mc_di_r2_v2.3 +##### state + - in: query + name: state + description: >- +

Value used by the client to maintain state between request and callback. + Also used as a security mechanism, if a cryptographic binding is done with + the browser cookie, to prevent Cross-Site Request Forgery. The recommended + format is UUID4.

+ required: true + type: string + x-example: eee40fe4-8a8d-4b26-8dfd-2fb4d52aa368 +##### nonce + - in: query + name: nonce + description: >- +

String value used to associate a client session with the ID Token. + It is passed unmodified from Authorisation Request to ID Token. The value + SHOULD be unique per session to mitigate replay attacks. The recommended + format is UUID4.

+ required: true + type: string + x-example: 878aacd7-83f1-4b4f-9582-7347b0a6fa62 +##### display + - in: query + name: display + description: >- +

Specifies the user interface display for the Authentication and Consent flow.

+

Values are:

+ +

page: The UI SHOULD be consistent with a full page view of the User-Agent.

+

pop-up: Use a pop-up window. (The popup window SHOULD be 450px X 500px)

+

touch: Display a UI consistent with a “touch” based interface.

+

wap: The UI SHOULD be consistent with a “feature-phone” device display

+ +

These values will only be respected if supported by the ID Gateway.

+ required: false + enum: + - page + - pop-up + - touch + - wap + type: string + x-example: touch +##### prompt + - in: query + name: prompt + description: >- +

Specifies to the IDGW Server whether to prompt the end-user for re-authentication and consent.

+

Values are:

+ +

none: MUST NOT display any UI for reauthentication or consent to the user. If the user is not authenticated already, or authentication or consent is needed to process the Authorisation Request, a login_required error is returned. This can be used as a mechanism to check existing authentication or consent.

+

no_seam: prompt the end-user if the authentication session is not valid. Caters for the 3G/4Ghot-spots, tethered phone etc. scenarios

+ required: false + enum: + - none + - no_seam + type: string + x-example: consent + - in: query +##### max-age + name: max_age + description: >- +

Indicator of the maximum elapsed time in seconds since the last + authentication of the end-user. If the elapsed time is greater than + this value, a re-authentication must be done. When this parameter is + in present the request, the ID Token must contain the + auth_time claim value

+ required: false + type: string + x-example: 3600 +##### ui_locales + - in: query + name: ui_locales + description: >- +

Space separated list of user preferred languages and scripts for + the UI as per RFC5646. The parameter is for guidance only and in + case a requested locale is not supported then the user interface + will be provided in the default language of the ID Gateway.

+ required: false + type: string + x-example: fr-CA fr en +##### claims_locales + - in: query + name: claims_locales + description: >- +

Space separated list of user preferred languages and scripts for + the claims, defines as per RFC5646. The parameter is for guidance + only and in case a requested locale is not supported then the claims + will be provided in the default language of the ID Gateway.

+ required: false + type: string + x-example: fr-CA fr en +##### id_token_hint + - in: query + name: id_token_hint + description: >- +

Previously issued ID token passed as a hint for the current or past + authentication session, generally used in conjunction with + prompt=none. If the ID Token is still valid and the + end-user is logged in then the server returns a positive response, + otherwise server SHOULD return a login_error response. For + the ID Token, the server does not need to be listed as audience, + when included in the id_token_hint + required: false + type: string + x-example: eyJhbGciOiJSUzI1NiIsImtpZCI6IjdlOGFkZmM +##### login_hint + - in: query + name: login_hint + description: >- +

An indication to the ID Gateway about what ID to use for login. Using this + parameter allows the end-user to skip the login identifier. The values passed + will parameter type and the parameter value (see example).

+ required: false + enum: + - MSISDN: + - ENCR_MSISDN: + - PCR: + type: string + x-example: 'MSISDN:447700900907' +##### login_hint_token + - in: query + name: login_hint_token + description: >- +

Encrypted JSON Web Token (JWT) that contains a user hint + about the SP for an individual Mobile + Network Operator (MNO). The login_hint_token should + be used by the SP as a login hint with the particular MNO, so the + MNO recognises the SP that is trying to get a response.

+ required: false + type: string + x-example: n5JhbwerOiJSUzI1NiVm23reNp2DSE6sdfDEgcFnB +##### acr_values + - in: query + name: acr_values + description: >- +

Level of Assurance to be used to authenticate an end-user. The values appear + as order of preference. The acr used during authentication + is returned as acr claim value. This parameter is optional, however, + when it is present the Authentication endpoint should satisfy one for the end-user's authentication. The recommended values are the LOAs as + specified in ISO/IEC 29115 + Clause 6 – 1, 2, 3, 4 – representing the LOAs of LOW, MEDIUM, HIGH and VERY HIGH.

+ required: true + enum: + - 1 + - 2 + - 3 + - 4 + type: string + x-example: 3 2 +##### response_mode + - in: query + name: response_mode + description: >- +

Informs the ID Gateway of the mechanism to be used for returning + parameters from the Authorize Endpoint. Can be used when there is + no user agent

+ +

This parameter is not supported by Mobile Connect Profile v2.0>

+ type: string + default: query + required: false + x-example: form_post +##### client_name + - in: query + name: client_name + description: >- +

A short name to identify the SP client application which will + be displayed on end-user de vice during the authorisation flow. This + short name is created when the application is registered + on the Developer Portal.

+ required: true + type: string + x-example: AppName +##### binding_message + - in: query + name: binding_message + description: >- +

Client provided plain text, to interlock the consumption device + and authorisation device for a better + user experience. The message will be displayed on both devices. Empty values + are allowed (zero length).

+ required: true + type: string + x-example: Sample message +##### context + - in: query + name: context + description: >- +

A transaction or action based message provided by the client Application + which will be displayed on the authentication device of the end-user.

+ required: true + type: string + x-example: Transfer $100 +##### correlation_id + - in: query + name: correlation_id + description: >- +

Correlates a transaction across Mobile Connect components. The value is generated by the Service Provider + and must be locally unique.

+ +

This parameter should be used in conjunction + with your operator partner and only for tracing and resolving issues. If you are using the Discovery service then you should use the same correlation ID + that you use in the Discovery call. The recommended format is UUID4.

+ type: string + required: false + x-example: 42da5b19-457a-4d30-a5c4-038c62dccbb0 + responses: + '302': + description: Found + headers: + Location: + type: string + description: >- +

The resource requested has been temporarily moved to the URL given + by the Location header.

+ +

This will be the location of the MNO wait screen + that tells the end-user that they have been sent a message and should + respond to it.

+ '400': + description: Bad Request + schema: + $ref: '#/definitions/Response_400_Authorize' +######################################################################################### +# NATIONAL ID: GET TOKENS REQUEST +######################################################################################### + /get-token_national-id-endpoint: + post: + tags: + - NATIONAL ID + summary: Get Tokens + consumes: + - application/x-www-form-urlencoded + parameters: +##### grant_type + - in: formData + name: grant_type + type: string + required: true + enum: + - authorization_code + description: >- +

Describes the method to be used for the + processing flow. The value of this parameter must always be + authorization_code. + x-example: authorization_code +##### code + - in: formData + name: code + type: string + required: true + description: >- +

Authorization code received from the ID Gateway as a result of the + successful Authorize request. Allows the SP to obtain the Access Token + and the ID Token from the ID Gateway.

+ x-example: efb1467d-b6b0-4145-834f-72285442f1a9 +##### redirect_uri + - in: formData + name: redirect_uri + type: string + required: true + description: >- +

URI to which the responses from the ID Gateway are sent. The value of this + parameter must match that sent in the request.

+ x-example: 'https://example.com/callback' +##### correlation_id + - in: formData + name: correlation_id + type: string + required: false + description: >- +

The same correlation_id submitted in the initial + authorize request. The correlation_id tracks the transaction + correlation across the Mobile Connect components (Discovery, Mobile + Connect). The value for this parameter is generated only by the SP and it + must be locally unique.

+ x-example: 42da5b19-457a-4d30-a5c4-038c62dccbb0 +##### Authorization + - in: header + name: Authorization + description: >- +

Uses HTTP basic + authentication to access the API. This is a Base64 encoded + string of your client_id:client_secret

+ required: true + type: string + x-example: Basic czZCaGRSa3F0MzpnWDFmQmF0M2== +##### Content-Type + - in: header + name: Content-Type + description: >- + Resource content type. + required: true + enum: + - application/x-www-form-urlencoded + type: string + x-example: application/x-www-form-urlencoded + responses: + '200': + description: OK + schema: + $ref: '#/definitions/Response_200_for_Get_Token_Premiuminfo' + '400': + description: Bad Request + schema: + $ref: '#/definitions/Response_400_Get_Tokens' +######################################################################################### +# NATIONAL ID: GET DETAILS REQUEST +######################################################################################### + /national-id_premiuminfo_endpoint: + post: + tags: + - NATIONAL ID + summary: Get National ID + description: '' + parameters: + - in: header + name: Authorization + description: >- +

Uses an Access Token to access the Premiuminfo resources. The token is of type Bearer.

+ type: string + required: true + x-example: Bearer f6e0e342-aefd-4e82-8a9a-a3424be24a90 + responses: + '200': + description: OK + schema: + $ref: '#/definitions/Response_200_NationalID' + '400': + description: Bad Request + schema: + $ref: '#/definitions/Response_400_Get_Identity' + '401': + description: Unauthorized + schema: + $ref: '#/definitions/Response_401' + '403': + description: Forbidden + schema: + $ref: '#/definitions/Response_403' +######################################################################################### +# ATTRIBUTES: AUTHORIZE REQUEST +######################################################################################### + /authorize?[kyc-params]: + get: + tags: + - KYC MATCH + summary: Authorize + parameters: +##### client_id + - in: query + name: client_id + type: string + required: true + description: >- +

The client_id field obtained from the Discovery response + which is used as the unique client identifier of the SP

+ x-example: a94d903f-ad45-4135-80b8-ac459f41b38f +##### redirect_uri + - in: query + name: redirect_uri + type: string + required: true + description: >- +

The URI to which ID Gateway responses are sent. + The redirect_uri is defined during application + registration.

+ x-example: 'http://localhost/' +##### response_type + - in: query + name: response_type + type: string + enum: + - code + required: true + description: >- +

The URI to which ID Gateway responses are sent. + The redirect_uri is defined during application + registration.

+ x-example: code +##### scope + - in: query + name: scope + type: string + enum: + - 'openid mc_kyc_plain' + - 'openid mc_kyc_hashed' + required: true + description: >- +

Space delimited, case-sensitive ASCII, strings of the scope values used to indicate + the services being requested. For more information see the + Scope values + page.

+ x-example: openid mc_kyc_plain +##### claims + - in: query + name: claims + type: string + required: false + description: >- +

JSON object listing specific claims to be returned in the response.

+ +

Example JSON Object

+ +
+            {  
+                "premiuminfo":{  
+                    "address_hash":{  
+                        "value":"5a182f28e16bb73cee76e04015736f5c2f681a2ce1f08bafc6a40167b3a344aa"
+                    },
+                    "name_hash":{  
+                        "value":"bb7ff9e6715bf5f87a4adc3620ad2bb194a59ca838c418c033b9c3d55fbcfbce"
+                    }
+                }
+            }
+            
+ +

See the Claims specifications for more details.

+##### version + - in: query + name: version + type: string + enum: + - mc_di_r2_v2.3 + required: true + description: >- +

Identifies the Mobile Connect profile version. The + current version used for the deployment of KYC Match product is + mc_di_r2_v2.3. + x-example: mc_di_r2_v2.3 +##### state + - in: query + name: state + description: >- +

Value used by the client to maintain state between request and callback. + Also used as a security mechanism , if a cryptographic binding is done with + the browser cookie, to prevent Cross-Site Request Forgery. The recommended + format is UUID4.

+ required: true + type: string + x-example: eee40fe4-8a8d-4b26-8dfd-2fb4d52aa368 +##### nonce + - in: query + name: nonce + required: true + type: string + description: >- +

String value used to associate a client session with the ID Token. + It is passed unmodified from Authorisation Request to ID Token. The value + SHOULD be unique per session to mitigate replay attacks. The recommended + format is UUID4.

+ x-example: 878aacd7-83f1-4b4f-9582-7347b0a6fa62 +##### display + - in: query + name: display + description: >- +

Specifies the user interface display for the Authentication and Consent flow.

+

Values are:

+ +

page: The UI SHOULD be consistent with a full page view of the User-Agent.

+

pop-up: Use a pop-up window. (The popup window SHOULD be 450px X 500px)

+

touch: Display a UI consistent with a “touch” based interface.

+

wap: The UI SHOULD be consistent with a “feature-phone” device display

+ +

These values will only be respected if supported by the ID Gateway.

+ required: false + enum: + - page + - pop-up + - touch + - wap + default: page + type: string + x-example: touch +##### prompt + - in: query + name: prompt + type: string + required: false + enum: + - none + - no_seam + description: >- +

Specifies to the IDGW Server whether to prompt the end-user for re-authentication and consent.

+

Values are:

+ +

none: MUST NOT display any UI for reauthentication or consent to the user. If the user is not authenticated already, or authentication or consent is needed to process the Authorisation Request, a login_required error is returned. This can be used as a mechanism to check existing authentication or consent.

+

no_seam: prompt the end-user if the authentication session is not valid. Caters for the 3G/4Ghot-spots, tethered phone etc. scenarios

+ +

This is an optional parameter supported by all Mobile Connect Profiles.

+ x-example: consent +##### max-age + - in: query + name: max_age + type: string + required: false + description: >- +

Indicator of the maximum elapsed time in seconds since the last + authentication of the end-user. If the elapsed time is greater than + this value, a re-authentication must be done. When this parameter is + in present the request, the ID Token must contain the + auth_time claim value

+ x-example: 3600 +##### ui_locales + - in: query + name: ui_locales + type: string + required: false + description: >- +

Space separated list of user preferred languages and scripts for + the UI as per RFC5646. The parameter is for guidance only and in + case a requested locale is not supported then the user interface + will be provided in the default language of the ID Gateway.

+ x-example: fr-CA fr en +##### claims_locales + - in: query + name: claims_locales + type: string + required: false + description: >- +

Space separated list of user preferred languages and scripts for + the claims returned as per RFC5646. The parameter is for guidance + only and in case a requested locale is not supported then the user + interface will be provided in the default language of the ID + Gateway.

+ x-example: fr-CA fr en +##### id_token_hint + - in: query + name: id_token_hint + type: string + required: false + description: >- +

Previously issued ID token passed as a hint for the current or past + authentication session, generally used in conjunction with + prompt=none. If the ID Token is still valid and the + end-user is logged in then the server returns a positive response, + otherwise SHOULD return a login_error response. For + the ID Token, the server does not need to be listed as audience, + when included in the id_token_hint

+ x-example: eyJhbGciOiJSUzI1NiIsImtpZCI6IjdlOGFkZmM +##### login_hint + - in: query + name: login_hint + type: string + enum: + - MSISDN: + - ENCR_MSISDN: + - PCR: + required: false + description: >- +

An indication to the ID Gateway about what ID to use for login. Using this + parameter allows the end-user to skip the login identifier. The values passed + will parameter type and the parameter value (see example).

+ +

This is an optional parameter supported by all Mobile Connect Profiles.

+ x-example: 'MSISDN:447700900907' +##### login_hint_token + - in: query + name: login_hint_token + type: string + required: false + description: >- +

Encrypted JSON Web Token (JWT) that contains a user hint + about the SP for an individual Mobile + Network Operator (MNO). The login_hint_token should + be used by the SP as a login hint with the particular MNO, so the + MNO recognises the SP that is trying to get a response.

+##### acr_values + - in: query + name: acr_values + type: string + enum: + - 1 + - 2 + - 3 + - 4 + required: false + description: >- +

Level of Assurance to be used to authenticate an end-user. The values appear + as order of preference. The acr used during authentication + is returned as acr claim value. This parameter is optional, however, + when it is present the Authentication endpoint should satisfy one for the + end-user's authentication. The recommended values are the LOAs as + specified in ISO/IEC 29115 + Clause 6 – 1, 2, 3, 4 – representing the LOAs of LOW, MEDIUM, HIGH and VERY HIGH.

+ +

This parameter is required for all Mobile Connect Profiles.

+ x-example: 3 2 +##### response_mode + - in: query + name: response_mode + description: >- +

Informs the ID Gateway of the mechanism to be used for returning + parameters from the Authorize Endpoint. Can be used when there is + no user agent

+ + + type: string + default: query + required: false + x-example: form_post +##### client_name + - in: query + name: client_name + description: >- +

Short name of the SP's application / web service which can be + used for the end-user's authentication requests. This short name is + created when the SP registers their application / web service on the + Developers Portal.

+ required: false + type: string + x-example: Test Application Name +##### binding_message + - in: query + name: binding_message + description: >- + This parameter contains a text provided by the SP that is intended + to be shown to the end-user on the consumption device as well as on + the authorisation device. This text serves as an interlock between + the SP and the MNO. Empty values are allowed for this parameter + required: false + type: string + x-example: kyc +##### context + - in: query + name: context + description: >- +

This parameter contains a transaction or action based message + which will be displayed on the authentication device of the + end-user. This message must be provided by the SP and should prompt + the end-user to give a consent to share data with the SP's + application / web-service

+ required: false + type: string + x-example: kyc context + responses: + '302': + description: Found + headers: + Location: + type: string + description: >- +

The resource requested has been temporarily moved to the URL given + by the Location header.

+ +

This will be the location of the MNO wait screen + that tells the end-user that they have been sent a message and should + respond to it.

+ '400': + description: Bad Request + schema: + $ref: '#/definitions/Response_400_Authorize' +######################################################################################### +# ATTRIBUTES: GET TOKENS REQUEST +######################################################################################### + /kyc-token_endpoint: + post: + tags: + - KYC MATCH + summary: Get Tokens + consumes: + - application/x-www-form-urlencoded + parameters: +##### grant_type + - in: formData + name: grant_type + type: string + required: true + enum: + - authorization_code + description: >- +

Describes the method to be used for the + processing flow. The value of this parameter must always be + authorization_code. + x-example: authorization_code +##### code + - in: formData + name: code + type: string + required: true + description: >- +

Authorisation code received from the ID Gateway as a result of the + successful Authorize request. Allows the SP to obtain the Access Token + and the ID Token from the ID Gateway.

+ x-example: efb1467d-b6b0-4145-834f-72285442f1a9 +##### redirect_uri + - in: formData + name: redirect_uri + type: string + required: true + description: >- +

URI to which the responses from the ID Gateway are sent. The value of this + parameter must match that sent in the request.

+ x-example: 'https://example.com/callback' +##### correlation_id + - in: formData + name: correlation_id + type: string + required: false + description: >- +

The same correlation_id submitted in the initial + authorize request. The correlation_id tracks the transaction + correlation across the Mobile Connect components (Discovery, Mobile + Connect). The value for this parameter is generated only by the SP and it + must be locally unique.

+ x-example: 42da5b19-457a-4d30-a5c4-038c62dccbb0 +##### Authorization + - in: header + name: Authorization + description: >- +

Uses HTTP basic + authentication to access the API. This is a Base64 encoded + string of your client_id:client_secret

+ required: true + type: string + x-example: Basic czZCaGRSa3F0MzpnWDFmQmF0M2== +##### Content-Type + - in: header + name: Content-Type + description: >- + Resource content type. + required: true + enum: + - application/x-www-form-urlencoded + type: string + x-example: application/x-www-form-urlencoded + responses: + '200': + description: OK + schema: + $ref: '#/definitions/Response_200_for_Get_Token_Premiuminfo' + '400': + description: Bad Request + schema: + $ref: '#/definitions/Response_400_Get_Tokens' + headers: + Content-Type: + description: Resource content type + type: string + x-example: application/json +######################################################################################### +# ATTRIBUTES: GET KYC MATCH +######################################################################################### + /kyc_match_split_premiuminfo_endpoint: + get: + tags: + - KYC MATCH + summary: Get KYC Match Split + parameters: + - in: header + name: Authorization + description: >- +

Uses an Access Token to access the Premiuminfo resources. The token is of type Bearer

+ type: string + required: true + x-example: Bearer f6e0e342-aefd-4e82-8a9a-a3424be24a90 + responses: + '200': + description: OK + schema: + $ref: '#/definitions/Response_200_KYC_Match_Split' + '400': + description: Bad request + schema: + $ref: '#/definitions/Response_400_KYC' + '401': + description: Unauthorized + schema: + $ref: '#/definitions/Response_401_KYC' + '403': + description: Forbidden + schema: + $ref: '#/definitions/Response_403' + /kyc_match_concat_premiuminfo_endpoint: + get: + tags: + - KYC MATCH + summary: Get KYC Match Concat + parameters: + - in: header + name: Authorization + description: >- +

Uses an Access Token to access the Premiuminfo resources. The token is of type Bearer

+ type: string + required: true + x-example: Bearer f6e0e342-aefd-4e82-8a9a-a3424be24a90 + responses: + '200': + description: OK + schema: + $ref: '#/definitions/Response_200_KYC_Match_Concat' + '400': + description: Bad request + schema: + $ref: '#/definitions/Response_400_KYC' + '401': + description: Unauthorized + schema: + $ref: '#/definitions/Response_401_KYC' + '403': + description: Forbidden + schema: + $ref: '#/definitions/Response_403' + /kyc_match_hashed_split_premiuminfo_endpoint: + get: + tags: + - KYC MATCH + summary: Get KYC Match Hashed Split + parameters: + - in: header + name: Authorization + description: >- +

Uses an Access Token to access the Premiuminfo resources. The token is of type Bearer

+ type: string + required: true + x-example: Bearer f6e0e342-aefd-4e82-8a9a-a3424be24a90 + responses: + '200': + description: OK + schema: + $ref: '#/definitions/Response_200_KYC_Hashed_Split' + '400': + description: Bad request + schema: + $ref: '#/definitions/Response_400_KYC' + '401': + description: Unauthorized + schema: + $ref: '#/definitions/Response_401_KYC' + '403': + description: Forbidden + schema: + $ref: '#/definitions/Response_403' + /kyc_match_hashed_concat_premiuminfo_endpoint: + get: + tags: + - KYC MATCH + summary: Get KYC Match Hashed Concat + parameters: + - in: header + name: Authorization + description: >- +

Uses an Access Token to access the Premiuminfo resources. The token is of type Bearer

+ type: string + required: true + x-example: Bearer f6e0e342-aefd-4e82-8a9a-a3424be24a90 + responses: + '200': + description: OK + schema: + $ref: '#/definitions/Response_200_KYC_Hashed_Concat' + '400': + description: Bad request + schema: + $ref: '#/definitions/Response_400_KYC' + '401': + description: Unauthorized + schema: + $ref: '#/definitions/Response_401_KYC' + '403': + description: Forbidden + schema: + $ref: '#/definitions/Response_403' +######################################################################################### +# DEFINITIONS +######################################################################################### +definitions: + Request_for_token: + type: object + properties: + grant_type: + type: string + description: >- + This parameter describes the method that is to be used for the + authentication processing flow. The value of this parameter must + always be authorization_code to indicate that the grant + type to use is the Authorisation Code Flow.

This parameter + is required for all Mobile Connect Profiles

+ example: authorization_code + code: + type: string + description: >- + Authorisation code received from the IDGW as a result of the + successful authentication request. The received authorisation code + allows the SP to obtain the Access Token and the ID Token from the + IDGW.

This parameter is required for all Mobile Connect + Profiles

+ example: SplxlOBeZQQYbYS6WxSbIA + redirect_uri: + type: string + description: >- + URI to which the responses from the IDGW are sent. The value of this + parameter must match with that sent in the authentication request. + HTTPS scheme is recommended to be used here, however, HTTP can also be + applied

This parameter is required for all Mobile Connect + Profiles

+ example: 'https://localhost/' + correlation_id: + type: string + description: >- + correlation_id submitted through the authentication + request. correlation_id ensures the transaction + correlation across Mobile Connect components (Discovery, Mobile + Connect Profile requests, IDGW internal components etc.). The value + for this parameter is generated only by the SP and it must be locally + unique.

Please note that the usage of this parameter is not + mandatory. However, if this parameter is present in the request, the + IDGW must add this parameter to the response. When the SP sends a + request without the correlation_id parameter, it's up to + the IDGW whether to include this parameter into the + response.

For more information on the correlation ID please see + the Correlation ID section

This + parameter is optional for Mobile Connect DI Profile 2.3, SI Profile + 1.0, Mobile Connect Profile 2.0 and is not supported by the Mobile + Connect Profile 1.0

+ example: 42da5b19-457a-4d30-a5c4-038c62dccbb0 + required: + - grant_type + - code + - redirect_uri +######################################################################################### +# RESPONSE 200 OK +######################################################################################### +######################################################################################### +# RESPONSE 200 OK - TOKENS +######################################################################################### + Response_200_for_Get_Tokens: + type: object + properties: + token_type: + type: string + description: >- +

Type of the HTTP authentication scheme. The value for this parameter + must be bearer unless another token_type + value was agreed between the Service Provider and the ID Gateway.

- +

Token used to provide claims about the authentication of + the end-user and other specific claims, if requested. For the detailed + list of the possible claims to be returned please see Tokens section.

+ +

The ID Token is a JSON Web Token (JWT). It is created and returned + by the ID Gateway and is associated with only one authentication session. A + new authentication session for the same end-user will be provided with + a new ID Token

+ example: eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso + access_token: + type: string + description: >- +

OAuth 2.0 token used to get access to + protected resources from the PremiumInfo endpoint.

+ example: 7d6e93c2-54a8-4b98-b08f-f047e519d788 + expires_in: + type: string + description: >- +

Expiration time of the Access Token in seconds since the response was generated.

+ example: 3600 + correlation_id: + type: string + description: >- +

correlation_id submitted through the authentication + request.

+ +

This parameter is not supported by the Mobile Connect Profile 1.1

+ example: 42da5b19-457a-4d30-a5c4-038c62dccbb0 + required: + - access_token + - token_type + - expires_in + - id_token +######################################################################################### +# RESPONSE 200 OK - TOKENS WITH PREMIUMINFO REFERENCE +######################################################################################### + Response_200_for_Get_Token_Premiuminfo: + type: object + properties: + access_token: + type: string + description: >- +

OAUth 2.0 access_token used to get the PremiumInfo object + from the PremiumInfo endpoint (or other specific resource endpoint) + and can be reused for accessing the protected resources, if required.

+ example: f6e0e342-aefd-4e82-8a9a-a3424be24a90 + token_type: + type: string + description: >- +

Value MUST be bearer unless another + token_type value was agreed between the Service Provider and the + ID Gateway.

+ example: Bearer + expires_in: + type: string + description: >- +

Expiration time of the Access Token in seconds since the response was + generated

+ example: 600 + id_token: + type: string + description: >- +

This is an additional token used to provide the ID token claims. The + ID token is a JSON Web Token (JWT) sent by the IDGW to the SP's + Server.For more on how to handle the ID Token and the available claims + please refer to Tokens page.

+ example: eyJhbGciOiJSUzI1Ni1QifQ.eyJh5eUxXST01lIjoxNTIyMzI4NTc0LjAsImF6cCI6I + correlation_id: + type: string + description: >- +

The correlation_id submitted through the authentication + request. correlation_id ensures correlation of the + transaction across Mobile Connect components.

+ example: 42da5b19-457a-4d30-a5c4-038c62dccbb0 + required: + - access_token + - token_type + - expires_in + - id_token +######################################################################################### +# RESPONSE 200 OK - SIGN-UP DETAILS +######################################################################################### + Response_200_Sign-Up: + type: object + properties: + sub: + type: string + description: >- + Subject identifier, a globally unique identifier (see PCR) of the + end-user generated by the operator. + example: 22735ae2-9b1b-4edb-bed0-7b41de9e129e + phone_number_alternate: + type: string + description: The end-user's alternate or secondary telephone number (in E.164 format) + example: 447700900303 + title: + type: string + description: End user's title. + example: Mr + given_name: + type: string + description: Given name(s) or first name(s) of the end-user + example: Henry + family_name: + type: string + description: Family name(s), surname(s) or last name(s) of the end-user + example: Case + middle_name: + type: string + description: Middle name(s) of the end-user + example: Dorsett + street_address: + type: string + description: Address of the end-user + example: 25 Walbrook + city: + type: string + description: End-user's city + example: London + state: + type: string + description: End-user's state or county + example: London + postal_code: + type: string + description: End-user's Zip or Postal code + example: EC4N 8AF + country: + type: string + description: End-user's country + example: UK + email: + type: string + description: End-user's email + example: henrydorsettcase@yopmail.com + required: + - sub + - given_name + - family_name + - street_address + - postal_code + - country + - phone_number_alternate +######################################################################################### +# RESPONSE 200 OK - NATIONALID DETAILS +######################################################################################### + Response_200_NationalID: + type: object + properties: + sub: + type: string + description: >- + Subject identifier, a globally unique identifier (see PCR) of the + end-user generated by the operator. + example: 22735ae2-9b1b-4edb-bed0-7b41de9e129e + phone_number: + type: string + description: End-user's mobile phone number + example: 447700900303 + title: + type: string + description: End user's title. + example: Mr + given_name: + type: string + description: Given name(s) or first name(s) of the end-user + example: Henry + family_name: + type: string + description: Family name(s), surname(s) or last name(s) of the end-user + example: Case + middle_name: + type: string + description: Middle name(s) of the end-user + example: Dorsett + street_address: + type: string + description: Address of the end-user + example: 25 Walbrook + state: + type: string + description: End-user's state or county + example: London + postal_code: + type: string + description: End-user's Zip or Postal code + example: EC4N 8AF + country: + type: string + description: End-user's country + example: UK + email: + type: string + description: End-user's email + example: henrydorsettcase@yopmail.com + birthdate: + type: string + description: Date of birth of the end-user + example: 1948-03-17T00:00:00.000Z + national_identifier: + type: string + description: End-user's national identification number + required: + - sub + - given_name + - family_name + - street_address + - birthdate + - national_identifier +######################################################################################### +# RESPONSE 200 OK - PHONE NUMBER DETAILS +######################################################################################### + Response_200_Phone-Number: + type: object + properties: + sub: + type: string + description: >- + Subject identifier, a globally unique identifier (see PCR) of the + end-user generated by the operator. + example: e9c3c0dc-049a-4fd6-9263-1f7c1382d05e + phone_number: + type: string + description: End-user's Mobile Connect designated mobile number + example: 441234657890 + required: + - sub + - phone_number +######################################################################################### +# RESPONSE 200 OK - KYC PLAIN TEXT SPLIT +######################################################################################### + Response_200_KYC_Match_Split: + type: object + properties: + sub: + type: string + description: >- + Subject identifier, a globally unique identifier (see PCR) of the + end-user generated by the operator. + example: 22735ae2-9b1b-4edb-bed0-7b41de9e129e + given_name: + type: string + description: End-user's given name(s) or first name(s) + example: John + given_name_match: + type: string + enum: + - Y + - N-NA + - N-AV + - Y-AD + description: Match result + example: Y + family_name: + type: string + description: End-user's family name(s), surname(s) or last name(s) + example: Case + family_name_match: + type: string + enum: + - Y + - N-NA + - N-AV + - Y-AD + description: Match result + example: Y + houseno_or_housename: + type: string + description: End-users house number or name of house + example: 25 + houseno_or_housename_match: + type: string + enum: + - Y + - N-NA + - N-AV + - Y-AD + description: Match result + example: Y + postal_code: + type: string + description: End-user's postal or zip code + example: EC4N 8AF + postal_code_match: + type: string + enum: + - Y + - N-NA + - N-AV + - Y-AD + description: Match result + example: Y + town: + type: string + description: End-user's town or city + example: London + town_match: + type: string + enum: + - Y + - N-NA + - N-AV + - Y-AD + description: Match result + example: Y + country: + type: string + description: End-user's country + example: UK + country_match: + type: string + enum: + - Y + - N-NA + - N-AV + - Y-AD + description: Match result + example: Y + birthdate: + type: string + description: Date of birth of the end-user + example: 1948-03-17T00:00:00.000Z + birthdate_match: + type: string + enum: + - Y + - N-NA + - N-AV + - Y-AD + description: Match result. Required if birthdate is present. + example: Y + is_lost_stolen: + type: string + enum: + - false + - true + description: Has the end-user account been marked as lost or stolen + example: false + billing_segment: + type: string + enum: + - PAYM + - PAYG + - Business + description: End-users billing type + example: PAYM + account_state: + type: string + enum: + - active + - inactive + description: End-users account status + example: active + required: + - sub + - given_name + - given_name_match + - family_name + - family_name_match + - houseno_or_housename + - houseno_or_housename_match + - postal_code + - postal_code_match + - town + - town_match + - country + - country_match +######################################################################################### +# RESPONSE 200 OK - KYC PLAIN TEXT CONCAT +######################################################################################### + Response_200_KYC_Match_Concat: + type: object + properties: + sub: + type: string + description: >- + Subject identifier, a globally unique identifier (see PCR) of the + end-user generated by the operator. + example: 22735ae2-9b1b-4edb-bed0-7b41de9e129e + name: + type: string + description: Concatenated given_name and family_name. + example: Case + name_match: + type: string + enum: + - Y + - N-NA + - N-AV + - Y-AD + description: Match result + example: Y + address: + type: string + description: Concatenated houseno_or_housename_match, postal_code, town and country. + example: 25 Walbrook, London, EC4N 8AF, UK + address_match: + type: string + enum: + - Y + - N-NA + - N-AV + - Y-AD + description: Match result + example: Y + birthdate: + type: string + description: Date of birth of the end-user + example: 1948-03-17T00:00:00.000Z + birthdate_match: + type: string + enum: + - Y + - N-NA + - N-AV + - Y-AD + description: Match result. Required if birthdate is present. + example: Y + is_lost_stolen: + type: string + enum: + - false + - true + description: Has the end-user account been marked as lost or stolen + example: false + billing_segment: + type: string + enum: + - PAYM + - PAYG + - Business + description: End-users billing type + example: PAYM + account_state: + type: string + enum: + - active + - inactive + description: End-users account status + example: active + required: + - sub + - name + - name_match + - address + - address_match +######################################################################################### +# RESPONSE 200 OK - KYC HASHED SPLIT +######################################################################################### + Response_200_KYC_Hashed_Split: + type: object + properties: + sub: + type: string + description: >- + Subject identifier, a globally unique identifier (see PCR) of the + end-user generated by the operator. + example: 22735ae2-9b1b-4edb-bed0-7b41de9e129e + given_name_hash: + type: string + description: The hashed given name(s) or first name(s) of the end-user + example: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 + given_name_match: + type: string + enum: + - Y + - N-NA + - N-AV + - Y-AD + description: Match result + example: Y + family_name_hash: + type: string + description: Hashed family name(s), surname(s) or last name(s) of the end-user' + example: 3fd4e1c67a2d28fced849ee1bb76e7391b93eb13 + family_name_match: + type: string + enum: + - Y + - N-NA + - N-AV + - Y-AD + description: Match result + example: Y + houseno_or_housename_hash: + type: string + description: End-users house number or name of house + example: g12f2c7fd25e1b3afad3e69a0bd17d9b100db4b2 + houseno_or_housename_match: + type: string + enum: + - Y + - N-NA + - N-AV + - Y-AD + description: Match result + example: Y + postal_code_hash: + type: string + description: End-user's postal or zip code + example: b784e1c67a2d28fced849ee1bb76e739112bc43 + postal_code_match: + type: string + enum: + - Y + - N-NA + - N-AV + - Y-AD + description: Match result + example: Y + town_hash: + type: string + description: End-user's town or city + example: 3e85a0bd17d9b100db4b1feff2c7fd25e1b3afad + town_match: + type: string + enum: + - Y + - N-NA + - N-AV + - Y-AD + description: Match result + example: Y + country_hash: + type: string + description: End-user's country + example: b4b27fd25e1b3afad3e69a0bd17d9bg12f2c100d + country_match: + type: string + enum: + - Y + - N-NA + - N-AV + - Y-AD + description: Match result + example: Y + birthdate_hash: + type: string + description: Date of birth of the end-user + example: 2c7fd25e1b3afad0db4b33e85a0bde9fd17d9b10 + birthdate_match: + type: string + enum: + - Y + - N-NA + - N-AV + - Y-AD + description: Match result. Required if birthdate_hash is present. + example: Y + is_lost_stolen: + type: string + enum: + - false + - true + description: Has the end-user account been marked as lost or stolen + example: false + billing_segment: + type: string + enum: + - PAYM + - PAYG + - Business + description: End-users billing type + example: PAYM + account_state: + type: string + enum: + - active + - inactive + description: End-users account status + example: active + required: + - sub + - given_name_hash + - given_name_match + - family_name_hash + - family_name_match + - houseno_or_housename_hash + - houseno_or_housename_match + - postal_code_hash + - postal_code_match + - town_hash + - town_match + - country_hash + - country_match +######################################################################################### +# RESPONSE 200 OK - KYC HASHED CONCAT +######################################################################################### + Response_200_KYC_Hashed_Concat: + type: object + properties: + sub: + type: string + description: >- + Subject identifier, a globally unique identifier (see PCR) of the + end-user generated by the operator. + example: 22735ae2-9b1b-4edb-bed0-7b41de9e129e + name_hash: + type: string + description: Hashed concatenation of given_name and family_nme + example: de9f2c7fd25e1b3afad3e85a0bd17d9b100db4b3 + name_match: + type: string + enum: + - Y + - N-NA + - N-AV + - Y-AD + description: Match result + example: Y + address_hash: + type: string + description: Concatenated houseno_or_housename_match, postal_code, town and country. + example: feff2c7fd25e1b3afad3e85a0bd17d9b100db4b1 + address_match: + type: string + enum: + - Y + - N-NA + - N-AV + - Y-AD + description: Match result + example: Y + birthdate_hash: + type: string + description: Date of birth of the end-user + example: 2c7fd25e1b3afad0db4b33e85a0bde9fd17d9b10 + birthdate_match: + type: string + enum: + - Y + - N-NA + - N-AV + - Y-AD + description: Match result. Required if birthdate_hash is present. + example: Y + is_lost_stolen: + type: string + enum: + - false + - true + description: Has the end-user account been marked as lost or stolen + example: false + billing_segment: + type: string + enum: + - PAYM + - PAYG + - Business + description: End-users billing type + example: PAYM + account_state: + type: string + enum: + - active + - inactive + description: End-users account status + example: active + required: + - sub + - name_hash + - name_match + - address_hash + - address_match +######################################################################################### +# RESPONSE 400 BAD REQUEST +######################################################################################### + Response_400_Authorize: + type: object + properties: + error: + type: string + description: >- +

Error code. This will be invalid_request.

+ example: invalid_request + error_description: + type: string + description: >- +

Error description. This will be redirect_uri is invalid.

+ example: redirect_uri is invalid + required: + - error + - error_description + Response_400_Get_Tokens: + type: object + properties: + error: + type: string + description: >- + Error code. + enum: + - invalid_request + - unsupported_grant_type + - invalid_grant + - access_denied + - invalid_client + example: invalid_grant + error_description: + type: string + description: >- + Error description. + example: Mandatory parameter grant_type is missing (or) invalid + required: + - error + - error_description + Response_400_Get_Identity: + type: object + properties: + error: + type: string + description: >- + Error code. + example: invalid_request + error_description: + type: string + description: >- + Error description. + example: 'Malformed request, invalid url encoding' + required: + - error + - error_description + Response_400_KYC: + type: object + properties: + error: + type: string + description: >- + Error code. + example: invalid_request + error_description: + type: string + description: >- + Error description. + example: 'Malformed request, invalid url encoding' + required: + - error + - error_description +######################################################################################### +# RESPONSE 401 +######################################################################################### + Response_401: + type: object + properties: + error: + type: string + description: >- + Error code. This is a query parameter which is present in the response + only when an error has occurred during the flow + enum: + - invalid_request + - invalid_token + example: invalid_request + error_description: + type: string + description: >- + Error description. This is a query parameter which is present in the + response only when an error has occurred during the flow + example: access_token does not exist + required: + - error + - error_description + Response_401_KYC: + type: object + properties: + error: + type: string + description: >- + Error code. This is a query parameter which is present in the response + only when an error has occurred during the flow + enum: + - invalid_request + - invalid_token + example: invalid_request + error_description: + type: string + description: >- + Error description. This is a query parameter which is present in the + response only when an error has occurred during the flow + example: access_token does not exist + required: + - error + - error_description +######################################################################################### +# RESPONSE 403 +######################################################################################### + Response_403: + type: object + properties: + error: + type: string + description: >- + Error code. + enum: + - insufficient_scope + - access_denied + example: insufficient_scope + error_description: + type: string + description: >- + Error description. + example: Insufficient scope + required: + - error + - error_description \ No newline at end of file diff --git a/documentation/MeetingMinutes/README.MD b/documentation/MeetingMinutes/README.MD index 81c3801..a111d4c 100644 --- a/documentation/MeetingMinutes/README.MD +++ b/documentation/MeetingMinutes/README.MD @@ -1 +1,37 @@ -Here you can add your meeting minutes and delete this README.MD file +#Meeting details + +## Kick-off +2022/11/15 +2022/11/17 (for Asia) + +## Hours: + +Tuesday --> 4:30PM CET +Thursday --> 8:30AM CET + +## When +every 2 weeks + +## Link + +Tuesday: +[click to join MS Teams](https://teams.microsoft.com/l/meetup-join/19%3ameeting_ZWQ4OGE0ZGUtYjY2MC00MjBiLWFmYzItNWRjMmQyN2JjYmZl%40thread.v2/0?context=%7b%22Tid%22%3a%22a1859c9b-6466-499c-adbc-ddbcb69c97dd%22%2c%22Oid%22%3a%227716fdb3-6a83-4680-90c5-a32f08253ae4%22%7d) + +Thursday: +[click to join MS Teams](https://teams.microsoft.com/l/meetup-join/19%3ameeting_NzIxMmIzM2YtYTU3ZS00NDUwLTg0MTktZjExNmVlZjU3ZDA1%40thread.v2/0?context=%7b%22Tid%22%3a%22a1859c9b-6466-499c-adbc-ddbcb69c97dd%22%2c%22Oid%22%3a%227716fdb3-6a83-4680-90c5-a32f08253ae4%22%7d) + +Upcoming meetings: +|Date|Link| +|---|---| +|2022/11/15|[click to join MS Teams](https://teams.microsoft.com/l/meetup-join/19%3ameeting_ZWQ4OGE0ZGUtYjY2MC00MjBiLWFmYzItNWRjMmQyN2JjYmZl%40thread.v2/0?context=%7b%22Tid%22%3a%22a1859c9b-6466-499c-adbc-ddbcb69c97dd%22%2c%22Oid%22%3a%227716fdb3-6a83-4680-90c5-a32f08253ae4%22%7d)| +|2022/11/17|[click to join MS Teams](https://teams.microsoft.com/l/meetup-join/19%3ameeting_NzIxMmIzM2YtYTU3ZS00NDUwLTg0MTktZjExNmVlZjU3ZDA1%40thread.v2/0?context=%7b%22Tid%22%3a%22a1859c9b-6466-499c-adbc-ddbcb69c97dd%22%2c%22Oid%22%3a%227716fdb3-6a83-4680-90c5-a32f08253ae4%22%7d)| +|2022/11/29|[click to join MS Teams](https://teams.microsoft.com/l/meetup-join/19%3ameeting_ZWQ4OGE0ZGUtYjY2MC00MjBiLWFmYzItNWRjMmQyN2JjYmZl%40thread.v2/0?context=%7b%22Tid%22%3a%22a1859c9b-6466-499c-adbc-ddbcb69c97dd%22%2c%22Oid%22%3a%227716fdb3-6a83-4680-90c5-a32f08253ae4%22%7d)| +|2022/12/01|[click to join MS Teams](https://teams.microsoft.com/l/meetup-join/19%3ameeting_NzIxMmIzM2YtYTU3ZS00NDUwLTg0MTktZjExNmVlZjU3ZDA1%40thread.v2/0?context=%7b%22Tid%22%3a%22a1859c9b-6466-499c-adbc-ddbcb69c97dd%22%2c%22Oid%22%3a%227716fdb3-6a83-4680-90c5-a32f08253ae4%22%7d)| +|2022/12/13|[click to join MS Teams](https://teams.microsoft.com/l/meetup-join/19%3ameeting_ZWQ4OGE0ZGUtYjY2MC00MjBiLWFmYzItNWRjMmQyN2JjYmZl%40thread.v2/0?context=%7b%22Tid%22%3a%22a1859c9b-6466-499c-adbc-ddbcb69c97dd%22%2c%22Oid%22%3a%227716fdb3-6a83-4680-90c5-a32f08253ae4%22%7d)| +|2022/12/15|[click to join MS Teams](https://teams.microsoft.com/l/meetup-join/19%3ameeting_NzIxMmIzM2YtYTU3ZS00NDUwLTg0MTktZjExNmVlZjU3ZDA1%40thread.v2/0?context=%7b%22Tid%22%3a%22a1859c9b-6466-499c-adbc-ddbcb69c97dd%22%2c%22Oid%22%3a%227716fdb3-6a83-4680-90c5-a32f08253ae4%22%7d)| + +## MoMs + +|Week|Link| +|:-:|:-:| +|Week 46|[MoMs](Week46_syncCalls.md)| \ No newline at end of file diff --git a/documentation/MeetingMinutes/Week46_syncCalls.md b/documentation/MeetingMinutes/Week46_syncCalls.md new file mode 100644 index 0000000..af6513d --- /dev/null +++ b/documentation/MeetingMinutes/Week46_syncCalls.md @@ -0,0 +1,54 @@ +#Participants + + +**Week 46** + +15 November 2022: +|No|Name|Company| +|:---:|:---|:---:| +|1|Garreth Williams|GSMA| +|2|Mona Mokhber|Telefonica| +|3|José Luis Urien Pinedo|Telefonica| +|4|Ludovic Robert|Orange| +|5|Dawid Wróblewski|DT| + +17 November 2022: +|No|Name|Company| +|:---:|:---|:---:| +|1|Maria Virtudes Briz Ruiz|Telefonica| +|2|Jung Yun-sun (Serena)|SK Telecom| +|3|Toshi Wakayama|KDDI| +|4|Harin Honesyandi Parandika|XL Indonesia| +|5|Heny Setywan|XL Indonesia| +|6|Dawid Wróblewski|DT| + + +#Agenda +1. progress of work +2. backlog items (grooming) +3. priorities for items +4. AOB + +#MoM + +1. Dawid Wroblewski (DW) presented information about Mobile Connect API services that are commercially available and CAMARA is willing to adopt them: + 1. **Mobile Connect Verified MSISDN** as *Number Verify* + 2. **Mobile Connect Authenticate with SMS OTP** as *Number Verify SMS 2FA* + 3. **Mobile Connect Account Takeover Protection** as *SimSwap* + +2. DW mentioned about off-line discussion between Orange and DT regarding Sim Swap API: + 1. there are two different ideas how to handle API result + - sim swap timestamp + - boolean (Yes/No) i a given period (checks if sim swap was present in e.g. last 24h) + + 2. additionally, there are two different API design patterns on a table: + - API logic triggered by a dedicated "scope" value inside OAUTH2.0 Token Request - Mobile Connect like + - API logic triggered by a dedicated URL path + 3. DW took action to rise an issue inside Commonalities Working Group to discuss this topic and shape the final design of CAMARA APIs + + [Issue #105](https://github.com/camaraproject/WorkingGroups/issues/105) + +3. Maria Virtudes Briz Ruiz (MVBR) mentioned that Telefonica (TEF) has sim swap API commercially available based on Mobile Connect API. Addition that TEF wants to make is to expose additional sim Swap flavour - boolean. +4. Toshi Wakayama (TW) asked if it is mandatory to deploy whole Mobile Connect platform to serve Mobile Connect services - DW response that it is not required. Mobile Connect defines the way that APIs are consumed nortbound (by developer/SP), but gives freedom to MNO how it is depoyed internaly (only gives some hints/recommendations about how to handle processes). +5. DW claimed that Number Verify service cannot be handled by a single endpoint - this requires a dedicated flow due to the fact that MSISDN discovery is handled by MNOs in a varioius ways, e.g. Header Enrichment, Token Servers, Dedicated OAUTH platforms, EAP-AKA, etc. +6. Participants agree that it is critical to have a common approach to API design pattern to progress with firther API services design. diff --git a/documentation/MeetingMinutes/Week50_syncCalls.md b/documentation/MeetingMinutes/Week50_syncCalls.md new file mode 100644 index 0000000..8947512 --- /dev/null +++ b/documentation/MeetingMinutes/Week50_syncCalls.md @@ -0,0 +1,101 @@ +# Week 50 meeting + +## Participants + +13 December 2022: +|No|Name|Company| +|:---:|:---|:---:| +|1|Dawid Wróblewski **(organizer)**|DT| +|2|Jens Pöschl|DT| +|3|Andrzej Ochocki|DT| +|4|Ludovic ROBERT|Orange| +|5|Patrice CONIL|Orange| +|6|MARIA VIRTUDES BRIZ RUIZ|Telefonica| +|7|MONA MOKHBER|Telefonica| +|8|José Luis Urien Pinedo|Telefonica| +|9|GLYN POVAH|Telefonica| +|10|Adri Loloci|Vodafone| +|11|Mus Dumenci|Hutchison| +|12|Fabrizio Moggio|TIM Italy| +|13|Helene Vigue|GSMA| +|14|Toyeeb Rehman|GSMA| +|15|Mark Cornall|GSMA| + +17 November 2022: +|No|Name|Company| +|:---:|:---|:---:| +|1|Maria Virtudes Briz Ruiz|Telefonica| +|2|Jung Yun-sun (Serena)|SK Telecom| +|3|Toshi Wakayama|KDDI| +|4|Harin Honesyandi Parandika|XL Indonesia| +|5|Heny Setywan|XL Indonesia| +|6|Dawid Wróblewski|DT| + +## Agenda + +1. Current activities status & introduction to guests +2. presenting Mobile Identity APIs +3. Telefonica presentation (10min) +4. Vodafone presentation (10min) +5. DT presentation (10min) +6. Q&A session + +## MoM + +1. Dawid Wroblewski (DW) presented the status of current activities inside GitHub: +### **simSwap API** + #### Recommendation: + >Enable simSwap API via OAUTH2.0 flows: + - OAUTH2.0 code flow/OpenID Connect + - OAUTH2.0 Client Credentials grant + + >Enable simSwap API flavors: + - based on dedicated endpoint (Orange + TEF proposal) + - based on MC ATP API description + +MNOs continue work and aiming to deliver APIs by the end of this week. + + ------- + + >discussion continued on Thursday 15th Dec'22 + +### NumberVerify SMS 2FA + +#### Recommendation: + + **Rename API family** to create more self-explanatory name. + Proposal: **OTP Verification API** + Supperted by: DT, Orange +
Current shape of this service has nothing to do with Number Verify, therefore naming is misleading. It looks that it is more related with messaging APIs rather than identity APIs. It is highly appreciated that **Telefonica** representatives takes the lead in shaping this API.
+ +### NumberVerify + +#### Recommendation: + + >Enable Number Verify API with two flavors: + - Based on dedicated endpoint (Orange + TEF proposal) + - Keep CAMARA flow consistent with Number Verify / Mobile Connect Verified MSISDN service design. +In the second case, this particular service has to be considered by MNO community as a whole service flow, starting from /authorize, ending with resource call. Otherwise, software developers might get confused due t ovarious ways of handling device authentication. Number Verify service hides this complexity behind ***/authorize*** endpoint. Device authentication is handled by MNOs in various ways, e.g. by using redirects to dedicated device indentification services, Header Enrichment, private IP based device detection, public IP+port based device detection. Protected resources, either it is a dedicated endpoint (**/number_verify**) or a common (**/userinfo**) should be protected with OAUTH2.0/OpenID Connect **Authorization Code** flow (three-legged-token). This helps to assure that only authorized clients are capable of consuming protected resources. + +----- + +>meetng covered AoB topics that orbited API design & CAMARA goals topics. + +## AoB + +1. Vodafone (Adri) & Hutchison (Mus) requested information of CAMARA's goals. +2. Vodafone supports simSwap over MC ATP with Client Credentials. +3. GSMA (Mark) provided information about CAMARA & Openverse initiatives. + - vision: Enable 5G APIs + - API federtion + - ease of use for developers +4. Hutchison (Mus) shared lessons learnt from delivering Identity APIs countries where Hutchison operates. +5. Deutsche Telekom (Jens) requested information about the ideas for CAMARA Business Model. +6. Vodafone states that MNOs should focus on customers, trying to identify the problem, aligning on desired attributes, functional and non-funcional features, + +## APs + +1. GSMA to provide information about Openverse stakeholders (Done - Helen provided list to Vodafone and Hutchoison). +2. simSwap - work with 2 yaml files with API description +3. Number Verify - work with 2 yaml files with API description. +4. Number Verify SMS 2FA - change the name of API and continue work to deliver OTP validation API. \ No newline at end of file diff --git a/documentation/SupportingDocuments/README.MD b/documentation/SupportingDocuments/README.MD index 220f01c..43f107e 100644 --- a/documentation/SupportingDocuments/README.MD +++ b/documentation/SupportingDocuments/README.MD @@ -1 +1 @@ -Here you can add your supporting documents and delete this README.MD file +# Backlog \ No newline at end of file diff --git a/documentation/SupportingDocuments/backlog.md b/documentation/SupportingDocuments/backlog.md new file mode 100644 index 0000000..d0b0a45 --- /dev/null +++ b/documentation/SupportingDocuments/backlog.md @@ -0,0 +1,3 @@ +|No|Item name|Issued by|Issued when| +|:---:|:---|:---:|:---:| +|1|schedule bi-weekly calls|DT-DW|Nov'22| \ No newline at end of file