Access Token Represents an authorisation from the user, after successful authentication, to access user information within a given time window. The Access Token is associated with permissions (known in OIDC as ‘scopes’) which control which information or services an application has permitted access to.
Active Consent See Explicit Consent
API Endpoints The URLs which applications use to invoke the API services that make up the Mobile Connect products. API Endpoints are provided by the API Exchange for discovery and by the Mobile Network Operator for the Mobile Connect products.
API Exchange The federated API solution that allows developers to quickly and easily receive details of an end-user's operator endpoints.
Attribute A description of a characteristic of an Identity. Examples include: hair colour, age, presence status, location. Note that an attribute may uniquely identify the identity, in which case it is an identifier. Also see: Identifier, Identity.
Authentication The process by which a system verifies the identity of a user who wishes to access it.
Authentication Device The device upon which an end-user authenticates themselves, normally a mobile phone. The authentication device may be the same as the Consumption Device.
Authenticator The method by which a user is authenticated. More details can be found here.
Authorization To be added
Authorization Code The intermediate token representing a successful authentication and user authorisation, which can then be exchanged for an Access Token.
AuthN Authentication
AuthZ Authorization
Claim An individual item of user-information such as a name, a phone number or an email address.
Credentials Specific information that is transferred, stored and processed in order to authenticate or authorize. Credentials may be of three different types:

  • “Something you know” (e.g. a password)
  • “Something you have” (e.g. a bank card)
  • “Something you are” (e.g. an iris reading, a MAC address)
Consumption Device The device where the service or application that the end-user wishes to access is available. This may also be the Authentication Device.
Discovery The process of identifying a user's MNO and then retrieving the details necessary to make a request to that MNO.
End-user The end-user is the person whose identity is being asserted. They are an end-user of the Operator and the Service Provider.
Explicit Consent The Operator explicitly asks the end-user to give agreement on a per-transactional basis to share attributes with an application or service. The end-user actively gives consent as part of the user journey.
The FIDO Alliance An industry consortium defining a protocol for interoperable strong authentication.
I&A Identity & Attributes
Identifier An attribute that is unique within a defined scope. Examples are: MSISDN, email address, account number. Also see: Attribute and Identity.
Identity The collective aspect of the set of characteristics by which an actor is uniquely recognizable or known; the set of behavioural or personal characteristics by which an individual or group is recognizable. An identity is described by its attributes, some of which may be identifiers. Also see: Attribute and Identifier.
Identity Gateway Exposes the Mobile Connect API, enabling requests that a user be authenticated and to request a preferred level of assurance.
Identity Token The ID token resembles the concept of an identity card, in a standard JWT format, signed by the OpenID Provider (OP). To obtain one the client needs to send the user to their OP with an authentication request.

Features of the ID token:

  • Asserts the identity of the user, called subject in OpenID (sub).
  • Specifies the issuing authority (iss).
  • Is generated for a particular audience, i.e. client (aud).
  • May contain a nonce (nonce).
  • May specify when (auth_time) and how, in terms of strength (acr), the user was authenticated.
  • Has an issue (iat) and an expiration date (exp).
  • May include additional requested details about the subject, such as name and email address.
  • Is digitally signed, so it can be verified by the intended recipients.
  • May optionally be encrypted for confidentiality.

The ID token statements, or claims, are packaged in a simple JSON object.
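As an added example (not code from the Mobile Connect documentation or its reference implementations), the following Python performs the relying-party checks that correspond to the ID token features listed above: signature, iss, aud, nonce, exp and iat, and auth_time when a maximum authentication age is required. To stay dependency-free it signs with HS256 over a constructed shared secret; a real OP signs with its own asymmetric key pair and publishes the public key. The issuer URL, client ID, secret, subject and timestamps are all constructed values, and `make_id_token` is a hypothetical issuer-side helper that exists only to build test input.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example only; a real OP publishes asymmetric keys.
EXAMPLE_KEY = b"constructed-example-secret-do-not-reuse"
EXAMPLE_ISSUER = "https://op.example.invalid"
EXAMPLE_CLIENT_ID = "client-abc"
EXAMPLE_NOW = 1_700_000_000


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes = EXAMPLE_KEY) -> str:
    """Hypothetical issuer-side helper: compact JWS (header.payload.signature)
    over the claims, signed with HS256. Used here only to construct input."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
             for obj in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class IdTokenError(ValueError):
    """Raised when an ID token fails any verification step."""


def verify_id_token(token: str, key: bytes, expected_iss: str, expected_aud: str,
                    expected_nonce: str, now: Optional[int] = None,
                    max_age: Optional[int] = None, skew: int = 60) -> dict:
    """RP-side verification of the ID token: signature, iss, aud, nonce,
    exp/iat and (when max_age is given) auth_time. Returns the claims."""
    if now is None:
        now = int(time.time())
    segments = token.split(".")
    if len(segments) != 3:
        raise IdTokenError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = segments
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise IdTokenError("signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise IdTokenError("iss mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        raise IdTokenError("token not issued for this client (aud)")
    if len(aud_list) > 1 and claims.get("azp") != expected_aud:
        raise IdTokenError("multiple audiences but azp is not this client")
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce does not match the one sent in the request")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or now >= exp:
        raise IdTokenError("token expired or exp missing")
    if not isinstance(iat, int) or iat > now + skew:
        raise IdTokenError("iat missing or in the future")
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, int) or now - auth_time > max_age:
            raise IdTokenError("authentication too old for max_age")
    if not claims.get("sub"):
        raise IdTokenError("sub (subject) missing")
    return claims


def id_token_problem(*args, **kwargs) -> Optional[str]:
    """None when the token verifies, otherwise the reason (useful for logging)."""
    try:
        verify_id_token(*args, **kwargs)
        return None
    except IdTokenError as err:
        return str(err)


def example_claims(**overrides) -> dict:
    """Constructed claim set mirroring the feature list above."""
    claims = {"iss": EXAMPLE_ISSUER, "sub": "pcr-0123456789", "aud": EXAMPLE_CLIENT_ID,
              "nonce": "n-4f2a", "iat": EXAMPLE_NOW - 10, "exp": EXAMPLE_NOW + 300,
              "auth_time": EXAMPLE_NOW - 20, "acr": "2"}
    claims.update(overrides)
    return claims


if __name__ == "__main__":
    token = make_id_token(example_claims())
    print(verify_id_token(token, EXAMPLE_KEY, EXAMPLE_ISSUER, EXAMPLE_CLIENT_ID,
                          "n-4f2a", now=EXAMPLE_NOW)["sub"])
    print(id_token_problem(token, EXAMPLE_KEY, EXAMPLE_ISSUER, EXAMPLE_CLIENT_ID,
                           "other-nonce", now=EXAMPLE_NOW))
```

The order of checks matters: the signature is verified over the raw base64url segments before the payload is parsed, so no claim is trusted until its integrity is established, and the expected nonce is the one the RP stored in its own session when it built the authentication request, never a value read back from the token.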

ID GW Identity Gateway
ID Gateway Identity Gateway
ID Token Provides a set of metadata regarding the Authentication to the Service Provider. This includes the PCR, authenticator used, Level of Assurance etc. See Identity Token for more details.
Issuing Authority To be added
JSON Web Token Client apps receive the user’s identity encoded in a secure JSON Web Token (JWT), called the ID token (Identity Token).
JWT JSON Web Token
KYC Know Your Customer
Level of Assurance Describes the degree of confidence in the processes leading up to and including an authentication. It provides assurance that the entity claiming a particular identity is the entity to which that identity was assigned. More information can be found here.
LoA Level of Assurance.
Login hint Hint to the Authorization Server about the login identifier the end-user might use to log in (if necessary). This hint can be used by an RP if it first asks the end-user for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered authorization service. It is RECOMMENDED that the hint value match the value used for discovery. This value MAY also be a phone number in the format specified for the phone_number Claim. The use of this parameter is left to the OP's discretion.
MCC Mobile Country Code
MFA Multi-factor Authentication
Mobile Network Operator To be added
MNC Mobile Network Code
MNO Mobile Network Operator.
MSISDN Mobile Subscriber ISDN Number: a mobile phone number including the country code but excluding the leading +.
OAuth2 An open protocol that allows secure authorization in a simple and standard way from web, mobile and desktop applications. The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service.
OpenID Connect A simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end-user based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner.
nonce The nonce ties the session to the issued id_token. The RP generates the nonce. The IdP MUST return the nonce unchanged as the value of the id_token "nonce" parameter. The IdP MUST NOT reject duplicates.
PCR The Pseudonymous Customer Reference that allows a developer to match a Mobile Connect user with a service account.
Prompt Question displayed to the end-user on the Authentication Device to approve or deny the Transaction.
Scope Pre-defined collection of attributes that are logical to group together, either for sharing or for simplifying policy management (some degree of commonality in the policy for each attribute within the scope).
Scope hash Hash of the individual attribute values within the scope; used as a checksum by the service provider to determine whether any of the values (attributes) in the scope have changed (e.g., for periodic KYC checks).
Service Provider The organisation that provides services or applications to end-users.
SP Service Provider
Transaction An operation initiated by the application which uses one or more Mobile Connect products to complete a certain task.
Trusted Service Provider A Service Provider that is trusted to request data directly from end-users.