Introduction
OpenID Provider Metadata, also described as openid-configuration, is a list of metadata that describes the OIDC implementation of a given Operator. The metadata is hosted on a so called "openid-configuation" url which is constructed from a given "issuer" provided by the end-user's operator. The URL is constructed as below.
<issuer>/.well-known/openid-configuration
The issuer can be obtained as part of the discovery response or will be provided by your operator if you are not using discovery. Once the application obtains the issuer value, it will be able to construct the openid-configuration url and retrieve the metadata that describes the operator.
The metadata document
The openid-configuration content will be in returned in application/json
format. See the example HTTP response below for details.
> GET /mobileconnect/.well-known/openid-configuration HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: reference.mobileconnect.io
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 01 Jun 2018 07:50:17 GMT
< Server: Apache/2.4.7 (Ubuntu)
< Last-Modified: Thu, 17 May 2018 15:14:17 GMT
< ETag: "f32-56c684a016fad"
< Accept-Ranges: bytes
< Content-Length: 3890
<
{
"version":"3.0",
"issuer":"https://reference.mobileconnect.io/mobileconnect",
"authorization_endpoint":"https://reference.mobileconnect.io/mobileconnect/index.php/auth",
"token_endpoint":"https://reference.mobileconnect.io/mobileconnect/index.php/token",
"userinfo_endpoint":"https://reference.mobileconnect.io/mobileconnect/index.php/userinfo",
"premiuminfo_endpoint":"https://reference.mobileconnect.io/mobileconnect/index.php/premiuminfo",
"mc_atp_endpoint":"https://reference.mobileconnect.io/mobileconnect/index.php/atp",
"check_session_iframe":"https://reference.mobileconnect.io/mobileconnect/opframe.php",
"end_session_endpoint":"https://reference.mobileconnect.io/mobileconnect/index.php/endsession",
"jwks_uri":"https://reference.mobileconnect.io/mobileconnect/op.jwk",
"scopes_supported":[
"openid",
"mc_authn",
....
Values
The metadata values follows the standard set by the OIDC that can be referenced here. Additionally there will be number of Mobile Connect specific values. The table below describes the values relevant to Mobile Connect.
Value | Description |
---|---|
issuer | The asserted Issuer value of the Operator. This should match with the issuer you received from discovery as well as the "iss" claim within a returned id_token |
jwks_uri | A URL of the Operator JSON Web Key Set [JWK] document. This contains the signing key(s) where the SP will use to validate signed object from the Operator (eg, id_token) |
scopes_supported | JSON array containing a list of the scope values (Mobile Connect Products) that this server supports. this is the value that you use to pass as the scope parameter of the AuthN request. |
acr_values_supported | JSON array containing a list of the Level Of Assurance the Operator supports. |
id_token_signing_alg_values_supported | JSON array containing a list of the JWS signing algorithms (alg values) supported by the Operator for the ID Token to encode the Claims in a JWT [JWT]. RS256 will be the base support, however a Operator may choose to support additional algorithm. |
op_policy_uri | A URL of a page containing the Operator's Policy towards the SP. |
service_documentation | A URL of a page containing human-readable information that SP might want or should know about the Operator when using the service. |
op_tos_uri | A URL of a page containing the Operator's Terms of service towards the SP. |
authorization_endpoint | The Authorization Endpoint of the Serving Operator. |
token_endpoint | The Token Endpoint of the Serving Operator. |
*<resource>_endpoint | Additional Resource endpoint per Mobile Connect Product. This values will be paired up with "scopes_supported". If a new Mobile Connect Product that has a resource endpoint is supported, it will be stated within "scopes_supported" as will as a specific endpoitn with the matching scope name. |
*login_hint_methods_supported | Mobile Connect defines 3 types of "login_hint" methods, "MSISDN,ENCR_MSISDN,PCR", A JSON array containing the method the Operator Supports. |
*mobile_connect_version_supported | A JSON array of key value pairs of the Mobile Connect Products and the Mobile Connect Version the Operator Supports. This will inform the SP that they will need to pass the use the different version standards when using those products. |
Values marked with * are not part of the standard OIDF specification but are Mobile Connect specific extensions.
Summary
When the application obtains the Provider Metadata (openid-configuration) URL constructed from the issuer value, it will be able to perform further checks to validate if that Operator supports the "Service/Mobile Connect Product" they wish to use. Under normal circumstances, this would always be true. However there might be a chance that this could vary so the check should be performed. At this point the application can provide an appropriate warning message stating that the end-users Operator has yet to support the specific functionality. When the Operator deploys the specific functionality there is no changes required from the application to support that operator.
Further information
For further information you can view the Sandbox Provider Metadata files here:
Further technical information can be found within the OpenID specification here as referenced above.