Introduction

OpenID Provider Metadata, also described as openid-configuration, is a list of metadata that describes the OIDC implementation of a given Operator. The metadata is hosted on a so called "openid-configuation" url which is constructed from a given "issuer" provided by the end-user's operator. The URL is constructed as below.

<issuer>/.well-known/openid-configuration

The issuer can be obtained as part of the discovery response or will be provided by your operator if you are not using discovery. Once the application obtains the issuer value, it will be able to construct the openid-configuration url and retrieve the metadata that describes the operator.

 

The metadata document

The openid-configuration content will be in returned in application/json format. See the example HTTP response below for details.

> GET /mobileconnect/.well-known/openid-configuration HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: reference.mobileconnect.io
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Fri, 01 Jun 2018 07:50:17 GMT
< Server: Apache/2.4.7 (Ubuntu)
< Last-Modified: Thu, 17 May 2018 15:14:17 GMT
< ETag: "f32-56c684a016fad"
< Accept-Ranges: bytes
< Content-Length: 3890
< 
{  
   "version":"3.0",
   "issuer":"https://reference.mobileconnect.io/mobileconnect",
   "authorization_endpoint":"https://reference.mobileconnect.io/mobileconnect/index.php/auth",
   "token_endpoint":"https://reference.mobileconnect.io/mobileconnect/index.php/token",
   "userinfo_endpoint":"https://reference.mobileconnect.io/mobileconnect/index.php/userinfo",
   "premiuminfo_endpoint":"https://reference.mobileconnect.io/mobileconnect/index.php/premiuminfo",
   "mc_atp_endpoint":"https://reference.mobileconnect.io/mobileconnect/index.php/atp",
   "check_session_iframe":"https://reference.mobileconnect.io/mobileconnect/opframe.php",
   "end_session_endpoint":"https://reference.mobileconnect.io/mobileconnect/index.php/endsession",
   "jwks_uri":"https://reference.mobileconnect.io/mobileconnect/op.jwk",
   "scopes_supported":[  
      "openid",
      "mc_authn",


  ....

 

Values

The metadata values follows the standard set by the OIDC that can be referenced here. Additionally there will be number of Mobile Connect specific values. The table below describes the values relevant to Mobile Connect.

Value Description
issuer The asserted Issuer value of the Operator. This should match with the issuer you received from discovery as well as the "iss" claim within a returned id_token
jwks_uri A URL of the Operator JSON Web Key Set [JWK] document. This contains the signing key(s) where the SP will use to validate signed object from the Operator (eg, id_token)
scopes_supported JSON array containing a list of the scope values (Mobile Connect Products) that this server supports. this is the value that you use to pass as the scope parameter of the AuthN request.
acr_values_supported JSON array containing a list of the Level Of Assurance the Operator supports.
id_token_signing_alg_values_supported JSON array containing a list of the JWS signing algorithms (alg values) supported by the Operator for the ID Token to encode the Claims in a JWT [JWT]. RS256 will be the base support, however a Operator may choose to support additional algorithm.
op_policy_uri A URL of a page containing the Operator's Policy towards the SP.
service_documentation A URL of a page containing human-readable information that SP might want or should know about the Operator when using the service.
op_tos_uri A URL of a page containing the Operator's Terms of service towards the SP.
authorization_endpoint The Authorization Endpoint of the Serving Operator.
token_endpoint The Token Endpoint of the Serving Operator.
*<resource>_endpoint Additional Resource endpoint per Mobile Connect Product. This values will be paired up with "scopes_supported". If a new Mobile Connect Product that has a resource endpoint is supported, it will be stated within "scopes_supported" as will as a specific endpoitn with the matching scope name.
*login_hint_methods_supported Mobile Connect defines 3 types of "login_hint" methods, "MSISDN,ENCR_MSISDN,PCR", A JSON array containing the method the Operator Supports.
*mobile_connect_version_supported A JSON array of key value pairs of the Mobile Connect Products and the Mobile Connect Version the Operator Supports. This will inform the SP that they will need to pass the use the different version standards when using those products.

Values marked with * are not part of the standard OIDF specification but are Mobile Connect specific extensions.

 

Summary

When the application obtains the Provider Metadata (openid-configuration) URL constructed from the issuer value, it will be able to perform further checks to validate if that Operator supports the "Service/Mobile Connect Product" they wish to use. Under normal circumstances, this would always be true. However there might be a chance that this could vary so the check should be performed. At this point the application can provide an appropriate warning message stating that the end-users Operator has yet to support the specific functionality. When the Operator deploys the specific functionality there is no changes required from the application to support that operator.

 

Further information

For further information you can view the Sandbox Provider Metadata files here:

Further technical information can be found within the OpenID specification here as referenced above.