!!! Overview[1]
[{$pagename}] is an [OPTIONAL] [Authentication Request] parameter that was added in the [OpenID Connect MODRNA Authentication Profile 1.0].

[{$pagename}] is used to pass a user hint into the [authentication] process at the [OpenID Connect Provider].

[{$pagename}] is opaque to the client by design.

There are several ways for a client to obtain a [{$pagename}]. The [MODRNA] discovery service [MODRNA.Discovery] creates a [{$pagename}] if the user has entered their [MSISDN] in the course of the [Mobile Network Operator] discovery process. In the case of a [{$pagename}] produced by the MODRNA Discovery Service, it is an encrypted [JSON Web Token] ([JWT], [RFC 7519]) that contains a [{$pagename}] for the [OpenID Connect Provider].

The [{$pagename}] [SHALL] be used by the client as the login hint with the [OpenID Connect Provider] identified by the [MODRNA] discovery service [MODRNA.Discovery]. In this case, the [{$pagename}] is supposed to be a signed ([JWS]) and encrypted ([JWE]) [JWT].

The [Authorization Server] [MAY] produce [{$pagename}] in other formats for use in [Account Chooser] or other discovery profiles, as long as they are [confidentiality] protected from the client.

The [{$pagename}] produced by the MODRNA discovery service [MODRNA.Discovery] has the following elements:
* [iss] - [REQUIRED]. The party creating the [{$pagename}]. This value [MUST] be used by the [Identity Provider (IDP)] receiving the token to obtain the [JWK] ([RFC 7517]) file required to validate the token's signature (see Section 6.1).
* [aud] - [REQUIRED]. The party to receive the token, typically the user's [OpenID Connect Provider]. The value [MUST] be the issuer [URI] of the [OpenID Connect Provider] as exposed in the [Identity Provider (IDP)]'s [openid-configuration] meta-data.
* [iat] - [REQUIRED]. When the token was issued.
* [MSISDN] - [REQUIRED]. The subscriber identifier, formatted according to [ITU-T] recommendation [E.164].

The following is a non-normative [example] of a [JWT] body (with line wraps within values for display purposes only):
%%prettify
{{{
{
  "iss": "https://discovery-provider.com",
  "aud": "https://babytel.com",
  "iat": 1311280970,
  "MSISDN": "+1999550123"
}
}}}
/%

!! [{$pagename}] [encryption] and [signing|Digital Signature]
The [{$pagename}] [MUST] be [encrypted] using the [Public Key] of the [OpenID Connect Provider] designated by the claim "[aud]" in the [{$pagename}]. The appropriate [Public Key] is obtained using the rules defined in [OpenID Connect Discovery].

In the first step, the [openid-configuration] for the [Identity Provider (IDP)] is retrieved by performing discovery per Section 4 of [OpenID.Discovery], using the issuer string for the user's [Identity Provider (IDP)] as the input.

In the next step, the value of the "jwks_uri" claim (per Section 3 of [OpenID.Discovery]) is used to retrieve the [OpenID Connect Provider]'s [JWK] ([RFC 7517]). A public key in the JWK with a use parameter of "enc" (per Section 4.2 of JWK [RFC 7517]) is used as the encryption key. The [{$pagename}] is then encrypted as a JWE using that key.

The [{$pagename}] [MUST] be signed using the private key of the Discovery Service. It is best practice to sign, then encrypt tokens, as signatures over encrypted information may leak information in the envelope and may not be considered legally valid. For an example of a nested [JWT] that is signed and then encrypted, see Appendix 2 of [JWT] [RFC 7519].

NOTE: The [{$pagename}] is opaque to the client by design. The [Authorization Server] may produce [{$pagename}] in other formats for use in [Account Chooser] or other discovery profiles, as long as they are [confidentiality] protected from the client.
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [openid-connect-modrna-authentication-1_0|https://openid.net/specs/openid-connect-modrna-authentication-1_0-06.html|target='_blank'] - based on information obtained 2017-03-07