---
title: GSMA Mobile Connect
description: GSMA Mobile Connect is an application of OpenID Connect (OIDC). It enables mobile phones to serve as authentication devices independently of the service and the device.
component: pingoneaic
page_id: pingoneaic:am-oidc1:oidc-mobile-connect
canonical_url: https://docs.pingidentity.com/pingoneaic/am-oidc1/oidc-mobile-connect.html
keywords: ["OpenID Connect (OIDC)", "Standards", "Integration"]
page_aliases: ["oidc1-guide:oidc-mobile-connect.adoc"]
section_ids:
  mobile_connect_roles: Mobile Connect roles
  loa_support: LoA support
  mobile-connect-configure: Configure Mobile Connect
  mobile-connect-table-auth-request-params: Authorization parameters
---

# GSMA Mobile Connect

[GSMA Mobile Connect](https://www.gsma.com/identity/mobile-connect) is an application of OpenID Connect (OIDC). It enables mobile phones to serve as authentication devices independently of the service and the device.

Mobile Connect offers a standard way for Mobile Network Operators (MNOs) to act as general-purpose identity providers. It offers a range of Levels of Assurance (LoAs) and profile data to Mobile Connect-compliant service providers.

## Mobile Connect roles

In a Mobile Connect deployment, Advanced Identity Cloud can play the following roles:

* The OpenID provider

  The provider implements the Mobile Connect Profile as part of the Service Provider (Identity Gateway interface).

  The OpenID provider responds to a successful authorization request with all the required fields and the optional `expires_in` field. Advanced Identity Cloud supports the mandatory ID Token properties. The relying party must use the `expires_in` value instead of specifying `max_age` as a request parameter.

  Advanced Identity Cloud returns the standard `userinfo` claims and the `updated_at` property. The `updated_at` property holds the time last updated as seconds since January 1, 1970 UTC.

* The authenticator

  The authenticator implements the Mobile Connect Profile as part of the Identity Gateway (Authenticators interface).

  The authenticator makes users authenticate at the appropriate LoA. A service provider can request LoAs without regard to the implementation. The Identity Gateway includes a claim in the ID Token to indicate the LoA achieved.

## LoA support

Advanced Identity Cloud maps LoAs to an authentication mechanism:

* A service provider acting as a relying party requests a LoA with the `acr_values` parameter.

* Advanced Identity Cloud returns the corresponding `acr` claim in the ID token.

LoA support:

* `1` (low—​little or no confidence)

* `2` (medium—​some confidence, as in single-factor authentication)

* `3` (high—​high confidence, as in multi-factor authentication)

LoA support does not include support for `4`, which involves digital signatures. The `dtbs` authorization parameter is not supported.

## Configure Mobile Connect

Configure the OAuth 2.0 provider OIDC authentication context settings to return `acr` and `amr` claims in the ID tokens.

For details, refer to [Authentication requirements](oidc-authentication-requirements.html).

## Authorization parameters

You must use the authorization code grant to request ID tokens.

| Request parameter | Supported? | Description                                                                                                                                                                                         |
| ----------------- | ---------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `acr_values`      | Yes        | The OpenID Connect authentication context class reference values.For details, refer to [The `acr` claim](oidc-authentication-requirements.html#acr-claim).                                          |
| `client_id`       | Yes        | A unique string identifier for the application making the request.                                                                                                                                  |
| `display`         | Yes        | A string value specifying the user interface display.                                                                                                                                               |
| `dtbs`            | No         | Data to be signed.LoA 4 is not supported.                                                                                                                                                           |
| `login_hint`      | Yes        | A string specifying the ID used to log in.Set the `login_hint` to the value of the `oidcLoginHint` cookie. This is an HttpOnly cookie (only sent over HTTPS).                                       |
| `nonce`           | Yes        | A string linking the client session with the ID token to mitigate against replay attacks.Required for Mobile Connect.                                                                               |
| `redirect_uri`    | Yes        | The URI to return the end user to after authorization is complete; must match the `redirect_uri` in the client application profile.                                                                 |
| `response_type`   | Yes        | A string specifying the response expected from the authorization server; use `response_type=code`.                                                                                                  |
| `scope`           | Yes        | A string specifying the permissions the client application requests from the end user. Separate scopes with spaces.Required: `openid`Optional: `address` `email` `offline_access` `phone` `profile` |
| `state`           | Yes        | A string value to maintain state between the request and the callback.Required for Mobile Connect.                                                                                                  |