Mobile Connect is a mobile-operator-facilitated authentication solution that provides simple, secure and convenient access to online services. To get a better understanding of what Mobile Connect is, read the following article.
The main problem that all Mobile Connect developers face is how to obtain the credentials needed to access the services. The process seems very complicated because many parties are involved: the Discovery API, the GSMA, Mobile Network Operators, Identity Providers, third-party security applications, the privacy policies and so on. But is there an easy way to obtain the necessary credentials and start development straight away? This blog describes the environments available for Mobile Connect development and how to obtain the necessary credentials for each of them.
What are these credentials?
The Mobile Connect process flow consists of two main APIs, namely, "Discovery API" and the "Mobile Connect API" (see image below). To access the "Discovery API" the developer needs a pair of "client_id" and "client_secret" which can be used to gain authorization to the "Discovery API". On the other hand, the "Mobile Connect API" runs on top of the OpenID Connect Protocol and it contains three main endpoints that need credentials to access them. So the main question now is, "which credentials do we really need?".
In the Mobile Connect process flow, the credentials required to access the "Discovery API" should be obtained from the GSMA or the Official Mobile Connect Developer site. In the response sent back by the "Discovery API", we will receive a set of credentials to access the "Mobile Connect API". This set of credentials will be used to access all three endpoints of the "Mobile Connect API". Therefore once we obtain the "Discovery API" credentials, that is more than enough for us to proceed with the "Mobile Connect Authentication" process flow. Refer to Mobile Connect Specifications for more details.
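The hand-over described above, where the Discovery API response carries the credentials and endpoints for the "Mobile Connect API", can be handled as in the following added example (not code from the Mobile Connect project). The JSON field layout, the operator.example URLs and the helper names are assumptions made for illustration and should be checked against the Mobile Connect Specifications.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery response. The field layout is an assumption made for
# this example; confirm it against the Mobile Connect Specifications.
SAMPLE_DISCOVERY_RESPONSE = json.dumps({
    "response": {
        "serving_operator": "Example Operator",
        "client_id": "operator-issued-client-id",
        "client_secret": "operator-issued-client-secret",
        "apis": {"operatorid": {"link": [
            {"rel": "authorization", "href": "https://operator.example/oidc/authorize"},
            {"rel": "token", "href": "https://operator.example/oidc/token"},
            {"rel": "userinfo", "href": "https://operator.example/oidc/userinfo"},
        ]}},
    },
})

# The three OpenID Connect endpoints the operator credentials are used against.
REQUIRED_RELS = ("authorization", "token", "userinfo")


def extract_operator_config(raw_json, allow_insecure=False):
    """Pull the Mobile Connect API credentials and endpoints out of a discovery response."""
    body = json.loads(raw_json).get("response") or {}
    client_id, client_secret = body.get("client_id"), body.get("client_secret")
    if not client_id or not client_secret:
        raise ValueError("discovery response carries no operator credentials")
    links = body.get("apis", {}).get("operatorid", {}).get("link", [])
    endpoints = {l["rel"]: l["href"] for l in links
                 if l.get("rel") in REQUIRED_RELS and l.get("href")}
    for rel in REQUIRED_RELS:
        if rel not in endpoints:
            raise ValueError(f"discovery response has no {rel} endpoint")
        parts = urlsplit(endpoints[rel])
        # The client_secret and tokens are sent to these URLs, so refuse
        # cleartext HTTP unless explicitly allowed for sandbox testing.
        if not parts.netloc or (parts.scheme != "https" and not allow_insecure):
            raise ValueError(f"refusing {rel} endpoint: {endpoints[rel]}")
    return {"client_id": client_id, "client_secret": client_secret,
            "endpoints": endpoints}


def redact(config):
    """Return a copy that is safe to log: the client_secret is masked."""
    return {**config, "client_secret": "***redacted***"}


if __name__ == "__main__":
    print(redact(extract_operator_config(SAMPLE_DISCOVERY_RESPONSE)))
```

Log only the redacted copy; the unredacted configuration belongs in memory or a secret store, not in application logs.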
Mobile Connect Environments
There are two main environments in the "Mobile Connect" process.
Sandbox Environment: http://discovery.sandbox2.mobileconnect.io/v2/discovery
Production Environment: https://discover.mobileconnect.io/gsma/v2/discovery
The "Sandbox Environment" is used for testing purposes, whereas the "Production Environment" is used for actual deployments of applications. How to obtain credentials for each of these environments is described below.
Mobile Connect Application On-boarding Process
The "Application On-boarding Process" refers to the registration of the relevant service provider with the Official Mobile Connect Developer Website. Step-by-step instructions for the basic "Application On-boarding Process" are given below. For more detail on each of the environments described above, refer to the sections that follow.
1) Navigate to https://developer.mobileconnect.io/#overlay=user/register and register by entering your name and email (If you are a new user)
2) Go to your email inbox, and click on the one time link received, to confirm your registration
3) Go to "My Account" Dashboard
4) Click on "My Apps"
5) On "My Apps" page, click "Add Application"
6) Complete the "Create Application" form with the following details and click "Create":
Name: Travelocity (any name you prefer)
URL: localhost:8080/travelocity.com/index.jsp (any URL that describes your application)
Description: "This is a test application" (any description that explains the application)
Redirect URI: https://localhost:9443/commonauth (use this URI)
7) You will see the confirmation message, and your new app will now be available on the "My Apps" page.
8) Go to "My Account" and click on "My Operators"
Select the checkbox "Accept Terms and Conditions for all operators" and click on "Accept"
Get Credentials for Sandbox Environment
After successful completion of the "Application On-boarding Process" mentioned above, you should have received the sandbox credentials by now.
However, since these credentials can only be used in the "Sandbox Environment", the mobile numbers that can be used to test the Mobile Connect process are limited (to mobile numbers of Indian Mobile Network Operators). Therefore we need to add test numbers manually, so that the servers know which numbers we will be using for authentication via the "Sandbox Credentials". To do this, follow the steps below.
1) Go to "My Account" and click on "My Test Numbers"
2) Add the test numbers and click "Update"
Now, the "Sandbox Credentials" will work just fine. (Remember to only use the numbers you added as test numbers)
Get Credentials for Production Environment
If you are planning to work on the production environment, then you will need to provision the application with the relevant MNO (Mobile Network Operator). Since the production environment refers to the actual deployment of the application, the relevant MNOs that you pick should approve and add your application as a trusted service provider. (more information will be provided below). Follow the below steps to obtain credentials for the Mobile Connect "Production Environment".
1) Go to "My Account" and click on "My Apps"
2) Go to your application that you registered, and click "Promote"
This "Promote" button will not appear if you have not selected the "Accept Terms and Conditions for all operators" checkbox on the "My Operators" page.
3) Select the required list of "Operators" and hit the "Promote" button. You will get a confirmation message on the same page itself.
The confirmation message will look like this.
4) Within a few minutes, you will receive an email with the acceptance of the ticket for promoting your application.
Within 24 hours, the application will be set up in the "Production Environment". The "Mobile Connect" team will contact you if they need any further clarifications.
What does the Promote button do?
Before hitting the "Promote" button, we have to select the relevant countries and the relevant Mobile Network Operators. When the button is pressed, the system creates a JIRA ticket and sends it to the relevant Mobile Connect APIs, and they check the details of the application and set up the relevant MNO to provide access to this application.
The Mobile Connect API is usually implemented by another party like WSO2 Telco or Apigee, and the provisioning of the application happens according to the Mobile Connect Privacy Principles. If they have any issues regarding the application being registered, they will contact the relevant party and request more information. They do not provision applications that violate the Mobile Connect privacy principles and privacy promise.
How to Get UserInfo Endpoint Access?
The claims supported by the "UserInfo Endpoint" are "email", "address", "phone" and "offline_access". All of these are sensitive, since they contain information about the relevant MSISDN users. Therefore most "Mobile Network Operators" do not provide access to any of the claims mentioned above. The Mobile Connect API of each MNO will only provide a field named "sub", which is a default response from the "UserInfo Endpoint" according to the OpenID Connect Protocol.
You may be wondering whether this scenario complies with the "Mobile Connect Privacy Principles". Yes, all the projects that use Mobile Connect should be able to agree to the "Privacy Principles". However, even though we promote our application and obtain "Production Credentials", it does not necessarily mean that the MNOs trust our application with sensitive information. Therefore, if you need to gain access to the "Mobile Connect UserInfo Endpoint" of the respective MNO, you need to contact the MNO separately.
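Because most operators return only "sub", a service provider should key its accounts on "sub" and treat every other claim as optional. The following added example (not code from the original post) shows one way to process a UserInfo response on that basis; the function name, the sample claim list and the sample responses are constructed for illustration.

```python
# Standard OpenID Connect claim names used here as sample "wanted" claims
# (an assumption of this example; the operator decides what it releases).
WANTED_CLAIMS = ("email", "phone_number", "address")


class UserInfoError(Exception):
    """The UserInfo response must not be used."""


def read_userinfo(userinfo, id_token_sub, wanted=WANTED_CLAIMS):
    """Validate a UserInfo response and report which claims were released."""
    sub = userinfo.get("sub")
    if not isinstance(sub, str) or not sub:
        raise UserInfoError("UserInfo response has no 'sub'")
    # OpenID Connect Core: 'sub' from UserInfo must exactly match 'sub' in the
    # ID Token; on a mismatch the UserInfo values must not be used.
    if sub != id_token_sub:
        raise UserInfoError("UserInfo 'sub' does not match the ID Token 'sub'")
    granted = {name: userinfo[name] for name in wanted if name in userinfo}
    withheld = [name for name in wanted if name not in userinfo]
    return {"sub": sub, "granted": granted, "withheld": withheld}


# Constructed responses: a typical operator reply (only 'sub') and one where
# the operator has approved the email claim.
SUB_ONLY = {"sub": "constructed-sub-0001"}
WITH_EMAIL = {"sub": "constructed-sub-0001", "email": "user@example.com"}

if __name__ == "__main__":
    print(read_userinfo(SUB_ONLY, "constructed-sub-0001"))
    print(read_userinfo(WITH_EMAIL, "constructed-sub-0001"))
```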