FAST LOGIN API
Authentication Endpoint URL: https://mobcon.turkcell.com.tr/mobileconnect/oauth/authorize
http method: GET
|*client_id||This is your application id from your
settings on Fast Login Platform
|*scope||A space-delimited list of the permissions
you are requesting
|*redirect_uri||Where Fast Login sends the user after the
user grants or denies consent. If user approves then Service
Provider should get authentication_code with this URI.
If there is more than one redirect uri, Service
Provider should get authentication_code for each redirect uri.
|*response_type||The value MUST be "code", to indicate that
the grant type flow to be used is Authorisation Code.
|*acr_values||The recommended values are the LOAs as
specified in ISO/IEC 29115 Clause 6 - 1, 2, 3, 4 - representing
the LOAs of LOW, MEDIUM, HIGH and VERY HIGH
|*state||This parameter will also be added to the
redirect URI and it is for against cross-site request forgery
It should be produced as random for each request
|*nonce||The value SHOULD be unique per session to
mitigate replay attacks
About Scope Parameter:
Fast Login "scope" values determine the specific set of claim values
to return in the response.
Scope values definition:
The scope value "openid" is mandatory to indicate that the request is an OpenID Connect request. The other scope values are related to the UserInfo.
|Value||Mandatory in Spec||Mandatory in Profile||Description|
|*openid||*Mandatory||*Mandatory||This value indicates the Request is an OpenID Connect request.|
|*profile||Optional||Optional||Requests access to the default basic profile claims: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at.|
|Optional||Optional||Request access to the claims : email and email_verified|
|*address||Optional||Optional||Requests access to the claim : address
Currently not provided by Mobile Connect
|*phone||Optional||Optional||Requests access to the claims : phone_number and phone_number_verified|
About ACR Values:
How are the levels defined in Fast Login?
Within Fast Login there are 4 levels of assurance identified as per the ISO/IEC 29115 Clause 6:
|Level||Description||Exists in Fast Login?||ACR Value|
|1 - Low||Little or no confidence in the asserted identity.||No / out of scope||1|
|2 - Medium||Some confidence in the asserted identity.||Yes||2|
|3 - High||High confidence in the asserted identity.||Yes||3|
|4 - Very High||Very high confidence in the asserted identity.||No||4|
|*display||specifies the user interface display for
the Authentication and Consent flow. Now, only "page" is
|*prompt||specify to the Authorisation Server
whether to prompt or not for reauthentication and consent.
Now, only "login" is supported
|*login_hint||An indication to the IDP/Authorisation
Server on what ID to use for login.
The login_hint can contain the MSISDN or the Encrypted MSISDN and SHOULD be tagged as MSISDN:<Value> and ENCR_MSISDN:<Value> respectively - in case MSISDN or Encrypted MSISDN is passed in login_hint. Encrypted MSISDN value is returned by Discovery API in the form of "subscriber_id"
MSISDN must be encrypted with Fast Login public key that is provided by Turkcell
This parameter is only used for if Service Provider implements its own Login page
|Specifies the language used in Fast Login
pages, supported values:
- The client MUST provide one or more "redirect uri" to be used for responding back for Authorisation Requests through redirect.
- Redirect URI is a simple http listener that takes authentication code from Fast Login Platform.
- Service Providers have to provide their "redirect uri" while registration.
- You can see furthermore details on the next "Response" section.
- Redirect URI could be any it is up to Service Provider's responsibility to set the correct redirect URI
- Fast Login Authentication Response is met by the Redirect URI of the Service Provider.
- So, in redirect uri Service Provider has to check the code first from the query parameter
- If code exists then go for token by exchange code
- If not then Service Provider should watch the error parameter
- State parameter is used to avoid the reply attacks
|*code||Authorisation Code as per OAuth 2.0. To
be used as parameter in Token request to exchange for Tokens
|*state||The same value as the "state" parameter
sent during the authentication request. Use as a security
mechanism to confirm that the response comes from the same
|*error||if code parameter is missing in the
response then Service Provider should check the error
USER_DID_NOT_APPROVE: User denies from Click Ok, it comes only for ClickOK authentication type
FRAUD_DETECTED: when user tries to break the authentication urls
BROKEN_SESSION: when user session is expired or does not exist
TIMED_OUT: when authentication messages are expired
- SFSafariViewController class should be used instead of switching to Safari
- Using WKWebView or UIWebView class is not allowed and is not supported
- Chrome Custom Tabs should be used instead of switching to the default browser
- Using WebView is not allowed and is not supported
- You should directly call the auth url ( exp: fulltrip.com ,
You should call the auth url in the popup window