ID Authentication

eSignet is integrated with the MOSIP ID Authentication module as an authentication provider. The defined plugins interface has been implemented using the APIs available in the MOSIP ID Authentication module.

Here is a list of the APIs that have been integrated into the eSignet plugin interface implementation.

KYC Authentication API to perform authentication for an identity provider like eSignet
KYC Exchange API to share an encrypted KYC token to an identity provider
Key Binding API to authenticate a user to bind the ID and Wallet of an user
VC Exchange API to share the VC associate to a user who was authenticated earlier and has shared the associated KYC Token

Appendix - API Specifications

KYC Authentication

API to perform the ID Authentication based on allowed auth policy. Does validation of provided path parameters before doing the actual authentication. Returns a new KYC token and partner specific user token. This API should be called from IdP service only.

POSThttps://api-internal.collab.mosip.net/idauthentication/v1/key-auth/delegated/{IdP-LK}/{Auth-Partner-ID}/{oidc-client-id}

Path parameters

Auth-Partner-ID*string

Relying Party (RP) Partner ID. This ID will be provided during partner self registration process

oidc-client-id*string

OIDC client Id. Auto generated while creating OIDC client in PMS

IdP-LK*string

IdP Service License Key. This LK is similar MISP-LK.

Header parameters

Body

Auth Request Body

id*string

IDA standard request ID. Eg: mosip.identity.kycauth

version*string

Version of the API. Current supported version is '1.0'

individualId*string

UIN/VID of the individual.

individualIdTypestring

Parameter to indicate individual type. Type can be UIN/VID

transactionID*string

any random alpha numberic string. Allowed max size is 10.

requestTime*string

Request created time

specVersion*string

IDA Specification version. Current Supported version is 1.0

thumbprint*string

Thumbprint of the certificate used for encrypting the auth request.

domainUri*string

Domain uri of the server

env*string

Name of the environment

request*object

Authentication Request with one of the auth challenges. Supported Challenges are: OTP, DEMO and BIOMETRICS

consentObtained*boolean

User provided Consent either true or false

requestHMAC*string

HMAC value generated of the whole request.

requestSessionKey*string

Session key used to encrypt the request.

metadataobject

Any additional attributes needs to be processedin authentication.

allowedKycAttributesarray of string

Allowed KYC Attributes List.

Response

Body

id*string

IDA standard response ID. Eg: mosip.identity.kycauth

version*string

Version of the API. Current supported version is '1.0'

responseTime*string

Response Time of the request.

response*object

The Response Object contains the details whether auth is successful or not. If Auth successful kycToken will be included in the response otherwise kycToken will be null.

errors*array of object

In case of auth failed, respective all errors will be returned as an array. Each error object contains error code and error message. If auth success, error object will be null.

Request

const response = await fetch('https://api-internal.collab.mosip.net/idauthentication/v1/key-auth/delegated/{IdP-LK}/{Auth-Partner-ID}/{oidc-client-id}', {
    method: 'POST',
    headers: {
      "Content-Type": "application/json"
    },
    body: JSON.stringify({
      "id": "text",
      "version": "text",
      "individualId": "text",
      "transactionID": "text",
      "requestTime": "text",
      "specVersion": "text",
      "thumbprint": "text",
      "domainUri": "text",
      "env": "text",
      "request": {
        "otp": "text",
        "timestamp": "text",
        "demographics": {},
        "biometrics": [
          {
            "data": {}
          }
        ],
        "keyBindedTokens": {}
      },
      "consentObtained": false,
      "requestHMAC": "text",
      "requestSessionKey": "text"
    }),
});
const data = await response.json();

Response

{
  "id": "text",
  "version": "text",
  "responseTime": "text",
  "response": {
    "kycToken": "text",
    "authToken": "text",
    "kycStatus": false
  },
  "errors": [
    {
      "errorCode": "text",
      "errorMessage": "text"
    }
  ]
}

kyc-exchange

API to validate kycToken returned in kyc-auth call that the kycToken belongs to the provided oidc-client-id and returns encrypted kyc to the caller. This API should be called from IdP service only.

POSThttps://api-internal.collab.mosip.net/idauthentication/v1/kyc-exchange/delegated/{IdP-LK}/{Auth-Partner-ID}/{oidc-client-id}

Path parameters

IdP-LK*string

IdP Service License Key. This LK is similar MISP-LK.

Auth-Partner-ID*string

Relying Party (RP) Partner ID. This ID will be provided during partner self registration process

oidc-client-id*string

OIDC client Id. Auto generated while creating OIDC client in PMS

Header parameters

Body

id*string

IDA standard request ID. Eg: mosip.identity.kycexchange

version*string

Version of the API. Current supported version is '1.0'

requesttime*string

Request created time.

transactionID*string

Same transaction ID used in kyc-auth request.

individualId*string

UIN/VID of the individual.

kycToken*string

kyc token received in kycAuth API response.

consentObtained*array of string

List of consents obtained from user.

localesarray of string

user selected list of languages.

resTypestring

Response Type for the user claims. Currently defaulted to signed JWT.

Response

Body

id*string

IDA standard response ID. Eg: mosip.identity.kycexchange

version*string

Version of the API. Current supported version is '1.0'

responseTime*string

Response Time of the request.

response*object

The Response Object contains the user kyc. KYC will be build based the consented user claims.

errors*array of object

In case of invalid kyc token, errors will be returned as an array. Each error object contains error code and error message. if kyc token is valid the errors object will be null.

Request

const response = await fetch('https://api-internal.collab.mosip.net/idauthentication/v1/kyc-exchange/delegated/{IdP-LK}/{Auth-Partner-ID}/{oidc-client-id}', {
    method: 'POST',
    headers: {
      "Content-Type": "application/json"
    },
    body: JSON.stringify({
      "id": "text",
      "version": "text",
      "requesttime": "text",
      "transactionID": "text",
      "individualId": "text",
      "kycToken": "text",
      "consentObtained": [
        "text"
      ]
    }),
});
const data = await response.json();

Response

{
  "id": "text",
  "version": "text",
  "responseTime": "text",
  "response": {
    "encryptedKyc": "text"
  },
  "errors": [
    {
      "errorCode": "text",
      "errorMessage": "text"
    }
  ]
}

Key Binding

API to perform the ID Authentication based for the provided identity data and based on allowed auth policy. To identity the auth partner API will perform validation of provided path parameters before performing the actual authentication. Wallet will include a public key in the request to be binded for the input VID/UIN Returns a status of key binding, partner specific user token, certificate generated for the input public key (this certificate will be binded to the input VID/UIN). Certificate will be returned only when the authenticate is passed. This API should be called from eSignet service and from Inji Wallet.

POSThttps://api-internal.collab.mosip.net/idauthentication/v1/identity-key-binding/delegated/{IdP-LK}/{Auth-Partner-ID}/{OIDC-Client-Id}

Path parameters

Auth-Partner-ID*string

Relying Party (RP) Partner ID. This ID will be provided during partner self registration process

IdP-LK*string

IdP Service License Key. This LK is similar MISP-LK.

OIDC-Client-Id*string

Header parameters

Body

Auth Request Body

id*string

IDA standard request ID. Eg: mosip.identity.keybinding

version*string

Version of the API. Current supported version is '1.0'

individualId*string

UIN/VID of the individual.

individualIdTypestring

Parameter to indicate individual type. Type can be UIN/VID

transactionID*string

any random alpha numberic string. Allowed max size is 10.

requestTime*string

Request created time

specVersion*string

IDA Specification version. Current Supported version is 1.0

thumbprint*string

Thumbprint of the certificate used for encrypting the auth request.

domainUri*string

Domain uri of the server

env*string

Name of the environment

request*object

Authentication Request with one of the auth challenges. Supported Challenges are: OTP, DEMO and BIOMETRICS

consentObtained*boolean

User provided Consent either true or false

requestHMAC*string

HMAC value generated of the whole request.

requestSessionKey*string

Session key used to encrypt the request.

metadataobject

Any additional attributes needs to be processedin authentication.

identityKeyBinding*object

Key details needs to be binded to the identity after successful authentication.

Response

Body

id*string

IDA standard response ID. Eg: mosip.identity.keybinding

version*string

Version of the API. Current supported version is '1.0'

responseTime*string

Response Time of the request.

response*object

The Response Object contains the details whether auth is successful or not. If Auth successful kycToken will be included in the response otherwise kycToken will be null.

errors*array of object

In case of auth failed, respective all errors will be returned as an array. Each error object contains error code and error message. If auth success, error object will be null.

Request

const response = await fetch('https://api-internal.collab.mosip.net/idauthentication/v1/identity-key-binding/delegated/{IdP-LK}/{Auth-Partner-ID}/{OIDC-Client-Id}', {
    method: 'POST',
    headers: {
      "Content-Type": "application/json"
    },
    body: JSON.stringify({
      "id": "text",
      "version": "text",
      "individualId": "text",
      "transactionID": "text",
      "requestTime": "text",
      "specVersion": "text",
      "thumbprint": "text",
      "domainUri": "text",
      "env": "text",
      "request": {
        "otp": "text",
        "timestamp": "text",
        "demographics": {},
        "biometrics": [
          {
            "data": {}
          }
        ]
      },
      "consentObtained": false,
      "requestHMAC": "text",
      "requestSessionKey": "text",
      "identityKeyBinding": {
        "publicKeyJWK": {},
        "authFactorType": "text"
      }
    }),
});
const data = await response.json();

Response

{
  "id": "text",
  "version": "text",
  "responseTime": "text",
  "response": {
    "identityCertificate": "text",
    "authToken": "text",
    "bindingAuthStatus": false
  },
  "errors": [
    {
      "errorCode": "text",
      "errorMessage": "text"
    }
  ]
}

vci-exchange

API to validate kycToken returned in kyc-auth call that the kycToken belongs to the provided oidc-client-id & issued to the same identity used in kyc-auth and returns verifiable credentials to the caller. This API should be called from eSignet service.

POSThttps://api-internal.collab.mosip.net/idauthentication/v1/vci-exchange/delegated/{IdP-LK}/{Auth-Partner-ID}/{OIDC-Client-Id}

Path parameters

IdP-LK*string

IdP Service License Key. This LK is similar MISP-LK.

Auth-Partner-ID*string

Relying Party (RP) Partner ID. This ID will be provided during partner self registration process

OIDC-Client-Id*string

OIDC client Id. Auto generated while creating OIDC client in PMS

Header parameters

Body

id*string

IDA standard request ID. Eg: mosip.identity.vciexchange

version*string

Version of the API. Current supported version is '1.0'

requesttime*string

Request created time.

transactionID*string

Tansaction ID used in kyc-auth request.

individualId*string

UIN/VID of the individual.

vcAuthToken*string

kyc token received in kycAuth API response.

credSubjectId*string

JWK DID of the Identity. Eg: did:jwk:ewogICAgImt0eSI6ICJSU0EiLAogICAgImUiOiAiQVFBQiIsCiAgICAibiI6ICJtaFZOaERpaW1WdTQxV0xCRWJzYVpLWUZRTTJrZXBHREQwWDRZNHp2VW8zZEVET3lTbDd0bXhha3RfVnlodXRJdWp3ZlJQMmxTTTRIQ2lZS3BYSXdBNmljVHIyWThDSnc2VDU1bWVRWWJmRHZxLV9QRXNWMDRobEYzUS10cnU2ajhPbUpRdWwzTGtSR05mN3Z6VFNSRmstUU9rcmNuVDRPaC1YbGhCRjhFNFFHNFdTVFF2Qk1xOVdTQ05lZjZkVWFOQ3JXY0lDQ1Q2bi1peHFKLTJBREEzYk5TcWpqS0REQktTM1VPRy1jbUlfTTdKY19BYWJod1JLLTM2blphWGJWLUdQYjR5UjdTNVY5MUhtdTZhS3JJdVdRM1ByY0FlWkZvZ1VuYjlLMUpHS0dhOWJ2S3F0TWd5TjNLdS1aMFdDT3Z1dUtMNndNNzduSDJWdGtJRDZNNVEiCn0

vcFormat*string

Verifiable credential format needed in response object. Supported Format : ldp_vc

credentialsDefinition*object

Credential Definition Object of the Identity.

localesarray of string

list of locales to be included in the issued VC.

metadataobject

Response

Body

id*string

IDA standard response ID. Eg: mosip.identity.kycexchange

version*string

Version of the API. Current supported version is '1.0'

responseTime*string

Response Time of the request.

response*object

The Response Object contains the issued VC. Different response object types will be returned based the requested format. Eg: for ldp_vc the returned response object is JsonLDObject

errors*array of object

In case of invalid kyc token, errors will be returned as an array. Each error object contains error code and error message. if kyc token is valid the errors object will be null.

Request

const response = await fetch('https://api-internal.collab.mosip.net/idauthentication/v1/vci-exchange/delegated/{IdP-LK}/{Auth-Partner-ID}/{OIDC-Client-Id}', {
    method: 'POST',
    headers: {
      "Content-Type": "application/json"
    },
    body: JSON.stringify({
      "id": "text",
      "version": "text",
      "requesttime": "text",
      "transactionID": "text",
      "individualId": "text",
      "vcAuthToken": "text",
      "credSubjectId": "text",
      "vcFormat": "text",
      "credentialsDefinition": {
        "type": [
          "text"
        ]
      }
    }),
});
const data = await response.json();

Response

{
  "id": "text",
  "version": "text",
  "responseTime": "text",
  "errors": [
    {
      "errorCode": "text",
      "errorMessage": "text"
    }
  ]
}

Last updated 5 months ago

kyc-exchange

API to validate kycToken returned in kyc-auth call that the kycToken belongs to the provided oidc-client-id and returns encrypted kyc to the caller. This API should be called from IdP service only.

POSThttps://api-internal.collab.mosip.net/idauthentication/v1/kyc-exchange/delegated/{IdP-LK}/{Auth-Partner-ID}/{oidc-client-id}

const response = await fetch('https://api-internal.collab.mosip.net/idauthentication/v1/kyc-exchange/delegated/{IdP-LK}/{Auth-Partner-ID}/{oidc-client-id}', { method: 'POST', headers: { "Content-Type": "application/json" }, body: JSON.stringify({ "id": "text", "version": "text", "requesttime": "text", "transactionID": "text", "individualId": "text", "kycToken": "text", "consentObtained": [ "text" ] }), }); const data = await response.json();

{ "id": "text", "version": "text", "responseTime": "text", "response": { "encryptedKyc": "text" }, "errors": [ { "errorCode": "text", "errorMessage": "text" } ] }

vci-exchange

POSThttps://api-internal.collab.mosip.net/idauthentication/v1/vci-exchange/delegated/{IdP-LK}/{Auth-Partner-ID}/{OIDC-Client-Id}

const response = await fetch('https://api-internal.collab.mosip.net/idauthentication/v1/vci-exchange/delegated/{IdP-LK}/{Auth-Partner-ID}/{OIDC-Client-Id}', { method: 'POST', headers: { "Content-Type": "application/json" }, body: JSON.stringify({ "id": "text", "version": "text", "requesttime": "text", "transactionID": "text", "individualId": "text", "vcAuthToken": "text", "credSubjectId": "text", "vcFormat": "text", "credentialsDefinition": { "type": [ "text" ] } }), }); const data = await response.json();

KYC Authentication

POSThttps://api-internal.collab.mosip.net/idauthentication/v1/key-auth/delegated/{IdP-LK}/{Auth-Partner-ID}/{oidc-client-id}

const response = await fetch('https://api-internal.collab.mosip.net/idauthentication/v1/key-auth/delegated/{IdP-LK}/{Auth-Partner-ID}/{oidc-client-id}', { method: 'POST', headers: { "Content-Type": "application/json" }, body: JSON.stringify({ "id": "text", "version": "text", "individualId": "text", "transactionID": "text", "requestTime": "text", "specVersion": "text", "thumbprint": "text", "domainUri": "text", "env": "text", "request": { "otp": "text", "timestamp": "text", "demographics": {}, "biometrics": [ { "data": {} } ], "keyBindedTokens": {} }, "consentObtained": false, "requestHMAC": "text", "requestSessionKey": "text" }), }); const data = await response.json();

{ "id": "text", "version": "text", "responseTime": "text", "response": { "kycToken": "text", "authToken": "text", "kycStatus": false }, "errors": [ { "errorCode": "text", "errorMessage": "text" } ] }

Key Binding

POSThttps://api-internal.collab.mosip.net/idauthentication/v1/identity-key-binding/delegated/{IdP-LK}/{Auth-Partner-ID}/{OIDC-Client-Id}

const response = await fetch('https://api-internal.collab.mosip.net/idauthentication/v1/identity-key-binding/delegated/{IdP-LK}/{Auth-Partner-ID}/{OIDC-Client-Id}', { method: 'POST', headers: { "Content-Type": "application/json" }, body: JSON.stringify({ "id": "text", "version": "text", "individualId": "text", "transactionID": "text", "requestTime": "text", "specVersion": "text", "thumbprint": "text", "domainUri": "text", "env": "text", "request": { "otp": "text", "timestamp": "text", "demographics": {}, "biometrics": [ { "data": {} } ] }, "consentObtained": false, "requestHMAC": "text", "requestSessionKey": "text", "identityKeyBinding": { "publicKeyJWK": {}, "authFactorType": "text" } }), }); const data = await response.json();

{ "id": "text", "version": "text", "responseTime": "text", "response": { "identityCertificate": "text", "authToken": "text", "bindingAuthStatus": false }, "errors": [ { "errorCode": "text", "errorMessage": "text" } ] }