Security & Authentication
OAuth2 Client Setup & Authentication
Overview
As part of the integration approach, two APIs are exposed to external systems (in this case, the CRVS) so that they can initiate requests:
Create packet: the MOSIP packet manager module's API for creating a packet
Process packet: the registration processor module's API for triggering processing of that packet
To facilitate this, the external system must be assigned its own client ID and secret, so that every call is authenticated and attributable to that system. Additionally, a dedicated role should be created for the external client; this role is carried in the access token that accompanies the subsequent packet creation and processing requests.
MOSIP checks this role to verify that a request comes from an authorized, authenticated source, and rejects requests whose token does not carry it, ensuring secure and accurate handling of the registration process.
Step 1: Create Client ID/Role for the CRVS
Create the Client
Log in to Keycloak Admin Console
Access the keycloak admin console.
Ensure you have the necessary administrative privileges to create clients.
Select Your Realm
If you are not already in the desired realm, switch to it from the top-left drop-down menu. The realm should be the one where you want to create the client.
Create a New Client
In the left-hand menu, go to Clients and click on Create.
Enter the Client Details
Client ID: Enter mosip-crvs1-client as the client ID (or a relevant name based on your deployment).
Client Protocol: Select openid-connect.
Root URL: Leave this field blank or enter the URL if required.
Save the Client
After entering the necessary details, click Save to create the client.
Once the client is created, add the new client ID to the property below in both locations, so that tokens issued to this client are accepted as a valid audience by the services that process the requests:
auth.server.admin.allowed.audience in the Packet manager default properties
auth.server.admin.allowed.audience in the Registration processor default properties
Note: The client name specified here is a placeholder and can be customised to suit the specific requirements of the System Integrator SI/CRVS.
Configuring the Client
Access the Settings Tab
After creating the client, navigate to the Settings tab.
Configure Client Settings
Access Type: Set this to confidential, since the CRVS will authenticate with a client ID and secret (client credentials).
Service Accounts Enabled: Turn this option ON. It enables the client credentials flow for this client and makes the Service Account Roles tab appear.
Valid Redirect URIs: Leave this field empty. Redirect URIs are only used by the browser-based flows (Standard Flow, Implicit Flow), which a service-to-service client does not need, so turn those flows off for this client as well. Do not enter a wildcard (*): if a browser flow is ever enabled on the client, a wildcard redirect URI lets an authorization response be sent to any URL an attacker chooses. Enter specific URLs only if a browser flow is genuinely required.
Save the Changes
Once the configuration is complete, click Save to apply the changes.
Generate and Note the Secret Key
Navigate to the Credentials tab.
If you selected the confidential access type, Keycloak generates a client secret on this tab. Record it in a secrets store (not in source control, tickets or chat); it is used together with the client ID in the authentication call in Step 2, and it can be regenerated on this tab if it is ever exposed.
Creating the Role
Go to the Roles Section
In the Keycloak Admin Console, under your realm, navigate to Roles.
Create a New Role
Click on Add Role.
Enter the following details:
Role Name: ONLINE_REGISTRATION_CLIENT
Click Save to create the role.
Assigning the Role to the Client
Assign the Role to the Client
Go back to the Clients section and select the client mosip-crvs1-client that you previously created.
Navigate to Service Account Roles
Under the Service Account Roles tab (this tab is visible only if Service Accounts Enabled is turned on), click on Add Role.
Select the Role
Because ONLINE_REGISTRATION_CLIENT was created as a realm role in the previous step, it appears in the Realm Roles list: select it there and add it to the client's service account. The Client Roles dropdown is only needed if the role was created under a specific client (for example realm-management); in that case choose that client first and then the role.
Assign only the roles the CRVS actually needs. The roles under realm-management are Keycloak administration rights, and granting them to an external client lets that client administer the realm.
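The Step 1 console actions expressed against the Keycloak Admin REST API, so the client, the role and the service-account mapping can be provisioned reproducibly and an existing client can be checked for the weak settings discussed above. This is an added example, not MOSIP's or Keycloak's own code. It assumes an admin bearer token has been obtained separately, and the server URL, realm name and variable names are placeholders; the client ID and role name are the ones used on this page.

```python
import json
import urllib.parse
import urllib.request
from typing import Any, Dict, List, Optional

CLIENT_ID = "mosip-crvs1-client"          # as on this page; adjust per deployment
ROLE_NAME = "ONLINE_REGISTRATION_CLIENT"  # as on this page


def client_representation(client_id: str) -> Dict[str, Any]:
    """Keycloak ClientRepresentation for a confidential, service-account-only client.

    Mirrors the console settings above (protocol openid-connect, Access Type
    confidential, Service Accounts Enabled) and additionally disables the
    browser and password flows and leaves redirect URIs empty, because a
    client-credentials client never redirects a user agent.
    """
    return {
        "clientId": client_id,
        "protocol": "openid-connect",
        "publicClient": False,               # "confidential" access type
        "serviceAccountsEnabled": True,      # enables the client credentials grant
        "standardFlowEnabled": False,        # no authorization-code flow
        "implicitFlowEnabled": False,
        "directAccessGrantsEnabled": False,  # no resource-owner password grant
        "redirectUris": [],                  # nothing, instead of "*"
    }


def audit_client(rep: Dict[str, Any]) -> List[str]:
    """Return the settings of a ClientRepresentation that are unsafe or wrong for
    a service-to-service client. Run it on the result of
    GET /admin/realms/{realm}/clients?clientId=... to check an existing client."""
    findings = []
    if rep.get("publicClient", False):
        findings.append("publicClient: a public client has no secret, so anyone can obtain tokens as it")
    if not rep.get("serviceAccountsEnabled", False):
        findings.append("serviceAccountsEnabled off: the client credentials grant will be refused")
    if any(u.strip() == "*" or u.strip().endswith("*") for u in rep.get("redirectUris", [])):
        findings.append("redirectUris contains a wildcard pattern")
    for flow in ("standardFlowEnabled", "implicitFlowEnabled", "directAccessGrantsEnabled"):
        if rep.get(flow, False):
            findings.append(f"{flow} on: not needed by a client credentials client")
    return findings


def role_mapping_payload(role: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Body for POST .../users/{id}/role-mappings/realm: a list of RoleRepresentations
    reduced to the id and name Keycloak needs."""
    return [{"id": role["id"], "name": role["name"]}]


def admin_request(base: str, token: str, method: str, path: str,
                  body: Optional[Any] = None) -> Any:
    """Call the Keycloak Admin REST API and return the decoded JSON body (None if empty)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + path, data=data, method=method, headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def provision(base: str, realm: str, admin_token: str) -> str:
    """Create the client and the realm role, map the role onto the client's service
    account, and return the generated client secret. Returns the secret to the
    caller so it can be stored in a secrets manager; it is never printed."""
    r = f"/admin/realms/{realm}"
    admin_request(base, admin_token, "POST", f"{r}/clients", client_representation(CLIENT_ID))
    client = admin_request(base, admin_token, "GET",
                           f"{r}/clients?clientId={urllib.parse.quote(CLIENT_ID)}")[0]
    admin_request(base, admin_token, "POST", f"{r}/roles", {"name": ROLE_NAME})
    role = admin_request(base, admin_token, "GET", f"{r}/roles/{ROLE_NAME}")
    sa_user = admin_request(base, admin_token, "GET",
                            f"{r}/clients/{client['id']}/service-account-user")
    admin_request(base, admin_token, "POST",
                  f"{r}/users/{sa_user['id']}/role-mappings/realm", role_mapping_payload(role))
    secret = admin_request(base, admin_token, "GET", f"{r}/clients/{client['id']}/client-secret")
    return secret["value"]


if __name__ == "__main__":
    # Placeholders: a real run needs the Keycloak base URL, realm and an admin token.
    print(audit_client({"clientId": "weak", "publicClient": True, "redirectUris": ["*"]}))
    # provision("https://iam.example.org", "mosip", "<admin token>")
```

audit_client is worth running against every client in the realm periodically, not only the CRVS one: a wildcard redirect URI or an unnecessary public client on any client in the same realm weakens the realm as a whole.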
Step 2: Fetch Access Token to Call the APIs
Once the role is created and mapped to the client ID, call the MOSIP authmanager endpoint below (it authenticates the client against Keycloak) to obtain an access token for the CRVS. The access token is returned in a response header, and it must be sent with every subsequent packet manager API request.
Authenticate Endpoint: {domainname}/v1/authmanager/authenticate/clientidsecretkey
Method: POST
API Request Structure:
In the request, Client ID and Secret key are the values created in the previous steps. Once authentication succeeds, the access token in the response header is to be captured and used for the subsequent packet manager API requests. Treat the token as a credential: it expires, so fetch a fresh one from this endpoint rather than storing it long term, and do not write it to logs.
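The Step 2 exchange from the CRVS side: building the authentication request, pulling the token out of the response header, and checking before use that it carries the role from Step 1 and has not expired, which are the two reasons MOSIP would reject a packet manager call. This is an added example, not MOSIP's own client code. The request field names (id, version, requesttime, request.clientId/secretKey/appId) and the Authorization header name are assumptions, since the page does not show the request structure; the sample token at the bottom is constructed with a throwaway HS256 key purely so the checks can run offline (a real Keycloak token is RS256-signed, and its signature is verified by MOSIP, not here).

```python
import base64
import hashlib
import hmac
import json
import time
import urllib.request
from datetime import datetime, timezone
from typing import Any, Dict, Iterable, List, Optional, Tuple, Union

REQUIRED_ROLE = "ONLINE_REGISTRATION_CLIENT"   # role created in Step 1
AUTH_PATH = "/v1/authmanager/authenticate/clientidsecretkey"


def auth_request_body(client_id: str, secret_key: str, app_id: str) -> Dict[str, Any]:
    """Body for POST {domainname}/v1/authmanager/authenticate/clientidsecretkey.
    Field names are assumed (MOSIP's usual request wrapper); confirm them against
    the authmanager API reference for your deployment."""
    return {
        "id": "string",
        "version": "string",
        "requesttime": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z",
        "metadata": {},
        "request": {"clientId": client_id, "secretKey": secret_key, "appId": app_id},
    }


def token_from_headers(headers: Union[Dict[str, str], Iterable[Tuple[str, str]]]) -> str:
    """Extract the access token from the response headers. Assumes it arrives as an
    Authorization header (bare or 'Bearer <token>') or as an Authorization cookie;
    header names are matched case-insensitively because HTTP header names are."""
    pairs = headers.items() if hasattr(headers, "items") else headers
    for name, value in pairs:
        lname = name.lower()
        if lname == "authorization":
            value = value.strip()
            return value[7:].strip() if value.lower().startswith("bearer ") else value
        if lname == "set-cookie":
            first = value.split(";", 1)[0].strip()
            if first.startswith("Authorization="):
                return first[len("Authorization="):]
    raise ValueError("authentication succeeded but no token header was returned")


def jwt_claims(token: str) -> Dict[str, Any]:
    """Decode the JWT payload WITHOUT verifying the signature. This is only for
    reading exp and roles on the client side; MOSIP verifies the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token: str, now: Optional[float] = None) -> List[str]:
    """Pre-flight checks before calling the packet manager. Returns a list of
    problems; an empty list means the token is usable."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    roles = claims.get("realm_access", {}).get("roles", [])
    if REQUIRED_ROLE not in roles:
        problems.append(f"token lacks role {REQUIRED_ROLE}; check Service Account Roles in Keycloak")
    exp = claims.get("exp")
    if exp is None or exp <= now + 30:     # 30 s margin for clock skew and transit
        problems.append("token expired or about to expire; authenticate again")
    return problems


def fetch_token(domain: str, client_id: str, secret_key: str, app_id: str) -> str:
    """Live call: POST the credentials and return the token from the headers."""
    data = json.dumps(auth_request_body(client_id, secret_key, app_id)).encode()
    req = urllib.request.Request(domain + AUTH_PATH, data=data, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return token_from_headers(list(resp.headers.items()))


def _demo_token(claims: Dict[str, Any]) -> str:
    """Constructed sample JWT for offline use (HS256 with a throwaway key). Only the
    payload matters to the checks above; a real Keycloak token is RS256-signed."""
    def b64(obj: Any) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    signing_input = f"{b64({'alg': 'HS256', 'typ': 'JWT'})}.{b64(claims)}"
    sig = hmac.new(b"demo-key", signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()


if __name__ == "__main__":
    sample = _demo_token({"exp": int(time.time()) + 300, "azp": "mosip-crvs1-client",
                          "realm_access": {"roles": [REQUIRED_ROLE]}})
    print(check_token(token_from_headers({"Authorization": "Bearer " + sample})))
    # token = fetch_token("https://api.example.org", "mosip-crvs1-client", "<secret>", "<appId>")
```

Re-run fetch_token whenever check_token reports expiry rather than caching a token for the life of the process, and keep the secret key out of the request log: the body built by auth_request_body contains it in clear.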
eSignet Authentication Flow
Overview
eSignet is MOSIP's authentication service that enables secure identity verification. For CRVS integration, eSignet is used to authenticate informants/parents before submitting registration requests to MOSIP.
When is eSignet Used?
During birth registration (to authenticate parent/informant)
For demographic update requests
When CRVS does not collect biometric data of the applicant
Authentication Flow
CRVS redirects user to eSignet for authentication
User completes authentication (e.g., OTP, biometric)
eSignet generates authentication token
CRVS receives token and includes it in MOSIP request
MOSIP validates token for audit and authorization
Partner Certificate Management
API Security (TLS, Encryption)
Access Control & Authorization
Audit & Compliance Requirements