The following guide outlines some important properties that can be customized for a given installation. Please note that this list is not exhaustive but serves as a checklist for reviewing properties that are likely to differ from the default settings. For a complete list of properties, refer to the files listed below.
Partner Management Services uses the following configuration files:
This property is used by kernel-authcodeflowproxy-api to check whether a request is coming from one of the allowed URLs.
These properties specify the Key Manager API endpoints used to upload certificates and to retrieve the certificate originally uploaded by a partner.
These properties set the attributes used by partner management services:
app id: ApplicationId for the partner
client id: Kernel auth client ID for partner management services
client secret: Kernel auth client secret for partner management services. Treat this value as a secret: keep it out of version control and supply it through the deployment's secret store rather than a plain properties file.
These configurations are used to create a user in Keycloak and map that user to a role.
Note: all partner types must exist as roles in Keycloak.
These properties specify the auth manager API used to validate the token.
This property lists the roles that are allowed in the UI (roles here are simply the partner types).
These properties specify the URL to redirect to after logout and the OIDC end-session endpoint.
These configurations specify the E-Signet claims mapping file URL, the amr-acr mapping file URL, and the service APIs for creating and updating OIDC and OAuth clients.
These properties set the user inactivity timeouts.
Inactivity Timer: the duration (in minutes) of inactivity after which the session is timed out.
Prompt Timer: the duration (in minutes) before the user is warned of the impending session timeout. Configure it so that the warning fires before the inactivity timeout; a prompt that arrives after the session has already expired is useless.
This property sets the request and response timeout (in minutes) used by Axios.
These properties set the attributes used when creating and updating OIDC clients.
Grant Types: the grant types permitted for the OIDC client.
Client Authentication Methods: the client authentication methods permitted for the OIDC client.
These properties define the partner-type roles that are used to grant access to the various APIs of the partner management service.
| API Path | Method | Description | Changes done in release 1.2.2.0 |
|---|---|---|---|
| /oauth/client | GET | Retrieves the list of all OAuth clients created by the Auth Partners. Supports pagination, sorting and filtering through optional query parameters. If the token used does not have the PARTNER_ADMIN role, only the OAuth clients created by the partners associated with the logged-in user are returned; if it has the PARTNER_ADMIN role, the OAuth clients created by all partners are returned. Configured for the PARTNER_ADMIN and AUTH_PARTNER roles. | Newly added in release 1.2.2.0 |
| /oauth/client | POST | Creates an OIDC client. | Added validation that the partner ID in the request body belongs to the user whose token is used to access this endpoint, so a PMS user can create an OIDC client only for a partner ID that belongs to them. This validation is skipped if the user's role is PARTNER_ADMIN. |
| /oauth/client/{client_id} | GET | Retrieves the OIDC client details by client ID. | Added validation that the partner ID in the request belongs to the user whose token is used to access this endpoint, so a PMS user can access an OIDC client only for a partner ID that belongs to them. This validation is skipped if the user's role is PARTNER_ADMIN. |
| /oauth/client/{client_id} | PUT | Updates the OIDC client identified by client ID. | Added validation that the partner ID in the request body belongs to the user whose token is used to access this endpoint, so a PMS user can update an OIDC client only for a partner ID that belongs to them; skipped if the user's role is PARTNER_ADMIN. If the status in the request is changed to INACTIVE, only the status is updated in the database and all other fields are left unchanged, so PUT can be used to deactivate the OIDC client. A user with the PARTNER_ADMIN role can deactivate the OIDC client of any partner ID, even if that partner ID is itself deactivated. |
| /devicedetail | GET | Retrieves the list of all Devices across all Device Providers in PMS. Supports pagination, sorting and filtering. Configured for the PARTNER_ADMIN role. | Newly added in release 1.2.2.0 |
| /devicedetail | PUT | Service to update Device Detail | Deprecated since release 1.2.2.0. |
| /devicedetail | POST | Service to save Device Detail | Deprecated since release 1.2.2.0. Replaced by the new POST /securebiometricinterface/{sbiId}/devices endpoint, which ensures that a device is always created under an SBI and never without one. |
| /devicedetail | PATCH | Service to approve/reject Device Detail | Deprecated since release 1.2.2.0. Replaced by the new POST /devicedetail/{id}/approval endpoint. |
| /devicedetail/{deviceId} | PATCH | Deactivates a Device based on the Device ID. Configured for the DEVICE_PROVIDER or PARTNER_ADMIN roles. | Newly added in release 1.2.2.0 |
| /devicedetail/{id}/approval | POST | Lets a Partner Admin user approve or reject a Device and activate the mapping between the Device and its SBI. Configured for the PARTNER_ADMIN role. | Newly added in release 1.2.2.0 |
| /devicedetail/deviceSubType/filtervalues | POST | Service to filter Device Sub Types | No changes made in release 1.2.2.0 |
| /devicedetail/deviceType/filtervalues | POST | Service to filter Device Types | No changes made in release 1.2.2.0 |
| /devicedetail/deviceType/search | POST | Service to search Device Types | No changes made in release 1.2.2.0 |
| /devicedetail/filtervalues | POST | Service to filter Device Detail | Deprecated since release 1.2.2.0. Replaced by the new GET /devicedetail endpoint. |
| /devicedetail/search | POST | Service to search Device Detail | Deprecated since release 1.2.2.0. Replaced by the new GET /devicedetail endpoint. |
| /ftpchipdetail | GET | Retrieves the list of all FTM Chip details created by the FTM Providers associated with the logged-in user. Configured for the FTM_PROVIDER or PARTNER_ADMIN roles. | Newly added in release 1.2.2.0 |
| /ftpchipdetail | PUT | Service to update FTP chip detail | Deprecated since release 1.2.2.0. |
| /ftpchipdetail | POST | Service to save FTP chip detail | |
| /ftpchipdetail | PATCH | Service to approve/reject FTP chip detail | No changes made in release 1.2.2.0 |
| /ftpchipdetail/{ftmId} | PATCH | Deactivates the FTP chip detail based on the FTP chip detail ID. Configured for the FTM_PROVIDER or PARTNER_ADMIN roles. | Newly added in release 1.2.2.0 |
| /ftpchipdetail/{ftmId}/certificate-data | GET | Fetches both the CA-signed certificate uploaded by the FTM Chip Provider and the MOSIP-signed certificate generated by PMS. Configured for the FTM_PROVIDER or PARTNER_ADMIN roles. | Newly added in release 1.2.2.0 |
| /ftpchipdetail/getPartnerCertificate/{ftpChipDetailId} | GET | Service to get the certificate of an FTP chip | Improved Key Manager error handling so that the correct error code from Key Manager is captured and returned in the endpoint's response. |
| /ftpchipdetail/search | POST | Service to search FTP chip details | Deprecated since release 1.2.2.0. Replaced by the new GET /ftpchipdetail/v2 endpoint. |
| /ftpchipdetail/uploadcertificate | POST | Service to upload the certificate of an FTP chip | Improved Key Manager error handling so that the correct error code from Key Manager is captured and returned in the endpoint's response. |
| /ftpchipdetail/v2 | GET | Retrieves the list of all FTM Chip details created by all FTM Providers. Supports pagination, sorting and filtering. Configured for the PARTNER_ADMIN role. | Newly added in release 1.2.2.0 |
| /admin-partners | GET | Retrieves the list of all Partners. Supports pagination, sorting and filtering. Configured for the PARTNER_ADMIN role. | Newly added in release 1.2.2.0 |
| /admin-partners/{partnerId} | GET | Retrieves all details of a Partner based on the Partner ID. Configured for the PARTNER_ADMIN role. | Newly added in release 1.2.2.0 |
| /partner-api-keys | GET | Retrieves the list of all API keys created by the Auth Partners. Supports pagination, sorting and filtering through optional query parameters. If the token used does not have the PARTNER_ADMIN role, only the API keys created by the partners associated with the logged-in user are returned; if it has the PARTNER_ADMIN role, the API keys created by all partners are returned. | Newly added in release 1.2.2.0 |
| /partner-policy-requests | GET | Fetches the list of all policy requests made by the partners. Supports pagination, sorting and filtering through optional query parameters. If the token used does not have the PARTNER_ADMIN role, only the policy requests made by the partners associated with the logged-in user are returned; if it has the PARTNER_ADMIN role, the policy requests made by all partners are returned. | Newly added in release 1.2.2.0 |
| /partners | GET | Service to get partner details | Deprecated since release 1.2.2.0. Replaced by the new GET /partners/v3 endpoint. |
| /partners/{partnerId} | PATCH | Service to activate/deactivate a partner | |
| /partners/{partnerId}/apikey/{apikey} | GET | Service to get the policy for a given API key | No changes made in release 1.2.2.0 |
| /partners/{partnerId}/apikey/{apikey}/policies | PUT | Service to update the policies mapped to an API key | No changes made in release 1.2.2.0 |
| /partners/{partnerId}/policy/{policyId}/apikey/status | PATCH | Service to activate/deactivate a partner API key | |
| /partners/apikey | GET | Service to get API key requests | Deprecated since release 1.2.2.0. Replaced by the new GET /partner-policy-requests endpoint. |
| /partners/apikey/{apikey} | GET | Service to get an API key request | No changes made in release 1.2.2.0 |
| /partners/policy/{mappingkey} | PUT | Service to approve/reject a partner policy mapping | No changes made in release 1.2.2.0 |
| /partners/v2 | GET | Service to get partner details | Deprecated since release 1.2.2.0. Replaced by the new GET /partners/v3 endpoint. |
| /trust-chain-certificates | GET | Retrieves the list of all Trust Certificates uploaded by the Partner Admin. Supports pagination, sorting and filtering. Configured for the PARTNER_ADMIN role. | Newly added in release 1.2.2.0 |
| /trust-chain-certificates/{certificateId}/certificateFile | GET | Downloads the p7b file for a CA / Intermediate CA certificate together with its trust chain, based on the Certificate ID. Configured for the PARTNER_ADMIN role. | Newly added in release 1.2.2.0 |
| /partners | POST | Partner self-registration | No changes made in release 1.2.2.0 |
| /partners/{partnerId} | GET | Service to get details of a partner | Corrected the version in the response body. |
| /partners/{partnerId} | PUT | Service to update details of a partner | |
| /partners/{partnerId}/apikey/request | GET | Service to get the API key requests of a partner | Corrected the version in the response body. |
| /partners/{partnerId}/certificate | GET | Service to get the partner certificate | Added validation to check whether a certificate has been uploaded previously. |
| /partners/{partnerId}/certificate-data | GET | Retrieves both the CA-signed certificate uploaded by the partner and the MOSIP-signed certificate generated by PMS. Configured for any partner-type role or PARTNER_ADMIN. | Newly added in release 1.2.2.0 |
| /partners/{partnerId}/generate/apikey | PATCH | Generates an API key for approved policies | |
| /partners/{partnerId}/policy/map | POST | Requests a policy mapping | |
| /partners/{partnerId}/policygroup/{policygroupName} | PUT | Service to update the policy group of a partner | No changes made in release 1.2.2.0 |
| /partners/apikey/request/filtervalues | POST | Service to filter API key requests | Deprecated since release 1.2.2.0. Replaced by the new GET /partner-policy-requests endpoint. |
| /partners/apikey/request/search | POST | Service to search API key requests | Deprecated since release 1.2.2.0. Replaced by the new GET /partner-policy-requests endpoint. |
| /partners/apikey/search | POST | Service to search API keys | Deprecated since release 1.2.2.0. Replaced by the new GET /partner-api-keys endpoint. |
| /partners/certificate/ca/upload | POST | Service to upload a CA certificate | No changes made in release 1.2.2.0 |
| /partners/certificate/upload | POST | Service to upload a partner certificate | |
| /partners/email/verify | PUT | Service to verify a partner email | No changes made in release 1.2.2.0 |
| /partners/filtervalues | POST | Service to filter partner details | Deprecated since release 1.2.2.0. Replaced by the new GET /partners/v3 endpoint. |
| /partners/partner-certificates-details | GET | Retrieves the list of all Partner Certificates uploaded by the logged-in user. | Newly added in release 1.2.2.0 |
| /partners/partnerType/search | POST | Service to search partner types | No changes made in release 1.2.2.0 |
| /partners/search | POST | Service to search partner details | Deprecated since release 1.2.2.0. Replaced by the new GET /partners/v3 endpoint. |
| /partners/v2 | POST | Registers partner details | No changes made in release 1.2.2.0 |
| /partners/v2/{partnerId} | PUT | Service to update details of a partner | No changes made in release 1.2.2.0 |
| /partners/v3 | GET | Retrieves the list of Partners associated with the logged-in user, based on the query parameters. Configured for any partner-type role or PARTNER_ADMIN. | Newly added in release 1.2.2.0 |
| /roles | GET | Service to get required roles | No changes made in release 1.2.2.0 |
| /securebiometricinterface | GET | Retrieves the list of all SBIs created by the Device Providers. Supports pagination, sorting and filtering through optional query parameters. If the token used does not have the PARTNER_ADMIN role, only the SBIs created by the partners associated with the logged-in user are returned; if it has the PARTNER_ADMIN role, the SBIs created by all partners are returned. | Newly added in release 1.2.2.0 |
| /securebiometricinterface | PUT | Service to update a SecureBiometricInterface | Deprecated since release 1.2.2.0. |
| /securebiometricinterface | POST | Service to save SecureBiometricInterface details | |
| /securebiometricinterface | PATCH | Service to approve/reject a SecureBiometricInterface | |
| /securebiometricinterface/{sbiId} | PATCH | Deactivates an SBI together with its associated Devices. Configured for the DEVICE_PROVIDER or PARTNER_ADMIN roles. | Newly added in release 1.2.2.0 |
| /securebiometricinterface/{sbiId}/devices | GET | Fetches the list of Devices associated with the given SBI ID. Configured for the DEVICE_PROVIDER or PARTNER_ADMIN roles. | Newly added in release 1.2.2.0 |
| /securebiometricinterface/{sbiId}/devices | POST | Adds a new Device and creates an inactive mapping between the Device and the given SBI. Configured for the DEVICE_PROVIDER or PARTNER_ADMIN roles. | Newly added in release 1.2.2.0 |
| /securebiometricinterface/devicedetails/map | PUT | Service to map device details to an SBI | Deprecated since release 1.2.2.0. Replaced by the new POST /securebiometricinterface/{sbiId}/devices endpoint. |
| /securebiometricinterface/devicedetails/map/remove | PUT | Service to remove the mapping of device details from an SBI | Deprecated since release 1.2.2.0. |
| /securebiometricinterface/devicedetails/map/search | POST | Service to search mapped device details and SecureBiometricInterface details | Deprecated since release 1.2.2.0. Replaced by the new GET /securebiometricinterface/{sbiId}/devices endpoint. |
| /securebiometricinterface/filtervalues | POST | Service to filter SBIs | Deprecated since release 1.2.2.0. Replaced by the new GET /securebiometricinterface endpoint. |
| /securebiometricinterface/search | POST | Service to search SecureBiometricInterface details | Deprecated since release 1.2.2.0. Replaced by the new GET /securebiometricinterface endpoint. |
| /system-config | GET | Fetches the PMS configurations and sends them to the UI. No role is required for access, so nothing sensitive should be exposed through it. | Newly added in release 1.2.2.0 |
| /users | POST | Service to register a user | No changes made in release 1.2.2.0 |
| /users/user-consent | GET | Fetches the user's consent regarding the data captured by PMS. Consent is requested only once, after the user's first login, and is not requested again once given. Configured for all partner-type roles. | Newly added in release 1.2.2.0 |
| /users/user-consent | POST | Saves the user's consent regarding the data captured by the PMS portal. Consent is requested only once, after the user's first login, and is not requested again once given. Configured for all partner-type roles. | Newly added in release 1.2.2.0 |
| API Path | Method | Description | Changes done in release 1.2.2.0 |
|---|---|---|---|
| /policies | GET | Service to get policies | No changes made in release 1.2.2.0 |
| /policies | POST | Service to create a new authentication, data sharing, or credential policy. | Added the missing schema validation for empty arrays and empty strings. |
| /policies/{policyId} | GET | Service to retrieve the details of a specific policy by its ID. | No changes made in release 1.2.2.0 |
| /policies/{policyId} | PUT | Service to update policy details | No changes made in release 1.2.2.0 |
| /policies/{policyId} | PATCH | Deactivates a policy based on the Policy ID. It checks whether any policy requests are associated with the policy: the policy can be deactivated if it has no requests or only rejected requests. It cannot be deactivated while approved or pending requests exist, returning error code PMS_POL_063 (approved) or PMS_POL_064 (pending) respectively. Configured for the POLICYMANAGER or PARTNER_ADMIN roles. | Newly added in release 1.2.2.0 |
| /policies/{policyId}/group/{policygroupId}/publish | POST | Service to publish a policy | No changes made in release 1.2.2.0 |
| /policies/active/group/{groupName} | GET | Service to get active policy details for a policy group name | No changes made in release 1.2.2.0 |
| /policies/group/{policygroupId} | GET | Service to get a policy group | No changes made in release 1.2.2.0 |
| /policies/group/{policyGroupId} | PATCH | Lets Partner Admin users deactivate a Policy Group based on the Policy Group ID. Configured for the POLICYMANAGER or PARTNER_ADMIN roles. | Newly added in release 1.2.2.0 |
| /policies/group/new | POST | Service to create a new policy group | No changes made in release 1.2.2.0 |
| /policies/group/search | POST | Service to search policy groups | No changes made in release 1.2.2.0 |
| /policies/policy-groups | GET | Service to retrieve details of all active Policy Groups | Newly added in release 1.2.2.0 |
| /policies/v2 | GET | Service to retrieve the list of all Policies. Configured for the POLICYMANAGER or PARTNER_ADMIN roles. | Newly added in release 1.2.2.0 |
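The deactivation rule of PATCH /policies/{policyId} is easy to get subtly wrong when a policy has requests in several states. The block below is an added example in Python, not PMS project code: it models the rule on in-memory data. Only the two error codes (PMS_POL_063, PMS_POL_064) and the two role names come from the page; the data classes, function names, request status values, and the precedence of "approved" over "pending" when both exist are assumptions.

```python
"""Added example (not PMS project code): the deactivation rule the page describes
for PATCH /policies/{policyId}, modelled on in-memory data."""
from __future__ import annotations
from dataclasses import dataclass

ALLOWED_ROLES = {"POLICYMANAGER", "PARTNER_ADMIN"}  # roles named on the page
PMS_POL_063 = "PMS_POL_063"  # policy still has approved requests
PMS_POL_064 = "PMS_POL_064"  # policy still has pending requests


@dataclass
class PolicyRequest:
    policy_id: str
    status: str  # assumed values: "APPROVED", "PENDING", "REJECTED"


@dataclass
class Policy:
    policy_id: str
    is_active: bool = True


class PmsError(Exception):
    """Carries an error code so a caller can map it to an HTTP response."""

    def __init__(self, code: str) -> None:
        super().__init__(code)
        self.code = code


def blocking_code(policy_id: str, requests: list[PolicyRequest]) -> str | None:
    """Return the error code that blocks deactivation, or None if it may proceed.

    Deactivation is allowed when the policy has no requests or only rejected
    ones. Approved requests are reported before pending ones when both exist
    (assumption: the page lists the codes but not their precedence)."""
    statuses = {r.status for r in requests if r.policy_id == policy_id}
    if "APPROVED" in statuses:
        return PMS_POL_063
    if "PENDING" in statuses:
        return PMS_POL_064
    return None


def deactivate_policy(policy: Policy, requests: list[PolicyRequest],
                      roles: set[str]) -> Policy:
    """Role gate first, then the request check, then flip is_active."""
    if not roles & ALLOWED_ROLES:
        raise PmsError("FORBIDDEN")  # illustrative label, not a PMS code
    code = blocking_code(policy.policy_id, requests)
    if code is not None:
        raise PmsError(code)
    policy.is_active = False
    return policy


# Constructed sample data: one policy per outcome.
SAMPLE_REQUESTS = [
    PolicyRequest("pol-auth", "REJECTED"),
    PolicyRequest("pol-auth", "PENDING"),
    PolicyRequest("pol-share", "APPROVED"),
    PolicyRequest("pol-share", "PENDING"),
    PolicyRequest("pol-cred", "REJECTED"),
]

if __name__ == "__main__":
    for pid in ("pol-auth", "pol-share", "pol-cred", "pol-unused"):
        print(pid, blocking_code(pid, SAMPLE_REQUESTS))
```

Keeping the decision in `blocking_code` separate from the state change makes the rule unit-testable without a database, and the explicit precedence comment records a choice the page leaves open.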
Added validation to check that the Partner ID used in the request body is active, so an OIDC client cannot be created for an inactive partner. ()
If a partner had created multiple policy requests for the same policy, this endpoint checked the status of only the first policy request while creating the OIDC client, so it threw an error even when an approved policy request existed. Fixed this bug. ()
Improved JWK validation for the public key: the n value (RSA modulus) of the JWK must be unique, so the same RSA public key cannot be registered for more than one client. ()
Updated the client name to be a JSON string so that it can carry a language map of client names. ()
Added validation to check that the Partner ID used in the request body is active, so an OIDC client cannot be updated for an inactive partner. This validation is skipped if the user's role is PARTNER_ADMIN and the status in the request is changed to INACTIVE. ()
Added a validation to check whether the OIDC client is already deactivated. ()
Updated the client name to be a JSON string so that it can carry a language map of client names. ()
Improved the duplicate check by trimming extra spaces from make and model, preventing duplicate entries that differ only in whitespace. ()
Added validation to allow certificate upload only if the FTM chip detail's certificate status is APPROVED or PENDING_CERT_UPLOAD, so a certificate cannot be uploaded for a rejected or deactivated FTM. ()
Set isActive to false after a certificate re-upload, so the partner admin has to approve the FTM again once its certificate has been replaced. ()
Added a check to verify whether the partner is already deactivated; if so, it cannot be deactivated again. ()
If the API key is already deactivated, it cannot be deactivated again. ()
Added a validation to check that the Partner ID used in the request body is active, so an API key cannot be deactivated if its partner has been deactivated. This validation is skipped if the user's role is PARTNER_ADMIN. ()
Added a check to verify that the partner ID in the request exists in the database. ()
Added a check to remove extra spaces from the API key label before saving it to the database, preventing duplicate API key labels that differ only in whitespace. ()
Updated the error messages to indicate whether the policy is already mapped and whether its status is Approved or In Progress. ()
Added a validation to check that the Partner ID used in the request body is active, so a certificate cannot be uploaded if the partner has been deactivated. ()
If the domain is FTM, the uploadOtherDomainCertificate endpoint of Key Manager is not called. ()
Added a check to remove extra spaces from the SBI version before saving it to the database, preventing duplicate SBI versions that differ only in whitespace. ()
Added separate error codes for the cases where the SBI is already approved or already rejected. ()
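The OIDC client endpoints carry several interacting rules: the partner in the request must belong to the caller unless the caller is PARTNER_ADMIN, the partner must be active except when an admin is deactivating the client, the JWK modulus must be unique, a PUT with status INACTIVE changes nothing but the status, and an already-inactive client cannot be deactivated again. The block below is an added example in Python, not PMS project code, that puts those rules together on in-memory data so the interactions can be seen in one place. The role name PARTNER_ADMIN and the INACTIVE status come from the page; every other name, the partner-to-user ownership mapping, the error labels and the check that the client belongs to the partner named in the request are assumptions.

```python
"""Added example (not PMS project code): the ownership, active-partner,
JWK-uniqueness and deactivation rules described for POST /oauth/client and
PUT /oauth/client/{client_id}, modelled on in-memory data."""
from __future__ import annotations
from dataclasses import dataclass, field

PARTNER_ADMIN = "PARTNER_ADMIN"


class PmsError(Exception):
    """Raised with a short illustrative label (not a real PMS error code)."""


@dataclass
class Partner:
    partner_id: str
    owner_user: str  # assumed: the PMS user who registered the partner
    is_active: bool = True


@dataclass
class OidcClient:
    client_id: str
    partner_id: str
    name: str
    jwk_n: str  # RSA modulus (base64url) of the registered public key
    status: str = "ACTIVE"


@dataclass
class Store:
    partners: dict[str, Partner] = field(default_factory=dict)
    clients: dict[str, OidcClient] = field(default_factory=dict)


def _authorize_partner(store: Store, partner_id: str, user: str, roles: set[str],
                       *, require_active: bool = True) -> Partner:
    """Ownership check (skipped for PARTNER_ADMIN), then the active check."""
    partner = store.partners.get(partner_id)
    if partner is None:
        raise PmsError("partner_not_found")
    if PARTNER_ADMIN not in roles and partner.owner_user != user:
        raise PmsError("partner_not_owned_by_user")
    if require_active and not partner.is_active:
        raise PmsError("partner_inactive")
    return partner


def create_client(store: Store, user: str, roles: set[str], *, client_id: str,
                  partner_id: str, name: str, jwk_n: str) -> OidcClient:
    """POST /oauth/client: caller must own an active partner; modulus must be unique."""
    _authorize_partner(store, partner_id, user, roles)
    if client_id in store.clients:
        raise PmsError("client_exists")
    if any(c.jwk_n == jwk_n for c in store.clients.values()):
        # The same RSA key cannot be registered under two clients.
        raise PmsError("jwk_modulus_not_unique")
    client = OidcClient(client_id, partner_id, name, jwk_n)
    store.clients[client_id] = client
    return client


def update_client(store: Store, user: str, roles: set[str], *, client_id: str,
                  partner_id: str, name: str | None = None,
                  status: str | None = None) -> OidcClient:
    """PUT /oauth/client/{client_id}: status=INACTIVE only deactivates, other
    fields are ignored; a PARTNER_ADMIN may deactivate under an inactive partner."""
    client = store.clients.get(client_id)
    if client is None:
        raise PmsError("client_not_found")
    if client.partner_id != partner_id:
        # Assumed hardening: the request's partner ID must be the client's owner.
        raise PmsError("client_not_under_partner")
    deactivating = status == "INACTIVE"
    admin_deactivation = deactivating and PARTNER_ADMIN in roles
    _authorize_partner(store, partner_id, user, roles,
                       require_active=not admin_deactivation)
    if deactivating:
        if client.status == "INACTIVE":
            raise PmsError("client_already_inactive")
        client.status = "INACTIVE"
        return client  # name and key untouched, as the page describes
    if name is not None:
        client.name = name
    return client


def demo_store() -> Store:
    """Constructed sample data: two users and a deactivated partner with a live client."""
    store = Store()
    store.partners["p-alice"] = Partner("p-alice", "alice")
    store.partners["p-bob"] = Partner("p-bob", "bob")
    store.partners["p-old"] = Partner("p-old", "bob", is_active=False)
    store.clients["c-legacy"] = OidcClient("c-legacy", "p-old", "Legacy app", "n-legacy")
    return store
```

The point worth checking in a real deployment is the ordering inside `update_client`: the active-partner check is relaxed only when the caller is PARTNER_ADMIN and the request is a deactivation, so an admin still cannot rename or re-key a client that sits under a deactivated partner.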