Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Demonstration of MOSIP Authentication API integration with a Digital Signature system offered by eMudhra.
Integration of MOSIP with other systems.
Release Name: MTS 1.0
Release Version: Version 1.0.0
Upgrade From: NA
Release Date: 6th October, 2022
The 1.0.0 version of MTS covers basic features of MOSIP Token Seeder as listed below. This version is tested for functionality. Non-functional requirements (Performance, scale etc.) will be taken up in subsequent releases.
Authentication and token issuance using MOSIP Token Seeder with input/output formats and specifications as stated below:
Input type: CSV, JSON, ODK
Output type: CSV, JSON
Delivery type: Download
Asynchronous token seeding
Status API
Download API
Authfield Mapping
Dockerization
Helm chart
Processes 5k entries in one request
MTS 1.0.0 is compatible with following versions of MOSIP IDA:
MOSIP v1.1.5.x
MOSIP v1.2.0.x
Test repositories
For a basic overview, refer architecture and high level design
Functional user stories:
Authentication and token issuance using MTS with input/output formats as stated below:
<Input: JSON/CSV format> and <Output: JSON/CSV format> - #MOSIP-23029
<Input: ODK format> and <Output: JSON/CSV format> - #MOSIP-23224
For API documentation, click here
For installation, refer README
Name: MTS 1.0
Date: 6th October, 2022
Name: MTS 1.0.1
Date: 9th November, 2022
This demonstration showcases the integration of MOSIP's Authentication API with the Mental Healthcare Management system offered by e-Manas. This integration enables secure means of sharing health records of a patient across hospitals with the patient's consent, where the authentication is enabled by MOSIP ID.
Below is the demonstration of the same.
MTS Connector (MTS-C) is a OpenG2P module which will be an addon to . MOI will help in fetching the tokenized data from the ODK Central by calling the (MTS) and store the same in beneficiary registry. This will be an important module in deduplication process when OpenG2P system is using MOSIP as its id platform.
Generates MOSIP token while fetching from the ODK
Uses callback delivery type of MTS
Completely asynchronous execution
OpenG2P can schedule a daily job to fetch the delta for the day
A manual import feature will also be provided
In OpenG2P, the user can configure for following fields to setup an interface with MTS.
Name: A string to identify the connector
URL to reach MTS: URL for MTS API
MTS Input type: MTS-C connects over "ODK" which is the first option in this selection. OMC option could be proceeded by selecting "OpenG2P Registry".
Output Type: MTS-C only supports JSON output type of MTS.
Delivery Type: Currently supporting only "Callback". Callback feature can be used to make MTS do a submission of results onto an API within Odoo. The output formatting will help in making the desired input for the api.
Job Type: MTS-C provide both recurring and one time execution. Recurring can be configured to do continuous pull from the ODK over MTS.
Interval in minutes: Interval at which the MTS-C job runs.
MOSIP Language: Mosip language setup. Default is "eng".
ODK Base URL: Base URL or the complete domain address for the ODK central installation
ODK Odata url : OData service (.svc) URL for the ODK form to fetch the submissions.
ODK User email: Email Id to authenticate MTS for accessing Odata URL
ODK User password: Password used to authenticate Odata URL
Callback URL: A URL end point which would be called upon successful processing at MTS
Callback HTTP Method: HTTP Method (POST/PUT/GET/PATCH) used while MTS makes the callback
Callback Timeout: Timeout awaited by the callback until acknowledged with a response.
Callback Auth Type: Type of authentication expected by callback url. MTS-C currently support Odoo type which uses the session-based authentication implemented by Odoo.
Callback Auth Database: DB instance used by Odoo.
Callback auth username: Username to access callback api
Callback auth password: Password to access callback api
MOSIP Token Seeder (MTS) is a standalone service that outputs for a given input list of UIN/VIDs after performing authentication with . The service is a convenience module that makes it easy for to perform bulk authentication to onboard users to their systems. Refer section for details on the usage of MTS.
Bulk upload
Support for multiple and (see diagram below). For instance, a CSV file may be uploaded, and the downloaded file will contain a column with tokens populated.
Support for multiple
REST interface
PII at rest is encrypted. Further, the PII is erased after processing
Works in asynchronous mode - queues all the requests
:
Processes multiple records per request
Processes multiple requests simultaneously
Enables :
Output formatting of fields
Setting up fields as mandatory/optional
Defining data clean-up policy
One of the intended use cases of MTS is to seed existing beneficiary registries for deduplication.
Google Sheets (TBD)
Form.IO Sheets (TBD)
Verifiable Credentials (VC) (TBD)
CSV
JSON
Download
Synchronous response
WebSub (TBD)
SFTP (TBD)
Process multiple records per request
Process multiple requests simultaneously
Output formatting of fields
Setting up fields as mandatory/optional
Defining data clean-up policy
Token seeder is a batch processing module which initiates the token authentication process. Once a new request is enqueued into the token seeder, it fetches the same and sends the request on a record level to the authenticator module. Token seeder is also responsible for updating the success and failure status to the database. There is also a expiry program for clearing off the request already processed from the system based on the expiry settings configured.
Mapping: MTS Field mapping as required by the API. Please refer Format of Mapping would be JSON.
Output Format: Output format is a string which will be used by MTS to format its output to suite the caller's requirement.
based
MTS is capable of processing millions of records per request. There is no specific limitation to the number of records it can handle per request. Refer for details.
MTS processes multiple requests in a simultaneous manner, rather than a sequential pattern. Refer for details.
When MTS receives an authentication and tokenization request, it processes the request and sends out the output, in the requested format. Additionally, whilst formulating the output response, MTS is capable of sending the response back, based on the preferred field mapping. e.g. A request received may carry fields First name and Last name. However, the requesting party may need the response to carry fields as per the mapped naming convention: First name to FN and Last name to LN. MTS enables this requirement, through configuration of the output format template which provides the flexibility to define the field mapping as preferred. Refer for details.
Every request that MTS receives comprises of a set of fields. However, MTS provides the flexibility of defining which field is mandatory/optional as part of the request. This is a one time activity that will have to be carried out at the time of initial installation setup of MTS. Based on this definition, MTS validates each request for the presence of mandatory fields. If this config file is not setup distinctly, then the default IDA setup will be considered. Refer for details. Refer <installation guide> for setup related information.
For each request received and processed, the data is held in MTS. Whilst the data is held in-memory, MTS provides a feature to clean-up the data held and also define the timeframe based on which the data clean-up job may be run. This will help control the volume of data stored and also limit the availability of data for potential security threats. The process of defining the policy is a one time activity that will have to be carried out at the time of initial installation setup of MTS. Refer for details. Refer <installation guide> for setup related information.
Authtoken API is a RESTful interface to accept various auth request input for the Token Seeder system. The API works in a complete asynchronous mode. is returned a request identifier when they make successful authtoken request. Status check API can be used to poll the status of the request placed. In case the status returns a processed state, the output can be accessed, as configured in the primary request for. Eg. If the request was for a file download, the file download API can be called to return the output file. Refer for a detailed API documentation.
Authenticator process takes in a valid authentication request and performs the demographic authentication with the server. Each auth request is well formed, encrypted and signed before its sent to the . It passes on the response received to the caller regardless of the status received. Authenticator module can also be used as a individual library outside of MOSIP token seeder for any use case it applies to.
Refer
Refer
Refer
Refer
Release Name: MTS 1.0.1
Release Version: Version 1.0.1
Upgrade From: Version 1.0.0
Release Date: 9th November, 2022
The 1.0.1 version of MTS is the first patch release above version 1.0. This patch release mainly comprises of fixes for bugs identified in the previous release.
For more information, refer Fixed issues.
MTS 1.0.1 is compatible with following versions of MOSIP IDA:
MOSIP v1.1.5.x
MOSIP v1.2.0.x
Release Name: MTS 1.1
Release Version: Version 1.1.0
Upgrade From: MTS 1.0
Release Date: TBD
Delivery type: Callback
Output formatting
Configurable mandatory fields
Processes records in millions
Process multiple requests simultaneously
Auth request data expiry
MTS 1.0.0 is compatible with following versions of MOSIP IDA:
MOSIP v1.1.5.x
MOSIP v1.2.0.x
For a basic overview, refer architecture and high level design
Functional user stories:
Authentication and token issuance using MTS with input/output formats as stated below:
<Input: JSON/CSV format> and <Output: JSON/CSV format> - #MOSIP-23029
<Input: ODK format> and <Output: JSON/CSV format> - #MOSIP-23224
For API documentation, click here
For installation, refer README
This document describes plan & scope of integration of MOSIP and OpenCRVS.
Phase 1: Technical Proof Of Concept integration (v0.5)
Phase 2: Detailed design of production implementation (v1.0)
Phase 3: Implementation of v1.0.
Phase 4: Installation at MEC.
The following is a list of possible scenarios for this integration.
A birth is certified by OpenCRVS. MOSIP receives event data and creates UIN for the birth.
A death is certified by OpenCRVS. MOSIP receives event data and deactivates the particular UIN.
A birth is corrected on OpenCRVS. MOSIP receives event data and corrects the particular details of that person.
A death is corrected on OpenCRVS. MOSIP receives event data and corrects the particular details of that person.
Upon birth certification, once MOSIP generates UIN, MOSIP issues the relevant details/credentials back to OpenCRVS.
Upon birth certification, if MOSIP encounters a problem while generating UIN, MOSIP issues back an error to OpenCRVS.
TBD
In this phase, v0.5 POC, only 1, 2, and 5 scopes are handled.
The following new components are added:
OpenCRVS Side Mediator. (Maintained and deployed by OpenCRVS)
MOSIP Side Mediator.
OpenCRVS Stage - Registration Processor.
Runs on OpenCRVS cluster. Maintained by OpenCRVS.
Subscribes to OpenCRVS Webhooks for BIRTH_REGISTERED
and DEATH_REGISTERED
events.
Receive data from webhooks, for the above events. Encrypts that data. Sends it over to MOSIP Side Mediator on private/internal MOSIP channel.
Receives UIN from MOSIP Side Mediator when uin generation is successful.
For the purposes of this phase, it was decided that MOSIP would send the UIN back. TBD whether this can continue in later phases.
Runs on MOSIP cluster. Maintained by MOSIP.
Subscribes to MOSIP WebSub, for CREDENTIAL_ISSUED
event.
Receives data from OpenCRVS.
On Birth:
Puts the birth data to Kafka.
Reads data from Kafka asynchronously. Creates a registration packet with the data from OpenCRVS, using packetmanager library, with process type as OPENCRVS_NEW
and source as OPENCRVS
.
Uploads the packet to regproc-packetreceiver service.
Syncs the packet with regproc-status service.
Updates rid, and status in mosip-opencrvs/birth_transactions
database table.
For the purposes of this phase, this birth process is just emulating the way Registration Client would make a registration.
A better procedure for creating registrations through partners is TBD.
On Death: WIP
Receives data from WebSub, upon credential being issued. Proxies the data, off to OpenCRVS Side Mediator.
Only the following stages are included in the registration processor route (in the same order) for the packet with OPENCRVS_NEW
process type:
Packet Receiver
Securezone Notifier
Packet Uploader
Packet Validator
Packet Classifier
Introducer Validator
UIN Generator
Finalization
Print Stage
OpenCRVS Stage
This is a new stage, that just issues the credential to opencrvs
partner.
The following stages are omitted:
CMD Validator
Operator Validator
Supervisor Validator
Quality Classifier
Demographic Deduplication
Biometric Deduplication
ABIS Handler
ABIS Middleware
Verification
Manual Adjudication
Biometric Extraction.
For MOSIP Side Components installation, refer to mosip-opencrvs deployment instructions.
For MOSIP Side Components (Mediator and Regproc Stage), refer to mosip-opencrvs repository.
For OpenCRVS Side Mediator, refer to opencrvs's mosip-mediator repository.
OpenG2P-registry MTS Connector (OMC) is a OpenG2P module which will be an addon to Odoo. OMC can generate a MOSIP Auth Token against the any record in OpenG2P registry by calling MOSIP Token Seeder (MTS) and store the same in beneficiary registry. This will be an important module in deduplication process when OpenG2P system uses MOSIP as its ID platform.
Generates MOSIP token against the OpenG2P registry by calling MTS.
Uses callback
delivery type of MTS
Completely asynchronous execution
OpenG2P can schedule a daily job to fetch the delta for the day
A manual import feature will also be provided
Removes VID if MOSIP Auth Token is generated
In OpenG2P, the user can configure for following fields to setup an interface with MTS through OMC.
Name: A string to identify the connector
URL to reach MTS: URL for MTS API
MTS Input type: OMC option could be proceeded by selecting "OpenG2P Registry".
Mapping: MTS Field mapping as required by the API. Please refer MTS Documentation. Format of Mapping would be JSON.
Output Type: MTS-C only supports JSON output type of MTS.
Output Format: Output format is a JQ string which will be used by MTS to format its output to suite the caller's requirement.
Delivery Type: Currently supporting only "Callback". Callback feature can be used to make MTS do a submission of results onto an API within Odoo. The output formatting will help in making the desired input for the api.
Job Type: MTS-C provide both recurring and one time execution. Recurring can be configured to do continuous pull from the ODK over MTS.
MOSIP Language: Mosip language setup. Default is "eng".
Interval in minutes: Interval at which the MTS-C job runs.
Filters to apply to Registry: A domain filter can be used to identify the records for tokenization. For. eg. Only records which have VID associated with it and is not tokenized need to be picked for tokenization.
List of fields to be used: List of fields which will be supplied as auth data. This field list may be a superset of fields required for auth as it may contain data required by the callback API. This list should be a valid JSON string array.
Callback URL: A URL end point which would be called upon successful processing at MTS
Callback HTTP Method: HTTP Method (POST/PUT/GET/PATCH) used while MTS makes the callback
Callback Timeout: Timeout awaited by the callback until acknowledged with a response.
Callback Auth Type: Type of authentication expected by callback URL. MTS-C currently support Odoo type which uses the session-based authentication implemented by Odoo.
Callback Auth Database: DB instance used by Odoo.
Callback auth username: Username to access callback api
Callback auth password: Password to access callback api
In these times of digital transformation, most services are moving online globally. Personalized access to online services is enabled through the use of a trusted digital identity. eSignet aims to offer a simple yet powerful mechanism for end users to identify themselves in order to avail of online services and also share their profile information.
eSignet supports multiple modes of identity verification to promote inclusion and increase access, thus narrowing potential digital divides. It also provides an elegant and easy way for an existing trusted identity database to make the identity digital and provision identity verification and service access.
There is a need to support more verification methods to be inclusive. Current approaches do not address privacy concerns comprehensively. We are constantly looking at ways to bridge the digital divide with better privacy. Here is a short introduction to identity verification methods. Also, do check out to understand modern approaches to identity using verifiable credentials for decentralized verification.
What can eSignet be used for?
eSignet can be a login provider for a relying party application to enable access to the service without creating yet another set of login credentials (username/password combination).
eSignet can be used for assured identity verification of an individual against an identity provider. The identity provider could be a national identity database/ driver's license system/ passport license system or any other trusted identity provider. The assurance level is based on the authentication factor used, with biometric authentication offering user presence assurance.
eSignet can be used for consented data sharing for profile creation or eKYC needs of relying parties. Authentication requests from a relying party can be accompanied by a request for a set of attributes suitable for profile creation or meeting eKYC process norms. The requested information is shared after the user provides consent as part of the eSignet login flow.
To know more about eSignet, its features, components, integrations etc., read through the eSignet documentation.
To know more about integrations with MOSIP, refer to the following documents:
This page details only on very specific areas of MOSIP Token Seeder. For a elaborate understanding on the MTS API, please refer the API documentation page.
Refer API documentation.
When using above format, you may not need any mapping configuration. But in case you change any column name in the csv, please do provide the same in the mapping configuration.
Output might have mix of successful and failed records except for the case where whole of the input throws error. If successful, the record would be having the token placed against the vid. And if there is error processing a record, the same is updated against the vid and the error code and description is mentioned along.
submitted
submitted
is the first status immediately after you have placed a authtoken request.
invalid
If in case there is basic validation error such that the request could not be processed, the request in marked as invalid
.
submitted_with_errors
Once the system passes through the basic validation but has found that none of the records can go through due to varied record level validation issues, the system will update the request with submitted_with_errors
status.
processing
This status is updated when the seeder enqueues the request for processing
.
processed
Once the request is completed processing and ready for a result, the system updates the record with processed
status. There can be error codes mentioned in the output line items in case few but not entire records have any processing error.
processed_with_errors
When the request is processed but every record in the request has some or other processing errors, the system updates the request with processed_with_errors
status.
In case there is a prior request placed with considerably higher number of records, and you have placed subsequent request submitted even before getting output for your earlier request, the system might take a while to update the status of your newer request. It might be still in the submitted
state until the system finds a window to start processing.
ATS-REQ-001
json is not in valid format
ATS-REQ-003
name is not provided
ATS-REQ-004
gender is empty
ATS-REQ-006
date of birth is empty
ATS-REQ-008
address is empty
ATS-REQ-009
vid or its mapping not present
ATS-REQ-010
name or its mapping not present
ATS-REQ-011
gender or its mapping not present
ATS-REQ-012
dateOfBirth or its mapping not present
ATS-REQ-015
fullAddress or its mapping not present
ATS-REQ-016
no auth request found for the given identifier
ATS-REQ-017
auth request not processed yet
ATS-REQ-018
no odk baseurl provided
ATS-REQ-019
no email provided
ATS-REQ-020
no password provided
ATS-REQ-021
no odk project id provided
ATS-REQ-022
no odk form id provided
ATS-REQ-023
no submissions found for odk pull
ATS-REQ-100
unknown error
ATS-REQ-101
none of the record form a valid request
ATS-REQ-102
invalid input
AUT_CRY_001
Error parsing encryption certificate provided in config file.
AUT_CRY_002
Error reading P12 file provided in config file.
AUT_CRY_003
Error Encrypting Auth Data
AUT_CRY_004
Error Signing Auth Request Data
AUT_BAS_001
Not Able to process auth request
There are cases where MTS might successfully pass on the request but IDA generates error based on the its implementation scenario. MTS will log such error directly to the output json/csv/file. In any case there are uncaught errors thrown by IDA, MTS will output the same as unknown error (ATS-REQ-100).
The names on the left side of the mapping config denotes the original expected names and the value part will hold the change of name, if any. The mapping config if not supplied, the system will assume that there are no changes in the names used. The same applies if any one or more element of the mapping is not provided.
"mapping": {
"vid": "vid_1", //default:"vid"
"name": [ //default:"name"
"firstname","middlename","lastname"
],
"gender": "gender", //default:"gender"
"dob": "dob", //default:"dob"
"phoneNumber": "phoneNumber", //default:"phoneNumber"
"emailId": "emailId", //default:"emailId"
"fullAddress": [ //default:"fullAddress"
"addressline1", "addressline2","city","state","pincode"
]
}
Except for name and full address, the majority of the fields in authdata are direct mapping. MTS expects that there can be exceptions for name and full address for which the mapping is configured as a string array. For example, if the calling application or program stores the address fields in separate variables or columns like addressline1, addressline2, street, area, or zipcode; the same can be supplied directly as authdata with mapping supplied as a list of variable or column names as in the calling program.
vid
only valid vid/uin generated by MOSIP
Mandatory
name
string
Mandatory
gender
male/female/others
Mandatory
dob
"YYYY/MM/DD"
Mandatory
phoneNumber
country specific length without any country code
Optional
emailId
string
Optional
fullAddress
string
Mandatory
This page details only on very specific areas of MOSIP Token Seeder. For a elaborate understanding on the MTS API, please refer the API documentation page.
Refer API documentation.
When using above format, you may not need any mapping configuration. But in case you change any column name in the csv, please do provide the same in the mapping configuration.
Output might have mix of successful and failed records except for the case where whole of the input throws error. If successful, the record would be having the token placed against the vid. And if there is error processing a record, the same is updated against the vid and the error code and description is mentioned along.
submitted
submitted
is the first status immediately after you have placed a authtoken request.
invalid
If in case there is basic validation error such that the request could not be processed, the request in marked as invalid
.
submitted_with_errors
Once the system passes through the basic validation but has found that none of the records can go through due to varied record level validation issues, the system will update the request with submitted_with_errors
status.
processing
This status is updated when the seeder enqueues the request for processing
.
processed
Once the request is completed processing and ready for a result, the system updates the record with processed
status. There can be error codes mentioned in the output line items in case few but not entire records have any processing error.
processed_with_errors
When the request is processed but every record in the request has some or other processing errors, the system updates the request with processed_with_errors
status.
In case there is a prior request placed with considerably higher number of records, and you have placed subsequent request submitted even before getting output for your earlier request, the system might take a while to update the status of your newer request. It might be still in the submitted
state until the system finds a window to start processing.
Call back functionality enables MTS api to submit the output to a specified URI. Callback might also need authorization on most occasions. MTS currently supports following authorization types.
If the caller can supply a token while calling the MTS api, it can be configured in the authStaticBearer
attribute of callbackProperties
section.
"authStaticBearer": {
"token": "string"
}
The functionality is added to support the OpenG2P use case where in OpenG2P odoo modules can call the MTS and get the result directly imported to odoo database. Following are the parameters supported.
"authOdoo": {
"authUrl": "http://example.com",
"database": "string",
"username": "string",
"password": "string",
"extraHeaders": {}
},
OAuth protocol is also supported in MTS callback functionality. This helps numerous systems which implements OAuth specification to integrate with MTS seamlessly. Below are the configurations available to setup OAuth based callback.
"authOauth": {
"authUrl": "http://example.com",
"username": "",
"password": "",
"clientId": "",
"clientSecret": "",
"extraHeaders": {}
},
ATS-REQ-001
json is not in valid format
ATS-REQ-003
name is not provided
ATS-REQ-004
gender is empty
ATS-REQ-006
date of birth is empty
ATS-REQ-008
address is empty
ATS-REQ-009
vid or its mapping not present
ATS-REQ-010
name or its mapping not present
ATS-REQ-011
gender or its mapping not present
ATS-REQ-012
dateOfBirth or its mapping not present
ATS-REQ-015
fullAddress or its mapping not present
ATS-REQ-016
no auth request found for the given identifier
ATS-REQ-017
auth request not processed yet
ATS-REQ-018
no odk baseurl provided
ATS-REQ-019
no email provided
ATS-REQ-020
no password provided
ATS-REQ-021
no odk project id provided
ATS-REQ-022
no odk form id provided
ATS-REQ-023
no submissions found for odk pull
ATS-REQ-024
callbackProperties cannot be empty for deliverytype callback
ATS-REQ-025
requestFileName is not valid in callbackProperties
ATS-REQ-026
callInBulk cannot be false for csv output
ATS-REQ-027
unsupported authType in CallbackProperties
ATS-REQ-028
authOdoo cannot be empty for authType odoo
ATS-REQ-029
authOauth cannot be empty for authType oauth
ATS-REQ-030
authStaticBearer cannot be empty for authType staticBearer
ATS-REQ-031
authUrl in authOdoo, cannot be empty for authType odoo
ATS-REQ-032
username in authOdoo, cannot be empty for authType odoo
ATS-REQ-033
database in authOdoo, cannot be empty for authType odoo
ATS-REQ-034
token in authStaticBearer cannot be empty for authType staticBearer
ATS-REQ-100
unknown error
ATS-REQ-101
none of the record form a valid request
ATS-REQ-102
invalid input
ATS-REQ-103
outputFormat is not a valid jq expression
ATS-REQ-104
for csv output, outputFormat cannot be list. Has to be json
AUT_CRY_001
Error parsing encryption certificate provided in config file.
AUT_CRY_002
Error reading P12 file provided in config file.
AUT_CRY_003
Error Encrypting Auth Data
AUT_CRY_004
Error Signing Auth Request Data
AUT_BAS_001
Not Able to process auth request
There are cases where MTS might successfully pass on the request but IDA generates error based on the its implementation scenario. MTS will log such error directly to the output json/csv/file. In any case there are uncaught errors thrown by IDA, MTS will output the same as unknown error (ATS-REQ-100).
The names on the left side of the mapping config denotes the original expected names and the value part will hold the change of name, if any. The mapping config if not supplied, the system will assume that there are no changes in the names used. The same applies if any one or more element of the mapping is not provided.
"mapping": {
"vid": "vid_1", //default:"vid"
"name": [ //default:"name"
"firstname","middlename","lastname"
],
"gender": "gender", //default:"gender"
"dob": "dob", //default:"dob"
"phoneNumber": "phoneNumber", //default:"phoneNumber"
"emailId": "emailId", //default:"emailId"
"fullAddress": [ //default:"fullAddress"
"addressline1", "addressline2","city","state","pincode"
]
}
Except for name and full address, the majority of the fields in authdata are direct mapping. MTS expects that there can be exceptions for name and full address for which the mapping is configured as a string array. For example, if the calling application or program stores the address fields in separate variables or columns like addressline1, addressline2, street, area, or zipcode; the same can be supplied directly as authdata with mapping supplied as a list of variable or column names as in the calling program.
With the output formatting capability, MTS can give you the result exactly the way in which you would want it ready for your further processing of data. The output format string to be supplied follows the jq format. In case the output format is not supplied, the default output will be generated which will be the same as the previous versions. The below section details on an example case for output formatting.
{
"vid": "456564345214",
"demographics":{
"fname": "Peter",
"lname": "Parker",
"gender": "male"
},
"contacts": [{
"email": "peter.parker@somewhere.com",
"fulladdress":"Cecilia Chapman, 711-2880 Nulla St.,Mankato Mississippi 96522, (257) 563-7401"
}]
}
"{
\"pcn\": .input.vid,
\"firstName\": .input.demographics.fname,
\"lastName\": .input.demographics.lname,
\"gender\": .input.demographics.gender,
\"email\": .input.contacts[0].lname,
\"address\": .input.contacts[0].fulladdress,
\"authToken\": .output.token,
\"authTokenStatus\": .output.status,
\"authTokenError\": (.output.errorCode + \"::\" + .output.errorMessage),
}"
{
"pcn": "456564345214",
"firstName": "Peter",
"lastName": "Parker",
"gender": "male",
"email": "peter.parker@somewhere.com",
"address": "Cecilia Chapman, 711-2880 Nulla St.,Mankato Mississippi 96522, (257) 563-7401",
"authToken": "2944061782623593820388819382121346429",
"authTokenStatus": "error",
"authTokenError": ""
}
**input
**keyword in the output format string is used to represent the data you input into MTS as authdata parameter. output
keyword is used to identify that you intend to pick the data from the default auth request result. Please find below a sample for the default auth request output.
{
"vid": "456564345214",
"token": "2944061782623593820388819382121346429",
"status": "success",
"errorCode": "",
"errorMessage": "",
}
vid
only valid vid/uin generated by MOSIP
Mandatory
name
string
Mandatory
gender
male/female/others
Mandatory
dob
"YYYY/MM/DD"
Mandatory
phoneNumber
country specific length without any country code
Optional
emailId
string
Optional
fullAddress
string
Mandatory
This document explains the Print Service and other associated components along with a detailed technical understanding of the architecture and design of integrating MOSIP with external print partners.
Are you a print partner looking to integrate with MOSIP? Feel free to Sign Up here!
As per the current approach, after a UIN is successfully processed, the Registrations Processor’s Printing Stage calls the Credential Service to create a credential for print. This credential is pushed to the WebSub and the Printing systems consumes the same.
MOSIP has introduced the Print Service as a reference implementation to print the euin, reprint, qrcode, credential types in PDF format. This service is intended to be customized and used by a card printing agency who will need to on-board onto MOSIP as a Credential Partner before deploying the service.
Below is an entity relationship diagram highlighting the relationship of Print Service with other modules.
Receives events from WebSub.
Fetches templates from Masterdata.
After creating the PDF card, Print Service uploads the same to Datashare.
Publishes the event to WebSub with updated status and Datashare link.
The card data in JSON format is published as a WebSub event. The print service consumes the data from event, decrypts using partner private key and converts into PDF using a pre-defined template.
To know more about the different configurations, steps for build and deployment, refer to the documentation in the Print repository.
MOSIP Server : All the components that are responsible for generating and sharing credentials resides inside the MOSIP server. Registration requests or updates are sent to the MOSIP server for processing. The MOSIP server after successfully processing the registration data generates a Unique Identification Number (UIN) which is unique to every resident of a country.
Print Stage : This is a component inside the MOSIP server which is responsible for generating a credential and sharing it with the Partner printing system.
Print Service : An external printing solution onboarded as a credential partner
by MOSIP using MOSIP’s partner management framework. It securely consumes the credential from the MOSIP server through a standard interface and uses the data inside the credential for printing. The partner printing system may offer the following services based on the country’s printing choices
Ability to print plastic cards
Ability to print a PDF document and email it to the registered email ID
Generate a QR code to be used while printing ID cards
A centralized printing management system developed by a third party that might manage the printing and posting of ID cards to designated residents
WebSub : WebSub is a websocket used by MOSIP for sharing data with MOSIP partners. MOSIP’s print stage shares the credential with the partner printing system through WebSub. The credentials shared are in the form of Verifiable Credentials(VCs).
The diagram below depicts the technical architecture of the solution.
Print Stage : This s a stage on the MOSIP server that requests the credential request generator to generate a credential for a given print partner or partners based on a custom-built logic. For example, the custom logic may be to route the print request to a a specific regional print partner.
Credential Request Generator : This is a component on the MOSIP server that stores the credential request in the Credential transaction Database to be consumed by the Credential Service.
Credential Service : This is a component on the MOSIP server that is responsible for generating a credential. The credential service does the following
Constructs the credential based on the partner policy (that defines the type of the credential and the data that must be shared as a part of the credential) and stores the credential into the datashare.
The datashare returns the URL which is published by the credential service inside WebSub event hub as a message against a partner topic.
WebSub picks up the event from the event hub and shares it with the Partner Print System through a callback mechanism via a standard REST interface.
The partner print system retrieves the datashare URL from the event and downloads the credential from the Datashare and returns the status back to WebSub.
The following statuses may be returned:
RECEIVED: Indicates that the credential request has been received.
DOWNLOADED: Indicates that the credential has been downloaded.
VALIDATED : Indicates that the credential has been validated.
PRINTED: Indicates that the credential has been printed.
ERROR: An error occurred while processing the credential.
To know more details, refer Credential Service.
To learn about the Credential Types, refer Verifiable Credentials Data Model v1.1.
To view a sample VC that is created by MOSIP, refer Verified credentials.
The partner printing system has to be amended with the functionality to receive the credential from MOSIP and interpret it. The following are key sequence of operations:
Receive the datashare URL of the credential from WebSub
Download the credential from the datashare URL
Decrypt the credential using the private key
Validate the credential
Parse and extract the demographic and biometric data (eg:- photograph)
Print the ID card
Note: The way the credential is processed and interpreted is left to the implementation of the partner printing system and is outside the scope of MOSIP.
The partner printing system is expected to expose an API end point for MOSIP to publish the datashare URL of the credential.
For MOSIP to communicate with the partner printing system, the partner printing system is expected to implement a print service.
Note: The print service may be considered as an extension to the functionality of the partner printing system. It may also be implemented as a separate microservice and linked to the partner printing system. The technology, architecture and language of the print service implementation is outside the scope of MOSIP.
For implementing the print service, follow the procedure mentioned below:
The Print Service will be called/ invoked only by WebSub (Subscription engine) with credential request event using registered callback URL.
Sample callback url: https://{PrintProviderName}-printservice.print/v1/print/callback/notifyPrint
Sample credential request:
{
"publisher": "CREDENTIAL_SERVICE",
"topic": "{mosip.partner.id}/CREDENTIAL_ISSUED",
"publishedOn": "2023-05-04T13:21:01.565Z",
"event": {
"id": "324190df-3071-429a-9eec-182008c7b123",
"transactionId": "37238d20-3dcd-4aa3-851b-6240956fb432",
"type": {
"namespace": "mosip",
"name": "mosip"
},
"timestamp": "2023-05-04T13:21:01.565Z",
"dataShareUri": "http://datashare.datashare/v1/datashare/get/mpolicy-default-euin/mpartner-default-print/mpartner-default-printmpolicy-default-euin20230504132101mDBLJnCc",
"data": {
"registrationId": "10013100370000520230504123911",
"ExpiryTimestamp": "9999-12-31T23:59:59.100",
"TransactionLimit": null,
"proof": {
"signature": "eyJ4NWMiOlsiTUlJRHRUQ0NBcDJnQXdJQkFnSUlFTDN2UzV5VHVGRXdEUVlKS29aSWh2Y05BUUVMQlFBd2NERUxNQWtHQTFVRUJoTUNTVTR4Q3pBS_yPau0n049iZ81r0QV1MrKppldeGyklbH8jAdtIvoVI6COkW6QSzeimHI9EB1L9g"
},
"credentialType": "vercred",
"protectionKey": "959920"
}
}
}
Once the request is received by the Print Service, it immediately sends back the CredentialStatusEvent
"RECEIVED" to WebSub indicating that it has received the credential URL.
Sample status update request:
{
"publisher": "PRINT_SERVICE",
"topic": "CREDENTIAL_STATUS_UPDATE",
"publishedOn": "2023-03-30T06:51:48.177Z",
"event": {
"id": "1389e511-914e-4696-b1db-6ce8723d7212",
"requestId": "8b388343-ab91-4ade-b68f-5f248060f0bd",
"timestamp": "2023-03-30 06:51:48.177843",
"status": "RECEIVED",
"url": "https://api-internal.mosip.net/v1/datashare/get/mpolicy-default-resident/mpartner-default-resident/{mosip.datashare.partner.id}mpolicy-default-resident20230324065147HVeiufGl"
}
}
Download the encrypted credential using the dataShareURL.
Upon successfully downloading the credential, publish the CredentialStatusEvent
as "DOWNLOADED" to WebSub to update the status.
Decrypt the credential using partner printing system’s private key.
Sample Decrypted Response: Please refer the Verifiable Credential section below.
Validate the credential using the credential’s JWS signature inside the credential proof section
Publish the CredentialStatusEvent
"VALIDATED" to WebSub to update the status.
Consume the validated credential and process it for further printing. The processing of the credential is left to the implementation of the partner printing system. For example, the partner printing system may parse and format the credential and store it in a database or a Message Queue as per the design and implementation of the partner printing system.
After successfully printing, publish the CredentialStatusEvent "PRINTED" to WebSub to update the status.
If any error is observed during the above process, publish the CredentialStatusEvent
"ERROR" to WebSub to update the status.
A sample response for error would be:
{
"publisher": "PRINT_SERVICE",
"topic": "CREDENTIAL_STATUS_UPDATE",
"publishedOn": "2023-03-30T06:51:48.177Z",
"event": {
"id": "1389e511-914e-4696-b1db-6ce8723d7212",
"requestId": "8b388343-ab91-4ade-b68f-5f248060f0bd",
"timestamp": "2023-03-30 06:51:48.177843",
"status": "ERROR",
"msg": "Unable to decrypt credential data"
"url": "https://api-internal.mosip.net/v1/datashare/get/mpolicy-default-resident/mpartner-default-resident/{mosip.datashare.partner.id}mpolicy-default-resident20230324065147HVeiufGl"
}
}
Note: The “ERROR” status and the messages next to it.
The following are standard error messages that should be returned to MOSIP:
“Unable to decrypt credential data”
“Unable to download credential”
“Unable to validate credential”
“Error receiving credential event”
“Unable to print”
Print partners may trigger credential issuance through either of the below channels which would eventually consume the Print Service:
Registration process through Registration Client
Resident Services feature to send the printed UIN to a resident inturn triggers a request to the print partner.
Below is a simple diagram illustrating the flow.
The Print service within the Partner Printing System has to be implemented by the vendor. The team at MOSIP can work with the vendor during the implementation and testing stage of the printing integration process.
MOSIP can interface with any printing system irrespective of it's implementation technology.
MOSIP integrates with an external partner using the MOSIP Partner Management System using which the printing partner is onboarded.
The design of the ID Card is left to the implementation of the printing partner.
The country has to decide the procedure to cleanup the data stored at the location of the print partner after the printing process.
eSignet is integrated with the MOSIP ID Authentication module as an authentication provider. The defined plugins interface has been implemented using the APIs available in the MOSIP ID Authentication module.
Here is a list of the APIs that have been integrated into the eSignet plugin interface implementation.
KYC Authentication API to perform authentication for an identity provider like eSignet
KYC Exchange API to share an encrypted KYC token to an identity provider
Key Binding API to authenticate a user to bind the ID and Wallet of an user
VC Exchange API to share the VC associate to a user who was authenticated earlier and has shared the associated KYC Token
MOSIP's partner management is used to create and manage OIDC clients. Hence, three new APIs have been introduced in partner management,
API to create an OIDC client
API to update an OIDC client
API to retrieve and OIDC client
In order to create a OIDC client,
The relying party, needs to get onboarded into MOSIP using the partner management portal as a authentication partner
The relying party needs to be mapped to a policy in MOSIP
When the relying party is mapped to the policy, using the new , a client can be created for the relying party.
Notes:
A relying party can have multiple clients created against a approved mapped policy.
When a eSignet client is created using partner management APIs, then the client ID is set as the SHA256 hash of the public key provided in the request.
There are also a few modifications in the policies in partner management for a partner opting for OIDC based authentication using eSignet.
Additional Authentication Types have been added for KYC authentication (kycauth), KYC Exchange (kycexchange) and Wallet Local Authentication (wla).
Below is a sample policy for a relying party who is interested in authentication using eSignet.
This document detail steps to configure eSignet for MOSIP.
Once, both MOSIP and eSignet are deployed, eSignet needs to be onboarded in MOSIP as a MISP partner and a new policy called the MISP policy needs to be mapped to the eSignet MISP partner.
Below is the policy that should be mapped to the eSignet MISP partner.
Once the MISP is created and mapped to the above policy, a license key for the eSignet should be created and it should be updated in the esignet-default.properties
against the property name : mosip.esignet.misp.license.key
.
This license key would be used when the are called for eSignet based authentication or exchange.
During the initial setup, the default OIDC claims should to be mapped with the allowed KYC attributes in the relying party policy in the of MOSIP's configurations.
Below is sample how this mapping file is added to the default mapping file of MOSIP.
Verifiable credentials (VCs) are digital credentials that are tamper-proof and are cryptographically secure. They conform to W3C standard. VCs are standard ways to represent a digital credentials on the internet which can be verified programmatically. MOSIP issues a VC to a print partner, that means a print partner can simply verify the credentials using standard techniques.
A sample VC that is created by MOSIP is given below:
Note : The QR code is currently is not part of the VC. This is a work in progress item.
Some of the important attributes of the VC that must be considered are:
issuer : Represents the issuer of the credential. Must be either a URI or an object containing an id property. For example, in the case of a MOSIP server, the URI https://api.mec.mosip.net/.well-known/controller.json resolves to something like below:
where the public-key.json
contains the issuer’s public key.
issuanceDate : Contains the Verifiable Credentials creation date and time in ISO Format. This can be used to print the date of issue on the ID card.
credentialSubject : Contains the demographic and Biometric data for the resident.
Demographic Fields: such as Name, gender, date of birth, Phone number etc as per the the policy of what is shareable to the print partner.
Biometrics: The face photograph of the resident in CBEFF format.
proof : One of more cryptographic proofs that can be used to detect the tampering and verify the authorship of a credential. One of the methods to verify the authenticity of the VC is to ascertain via the signature of the credential using the JWS signature.
type : Indicates that it is a Verifiable Credential.
During the initial setup, the ACR and AMR values needs to be mapped to the MOSIP authentication types in the .
The package and the implementation class names for the plugins needs to be configured in the file.
The below configurations related to MOSIP IDA integration should be updated in the for KYC authentication, exchange, key binding and VCI exchange.
{
"issuanceDate": "2023-04-03T10:22:28.460Z",
"credentialSubject": {
"gender": [
{
"language": "eng",
"value": "Male"
}
],
"city": [
{
"language": "eng",
"value": "Bengaluru"
}
],
"postalCode": "123",
"locality": [
{
"language": "eng",
"value": "Electronics City"
}
],
"fullName": [
{
"language": "eng",
"value": "NambiHosur"
}
],
"dateOfBirth": "1998/01/01",
"VID": "5429581983246107",
"biometrics": "",
"phone": "6379586446",
"addressLine1": [
{
"language": "eng",
"value": "Vakil, Hosur Address"
}
],
"id": "http://credential.idrepo/credentials/5429581983246107",
"vcVer": "VC-V1",
"UIN": "2178026904",
"state": [
{
"language": "eng",
"value": "Karnataka"
}
],
"email": "mail2nambi@gmail.com"
},
"id": "http://credential.idrepo/credentials/8ff3e808-52da-4816-b9c5-9d3252ad06f1",
"proof": {
"type": "RsaSignature2018",
"created": "2023-04-03T10:22:28Z",
"proofPurpose": "assertionMethod",
"verificationMethod": "https://api.mec.mosip.net/.well-known/public-key.json",
"jws": "eyJiNjQiOmZhbHNlLCJjcml0IjpbImI2NCJdLCJraWQiOiJRajZxVEZtRkhQVlVSekFrVGdqZTEyd0NmVXFKVVNyeHFKeEhLNUpKZXFRIiwiYWxnIjoiUFMyNTYifQ..alAgC0RIl1zpc_YMo3Ouuif5hFnhNzCJn4aOkMYLpV84woftpPCi3K59GgorgFcI8Fwj8OSTuR1kJUiPEZCWYDC_FSuxQdlJ01CxcBMlqABqNv9afr_IzT_b5rWfOxfeVD303PxogcQfrDtIsRw2VMP8_6pH_dFVBxd0aDOFrBH5LLBW7q29n_i27szWt6ZkuuLea-ZkeIwm0nN9keiptAOpapRnFaunWlQKmR-JBu_-PVsASqh_7tCeXn-kQajQ3SZ0e9BTh8SauxYcNO8VuA8J6QkoneCt1zhHxqR5ID-j-UoGTkjUW2nb8M2-Yz-XgMJDDV_qZe_nBMcfx9k5Ww"
},
"type": [
"VerifiableCredential",
"MOSIPVerifiableCredential"
],
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://api.mec.mosip.net/.well-known/mosip-context.json",
{
"sec": "https://w3id.org/security#"
}
],
"issuer": "https://api.mec.mosip.net/.well-known/controller.json"
}
{
"@context": "https://w3id.org/security/v2",
"id": "https://api.mec.mosip.net/.well-known/controller.json",
"assertionMethod": [
"https://api.mec.mosip.net/.well-known/public-key.json"
]
}
{
"authTokenType":"policy",
"allowedKycAttributes":[
{
"attributeName":"fullName"
},
{
"attributeName":"gender"
},
{
"attributeName":"phone"
},
{
"attributeName":"email"
},
{
"attributeName":"dateOfBirth"
},
{
"attributeName":"city"
},
{
"attributeName":"face"
},
{
"attributeName":"addressLine1"
}
],
"allowedAuthTypes":[
{
"authSubType":"IRIS",
"authType":"bio",
"mandatory":false
},
{
"authSubType":"FINGER",
"authType":"bio",
"mandatory":false
},
{
"authSubType":"",
"authType":"otp",
"mandatory":false
},
{
"authSubType":"FACE",
"authType":"bio",
"mandatory":false
},
{
"authSubType":"",
"authType":"otp-request",
"mandatory":false
},
{
"authSubType":"",
"authType":"kycauth",
"mandatory":false
},
{
"authSubType":"",
"authType":"kycexchange",
"mandatory":false
},
{
"authSubType":"",
"authType":"wla",
"mandatory":false
}
]
}
{
"allowAuthRequestDelegation":true,
"allowKycRequestDelegation":true,
"trustBindedAuthVerificationToken":true,
"allowKeyBindingDelegation":true
}
{
"identity":{
"name":{
"value":"fullName"
},
"gender":{
"value":"gender"
},
"birthdate":{
"value":"dateOfBirth"
},
"picture":{
"value":"face"
},
"individual_id":{
"value":"individual_id"
},
"street_address":{
"value":"addressLine1,addressLine2,addressLine3"
},
"locality":{
"value":"city"
},
"region":{
"value":"region"
},
"postal_code":{
"value":"postalCode"
},
"country":{
"value":"province"
}
}
}
{
"amr" : {
"PWD" : [{ "type": "PWD" }],
"PIN" : [{ "type": "PIN" }],
"OTP" : [{ "type": "OTP" }],
"Wallet" : [{ "type": "WLA" }],
"L1-bio-device" : [{ "type": "BIO", "count": 1 }]
},
"acr_amr" : {
"mosip:idp:acr:password" : ["PWD"],
"mosip:idp:acr:static-code" : ["PIN"],
"mosip:idp:acr:generated-code" : ["OTP"],
"mosip:idp:acr:linked-wallet" : [ "Wallet" ],
"mosip:idp:acr:biometrics" : [ "L1-bio-device" ]
}
}
mosip.esignet.integration.scan-base-package=io.mosip.authentication.esignet.integration
mosip.esignet.integration.binding-validator=BindingValidatorServiceImpl
mosip.esignet.integration.authenticator=IdaAuthenticatorImpl
mosip.esignet.integration.key-binder=IdaKeyBinderImpl
mosip.esignet.integration.audit-plugin=IdaAuditPluginImpl
mosip.esignet.integration.vci-plugin=IdaVCIssuancePluginImpl
mosip.esignet.authenticator.ida-auth-id=mosip.identity.kycauth
mosip.esignet.authenticator.ida-exchange-id=mosip.identity.kycexchange
mosip.esignet.authenticator.ida-send-otp-id=mosip.identity.otp
mosip.esignet.authenticator.ida-version=1.0
mosip.esignet.authenticator.ida-domainUri=https://${mosip.esignet.host}
mosip.esignet.authenticator.ida.cert-url=https://${mosip.api.public.host}/mosip-certs/ida-partner.cer
mosip.esignet.authenticator.ida.kyc-auth-url=https://${mosip.api.internal.host}/idauthentication/v1/kyc-auth/delegated/${mosip.esignet.misp.license.key}/
mosip.esignet.authenticator.ida.kyc-exchange-url=https://${mosip.api.internal.host}/idauthentication/v1/kyc-exchange/delegated/${mosip.esignet.misp.license.key}/
mosip.esignet.authenticator.ida.send-otp-url=https://${mosip.api.internal.host}/idauthentication/v1/otp/${mosip.esignet.misp.license.key}/
mosip.esignet.binder.ida.key-binding-url=https://${mosip.api.internal.host}/idauthentication/v1/identity-key-binding/delegated/${mosip.esignet.misp.license.key}/
mosip.esignet.authenticator.ida.get-certificates-url=https://${mosip.api.internal.host}/idauthentication/v1/internal/getAllCertificates
mosip.esignet.authenticator.ida.auth-token-url=https://${mosip.api.internal.host}/v1/authmanager/authenticate/clientidsecretkey
mosip.esignet.authenticator.ida.audit-manager-url=https://${mosip.api.internal.host}/v1/auditmanager/audits
mosip.esignet.authenticator.ida.client-id=mosip-ida-client
mosip.esignet.authenticator.ida.secret-key=${mosip.ida.client.secret}
mosip.esignet.authenticator.ida.app-id=ida
mosip.esignet.authenticator.ida-env=Developer
mosip.esignet.authenticator.ida.otp-channels=email,phone
mosip.esignet.ida.vci-user-info-cache=userinfo
mosip.esignet.ida.vci-exchange-id=mosip.identity.vciexchange
mosip.esignet.ida.vci-exchange-version=1.0
mosip.esignet.ida.vci-exchange-url=https://${mosip.api.internal.host}/idauthentication/v1/vci-exchange/delegated/${mosip.esignet.misp.license.key}/
API to validate kycToken returned in kyc-auth call that the kycToken belongs to the provided oidc-client-id and returns encrypted kyc to the caller. This API should be called from IdP service only.
IdP Service License Key. This LK is similar MISP-LK.
Relying Party (RP) Partner ID. This ID will be provided during partner self registration process
OIDC client Id. Auto generated while creating OIDC client in PMS
Digital Signature of the Auth Request. IdP key will be used to generate the signature.
IDA standard request ID. Eg: mosip.identity.kycexchange
Version of the API. Current supported version is '1.0'
Request created time.
Same transaction ID used in kyc-auth request.
UIN/VID of the individual.
kyc token received in kycAuth API response.
List of consents obtained from user.
user selected list of languages.
Response Type for the user claims. Currently defaulted to signed JWT.
OK
IDA standard response ID. Eg: mosip.identity.kycexchange
Version of the API. Current supported version is '1.0'
Response Time of the request.
The Response Object contains the user kyc. KYC will be build based the consented user claims.
JWT Signed user consented claims.
In case of invalid kyc token, errors will be returned as an array. Each error object contains error code and error message. if kyc token is valid the errors object will be null.
Unique Error Code will be include if case of auth failure.
Error Code specific error message will be included in the error object.
API to validate kycToken returned in kyc-auth call that the kycToken belongs to the provided oidc-client-id & issued to the same identity used in kyc-auth and returns verifiable credentials to the caller. This API should be called from eSignet service.
IdP Service License Key. This LK is similar MISP-LK.
Relying Party (RP) Partner ID. This ID will be provided during partner self registration process
OIDC client Id. Auto generated while creating OIDC client in PMS
Digital Signature of the Auth Request. IdP key will be used to generate the signature.
IDA standard request ID. Eg: mosip.identity.vciexchange
Version of the API. Current supported version is '1.0'
Request created time.
Tansaction ID used in kyc-auth request.
UIN/VID of the individual.
kyc token received in kycAuth API response.
JWK DID of the Identity. Eg: did:jwk:ewogICAgImt0eSI6ICJSU0EiLAogICAgImUiOiAiQVFBQiIsCiAgICAibiI6ICJtaFZOaERpaW1WdTQxV0xCRWJzYVpLWUZRTTJrZXBHREQwWDRZNHp2VW8zZEVET3lTbDd0bXhha3RfVnlodXRJdWp3ZlJQMmxTTTRIQ2lZS3BYSXdBNmljVHIyWThDSnc2VDU1bWVRWWJmRHZxLV9QRXNWMDRobEYzUS10cnU2ajhPbUpRdWwzTGtSR05mN3Z6VFNSRmstUU9rcmNuVDRPaC1YbGhCRjhFNFFHNFdTVFF2Qk1xOVdTQ05lZjZkVWFOQ3JXY0lDQ1Q2bi1peHFKLTJBREEzYk5TcWpqS0REQktTM1VPRy1jbUlfTTdKY19BYWJod1JLLTM2blphWGJWLUdQYjR5UjdTNVY5MUhtdTZhS3JJdVdRM1ByY0FlWkZvZ1VuYjlLMUpHS0dhOWJ2S3F0TWd5TjNLdS1aMFdDT3Z1dUtMNndNNzduSDJWdGtJRDZNNVEiCn0
Verifiable credential format needed in response object. Supported Format : ldp_vc
Credential Definition Object of the Identity.
List of optional claims to be added to the credential to be issued.
Issued credentials should have at least one type from the list of types.
list of Context URI to validate the credential subject.
list of locales to be included in the issued VC.
OK
IDA standard response ID. Eg: mosip.identity.kycexchange
Version of the API. Current supported version is '1.0'
Response Time of the request.
The Response Object contains the issued VC. Different response object types will be returned based the requested format. Eg: for ldp_vc the returned response object is JsonLDObject
In case of invalid kyc token, errors will be returned as an array. Each error object contains error code and error message. if kyc token is valid the errors object will be null.
Unique Error Code will be include if case of auth failure.
Error Code specific error message will be included in the error object.
API to perform the ID Authentication based on allowed auth policy. Does validation of provided path parameters before doing the actual authentication. Returns a new KYC token and partner specific user token. This API should be called from IdP service only.
Relying Party (RP) Partner ID. This ID will be provided during partner self registration process
OIDC client Id. Auto generated while creating OIDC client in PMS
IdP Service License Key. This LK is similar MISP-LK.
Digital Signature of the Auth Request. IdP key will be used to generate the signature.
Auth Request Body
IDA standard request ID. Eg: mosip.identity.kycauth
Version of the API. Current supported version is '1.0'
UIN/VID of the individual.
Parameter to indicate individual type. Type can be UIN/VID
any random alpha numberic string. Allowed max size is 10.
Request created time
IDA Specification version. Current Supported version is 1.0
Thumbprint of the certificate used for encrypting the auth request.
Domain uri of the server
Name of the environment
Authentication Request with one of the auth challenges. Supported Challenges are: OTP, DEMO and BIOMETRICS
This attributes is mandatory if OTP Authentication is performed.
This is not supported auth factor in current IDA version.
This attributes is mandatory if Demographics Authentication is performed.
This attributes is mandatory if Demographics Authentication is performed.
This attributes is mandatory if BIOMETRICS Authentication is performed.
Data attribute contains captured encrypted biometric. Data object should be formed as per the SBI Spec. All inner objects and inner attributes are mandatory as per SBI Specifications.
This attributes is mandatory if Key Binded Token Authentication is performed.
Token type for which the key needs to be binded. Supported token type(s): WLA (Wallet Local Auth)
TOken created in JWT format with below list of mandatory claims.
In Which format the token needs to be generated. Current supported format is JWT.
User provided Consent either true or false
HMAC value generated of the whole request.
Session key used to encrypt the request.
Any additional attributes needs to be processedin authentication.
Allowed KYC Attributes List.
OK
IDA standard response ID. Eg: mosip.identity.kycauth
Version of the API. Current supported version is '1.0'
Response Time of the request.
The Response Object contains the details whether auth is successful or not. If Auth successful kycToken will be included in the response otherwise kycToken will be null.
If Auth successful kycToken will be included in the response otherwise kycToken will be null.
Partner Specific User Token will be generated and returned. Both auth success/failed case PSU token will be included in the response.
Auth Status. True will be returned if auth is successful otherwise false.
In case of auth failed, respective all errors will be returned as an array. Each error object contains error code and error message. If auth success, error object will be null.
Unique Error Code will be include if case of auth failure.
Error Code specific error message will be included in the error object.
API to perform the ID Authentication based for the provided identity data and based on allowed auth policy. To identity the auth partner API will perform validation of provided path parameters before performing the actual authentication. Wallet will include a public key in the request to be binded for the input VID/UIN Returns a status of key binding, partner specific user token, certificate generated for the input public key (this certificate will be binded to the input VID/UIN). Certificate will be returned only when the authenticate is passed. This API should be called from eSignet service and from Inji Wallet.
Relying Party (RP) Partner ID. This ID will be provided during partner self registration process
IdP Service License Key. This LK is similar MISP-LK.
Digital Signature of the Auth Request. IdP key will be used to generate the signature.
Auth Request Body
IDA standard request ID. Eg: mosip.identity.keybinding
Version of the API. Current supported version is '1.0'
UIN/VID of the individual.
Parameter to indicate individual type. Type can be UIN/VID
any random alpha numberic string. Allowed max size is 10.
Request created time
IDA Specification version. Current Supported version is 1.0
Thumbprint of the certificate used for encrypting the auth request.
Domain uri of the server
Name of the environment
Authentication Request with one of the auth challenges. Supported Challenges are: OTP, DEMO and BIOMETRICS
This attributes is mandatory if OTP Authentication is performed.
This is not supported auth factor in current IDA version.
This attributes is mandatory if Demographics Authentication is performed.
This attributes is mandatory if Demographics Authentication is performed.
This attributes is mandatory if BIOMETRICS Authentication is performed.
Data attribute contains captured encrypted biometric. Data object should be formed as per the SBI Spec. All inner objects and inner attributes are mandatory as per SBI Specifications.
User provided Consent either true or false
HMAC value generated of the whole request.
Session key used to encrypt the request.
Any additional attributes needs to be processedin authentication.
Key details needs to be binded to the identity after successful authentication.
At least 1 key input needs to be provided. The input public key to be in JWK format. Multiple keys are allowed to be binded to the same identity. Supported key type: RSA
Public Key in JWK format. Eg: { "kty": "RSA", "e": "AQAB", "use": "sig", "alg": "RS256", "n": "p3Beq05VQmU_opZdrXtHLrJiXr7Yl4FnDt4UkvQEw8HGW-xY8UFfhF01zedrV1FHg38uqOlYbkLnYGRjyt_dgW2BZBEYpcB93sLWrdx59EquRyF4I6B_sq1gHijzBYXmOxFl8NBR6x2d7tyVgAV4YhJ3e070Ik2AUhZsHLDtiaPFKkxxo1cOjxsL5g5jBM-OOzonV6n61jjjexgWNNwYqop2viklmlQrrUE0VEnDOUwQowWtRqHbS4GDoUBb6ea9DONWxO1As6yDdKukb5KJ4O2z_okRmj9CN3u2ZanCW3xsI5_EBCHE7VpD1CWk5u_aFmCGJ7gIjI2uBfPmF-7qFw" }
Authe Factor Type for the binded key. Eg: WLA
OK
IDA standard response ID. Eg: mosip.identity.keybinding
Version of the API. Current supported version is '1.0'
Response Time of the request.
The Response Object contains the details whether auth is successful or not. If Auth successful kycToken will be included in the response otherwise kycToken will be null.
If Auth successful a certificate will be generated using IDA Key Binding and returned as identity certificate.
Partner Specific User Token will be generated and returned. Both auth success/failed case PSU token will be included in the response.
Binding Auth Status. True will be returned if auth is successful and key binding is completed otherwise false.
In case of auth failed, respective all errors will be returned as an array. Each error object contains error code and error message. If auth success, error object will be null.
Unique Error Code will be include if case of auth failure.
Error Code specific error message will be included in the error object.
const response = await fetch('https://api-internal.collab.mosip.net/idauthentication/v1/kyc-exchange/delegated/{IdP-LK}/{Auth-Partner-ID}/{oidc-client-id}', {
method: 'POST',
headers: {
"Content-Type": "application/json"
},
body: JSON.stringify({
"id": "text",
"version": "text",
"requesttime": "text",
"transactionID": "text",
"individualId": "text",
"kycToken": "text",
"consentObtained": [
"text"
]
}),
});
const data = await response.json();
{
"id": "text",
"version": "text",
"responseTime": "text",
"response": {
"encryptedKyc": "text"
},
"errors": [
{
"errorCode": "text",
"errorMessage": "text"
}
]
}
const response = await fetch('https://api-internal.collab.mosip.net/idauthentication/v1/vci-exchange/delegated/{IdP-LK}/{Auth-Partner-ID}/{OIDC-Client-Id}', {
method: 'POST',
headers: {
"Content-Type": "application/json"
},
body: JSON.stringify({
"id": "text",
"version": "text",
"requesttime": "text",
"transactionID": "text",
"individualId": "text",
"vcAuthToken": "text",
"credSubjectId": "text",
"vcFormat": "text",
"credentialsDefinition": {
"type": [
"text"
]
}
}),
});
const data = await response.json();
{
"id": "text",
"version": "text",
"responseTime": "text",
"errors": [
{
"errorCode": "text",
"errorMessage": "text"
}
]
}
const response = await fetch('https://api-internal.collab.mosip.net/idauthentication/v1/key-auth/delegated/{IdP-LK}/{Auth-Partner-ID}/{oidc-client-id}', {
method: 'POST',
headers: {
"Content-Type": "application/json"
},
body: JSON.stringify({
"id": "text",
"version": "text",
"individualId": "text",
"transactionID": "text",
"requestTime": "text",
"specVersion": "text",
"thumbprint": "text",
"domainUri": "text",
"env": "text",
"request": {
"otp": "text",
"timestamp": "text",
"demographics": {},
"biometrics": [
{
"data": {}
}
],
"keyBindedTokens": {}
},
"consentObtained": false,
"requestHMAC": "text",
"requestSessionKey": "text"
}),
});
const data = await response.json();
{
"id": "text",
"version": "text",
"responseTime": "text",
"response": {
"kycToken": "text",
"authToken": "text",
"kycStatus": false
},
"errors": [
{
"errorCode": "text",
"errorMessage": "text"
}
]
}
const response = await fetch('https://api-internal.collab.mosip.net/idauthentication/v1/identity-key-binding/delegated/{IdP-LK}/{Auth-Partner-ID}/{OIDC-Client-Id}', {
method: 'POST',
headers: {
"Content-Type": "application/json"
},
body: JSON.stringify({
"id": "text",
"version": "text",
"individualId": "text",
"transactionID": "text",
"requestTime": "text",
"specVersion": "text",
"thumbprint": "text",
"domainUri": "text",
"env": "text",
"request": {
"otp": "text",
"timestamp": "text",
"demographics": {},
"biometrics": [
{
"data": {}
}
]
},
"consentObtained": false,
"requestHMAC": "text",
"requestSessionKey": "text",
"identityKeyBinding": {
"publicKeyJWK": {},
"authFactorType": "text"
}
}),
});
const data = await response.json();
{
"id": "text",
"version": "text",
"responseTime": "text",
"response": {
"identityCertificate": "text",
"authToken": "text",
"bindingAuthStatus": false
},
"errors": [
{
"errorCode": "text",
"errorMessage": "text"
}
]
}
Service to get OIDCClient details
OK
const response = await fetch('https://localhost/v1/partnermanager/oidc/client/{client_id}?client_id=text', {
method: 'GET',
headers: {},
});
const data = await response.json();
{
"id": "text",
"version": "text",
"responsetime": "2025-01-28T23:03:53.078Z",
"response": {
"id": "text",
"name": "text",
"policyId": "text",
"policyName": "text",
"relyingPartyId": "text",
"logoUri": "text",
"redirectUris": [
"text"
],
"publicKey": "text",
"claims": [
"text"
],
"acrValues": [
"text"
],
"status": "text",
"grantTypes": [
"text"
],
"clientAuthMethods": [
"text"
]
},
"errors": [
{
"errorCode": "text",
"message": "text"
}
]
}
Creates OIDCClient and return Client id
OK
const response = await fetch('https://localhost/v1/partnermanager/oidc/client', {
method: 'POST',
headers: {
"Content-Type": "application/json"
},
body: JSON.stringify({
"request": {
"name": "text",
"policyId": "text",
"authPartnerId": "text",
"logoUri": "text",
"redirectUris": [
"text"
],
"grantTypes": [
"text"
],
"clientAuthMethods": [
"text"
]
}
}),
});
const data = await response.json();
{
"id": "text",
"version": "text",
"responsetime": "2025-01-28T23:03:53.078Z",
"response": {
"clientId": "text",
"status": "text"
},
"errors": [
{
"errorCode": "text",
"message": "text"
}
]
}
Service to update details of OIDCClient
^(ACTIVE)|(INACTIVE)$
OK
const response = await fetch('https://localhost/v1/partnermanager/oidc/client/{client_id}', {
method: 'PUT',
headers: {
"Content-Type": "application/json"
},
body: JSON.stringify({
"request": {
"logoUri": "text",
"redirectUris": [
"text"
],
"status": "text",
"grantTypes": [
"text"
],
"clientName": "text",
"clientAuthMethods": [
"text"
]
}
}),
});
const data = await response.json();
{
"id": "text",
"version": "text",
"responsetime": "2025-01-28T23:03:53.078Z",
"response": {
"clientId": "text",
"status": "text"
},
"errors": [
{
"errorCode": "text",
"message": "text"
}
]
}