In these times of digital transformation, most services are moving online globally. Personalized access to online services is enabled through the use of a trusted digital identity. eSignet aims to offer a simple yet powerful mechanism for end users to identify themselves in order to avail of online services and also share their profile information.
eSignet supports multiple modes of identity verification to promote inclusion and increase access, thus narrowing potential digital divides. It also provides an elegant and easy way for an existing trusted identity database to make the identity digital and provision identity verification and service access.
There is a need to support more verification methods in order to be inclusive. Current approaches do not address privacy concerns comprehensively. We are constantly looking at ways to bridge the digital divide with better privacy. Here is a short introduction to identity verification methods. Also, do check out the material on modern approaches to identity using verifiable credentials for decentralized verification.
What can eSignet be used for?
eSignet can be a login provider for a relying party application to enable access to the service without creating yet another set of login credentials (username/password combination).
eSignet can be used for assured identity verification of an individual against an identity provider. The identity provider could be a national identity database, a driver's license system, a passport system or any other trusted identity provider. The assurance level is based on the authentication factor used, with biometric authentication offering user presence assurance.
eSignet can be used for consented data sharing for profile creation or eKYC needs of relying parties. Authentication requests from a relying party can be accompanied by a request for a set of attributes suitable for profile creation or meeting eKYC process norms. The requested information is shared after the user provides consent as part of the eSignet login flow.
To know more about eSignet, its features, components, integrations etc., read through the eSignet documentation.
To know more about integrations with MOSIP, refer to the following documents:
eSignet is integrated with the MOSIP ID Authentication module as an authentication provider. The defined plugins interface has been implemented using the APIs available in the MOSIP ID Authentication module.
Here is a list of the APIs that have been integrated into the eSignet plugin interface implementation.
KYC Authentication API to perform authentication for an identity provider like eSignet
KYC Exchange API to share an encrypted KYC token to an identity provider
Key Binding API to authenticate a user in order to bind the ID and the Wallet of a user
VC Exchange API to share the VC associated with a user who was authenticated earlier and has shared the associated KYC Token
MOSIP's partner management is used to create and manage OIDC clients. Hence, three new APIs have been introduced in partner management:
API to create an OIDC client
API to update an OIDC client
API to retrieve an OIDC client
There are also a few modifications in the policies in partner management for a partner opting for OIDC based authentication using eSignet.
Additional Authentication Types have been added for KYC authentication (kycauth), KYC Exchange (kycexchange) and Wallet Local Authentication (wla).
Below is a sample policy for a relying party who is interested in authentication using eSignet.
This document details the steps to configure eSignet for MOSIP.
Once both MOSIP and eSignet are deployed, eSignet needs to be onboarded in MOSIP as a MISP partner, and a new policy called the MISP policy needs to be mapped to the eSignet MISP partner.
Below is the policy that should be mapped to the eSignet MISP partner.
Once the MISP is created and mapped to the above policy, a license key for eSignet should be created and updated in esignet-default.properties against the property name mosip.esignet.misp.license.key.
This license key would be used when the MOSIP IDA APIs are called for eSignet based authentication or exchange.
During the initial setup, the default OIDC claims should be mapped to the allowed KYC attributes in the relying party policy in the identity-mapping.json of MOSIP's configurations.
Below is a sample of how this mapping is added to the default mapping file of MOSIP.
During the initial setup, the ACR and AMR values need to be mapped to the MOSIP authentication types in amr-acr-mapping.json.
The package and the implementation class names for the plugins need to be configured in the esignet-default.properties file.
The below configurations related to MOSIP IDA integration should be updated in the esignet-default.properties for KYC authentication, exchange, key binding and VCI exchange.
Creates an OIDCClient and returns the client id
OK
Service to get OIDCClient details
OK
Service to update details of an OIDCClient
Status value must match ^(ACTIVE)|(INACTIVE)$ (ACTIVE or INACTIVE)
OK
API that validates that the kycToken returned by the kyc-auth call belongs to the provided oidc-client-id and returns the encrypted KYC to the caller. This API should be called from the IdP service only.
IdP Service License Key. This license key is similar to the MISP license key.
Relying Party (RP) Partner ID. This ID is provided during the partner self-registration process.
OIDC client Id. Auto-generated while creating the OIDC client in PMS.
Digital signature of the auth request. The IdP key is used to generate the signature.
IDA standard request ID. Eg: mosip.identity.kycexchange
Version of the API. Current supported version is '1.0'
Request creation time.
Same transaction ID used in kyc-auth request.
UIN/VID of the individual.
kycToken received in the kycAuth API response.
List of consents obtained from the user.
User-selected list of languages.
Response Type for the user claims. Currently defaulted to signed JWT.
OK
IDA standard response ID. Eg: mosip.identity.kycexchange
Version of the API. Current supported version is '1.0'
Response Time of the request.
The Response Object contains the user KYC. The KYC is built from the consented user claims.
User-consented claims as a signed JWT.
In case of an invalid kycToken, errors are returned as an array. Each error object contains an error code and an error message. If the kycToken is valid, the errors object is null.
A unique error code is included in case of auth failure.
An error-code-specific error message is included in the error object.
API that validates that the kycToken returned by the kyc-auth call belongs to the provided oidc-client-id and was issued to the same identity used in kyc-auth, and returns verifiable credentials to the caller. This API should be called from the eSignet service.
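As an added illustration of the kyc-exchange rules described above (the kycToken must belong to the calling OIDC client and the identity authenticated in kyc-auth, and only claims that are both allowed by the relying party policy and consented to by the user are released, in the user-selected languages), here is a small Python model. It is not MOSIP or eSignet code; the identity record, the claim-to-attribute mapping, the token store and the error code are constructed assumptions.

```python
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed OIDC-claim -> identity-attribute mapping. It stands in for the role
# identity-mapping.json plays in MOSIP; the real file's layout is different.
CLAIM_TO_ATTRIBUTE = {"name": "fullName", "birthdate": "dateOfBirth",
                      "phone_number": "phone", "email": "email"}

# Constructed identity record. Language-tagged attributes hold one value per locale.
IDENTITY = {
    "fullName": [{"language": "eng", "value": "Test User"},
                 {"language": "fra", "value": "Utilisateur Test"}],
    "dateOfBirth": "1990/01/01",
    "phone": "9999999999",
    "email": "test@example.com",
}

# kycTokens issued by kyc-auth: which OIDC client, identity and transaction each belongs to.
ISSUED_TOKENS: Dict[str, dict] = {}

def issue_kyc_token(oidc_client_id: str, individual_id: str, transaction_id: str) -> str:
    """Success path of kyc-auth: mint an opaque token bound to the caller's context."""
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = {"client": oidc_client_id, "individual": individual_id,
                            "txn": transaction_id}
    return token

def kyc_exchange(kyc_token: str, oidc_client_id: str, individual_id: str,
                 transaction_id: str, policy_allowed: List[str],
                 consented: List[str], locales: List[str]) -> Tuple[Optional[dict], Optional[list]]:
    """kyc-exchange: return (claims, None) on success or (None, errors) on an invalid token."""
    entry = ISSUED_TOKENS.get(kyc_token)
    if entry is None or entry != {"client": oidc_client_id, "individual": individual_id,
                                  "txn": transaction_id}:
        # Placeholder error code; real IDA error codes are not reproduced here.
        return None, [{"errorCode": "ERR-KYC-TOKEN", "errorMessage": "Invalid kycToken"}]
    del ISSUED_TOKENS[kyc_token]  # single use: a replayed token fails the check above
    claims = {}
    for claim in consented:
        if claim not in policy_allowed:  # consent can never widen the relying party's policy
            continue
        value = IDENTITY.get(CLAIM_TO_ATTRIBUTE.get(claim, ""))
        if isinstance(value, list):  # language-tagged: emit OIDC "claim#lang" keys
            for item in value:
                if item["language"] in locales:
                    claims[f"{claim}#{item['language']}"] = item["value"]
        elif value is not None:
            claims[claim] = value
    return claims, None
```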
IdP Service License Key. This license key is similar to the MISP license key.
Relying Party (RP) Partner ID. This ID is provided during the partner self-registration process.
OIDC client Id. Auto-generated while creating the OIDC client in PMS.
Digital signature of the auth request. The IdP key is used to generate the signature.
IDA standard request ID. Eg: mosip.identity.vciexchange
Version of the API. Current supported version is '1.0'
Request creation time.
Transaction ID used in the kyc-auth request.
UIN/VID of the individual.
kycToken received in the kycAuth API response.
JWK DID of the identity. Eg: did:jwk:…
Verifiable credential format needed in response object. Supported Format : ldp_vc
Credential Definition Object of the Identity.
List of optional claims to be added to the credential to be issued.
Issued credentials should have at least one type from the list of types.
List of context URIs to validate the credential subject.
List of locales to be included in the issued VC.
OK
IDA standard response ID. Eg: mosip.identity.kycexchange
Version of the API. Current supported version is '1.0'
Response Time of the request.
The Response Object contains the issued VC. Different response object types are returned based on the requested format. Eg: for ldp_vc the returned response object is a JsonLDObject.
In case of an invalid kycToken, errors are returned as an array. Each error object contains an error code and an error message. If the kycToken is valid, the errors object is null.
A unique error code is included in case of auth failure.
Error Code specific error message will be included in the error object.
API to perform ID Authentication based on the allowed auth policy. Validates the provided path parameters before performing the actual authentication. Returns a new KYC token and a partner-specific user token. This API should be called from the IdP service only.
Relying Party (RP) Partner ID. This ID is provided during the partner self-registration process.
OIDC client Id. Auto-generated while creating the OIDC client in PMS.
IdP Service License Key. This license key is similar to the MISP license key.
Digital signature of the auth request. The IdP key is used to generate the signature.
Auth Request Body
IDA standard request ID. Eg: mosip.identity.kycauth
Version of the API. Current supported version is '1.0'
UIN/VID of the individual.
Parameter to indicate the individual type. Type can be UIN or VID.
Any random alphanumeric string. Allowed maximum size is 10.
Request creation time
IDA Specification version. Current supported version is 1.0
Thumbprint of the certificate used for encrypting the auth request.
Domain URI of the server
Name of the environment
Authentication Request with one of the auth challenges. Supported Challenges are: OTP, DEMO and BIOMETRICS
This attribute is mandatory if OTP Authentication is performed.
This auth factor is not supported in the current IDA version.
This attribute is mandatory if Demographics Authentication is performed.
This attribute is mandatory if Demographics Authentication is performed.
This attribute is mandatory if BIOMETRICS Authentication is performed.
The data attribute contains the captured encrypted biometric. The data object should be formed as per the SBI Spec. All inner objects and inner attributes are mandatory as per the SBI Specifications.
This attribute is mandatory if Key-Bound Token Authentication is performed.
Token type for which the key needs to be bound. Supported token type(s): WLA (Wallet Local Auth)
Token created in JWT format with the mandatory claims listed below.
The format in which the token needs to be generated. Current supported format is JWT.
User-provided consent, either true or false
HMAC value generated over the whole request.
Session key used to encrypt the request.
Any additional attributes that need to be processed in authentication.
Allowed KYC Attributes List.
OK
IDA standard response ID. Eg: mosip.identity.kycauth
Version of the API. Current supported version is '1.0'
Response Time of the request.
The Response Object contains the details of whether auth is successful or not. If auth is successful, the kycToken is included in the response; otherwise kycToken is null.
If auth is successful, the kycToken is included in the response; otherwise kycToken is null.
A Partner-Specific User Token is generated and returned. In both the auth success and auth failure cases the PSU token is included in the response.
Auth status. True is returned if auth is successful, otherwise false.
In case of auth failure, all respective errors are returned as an array. Each error object contains an error code and an error message. If auth succeeds, the error object is null.
A unique error code is included in case of auth failure.
An error-code-specific error message is included in the error object.
API to perform ID Authentication for the provided identity data, based on the allowed auth policy. To identify the auth partner, the API validates the provided path parameters before performing the actual authentication. The wallet includes in the request a public key to be bound to the input VID/UIN. Returns the status of the key binding, a partner-specific user token, and a certificate generated for the input public key (this certificate is bound to the input VID/UIN). The certificate is returned only when authentication passes. This API should be called from the eSignet service and from Inji Wallet.
Relying Party (RP) Partner ID. This ID is provided during the partner self-registration process.
IdP Service License Key. This license key is similar to the MISP license key.
Digital signature of the auth request. The IdP key is used to generate the signature.
Auth Request Body
IDA standard request ID. Eg: mosip.identity.keybinding
Version of the API. Current supported version is '1.0'
UIN/VID of the individual.
Parameter to indicate the individual type. Type can be UIN or VID.
Any random alphanumeric string. Allowed maximum size is 10.
Request creation time
IDA Specification version. Current supported version is 1.0
Thumbprint of the certificate used for encrypting the auth request.
Domain URI of the server
Name of the environment
Authentication Request with one of the auth challenges. Supported Challenges are: OTP, DEMO and BIOMETRICS
This attribute is mandatory if OTP Authentication is performed.
This auth factor is not supported in the current IDA version.
This attribute is mandatory if Demographics Authentication is performed.
This attribute is mandatory if Demographics Authentication is performed.
This attribute is mandatory if BIOMETRICS Authentication is performed.
The data attribute contains the captured encrypted biometric. The data object should be formed as per the SBI Spec. All inner objects and inner attributes are mandatory as per the SBI Specifications.
User-provided consent, either true or false
HMAC value generated over the whole request.
Session key used to encrypt the request.
Any additional attributes that need to be processed in authentication.
Key details to be bound to the identity after successful authentication.
At least one key input needs to be provided. The input public key must be in JWK format. Multiple keys are allowed to be bound to the same identity. Supported key type: RSA
Public Key in JWK format. Eg: { "kty": "RSA", "e": "AQAB", "use": "sig", "alg": "RS256", "n": "p3Beq05VQmU_opZdrXtHLrJiXr7Yl4FnDt4UkvQEw8HGW-xY8UFfhF01zedrV1FHg38uqOlYbkLnYGRjyt_dgW2BZBEYpcB93sLWrdx59EquRyF4I6B_sq1gHijzBYXmOxFl8NBR6x2d7tyVgAV4YhJ3e070Ik2AUhZsHLDtiaPFKkxxo1cOjxsL5g5jBM-OOzonV6n61jjjexgWNNwYqop2viklmlQrrUE0VEnDOUwQowWtRqHbS4GDoUBb6ea9DONWxO1As6yDdKukb5KJ4O2z_okRmj9CN3u2ZanCW3xsI5_EBCHE7VpD1CWk5u_aFmCGJ7gIjI2uBfPmF-7qFw" }
Auth factor type for the bound key. Eg: WLA
OK
IDA standard response ID. Eg: mosip.identity.keybinding
Version of the API. Current supported version is '1.0'
Response Time of the request.
The Response Object contains the details of whether auth is successful or not. If auth is successful, the kycToken is included in the response; otherwise kycToken is null.
If auth is successful, a certificate is generated using IDA Key Binding and returned as the identity certificate.
A Partner-Specific User Token is generated and returned. In both the auth success and auth failure cases the PSU token is included in the response.
Binding auth status. True is returned if auth is successful and key binding is completed, otherwise false.
In case of auth failure, all respective errors are returned as an array. Each error object contains an error code and an error message. If auth succeeds, the error object is null.
A unique error code is included in case of auth failure.
Error Code specific error message will be included in the error object.