Client management with PMS

e-Signet is onboarded as MISP partner in MOSIP system with the below policy:

 {
 "allowAuthRequestDelegation": true,
 "allowKycRequestDelegation": true,
 "trustBindedAuthVerificationToken": true,
 "allowKeyBindingDelegation": true
 }

License key of the MISP partner must be updated in the esignet-default.properties. Property name : mosip.esignet.misp.license.key
Create and Update of OIDC clients are managed via PMS.\

Service to create OIDCClient

post

Creates OIDCClient and return Client id

Body

idstringOptional

versionstringOptional

requesttimestring · date-timeOptional

metadataobjectOptional

Responses

200

*/*

post

/oidc/client

POST /v1/partnermanager/oidc/client HTTP/1.1
Host: localhost
Content-Type: application/json
Accept: */*
Content-Length: 287

{
  "id": "text",
  "version": "text",
  "requesttime": "2026-01-17T01:47:53.819Z",
  "metadata": {},
  "request": {
    "name": "text",
    "policyId": "text",
    "publicKey": {
      "ANY_ADDITIONAL_PROPERTY": {}
    },
    "authPartnerId": "text",
    "logoUri": "text",
    "redirectUris": [
      "text"
    ],
    "grantTypes": [
      "text"
    ],
    "clientAuthMethods": [
      "text"
    ]
  }
}

200

{
  "id": "text",
  "version": "text",
  "responsetime": "2026-01-17T01:47:53.819Z",
  "metadata": {},
  "response": {
    "clientId": "text",
    "status": "text"
  },
  "errors": [
    {
      "errorCode": "text",
      "message": "text"
    }
  ]
}

Service to update details of OIDCClient

put

Service to update details of OIDCClient

Path parameters

client_idstringRequired

Body

idstringOptional

versionstringOptional

requesttimestring · date-timeOptional

metadataobjectOptional

Responses

200

*/*

put

/oidc/client/{client_id}

PUT /v1/partnermanager/oidc/client/{client_id} HTTP/1.1
Host: localhost
Content-Type: application/json
Accept: */*
Content-Length: 225

{
  "id": "text",
  "version": "text",
  "requesttime": "2026-01-17T01:47:53.819Z",
  "metadata": {},
  "request": {
    "logoUri": "text",
    "redirectUris": [
      "text"
    ],
    "status": "text",
    "grantTypes": [
      "text"
    ],
    "clientName": "text",
    "clientAuthMethods": [
      "text"
    ]
  }
}

200

{
  "id": "text",
  "version": "text",
  "responsetime": "2026-01-17T01:47:53.819Z",
  "metadata": {},
  "response": {
    "clientId": "text",
    "status": "text"
  },
  "errors": [
    {
      "errorCode": "text",
      "message": "text"
    }
  ]
}

Relying party is onboarded as an Auth partner. Auth partner is required to have the below allowed auth-types in the policy.

{ "allowedAuthTypes" : [
                        {"authSubType":"","authType":"kycauth","mandatory":false},
                        {"authSubType":"","authType":"kycexchange","mandatory":false},
                        {"authSubType":"","authType":"otp-request","mandatory":false},
                       ]
}

An auth-partner may have one or more OIDC clients.
SHA-256 hash of the OIDC client public key is considered as clientID.
Authentication Context References (ACR) and user claims are derived based on the policy of the auth partner.
a. allowedKycAttributes are used to derive user claims using the identity_mapping.json
b. allowedAuthTypes are used to derive ACR values using the amr-acr-mapping.json
Client management endpoints of e-Signet oidc-service is invoked from PMS with the derived values, clientID and the provided public-key.
Also, the client-details with policy and partner details are sent as an event to MOSIP IDA system.

Configurations

To get the mapping of OIDC claims with MOSIP KYC-attributes.
To get the mapping of auth types in policy with ACR values.
The claims supported by e-Signet should be present in identity-mapping.json file.

Sample auth-policy of a relying party

{"authTokenType":"policy",
  "allowedKycAttributes":[{"attributeName":"fullName"},
    {"attributeName":"gender"},
    {"attributeName":"phone"},
    {"attributeName":"email"},
    {"attributeName":"dateOfBirth"},
    {"attributeName":"city"},
    {"attributeName":"face"},
    {"attributeName":"addressLine1"}],
  "allowedAuthTypes":[{"authSubType":"IRIS","authType":"bio","mandatory":false},
    {"authSubType":"FINGER","authType":"bio","mandatory":false},
    {"authSubType":"","authType":"otp","mandatory":false},
    {"authSubType":"FACE","authType":"bio","mandatory":false},
    {"authSubType":"","authType":"otp-request","mandatory":false},
    {"authSubType":"","authType":"kycauth","mandatory":false},
    {"authSubType":"","authType":"kycexchange","mandatory":false},
    {"authSubType":"","authType":"wla","mandatory":false}]
}

PreviousIDA as authentication system NextCommunity

Last updated 2 years ago

hashtagService to create OIDCClient

hashtagService to update details of OIDCClient

hashtagConfigurations

hashtagSample auth-policy of a relying party

Service to create OIDCClient

Service to update details of OIDCClient

Configurations

Sample auth-policy of a relying party