Client management with PMS

• e-Signet is onboarded as MISP partner in MOSIP system with the below policy:

   {
   "allowAuthRequestDelegation": true,
   "allowKycRequestDelegation": true,
   "trustBindedAuthVerificationToken": true,
   "allowKeyBindingDelegation": true
   }

• License key of the MISP partner must be updated in the esignet-default.properties. Property name : mosip.esignet.misp.license.key

• Create and Update of OIDC clients are managed via PMS.\

Service to create OIDCClient

Creates OIDCClient and return Client id

POSThttps://localhost/v1/partnermanager/oidc/client

Body

application/json

idstring

versionstring

requesttimestring (date-time)

metadataobject

request*object

Response

200

OK

Body

*/*

idstring

versionstring

responsetimestring (date-time)

metadataobject

response*object

errorsarray of object

Request

JavaScriptCurlPythonHTTP

const response = await fetch('https://localhost/v1/partnermanager/oidc/client', {
    method: 'POST',
    headers: {
      "Content-Type": "application/json"
    },
    body: JSON.stringify({
      "request": {
        "name": "text",
        "policyId": "text",
        "authPartnerId": "text",
        "logoUri": "text",
        "redirectUris": [
          "text"
        ],
        "grantTypes": [
          "text"
        ],
        "clientAuthMethods": [
          "text"
        ]
      }
    }),
});
const data = await response.json();

Response

200

{
  "id": "text",
  "version": "text",
  "responsetime": "2025-01-30T22:38:12.547Z",
  "response": {
    "clientId": "text",
    "status": "text"
  },
  "errors": [
    {
      "errorCode": "text",
      "message": "text"
    }
  ]
}

Service to update details of OIDCClient

Service to update details of OIDCClient

PUThttps://localhost/v1/partnermanager/oidc/client/{client_id}

Path parameters

client_id*string

Body

application/json

idstring

versionstring

requesttimestring (date-time)

metadataobject

request*object

Response

200

OK

Body

*/*

idstring

versionstring

responsetimestring (date-time)

metadataobject

response*object

errorsarray of object

Request

JavaScriptCurlPythonHTTP

const response = await fetch('https://localhost/v1/partnermanager/oidc/client/{client_id}', {
    method: 'PUT',
    headers: {
      "Content-Type": "application/json"
    },
    body: JSON.stringify({
      "request": {
        "logoUri": "text",
        "redirectUris": [
          "text"
        ],
        "status": "text",
        "grantTypes": [
          "text"
        ],
        "clientName": "text",
        "clientAuthMethods": [
          "text"
        ]
      }
    }),
});
const data = await response.json();

Response

200

{
  "id": "text",
  "version": "text",
  "responsetime": "2025-01-30T22:38:12.547Z",
  "response": {
    "clientId": "text",
    "status": "text"
  },
  "errors": [
    {
      "errorCode": "text",
      "message": "text"
    }
  ]
}

• Relying party is onboarded as an Auth partner. Auth partner is required to have the below allowed auth-types in the policy.

{ "allowedAuthTypes" : [
                        {"authSubType":"","authType":"kycauth","mandatory":false},
                        {"authSubType":"","authType":"kycexchange","mandatory":false},
                        {"authSubType":"","authType":"otp-request","mandatory":false},
                       ]
}

• An auth-partner may have one or more OIDC clients.

• SHA-256 hash of the OIDC client public key is considered as clientID.

• Authentication Context References (ACR) and user claims are derived based on the policy of the auth partner.

  a. allowedKycAttributes are used to derive user claims using the identity_mapping.json

  b. allowedAuthTypes are used to derive ACR values using the amr-acr-mapping.json

• Client management endpoints of e-Signet oidc-service is invoked from PMS with the derived values, clientID and the provided public-key.

• Also, the client-details with policy and partner details are sent as an event to MOSIP IDA system.

Configurations

1. To get the mapping of OIDC claims with MOSIP KYC-attributes.

2. To get the mapping of auth types in policy with ACR values.

3. The claims supported by e-Signet should be present in identity-mapping.json file.

Sample auth-policy of a relying party

{"authTokenType":"policy",
  "allowedKycAttributes":[{"attributeName":"fullName"},
    {"attributeName":"gender"},
    {"attributeName":"phone"},
    {"attributeName":"email"},
    {"attributeName":"dateOfBirth"},
    {"attributeName":"city"},
    {"attributeName":"face"},
    {"attributeName":"addressLine1"}],
  "allowedAuthTypes":[{"authSubType":"IRIS","authType":"bio","mandatory":false},
    {"authSubType":"FINGER","authType":"bio","mandatory":false},
    {"authSubType":"","authType":"otp","mandatory":false},
    {"authSubType":"FACE","authType":"bio","mandatory":false},
    {"authSubType":"","authType":"otp-request","mandatory":false},
    {"authSubType":"","authType":"kycauth","mandatory":false},
    {"authSubType":"","authType":"kycexchange","mandatory":false},
    {"authSubType":"","authType":"wla","mandatory":false}]
}