This guide provides steps to integrate OpenG2P with e-Signet with MOSIP as the authentication provider.
MOSIP IDA is installed
The e-Signet server is installed and configured to connect to MOSIP IDA
MOSIP IDA APIs are accessible from the machine running the e-Signet server
Both Yes/No and KYC APIs are enabled on MOSIP IDA
e-Signet APIs are accessible from machines running OpenG2P
Biometric auth devices (already onboarded on MOSIP) are available for authentication
Email and SMS are enabled on MOSIP IDA for OTP authentication
MOSIP Partner Management Services (PMS) Portal or APIs must be accessible to both MOSIP Partner Admin and OpenG2P Admin
MOSIP Partner Specific User Token (PSUT) ID type is configured. See Configure ID Types.
Create an Auth Partner for OpenG2P on MOSIP.
Guide for MOSIP 1.2.0
Guide for MOSIP 1.1.5 (TBD)
Create a MISP Partner for OpenG2P on MOSIP.
Note down the following from the above steps:
Auth Partner ID
Auth Policy ID
Auth API Key
MISP License Key
Auth partner signed certificate
IDA Partner certificate (App id: IDA, Ref Id: PARTNER)
This method is applicable if MOSIP Partner Management APIs are available. These steps are executed by MOSIP Partner Admin
Create an e-Signet OIDC client using PMS OIDC API:
authParnterId: Partner ID in this step.
policyId : Policy ID in this step.
publicKey: Generate JWK.
logoUri: URL of your logo accessible publicly.
grantTypes = ["authorization_code"]
clientAuthMethods= ["private_key_jwt"]
redirectUris: URLs of the form https://<your web portal>/auth_oauth/signin
Note down the Client ID as an output of the above step.
This method is applicable if MOSIP Partner Management APIs are not available.
Create an e-Signet OIDC client using the following API:
clientId: Arbitrary string.
clientName: Arbitrary string.
relyingParnterId: Partner ID in this step.
publicKey: Generated JWK.
authContextRefs:
userClaims:
logoUri: URL of your logo accessible publicly.
grantTypes = ["authorization_code"]
clientAuthMethods= ["private_key_jwt"]
redirectUris: URLs of the form https://<your web portal>/auth_oauth/signin
These steps are executed by OpenG2P Admin on the OpenG2P Admin interface.
Go to Settings -> General Settings (Menu) -> General Settings (Panel) -> Integrations (Section) -> Oauth Providers
Create a new OIDC Provider with the following details:
| Parameter | Value | |
|---|---|---|
Client ID
The output of the previous section.
Auth Flow
OpenID Connect (authorization code flow)
Token map
sub:user_id
Client Authentication Method
Private Key JWT
Private Key Method
Private key used for JWK creation in the previous section.
Assertion Type
JWT Bearer
Authorization URL
e-Signet's authorize endpoint.
Userinfo URL
e-Signet's userinfo API
Token URL
e-Signet's token API
JWKS URL
e-Signet's JWKS API
Use G2P Reg ID
True
G2P Registrant ID Type
MOSIP PSUT ID Type
As configured in step 9 of Prerequisites.
Partner Creation Call Validate URL
True
Specifies whether to call the MOSIP e-KYC API to fetch data into OpenG2P
Partner Creation Validate Response
name:name email:email phone:phone_number birthdate:birthdate gender:gender address:address
Default Group User Creation
User types / Portal
Specifies all users signing up through this OIDC Provider (e-Signet) are only going to be portal users
Login Attribute Mapping On User Creation
email
To allow users to sign in with their email and password after initial signup with e-Signet.
OK
OK