eSignet Signup

Overview

This repository contains a signup UI and signup service to handle signup operations by the end user. This module can be used to fast-track the availability of any digital service to end users via eSignet. eSignet has built-in support for the integration with the signup module. The signup service is flexible to connect to any ID registry system via a well-defined plugin interface.

Currently, signup supports below features:

1. Register User
2. Reset password
3. Online video based identity verification workflow integration via plugin

Build (for developers)

The project requires JDK 11.

1. Build:

   $ mvn clean install -Dgpg.skip=true -Dmaven.gitcommitid.skip=true
   

Installing in k8s cluster using helm

signup-service is part of the esignet, but has a separate Helm chart to install and manage it in a completely independent namespace.

Pre-requisites

1. Set the kube config file of the Esignet k8 cluster having esignet services is set correctly in PC.
2. Below are the dependent services required for signup service integrated with Mock Identity System

   Chart	Chart version
   Keycloak	7.1.18
   Keycloak-init	12.0.1-B3
   Kafka	0.4.2

Setup pre-requisites for signup services

cd deploy
./prereq.sh

Install Signup service

• Install kubectl and helm utilities.
• Run install-signup.sh to deploy signup services.

  cd deploy
  ./install-signup.sh
  

Delete

• Run delete-signup.sh to remove signup services.

  cd deploy
  ./delete-signup.sh
  

Restart

• Run restart-signup.sh to restart signup services.

  cd deploy
  ./restart-signup.sh
  

Additional services required

NOTE : Additional services can be deployed on the same cluster, or if you already have an existing one, you can point it to that.

To complete the signup portal deployment below MOSIP kernel services are required to be deployed.

• otpmanager
• authmanager
• auditmanager
• notifier

If the required additional services are exposed via external domain

If otpmanager, authmanager, auditmanager, esignet and notifier are running in a different cluster, update the deployment.yaml of the signup-service.

• Add the below environment variables under the env: section of the signup-service deployment:

env:
- name: MOSIP_AUTHMANAGER_CLIENT_TOKEN_ENDPOINT
  value: "https://authmanager.example.com/v1/authmanager/authenticate/clientidsecretkey"
- name: MOSIP_SIGNUP_GENERATE_CHALLENGE_ENDPOINT
  value: "https://otp.example.com/v1/otpmanager/otp/generate"
- name: MOSIP_SIGNUP_SEND_NOTIFICATION_ENDPOINT
  value: "https://notifier.example.com/v1/notifier/sms/send"
- name: MOSIP_SIGNUP_AUDIT_ENDPOINT
  value: "https://audit.example.com/v1/auditmanager/audits"
- name: MOSIP_SIGNUP_OAUTH_TOKEN_URI
  value: "https://esignet.example.com/v1/esignet/oauth/v2/token"
- name: MOSIP_SIGNUP_OAUTH_USERINFO_URI
  value: "https://esignet.example.com/v1/esignet/oidc/userinfo"

These environment variables override the default internal service URLs and allow the signup-service to communicate with kernel services running outside its cluster.

Spring Boot automatically maps these environment variables to their corresponding properties:

• MOSIP_AUTHMANAGER_CLIENT_TOKEN_ENDPOINT → mosip.authmanager.client-token-endpoint

• MOSIP_SIGNUP_GENERATE_CHALLENGE_ENDPOINT → mosip.signup.generate-challenge.endpoint

• MOSIP_SIGNUP_SEND_NOTIFICATION_ENDPOINT → mosip.signup.send-notification.endpoint

• MOSIP_SIGNUP_AUDIT_ENDPOINT → mosip.signup.audit-endpoint

• MOSIP_SIGNUP_OAUTH_TOKEN_URI → mosip.signup.oauth.token-uri

• MOSIP_SIGNUP_OAUTH_USERINFO_URI → mosip.signup.oauth.userinfo-uri

• Initialize the db script to create mosip_kernel and mosip_audit databases make sure to update the existing db-common-secret in init_values.yaml if postgres-initialization already done

  • copy db-common-secret from existing postgres deployment secret if its already created
  • run the postgres-init.sh

    cd deploy
    ./postgres-init.sh
  

Prerequisites for MOSIP kernel services:

1. msg-gateway
2. config-server
3. artifactory
4. mock-smtp
5. kernel

  cd deploy (follow the above sequence and run the install.sh for each module installation)
  

Partner onboarding

• Partner onboarding for esignet Signup OIDC client with mock can be performed manually with below steps
• Download and import eSignet Signup.postman_collection.json and eSignet Signup.postman_environment.json postman collection from here

OIDC Client Management Instructions

1. Fetch the Authentication Token

   • Navigate to "Register Signup Oidc " → "Get Auth Token" to retrieve the authentication token.
     • Update the client_secret (retrieve it from the keycloak-client-secrets).
     • Update the iam_url (Keycloak URL) in the request body.
     • Retrieve the Keycloak URL from the config-map under keycloak-host → keycloak-external-url.

2. Navigate to "Register" → "Get CSRF token" → generate CSRF token → to fetch the CSRF token.

3. Execute create-signup-oidc-keystore.sh here to generate a keypair. If required consider changing the keystore password in the create-signup-oidc-keystore.sh script before execution. This script after successful execution creates 2 files in the project root directory: oidckeystore.p12 public_key.jwk

   • As esignet only supports confidential OIDC clients, we should generate a RSA keypair to onboard signup-service. RSA private key is stored in the oidckeystore.p12 file and the corresponding public key is written to public_key.jwk file.
   • Copy the public key in public_key.jwk file and update the same in the Register Signup OIDC/Create Signup OIDC client request body.
     • 

4. Run Register Signup OIDC/Create Signup OIDC client in postman before starting the identity verification flow.

   • Navigate to "Register Signup Oidc " -> "Create Signup OIDC client"

     • Update the Request Fields for OIDC Client Creation

     • Before executing the "Create Signup OIDC Client" request, update the following fields in the request body:

       • esignet_url
       • public-key
       • client-name
       • client-id
       • logo-uri
       • redirect-uri

     • Execute the request.

   • Make sure to update the signup-keystore-password in the keycloak secrets as updated while generating the p12 file.

5. Mount oidckeystore.p12 as a signup-keystore secret to the signup deployment.

TESTRIG

Overview

The steps here install Testrig components, which include SIGNUP-APITESTRIG . These components are used to test the working of SIGNUP modules.

1.SIGNUP-APITESTRIG Installation signup-apitestrig

APIs

API documentation is available here.

License

This project is licensed under the terms of Mozilla Public License 2.0.