Key Binder Plugin

The Key Binder plugin interface provides a method to bind an individual's ID with a public key. On successful binding, it returns a signed certificate called Wallet User ID which uniquely identifies the user and the wallet.

When a new binding request is received, it is expected that the key binder implementation takes care of overriding previously bound certificates with the newly generated signed certificate for a user.

The individual needs to be authenticated before binding the key. The interface is structured to accept any type of authentication challenge, namely OTP or biometrics.

The bound certificate will then be usable to do token-based authentication like WLA (Wallet Local Authentication) from any digital wallet app.

Below is the key binder interface.

public interface KeyBinder {

     * Delegate request to send out OTP to provided individual ID on the configured channel
     * during Key binding process.
     * @param individualId
     * @param otpChannels
     * @param requestHeaders
     * @return
     * @throws SendOtpException
    SendOtpResult sendBindingOtp(String individualId, List<String> otpChannels,
                                 Map<String, String> requestHeaders) throws SendOtpException;

     * Delegate request check the given challenge. Binds the key only if the given challenge is valid
     * returns back the new signed certificate and a partner specific user token.
     * @param individualId
     * @param challengeList
     * @param publicKeyJWK
     * @param requestHeaders
     * @return
     * @throws KeyBindingException
    KeyBindingResult doKeyBinding(String individualId, List<AuthChallenge> challengeList, Map<String, Object> publicKeyJWK,
                                  String bindAuthFactorType, Map<String, String> requestHeaders) throws KeyBindingException;
    List<String> getSupportedChallengeFormats(String authFactorType);

For the latest version of the interface please check our code base -

Who uses this interface?

The APIs exposed by this interface are used by Digital Wallets to perform wallet binding while it is implemented by Identity Systems.

How to implement this plugin?

The Key Binder implementation class must be annotated with ConditionalOnProperty with mosip.esignet.integration.key-binder property.

Below is an example of how our Mock Identity System has implemented the eSignet KeyBinder plugin.

@ConditionalOnProperty(value = "mosip.esignet.integration.key-binder", havingValue = "mock-keybinder-service")
public class MockKeyBindingWrapperService implements KeyBinder {
    //Implement keybinder methods

Appendix - Key Binding

The Key Binding functionality is depicted in the diagram below:

Here, the Binding Partner is nothing but the wallet backend service.

Last updated

Copyright © 2021 MOSIP. This work is licensed under a Creative Commons Attribution (CC-BY-4.0) International License unless otherwise noted.