This document assumes that Aadhaar KYC can be done in one of the following ways:
- Digilocker Login - Digilocker allows Aadhaar based login and the APIs are provided through Meripehchan. It can be forced to use only Aadhaar or PAN using the `acr` parameter (page 5 here). Either the user logs in through Digilocker using Aadhaar, or a second API call fetches the user profile and verifies that Aadhaar is linked to the DL account (page 9 here). This option is self validation and hence can be done for free.
- Through AUA - AUAs are generally available in all states and provide wrapper APIs over the Aadhaar eKYC APIs. This is a paid API. The APIs follow this spec.
The recommended strategy is to support both options so that all users are covered, but to push users towards option 1.
Here Auth Server is the MeriPehchan Server and Resource Server is DL Server.
To get the Digilocker Meripehchaan SSO login button on the login page (of say Keycloak or your own custom login page), you need to use the `keycloak` theme instead of the custom theme provided by default. The instructions remain the same even if you are not using Keycloak and instead have a custom backend that just takes the `refresh_token`, stores it, and regenerates the `access_token` whenever it expires.
- Digilocker partner account (https://partners.digitallocker.gov.in/)
- Generate client secrets in (https://apisetu.gov.in/org/consumer/auth_partners)
- Set the redirect URL to `<domain>/auth/realms/master/broker/oidc/endpoint` (if using Keycloak) or wherever you would want the tokens to be stored.
Read more about the Digilocker APIs here, page 4 onwards.
- Goto keycloak admin page `<domain>/auth/`
- Login with admin credentials
- Goto `Identity Providers`
- Click on `Add provider`
- Select `OpenID Connect v1.0`
- Enter the display name to be shown on the login page, Ex: `Login with Digilocker Meripehchaan`
- Set the Authorization URL to `https://digilocker.meripehchaan.gov.in/public/oauth2/1/authorize`
- Set the Token URL to `https://digilocker.meripehchaan.gov.in/public/oauth2/2/token`
- Turn on the `Disable User Info` button
- Select `Client secret sent as post` from `Client Authentication` options
- Set `Client Id` that was generated in the Digilocker partner portal
- Set `Client Secret` that was generated in the Digilocker partner portal
- Select `consent` from `Prompt` options
- Enable the `Use PKCE` option
- Select `S256` from `PKCE Method` options
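To see what the identity-provider settings above make Keycloak do on the wire, here is an added example (not from the original page or the MeriPehchan/Keycloak code) that builds the authorization request with `prompt=consent` and an S256 PKCE challenge, the `client_secret_post` token request, and the server-side PKCE check. The `acr` values and the client id/secret are placeholders; the real values come from the spec and the partner portal.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Endpoints from the page (MeriPehchan is the Auth Server).
AUTHORIZE_URL = "https://digilocker.meripehchaan.gov.in/public/oauth2/1/authorize"
TOKEN_URL = "https://digilocker.meripehchaan.gov.in/public/oauth2/2/token"

def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    if verifier is None:
        verifier = secrets.token_urlsafe(64)  # 43-128 unguessable chars
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge

def verify_pkce(code_verifier, code_challenge):
    """Auth-server side check: S256(code_verifier) must match the earlier challenge."""
    return secrets.compare_digest(make_pkce_pair(code_verifier)[1], code_challenge)

def build_authorize_url(client_id, redirect_uri, state, code_challenge, acr=None):
    """Authorization request the browser is redirected to (prompt=consent, PKCE S256)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must match the URL registered in the partner portal
        "scope": "openid",
        "state": state,  # random per-session value; reject callbacks whose state differs
        "prompt": "consent",
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if acr is not None:
        params["acr"] = acr  # restricts login to Aadhaar/PAN; allowed values are in the spec
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def build_token_request(code, code_verifier, client_id, client_secret, redirect_uri):
    """Form body for TOKEN_URL with 'Client secret sent as post' authentication."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,  # client_secret_post: in the body, not a Basic header
        "code_verifier": code_verifier,  # proves this client started the flow
    }
```

With `Disable User Info` turned on, Keycloak stops after the token call and takes the user's claims from the ID token rather than calling a userinfo endpoint.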
- Goto keycloak admin page `<domain>/auth/`
- Login with admin credentials
- Goto `clients -> registry-frontend`
- Select `keycloak` from `Login Theme` options
- Save the changes
https://www.figma.com/file/IWAndiHyJ15GZD6EP1c2A6/Digilocker?type=design&node-id=101%3A2&mode=design&t=YCokyK7yFKGZOlHs-1