Workflow 2: eSignet OAuth2-Based Authentication & Consent

This workflow leverages eSignet (MOSIP’s OAuth2-compliant authentication gateway) to allow individuals to authenticate and consent to share their information with openIMIS.

This use case describes the process through which a citizen or resident (hereafter referred to as "user") is enrolled in a national health insurance program via OpenIMIS, through an assisted, agent-driven workflow. A designated agent facilitates onboarding by verifying identity using eSignet, entering data, and submitting the application on the user's behalf.

Standards Compliance

  • Uses OAuth 2.0 Authorization Code Flow

  • OpenID Connect (OIDC) for user authentication

  • Data sharing aligned with DCI privacy principles

Workflow Steps

  1. Trigger eSignet Flow (openIMIS)

    • During enrolment, the officer sends a dedicated eSignet link (via SMS, email, or QR code) to the individual.

    • The link redirects the insuree to MOSIP’s eSignet portal.

  2. User Authentication (MOSIP)

    • The individual logs into eSignet using their MOSIP credentials (PIN/password, biometric, or OTP).

  3. Consent for Data Sharing

    • eSignet displays a consent page listing the requested data fields (name, date of birth, UIN, etc.).

    • The user reviews and authorizes data sharing with openIMIS.

  4. Token Exchange and Data Retrieval

    • eSignet redirects the individual's browser back to openIMIS with a short-lived, single-use authorization code, together with the state value openIMIS generated when it created the link.

    • openIMIS checks that the state matches the pending enrolment session, exchanges the code for an access token and ID token at the eSignet token endpoint, validates the ID token (issuer, audience, nonce, signature), and then retrieves the consented user information from the userinfo endpoint.

  5. Data Capture and Storage (openIMIS)

    • openIMIS pre-fills the enrolment form with the retrieved data.

    • The enrolment officer verifies the data with the individual (fields populated from MOSIP are read-only and cannot be edited in openIMIS) and completes enrolment.

UC 1.2: Beneficiary Enrollment in Health Insurance Schemes (Assisted Mode)

Step 1:
An enrollment agent initiates the beneficiary onboarding process by accessing the national health insurance registration form through OpenIMIS.

Step 2:
The agent collects the beneficiary’s National ID or any trusted ID and initiates registration via the assisted interface. (Existing portal or new portal to be created by OpenIMIS?)

Step 3:
To verify the beneficiary's identity, the agent clicks "Login with National ID"; OpenIMIS then redirects to eSignet, which authenticates the beneficiary using the OpenID Connect (OIDC) protocol (akin to a "Sign in with LinkedIn/Google" experience).

Step 4:
The agent facilitates eSignet-based authentication, where the beneficiary is prompted to provide their National ID and either a biometric (fingerprint, iris, or face photo) or an OTP.

Step 5:
Upon successful authentication, the agent is redirected to a confirmation page within OpenIMIS. This page displays verified details from the National ID and prompts the agent to confirm beneficiary consent.

Step 6:
The agent completes the registration form on behalf of the beneficiary, obtains explicit consent, reviews the fields auto-filled from the data consented to and fetched from the National ID system, and submits the application.

Step 7:
The system confirms that the insurance enrollment request has been submitted.
OpenIMIS provides an internal interface for authorized government officials to review and approve the application.

Step 8:
Upon approval, the user can download their health insurance card, encoded as a QR code (built on the Claim 169 verifiable credential standard).
Note: This card can optionally be stored in a digital wallet, although wallet integration is out of scope for this specific use case.
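The five workflow steps above (link, authentication, consent, token exchange, pre-fill) and steps 3 to 6 of UC 1.2 describe the same Authorization Code exchange from the openIMIS side. The following is an added example written for this page, not openIMIS or eSignet code: it builds the eSignet link with state, nonce and PKCE, then plays the callback, token and userinfo steps against an in-memory stand-in for eSignet so the exchange runs offline. Endpoint URLs, the client_id, the redirect_uri and the requested claim names are assumptions; HMAC stands in for the RS256 signatures a real eSignet issues, which openIMIS must verify against the provider's published JWKS, and the client authentication a real token request carries is omitted.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical deployment values; not real openIMIS or eSignet endpoints.
ESIGNET_AUTHORIZE = "https://esignet.example/authorize"
ESIGNET_ISSUER = "https://esignet.example"
CLIENT_ID = "openimis-enrolment"
REDIRECT_URI = "https://openimis.example/esignet/callback"
# Fields requested through the OIDC "claims" parameter (claim names are assumptions).
REQUESTED_CLAIMS = {"userinfo": {"name": {"essential": True}, "birthdate": {"essential": True},
                                 "individual_id": {"essential": True}}}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class EnrolmentSession:
    """State openIMIS keeps server-side between sending the link and the callback."""
    def __init__(self):
        self.state = b64url(secrets.token_bytes(16))          # ties the callback to this enrolment
        self.nonce = b64url(secrets.token_bytes(16))          # ties the ID token to this request
        self.code_verifier = b64url(secrets.token_bytes(32))  # PKCE secret; never put in the link


def build_esignet_link(session: EnrolmentSession) -> str:
    """Step 1: the eSignet link the enrolment officer sends to the individual."""
    challenge = b64url(hashlib.sha256(session.code_verifier.encode()).digest())
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid profile", "state": session.state, "nonce": session.nonce,
              "code_challenge": challenge, "code_challenge_method": "S256",
              "claims": json.dumps(REQUESTED_CLAIMS, separators=(",", ":"))}
    return ESIGNET_AUTHORIZE + "?" + urlencode(params)


class FakeESignet:
    """Offline stand-in for steps 2-4. HMAC stands in for the RS256 signatures a real
    eSignet issues, which openIMIS verifies against the provider's published JWKS."""
    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.pending = {}  # authorization code -> the request it was issued for
        self.tokens = {}   # access token -> consented claims

    def sign(self, payload: dict) -> str:
        body = b64url(json.dumps(payload, separators=(",", ":")).encode())
        return body + "." + b64url(hmac.new(self.key, body.encode(), hashlib.sha256).digest())

    def authenticate_and_consent(self, link: str, consented: dict) -> str:
        """Steps 2-3: the user authenticates and consents; returns the redirect to openIMIS."""
        q = {k: v[0] for k, v in parse_qs(urlparse(link).query).items()}
        code = b64url(secrets.token_bytes(16))
        self.pending[code] = {"challenge": q["code_challenge"], "nonce": q["nonce"],
                              "redirect_uri": q["redirect_uri"], "claims": consented}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, code: str, code_verifier: str, redirect_uri: str) -> dict:
        """Step 4a: the code is single-use and bound to the PKCE verifier and redirect_uri."""
        req = self.pending.pop(code, None)
        if req is None or req["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant")
        if b64url(hashlib.sha256(code_verifier.encode()).digest()) != req["challenge"]:
            raise ValueError("invalid_grant: PKCE verifier does not match")
        sub = b64url(hashlib.sha256(req["claims"]["individual_id"].encode()).digest())[:16]  # opaque stand-in
        access_token = b64url(secrets.token_bytes(16))
        self.tokens[access_token] = {"sub": sub, **req["claims"]}
        id_token = self.sign({"iss": ESIGNET_ISSUER, "aud": CLIENT_ID, "sub": sub, "nonce": req["nonce"]})
        return {"access_token": access_token, "id_token": id_token}

    def userinfo(self, access_token: str) -> str:
        return self.sign(self.tokens[access_token])  # step 4b: consented claims, signed


def verify_signed(token: str, key: bytes) -> dict:
    """openIMIS-side signature check; in production this is JWS verification with the JWKS key."""
    body, sig = token.split(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


def handle_callback(session: EnrolmentSession, esignet: FakeESignet, callback_url: str) -> dict:
    """Steps 4-5 on the openIMIS side: validate the callback, redeem the code, pre-fill the form."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if not hmac.compare_digest(q.get("state", ""), session.state):
        raise ValueError("state mismatch: callback does not belong to this enrolment")
    tokens = esignet.token(q["code"], session.code_verifier, REDIRECT_URI)
    id_claims = verify_signed(tokens["id_token"], esignet.key)
    if id_claims["iss"] != ESIGNET_ISSUER or id_claims["aud"] != CLIENT_ID:
        raise ValueError("ID token was not issued by eSignet for this client")
    if not hmac.compare_digest(id_claims["nonce"], session.nonce):
        raise ValueError("nonce mismatch: ID token was not minted for this request")
    info = verify_signed(esignet.userinfo(tokens["access_token"]), esignet.key)
    if info["sub"] != id_claims["sub"]:
        raise ValueError("userinfo subject differs from the authenticated user")
    # Step 5: MOSIP-sourced fields are pre-filled read-only; the officer only verifies them.
    return {name: {"value": value, "editable": False} for name, value in info.items() if name != "sub"}
```

The three checks that matter for an assisted flow are visible in handle_callback: the state check stops a callback from one enrolment being attached to another, the nonce check stops a replayed ID token, and the PKCE verifier (kept server-side, never in the SMS or QR link) means a leaked or intercepted link cannot be turned into tokens. The returned form marks every MOSIP-sourced field as non-editable, which is the rule step 5 states.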

Advantages

  • Online, real-time verification of identity

  • Full user control over data sharing

  • Strong audit trail and compliance with data protection laws

Figure: eSignet OAuth2-Based Authentication & Consent (sequence diagram; source below)

Source Code :

(link to permanent text in https://www.websequencediagrams.com/)

title eSignet OAuth2-Based Authentication & Consent
participant Individual
participant openIMIS
participant eSignet / MOSIP
note over Individual, openIMIS
Assumes that individual and Enrolment Officer are online
end note
openIMIS->Individual: [1] Send eSignet Link
Individual->eSignet / MOSIP: [2] User Authentication
Individual->eSignet / MOSIP: [3] Consent Data Sharing
eSignet / MOSIP->openIMIS: [4] send authorization code
openIMIS->eSignet / MOSIP: [5] get Access Token
openIMIS->eSignet / MOSIP: [6] get consented Information data
openIMIS->openIMIS: [7] Pre-fill Insuree Form
openIMIS->Individual: [8] Verify Data with Individual
openIMIS->Individual: [9] complete Enrolment




This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. https://creativecommons.org/licenses/by-sa/4.0/