When abdm is calling the registered callbacks, is there any way to authenticate wether abdm is making that call?

Phaneendhar123 · December 13, 2023, 11:40am

@IntegrationSupport, When abdm is calling the registered callbacks, is there any way to authenticate wether abdm is making that call??

is there any way that abdm sends the api-key or the token that we can authenticate ???

can you help us here ???

ayadav · December 15, 2023, 6:17am

This should help

Phaneendhar123 · December 15, 2023, 9:41am

@ayadav
i’m asking about the callbacks that ABDM calls to our service
ex: let’s taken example from the HIP initiated linking

v0.5/users/auth/on-fetch-modes
/v0.5/users/auth/on-init
/v0.5/users/auth/on-confirm
/v0.5/links/link/on-add-contexts

these are the callbacks that abdm calls, so in order to verify wether abdm is calling these callbacks or someone else is calling these, how do i know ??

ayadav · December 15, 2023, 10:38am

@Phaneendhar123
Yes, the link I sent is for the same.You should verify the JWT auth token sent by ABDM in header against the gateway certs.
You could see this reference in python.

github.com

dimagi/abdm-python-integrator/blob/main/abdm_integrator/utils.py#L206




def gateway_jwks_cert():
    jwks_cert = ABDMCache.get('JWKS_CERT')
    if not jwks_cert:
        jwks_cert = fetch_gateway_jwks_cert()
        ABDMCache.set('JWKS_CERT', jwks_cert, timeout=60 * 180)
    return jwks_cert


def validate_jwt_access_token(authorisation_token):
    jwks_cert = gateway_jwks_cert()
    jwks_keys = jwt.api_jwk.PyJWKSet(jwks_cert['keys'])
    kid = jwt.get_unverified_header(authorisation_token)['kid']
    algorithms = [key['alg'] for key in jwks_cert['keys'] if key['kid'] == kid]
    return jwt.decode(authorisation_token, key=jwks_keys[kid].key, algorithms=algorithms,
                      options={'verify_aud': False})


class ABDMGatewayUser(AnonymousUser):
    """Dummy user used for ABDM Gateway JWKS authentication"""