eSignet cannot be used in sandbox environments with internal root-CA

I am setting up a sandbox instance of eSignet with MOSIP in a private network without public IP. Within this environment there is an internal CA (part of our IT infrastructure) which all hosts in the network trust. This implies using the internal CA’s TLD for all our host names.

For both MOSIP and eSignet, the ingress instances use certificates signed by that internal CA, and consequently, the host names from the global configmap all use the internal CA’s TLD.

With some configuration and post-renderer scripts I have been able to get the MOSIP and eSignet services to trust the internal CA, so that the services seem to be running correctly.

Now, in order to use eSignet with the resident services, I understand I need to run an onboarding for the resident services.

Now I have encountered a dead end. eSignet uses the Apache UrlValidator for validating URLs both for onboarding and redirects (later, when somebody logs into the resident portal).

This validator checks several things, like the syntactic correctness, but also whether a URL’s TLD is in a whitelist of accepted TLDs. This last bit has come to bite me, as our infrastructure’s internal TLD is (of course) not in that list. Hence onboarding fails and (if I onboard a known domain and later change it in the database) redirecting from eSignet to a partner (like the resident portal) fails.

I believe that both MOSIP and eSignet should not exclude the use of such internal TLDs. There are good and legitimate reasons for using them.

While so far pretty much everything could be fixed by tweaking the helm charts, this here is an issue that can only be solved in the source code.

I don’t believe that the checking of TLDs against a whitelist as Apache’s UrlValidator does is even what the eSignet developers were interested in when choosing it for their implementation.

Unfortunately the UrlValidator’s interface for changing this behaviour is rather awkward, as one has to provide a RegexValidator for validating the hostname/IP/port part of a URL rather than just switching the TLD validation off (and several issues filed to their developers have been rejected).

I have filed an issue (#1883) and a PR (#1894) on GitHub for this issue. Is this something the eSignet developers would be willing to consider?
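As an added illustration of the behaviour described in this post (example code written for this thread, not eSignet's code and not part of the linked PR), the class below shows a stock Apache Commons Validator `UrlValidator` rejecting a host under a private TLD, and the `RegexValidator`-for-the-authority workaround the post refers to. It assumes `commons-validator` 1.6 or later on the classpath; the suffix `corp.internal`, the `INTERNAL_SUFFIX` constant and all sample URLs are constructed values, not taken from any real deployment.

```java
import java.util.regex.Pattern;

import org.apache.commons.validator.routines.RegexValidator;
import org.apache.commons.validator.routines.UrlValidator;

// Added example, not eSignet or Commons Validator code.
public class InternalTldUrlCheck {

    // Hypothetical deployment-specific suffix; in a real setup this would be configuration.
    static final String INTERNAL_SUFFIX = "corp.internal";

    static final String[] SCHEMES = {"https"};

    /** Stock validator: the host's TLD must be on the IANA list bundled with the library. */
    static UrlValidator defaultValidator() {
        return new UrlValidator(SCHEMES);
    }

    /**
     * Validator whose authority (host[:port]) check is delegated to a RegexValidator.
     * UrlValidator consults the authority validator first; when it accepts the
     * authority, the TLD whitelist is not applied to that URL. When it rejects the
     * authority, the library falls through to its normal rules, so public hosts are
     * still checked against the IANA list as before.
     *
     * The pattern is deliberately narrow: valid DNS labels only, the name must END
     * with the internal suffix, and at most an optional numeric port may follow.
     * A looser pattern (for example ".*") would accept any host and silently
     * remove the protection a redirect-URI check is meant to provide.
     */
    static UrlValidator internalAwareValidator(String suffix) {
        String label = "[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?";
        String host = "(?:" + label + "\\.)+" + Pattern.quote(suffix);
        String authority = "^" + host + "(?::[0-9]{1,5})?$";
        RegexValidator authorityValidator = new RegexValidator(authority, false); // case-insensitive
        return new UrlValidator(SCHEMES, authorityValidator, 0L);
    }

    public static void main(String[] args) {
        // Constructed sample inputs covering the cases that matter for a redirect-URI check.
        String[] samples = {
            "https://resident.corp.internal/authorize",        // internal host
            "https://resident.corp.internal:8443/callback",    // internal host with explicit port
            "https://resident.example.com/authorize",          // public TLD, handled by the stock rules
            "https://resident.corp.internal.evil.com/",        // internal suffix in the middle, not at the end
            "http://resident.corp.internal/",                  // scheme not in the allowed list
        };
        UrlValidator stock = defaultValidator();
        UrlValidator internal = internalAwareValidator(INTERNAL_SUFFIX);
        for (String url : samples) {
            System.out.printf("%-48s stock=%-5s internalAware=%s%n",
                    url, stock.isValid(url), internal.isValid(url));
        }
    }
}
```

Two points worth checking in your own environment: `UrlValidator.ALLOW_LOCAL_URLS` is not a substitute for this, because the library's `DomainValidator` only uses the local-hostname rule for single-label names and still applies the TLD list to anything containing a dot; and because the authority validator is consulted before every other host check, the regex you hand in is the entire host policy for the names it matches, so anchor it at both ends and bind it to the exact suffix you operate.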

Hi mbert

Thank you for raising this issue and sharing the detailed analysis along with the PR. The team will look into it and evaluate the proposed changes. We will reach out to you shortly.

Regards,
Mrudula
on behalf of Team MOSIP

Hi @mbert

Thanks for raising this issue and explaining the use case. We hadn’t previously encountered environments using private TLDs (edge case), but adding support for this makes total sense for private network deployments.

Please note that our active development happens on the develop branch. Kindly point your PR there so we can review it. Looking forward to your contribution!

Thanks & regards,

MOSIP Team

Thank you. I have created a new PR as advised: #1928.