Hi MOSIP Community,
I am deploying MOSIP v3 on-prem without DNS in my own data center for a demo / POC environment.
Most of the core flow is working now:
- Backend services are running.
- Registration Client flow is working.
- UIN is getting generated successfully in the backend.
- Pre-registration and registration-related flow is working.
- Resident Portal UI is opening.
However, I am stuck at the Resident Portal login / profile flow.
When I open the Resident Portal and click on “Get My UIN”, the page remains stuck on a loading screen.
In the browser console, I see these errors:
GET https://api.sandbox.xyz.net/resident/v1/profile?languageCode=eng 401 (Unauthorized)
GET https://resident.sandbox.xyz.net/null 404 (Not Found)
Current Understanding
From our debugging, it looks like the Resident Portal is not completing the intended eSignet login flow because the Resident OIDC / OAuth client is not getting created successfully in PMS / eSignet.
We verified that Resident is intended to redirect to eSignet in this setup.
Resident service has the following configuration:
mosip.iam.module.clientID=mosip-resident-client
mosip.iam.base.url=https://esignet.sandbox.xyz.net/v1/esignet
mosip.iam.authorization_endpoint=https://esignet.sandbox.xyz.net/authorize
So the expected design seems to be:
Resident Portal → eSignet login → token/session → Resident profile API
But currently, Resident Portal is calling:
https://api.sandbox.xyz.net/resident/v1/profile?languageCode=eng
and receiving:
401 Unauthorized
Then the UI also tries to access:
https://resident.sandbox.xyz.net/null
which returns:
404 Not Found
What We Have Verified
1. PMS OAuth client API path
We found that the correct PMS endpoint for OAuth client creation is:
POST /v1/partnermanager/oauth/client
The older /oidc/client endpoint appears to be deprecated / not used in this flow.
2. PMS authentication behavior
In our setup, PMS did not accept the token when passed as a normal Bearer token header.
This failed:
Authorization: Bearer <jwt>
PMS log:
2026-06-30T13:38:40.281Z
Exception : Authorization token not present > http://pms-partner/v1/partnermanager/oauth/client
logger: io.mosip.kernel.auth.defaultadapter.filter.AuthFilter
But passing the token as a cookie worked:
Cookie: Authorization=<jwt>
After using cookie-based auth, PMS accepted the request and returned PMS roles such as:
AUTH_PARTNER
PARTNER_ADMIN
So PMS authentication seems to work only through the cookie format in our current setup.
3. OAuth client creation reaches PMS business logic but fails during publish
When calling:
POST /v1/partnermanager/oauth/client
PMS enters the OAuth client creation flow, but fails while publishing client data because it tries to fetch the partner certificate from Keymanager.
PMS response:
{
  "id": "mosip.partnermanagement",
  "version": "1.0",
  "errors": [
    {
      "errorCode": "PMS_KKS_001",
      "message": "Error while accessing the API.Please check the logs."
    }
  ]
}
Relevant PMS server-side log:
2026-06-30T13:45:55.383Z
Error occurred while calling http://keymanager.keymanager/v1/keymanager/getPartnerCertificate/
logger: io.mosip.pms.common.util.RestUtil
org.springframework.web.client.HttpClientErrorException: 404 Not Found
at io.mosip.pms.oauth.client.service.impl.ClientManagementServiceImpl.getPartnerCertificate(ClientManagementServiceImpl.java:480)
at io.mosip.pms.oauth.client.service.impl.ClientManagementServiceImpl.publishClientData(ClientManagementServiceImpl.java:470)
at io.mosip.pms.oauth.client.service.impl.ClientManagementServiceImpl.createOAuthClient(ClientManagementServiceImpl.java:174)
Current Resident Auth Partner State
The configured Resident Auth Partner is:
partnerId = mpart-res-oidc-auth
partner_type_code = Auth_Partner
Database query:
select id, name, certificate_alias, approval_status, is_active, upd_dtimes
from pms.partner
where id='mpart-res-oidc-auth';
Result:
id = mpart-res-oidc-auth
name = Resident OIDC Auth Partner
certificate_alias = NULL
approval_status = approved
is_active = true
Extended DB state:
id = mpart-res-oidc-auth
name = Resident OIDC Auth Partner
partner_type_code = Auth_Partner
certificate_alias = NULL
approval_status = approved
is_active = true
policy_group_id = mpolicygroup-default-auth
So the Resident Auth Partner is approved and active, but it does not have a certificate alias.
Our understanding is that PMS fails during OAuth client creation because partner.certificate_alias is empty for this Auth Partner, so PMS / Keymanager cannot retrieve the partner certificate while publishing the OAuth client.
Certificate Upload Attempts
We tried the intended PMS certificate onboarding flow.
AUTH CA upload
We uploaded AUTH root CA using:
/v1/partnermanager/partners/certificate/ca/upload
Response:
{
  "response": {
    "status": "Upload Success."
  },
  "errors": []
}
AUTH sub-CA upload
We uploaded AUTH sub-CA using the same API.
Response:
{
  "response": {
    "status": "Upload Success."
  },
  "errors": []
}
Partner certificate upload
However, uploading the partner certificate still fails with:
{
  "errors": [
    {
      "errorCode": "KER-PCM-006",
      "message": "Root CA/Intermediate CA Certificates not found."
    }
  ]
}
This happens even after uploading the AUTH root CA and AUTH sub-CA.
So it looks like the partner certificate we are trying to upload is not chaining to the AUTH CA chain recognized by PMS / Keymanager.
Attempt to register existing self-signed AUTH partner certificate as CA
We also tried to register the existing self-signed AUTH partner certificate as CA, but that failed with:
{
  "errors": [
    {
      "errorCode": "KER-PCM-005",
      "message": "Root CA Certificate not found."
    }
  ]
}
Existing AUTH-domain Certificate Found in Keymanager
We found one existing AUTH-domain certificate in Keymanager:
cert_id = fedfbac5-981c-4617-955b-1b82afb1dd9a
partner_domain = AUTH
organization_name = mpartner-default-abis
cert_subject = CN=mpartner-default-abis,...
cert_issuer = CN=mpartner-default-abis,...
This certificate belongs to:
partner_id = mpartner-default-abis
partner_type_code = ABIS_Partner
certificate_alias = fedfbac5-981c-4617-955b-1b82afb1dd9a
So the only existing AUTH-domain certificate we found is tied to an ABIS_Partner, not the Resident Auth Partner.
Actual Issue
The Resident Portal is stuck on the loading page after clicking Get My UIN.
Browser console errors:
GET https://api.sandbox.xyz.net/resident/v1/profile?languageCode=eng 401 (Unauthorized)
GET https://resident.sandbox.xyz.net/null 404 (Not Found)
From backend debugging, the likely root cause is:
Resident OAuth/OIDC client is not created successfully in PMS/eSignet because the backing Auth_Partner mpart-res-oidc-auth does not have a valid partner certificate / certificate_alias.
PMS OAuth client creation fails in:
ClientManagementServiceImpl.publishClientData()
while trying to retrieve the partner certificate from Keymanager:
http://keymanager.keymanager/v1/keymanager/getPartnerCertificate/
Questions
- For Resident Portal with eSignet, when creating the Resident OAuth client through:
POST /v1/partnermanager/oauth/client
does the backing Auth_Partner always need a partner certificate uploaded first through PMS?
- What is the exact intended onboarding sequence for Resident / eSignet OAuth client setup in a sandbox deployment?
Is it supposed to be:
1. Create Auth_Partner
2. Upload AUTH root CA
3. Upload AUTH intermediate/sub-CA
4. Upload Auth Partner certificate
5. Create OAuth client through /v1/partnermanager/oauth/client
6. Resident Portal uses this client ID for eSignet login
- For the Resident Auth Partner:
partnerId = mpart-res-oidc-auth
partner_type_code = Auth_Partner
certificate_alias = NULL
what certificate should be uploaded and linked?
- Is there any standard sandbox/sample certificate material for the Resident/Auth Partner flow?
- Why would partner certificate upload still return this error even after AUTH root CA and AUTH sub-CA upload succeeded?
KER-PCM-006: Root CA/Intermediate CA Certificates not found.
- Is the browser-side issue:
GET /resident/v1/profile 401 Unauthorized
GET /null 404 Not Found
expected when the Resident OIDC/eSignet client is missing or not properly created?
Any guidance on the correct Resident Portal + eSignet + PMS OAuth client onboarding flow would be very helpful.
Thanks.
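Added example for the "PMS authentication behavior" part of the post above. This is not code from the post or from MOSIP; it is a stdlib-only helper for inspecting the admin JWT before sending it to PMS, so that an "Authorization token not present" response can be separated from a token that is expired or lacks the PMS roles. Assumptions: roles are read from a top-level `roles` claim or a Keycloak-style `realm_access.roles` claim (the claim layout of real MOSIP tokens is not confirmed by the post), the token is only decoded, not signature-verified, and the HS256 token built by `make_test_token` is constructed test input, not a MOSIP token.

```python
"""Added example, not MOSIP code: inspect a JWT before handing it to PMS,
and show the two transport shapes tried in the post (header vs cookie).
Assumption: roles live in "roles" or Keycloak-style "realm_access.roles".
Signature is NOT verified here; this is claim inspection only."""
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(s: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_jwt(token: str):
    """Return (header, payload) dicts of a compact JWS. No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def token_roles(payload: dict) -> set:
    """Collect roles from the two claim layouts this example assumes."""
    roles = set(payload.get("roles", []))
    roles |= set(payload.get("realm_access", {}).get("roles", []))
    return roles


def token_problems(token: str, required_roles, now=None) -> list:
    """List reasons PMS might reject the token, independent of transport."""
    now = time.time() if now is None else now
    problems = []
    header, payload = decode_jwt(token)
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("alg=none")
    exp = payload.get("exp")
    if exp is None:
        problems.append("no exp claim")
    elif exp <= now:
        problems.append(f"expired at {exp}")
    missing = set(required_roles) - token_roles(payload)
    if missing:
        problems.append("missing roles: " + ", ".join(sorted(missing)))
    return problems


def auth_headers(token: str, mode: str) -> dict:
    """The two shapes tried in the post: Bearer header vs Authorization cookie."""
    if mode == "bearer":
        return {"Authorization": f"Bearer {token}"}
    if mode == "cookie":
        return {"Cookie": f"Authorization={token}"}
    raise ValueError(f"unknown mode {mode!r}")


def make_test_token(claims: dict, secret: bytes = b"constructed-secret") -> str:
    """Constructed HS256 token for offline use; real MOSIP tokens differ."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


if __name__ == "__main__":
    # constructed token carrying the roles the post saw PMS return
    tok = make_test_token({"sub": "pms-admin", "exp": int(time.time()) + 600,
                           "realm_access": {"roles": ["PARTNER_ADMIN", "AUTH_PARTNER"]}})
    print("problems:", token_problems(tok, ["PARTNER_ADMIN"]))
    print("cookie form:", auth_headers(tok, "cookie"))
```

If `token_problems` returns an empty list and PMS still logs "Authorization token not present" for the Bearer form but accepts the cookie form, the difference is in how the auth filter reads the request, not in the token itself.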
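Added example for the certificate upload part of the post above (KER-PCM-006 after a successful root CA and sub-CA upload, and the self-signed ABIS certificate found in Keymanager). This is not code from the post or from MOSIP/PMS/Keymanager. It builds a constructed AUTH-domain chain (root CA, sub-CA, partner certificate), then walks the partner certificate back to a self-signed root through a local store standing in for the uploaded CA certificates. The chain walk is this example's own logic, written on the assumption that a partner certificate can only be accepted when every issuer up to a self-signed root is already present; it is not PMS's implementation. Requires the `cryptography` package.

```python
"""Added example, not MOSIP code: does a partner certificate chain back,
through already-uploaded CA certificates, to a self-signed root?
Assumption: that is the precondition behind KER-PCM-006 in the post.
All certificates here are constructed in-memory; EC keys only."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_cert(cn, key, issuer_cert=None, issuer_key=None, is_ca=False):
    """Issue a certificate for `cn`; with no issuer it is self-signed."""
    now = datetime.datetime.now(datetime.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    signer = key if issuer_key is None else issuer_key
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(signer, hashes.SHA256())


def signed_by(cert, candidate_issuer):
    """True if `cert`'s ECDSA signature verifies under the candidate's key."""
    try:
        candidate_issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def _cn(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def resolve_chain(partner_cert, ca_store):
    """Walk issuer links from the partner cert up to a self-signed root.

    Returns (chain_cns, error); error is None only when each issuer was found
    in ca_store (by subject name AND signature) up to a self-signed CA.
    """
    if partner_cert.issuer == partner_cert.subject:
        return [_cn(partner_cert)], "partner certificate is self-signed; nothing to chain to"
    chain, current = [partner_cert], partner_cert
    for _ in range(len(ca_store) + 1):
        issuers = [c for c in ca_store
                   if c.subject == current.issuer and signed_by(current, c)]
        if not issuers:
            return [_cn(c) for c in chain], \
                f"issuer {current.issuer.rfc4514_string()} not in CA store"
        issuer = issuers[0]
        chain.append(issuer)
        if issuer.issuer == issuer.subject:
            return [_cn(c) for c in chain], None  # reached the self-signed root
        current = issuer
    return [_cn(c) for c in chain], "chain too long or looping"


def demo():
    """Constructed AUTH chain plus the two failure shapes from the post."""
    root_key, sub_key, partner_key, lone_key = (
        ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    root = make_cert("AUTH Root CA (constructed)", root_key, is_ca=True)
    sub = make_cert("AUTH Sub CA (constructed)", sub_key, root, root_key, is_ca=True)
    partner = make_cert("mpart-res-oidc-auth", partner_key, sub, sub_key)
    # self-signed leaf, the same shape as the ABIS cert found in Keymanager
    lone = make_cert("mpartner-default-abis", lone_key)
    return {
        "full_chain": resolve_chain(partner, [root, sub]),
        "sub_ca_missing": resolve_chain(partner, [root]),
        "self_signed_partner": resolve_chain(lone, [root, sub]),
    }


if __name__ == "__main__":
    for name, (chain, err) in demo().items():
        print(f"{name}: chain={chain} error={err}")
```

Running `resolve_chain` over the actual partner PEM and the CA PEMs that were uploaded (loaded with `x509.load_pem_x509_certificate`) shows which link is absent: an unmatched issuer name means the sub-CA that signed the partner cert is not the one uploaded, while a self-signed partner cert has no link to resolve at all.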