I am trying to implement the Inji flow but using Ory as an authentication server. I’ve had some progress in the process, but I am stuck with this error right now:
"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). Claim 'jti' from 'client_assertion' must be set but is not."
I found this error in the mimoto logs.
I found this pull request [INJIWEB-1505]: Added jti field by kamlesh012 · Pull Request #681 · mosip/mimoto, which seems to be the change that I am missing. Is this change in a production-ready version? I am using a mimoto Docker image whose version is 0.15.0; does version 0.17.1 send the jti field that I am missing?
If updating Mimoto is the solution, is there a guide available for the update? Because I tried to use version 0.17.1, I got a new error when doing so. For example, one issue was that I was missing the credential_issuer_host, which was something I apparently didn’t need in the previous version.
Am I even looking at this issue in the right way? I’ll appreciate your help.
@TomasOGTIC So there are multiple things being asked here
jti is missing while generating token request. It’s not production ready yet. It will be part of 0.18.0 release. For now you can make change in code as you are on older version 0.15.0.
What to change in code can be referenced by the PR which you already found.
Why credential_issuer_host is needed with 0.17.1 release. Earlier mimoto was relying on well-known endpoint configured in inji-config.
We are working towards making app interoperable. For that we have introduced well-known discovery. To discover well-known, wallet just needs to know issuer host and then it constructs the well-known endpoint as credential_issuer_host/.well-known/openid-credential-issuer
Guidance on how to do in mimoto
Make code change as per PR
Build the docker image if we are deploying through docker-compose locally or docker on env GitHub - mosip/mimoto
If we are not using docker, then we can simply run the app as springboot app GitHub - mosip/mimoto
Let us know if you face any other issue or need any other support!!
Thanks & Regards
Swati Goel
Tech Lead - Inji Mobile
{"@timestamp":"2025-07-14T20:11:21.974Z","@version":"1","message":"Client Nonce not found / expired in the access token, generate new cNonce","logger_name":"io.mosip.certify.services.CertifyIssuanceServiceImpl","thread_name":"http-nio-8090-exec-10","level":"ERROR","level_value":40000,"appName":"certify","traceId":"68756467d1363e4371e4c12897572191","spanId":"d95d62570a4668ed"}
I am a little confused about how the c_nonce code works. I can see a method in the certify source code that generates the c_nonce, but it looks like that code is only executed after the program can’t find one. Please, I would like to receive some guidance on how to tackle this. Is my auth server the one responsible for generating this code?
@TomasOGTIC c_nonce used in credential download is generated by auth server and returned in token response.
As your auth server is Ory, can you please check that c_nonce is being added in token response? For Inji Mobile,
To get it to work with Inji, we need to add c_nonce inside access token. We are using this library to take care of authorization and get token response GitHub - FormidableLabs/react-native-app-auth: React native bridge for AppAuth - an SDK for communicating with OAuth2 providers
This library doesn’t make the c_nonce available in parallel with access token. We have identified this recently and moved to custom logic to get token response. But to work with old code, we need c_nonce inside access token
For Inji Web,
We can fix in mimoto and you can apply that patch locally.
Esignet reference for adding c_nonce in access token as well as at root level
Hi, I use this thread to ask about “c_nonce”. Is this an attr that the IdP (in my case, Keycloak) has to add in the access_token? Or should it be added by mimoto?
As per OpenID4VCI spec, c_nonce should be sent by IDP, not in access_token but an extra attribute. Once IDP provides this in token response, mimoto will parse and use it further.
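Added example, not part of the thread and not Mimoto, Certify or Ory code: a small diagnostic for the two failures discussed above. It lists which claims required for a private_key_jwt `client_assertion` (per OpenID Connect Core) are missing, and reports whether `c_nonce` sits at the root of the token response, inside the access token, or both. Assumptions: the claim inside the access token is named `c_nonce`, the function names are hypothetical, every sample value is constructed, and signatures are deliberately not verified.

```python
import base64
import json

# Claims OpenID Connect Core requires in a private_key_jwt client_assertion.
REQUIRED_ASSERTION_CLAIMS = ("iss", "sub", "aud", "exp", "jti")


def jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None  # opaque (non-JWT) token
    seg = parts[1]
    try:
        payload = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return payload if isinstance(payload, dict) else None


def missing_assertion_claims(client_assertion):
    """Return the required claims that are absent or empty in the assertion."""
    payload = jwt_payload(client_assertion) or {}
    return [c for c in REQUIRED_ASSERTION_CLAIMS if not payload.get(c)]


def c_nonce_locations(token_response):
    """Report where c_nonce appears: token response root and/or access token."""
    found = []
    if token_response.get("c_nonce"):
        found.append("root")
    payload = jwt_payload(token_response.get("access_token", "")) or {}
    if payload.get("c_nonce"):  # assumed claim name inside the access token
        found.append("access_token")
    return found


def make_jwt(claims):
    """Build an unsigned, constructed sample JWT for the demo below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.sig"

# Constructed samples (placeholder values, not captured from a real deployment).
OLD_ASSERTION = make_jwt({"iss": "wallet", "sub": "wallet", "aud": "https://idp.example/token", "exp": 1900000000})
SPEC_RESPONSE = {"access_token": make_jwt({"sub": "user"}), "c_nonce": "n-123", "c_nonce_expires_in": 40}
LEGACY_RESPONSE = {"access_token": make_jwt({"sub": "user", "c_nonce": "n-123"})}

if __name__ == "__main__":
    print("missing in client_assertion:", missing_assertion_claims(OLD_ASSERTION))
    print("c_nonce found in:", c_nonce_locations(SPEC_RESPONSE), c_nonce_locations(LEGACY_RESPONSE))
```

Run it against a token response captured from your own IdP to see which of the two placements it produces before changing Mimoto or the IdP configuration.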