Obtain User Signing Identities

Alias

SignIdentitiesList

Description

Provides a list of signing identities that meet certain conditions. If the access token presented by the application requesting the operation was obtained in a client credentials grant flow, the conditions are those specified in the parameters of the operation. If the access token was obtained in an authorization code grant flow, the conditions specified by the parameters still apply, and the additional condition that the user who authorized the query is the owner of every signing identity included in the list is imposed by the service.

So there are two ways to use this operation:

  • An application authorized by a user (authorization code grant) queries the signing identities the user owns, optionally specifying the labels.

  • An administratively authorized application (client credentials grant) queries a user's signing identities by specifying an identifier of the user or of the device that holds the keys.

Request

GET /trustedx-resources/esigp/v1/sign_identities

Parameters

labels
  Type: query
  Usage: Optional
  Description: Filter that restricts the query to the signing identities of the user that carry the specified labels. The value of the parameter is a comma-separated list of labels: label1,label2,...,labelN

device_id
  Type: query
  Usage: Required if the access token was obtained in a client credentials grant OAuth 2.0 flow and the user_id parameter was not used. Otherwise, optional.
  Description: Filter that restricts the query to the user signing identities whose associated keys are held in a particular mobile device.

user_id
  Type: query
  Usage: This parameter must not be used if the access token was obtained in an authorization code grant OAuth 2.0 flow. It is required if the access token was obtained in a client credentials grant OAuth 2.0 flow and the device_id parameter was not used. In any other case, it is optional.
  Description: Filter that restricts the query to the signing identities of the user identified by user_id.

domain
  Type: query
  Usage: This parameter must not be used if the access token was obtained in an authorization code grant OAuth 2.0 flow. It is required if the access token was obtained in a client credentials grant OAuth 2.0 flow, it was issued by an authorization server not associated with any domain, and the user_id parameter was used. In any other case, it is optional.
  Description: Filter that restricts the query to the signing identities of a particular identity domain.

Authorization

The request must contain a bearer access token issued by an authorization server trusted by the service from which the signing identities are requested and associated with the domain to which the identities belong. The token is presented as described in RFC 6750. It must carry the urn:safelayer:eidas:sign:identity:profile scope, the urn:safelayer:eidas:sign:identity:manage scope, or any registration scope of the schemas registered in the TRIDENT (e.g. urn:safelayer:eidas:sign:identity:register). In practice, the token is sent in the HTTP Authorization header as follows:

Authorization: Bearer <token>

The access token can be obtained via an authorization code grant or client credentials grant OAuth 2.0 flow.

Example

GET /trustedx-resources/esigp/v1/sign_identities?labels=commitment HTTP/1.1
Authorization: Bearer mF_9.B5f-4.1JqM

Response

Status-Line

If the signing identities are obtained successfully, the HTTP response will contain the following Status-Line (see HTTP Response Status for all the possible cases):

HTTP/1.1 200 OK

Content-Type Header

Content-Type: application/json;charset=UTF-8

Body

List of signing identities that meet the conditions specified in the request.

Example

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
 
{
  "sign_identities": [ {
    "id": "12345678",
    "self": "https://www.example.org/sign_identities/12345678",
    "description": "Personal signing identity",
    "labels": ["commitment"],
    "type": "pki:x509",
    "device_id": "urn:safelayer:mobileId:v1",
    "domain": "main",
    "access": [{"user_id": "john"}],
    "status": {"value": "enabled"}
  }, {
    "id": "12345679",
    "self": "https://www.example.org/sign_identities/12345679",
    "description": "Corporate signing identity",
    "labels": ["commitment"],
    "type": "pki:x509",
    "domain": "main",
    "access": [{"user_id": "john"}],
    "links": {
      "Signatures.create.server.raw": {
        "auth": {
          "oauth2": {"scopes": ["urn:safelayer:eidas:sign:identity:use:server"]}
        }
      }
    },
    "status": {"value": "enabled"}
  }]
}
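The parameter rules in the table above are easy to get wrong from a client (sending user_id with a user-authorized token, or omitting domain when the authorization server has no domain). The following added example, which is not Safelayer or TrustedX code, builds the request line and Authorization header for both grant types, rejects combinations the table forbids, and filters a response body like the one above by label and status. The sample response is constructed from the page's example plus a third, disabled identity; the as_has_domain flag is an assumption that the caller knows whether its authorization server is associated with a domain.

```python
# Added example (not Safelayer/TrustedX code): client-side helper for
# GET /trustedx-resources/esigp/v1/sign_identities that applies the
# parameter rules of the operation and filters the returned identities.
import json
from urllib.parse import urlencode

SIGN_IDENTITIES_PATH = "/trustedx-resources/esigp/v1/sign_identities"


def build_request(token, grant, labels=None, device_id=None, user_id=None,
                  domain=None, as_has_domain=True):
    """Return (request_line, headers) or raise ValueError when the parameter
    combination is not allowed for the grant used to obtain the token.
    grant is "authorization_code" or "client_credentials".
    as_has_domain (assumption: known by the caller) says whether the issuing
    authorization server is associated with an identity domain."""
    if grant == "authorization_code":
        # The service scopes the query to the authorizing user itself,
        # so user_id and domain must not be sent with this kind of token.
        if user_id is not None or domain is not None:
            raise ValueError("user_id/domain not allowed with an authorization code token")
    elif grant == "client_credentials":
        if user_id is None and device_id is None:
            raise ValueError("client credentials token: user_id or device_id is required")
        if user_id is not None and domain is None and not as_has_domain:
            raise ValueError("domain is required: user_id used and the AS has no domain")
    else:
        raise ValueError("unknown grant type: %r" % grant)

    params = {}
    if labels:
        params["labels"] = ",".join(labels)          # label1,label2,...,labelN
    for name, value in (("device_id", device_id), ("user_id", user_id),
                        ("domain", domain)):
        if value is not None:
            params[name] = value
    query = urlencode(params, safe=",")              # keep the comma unescaped
    target = SIGN_IDENTITIES_PATH + ("?" + query if query else "")
    # RFC 6750: bearer token in the Authorization header
    return "GET %s HTTP/1.1" % target, {"Authorization": "Bearer " + token}


def is_allowed(grant, **kwargs):
    """True if build_request accepts this parameter combination."""
    try:
        build_request("t", grant, **kwargs)
        return True
    except ValueError:
        return False


def parse_sign_identities(body, label=None, only_enabled=True):
    """Parse a response body and return the identities carrying `label`
    (when given); by default, identities whose status is not enabled
    are dropped so they are never offered to the user for signing."""
    data = json.loads(body)
    selected = []
    for ident in data.get("sign_identities", []):
        if only_enabled and ident.get("status", {}).get("value") != "enabled":
            continue
        if label is not None and label not in ident.get("labels", []):
            continue
        selected.append(ident)
    return selected


def required_scopes(identity, link_name):
    """OAuth 2.0 scopes the identity's `links` entry demands for an
    operation, or [] when the identity does not advertise that link."""
    link = identity.get("links", {}).get(link_name, {})
    return list(link.get("auth", {}).get("oauth2", {}).get("scopes", []))


# Constructed sample: the page's two identities plus a disabled third one.
SAMPLE_RESPONSE_BODY = json.dumps({"sign_identities": [
    {"id": "12345678", "self": "https://www.example.org/sign_identities/12345678",
     "description": "Personal signing identity", "labels": ["commitment"],
     "type": "pki:x509", "device_id": "urn:safelayer:mobileId:v1",
     "domain": "main", "access": [{"user_id": "john"}],
     "status": {"value": "enabled"}},
    {"id": "12345679", "self": "https://www.example.org/sign_identities/12345679",
     "description": "Corporate signing identity", "labels": ["commitment"],
     "type": "pki:x509", "domain": "main", "access": [{"user_id": "john"}],
     "links": {"Signatures.create.server.raw": {"auth": {"oauth2": {
         "scopes": ["urn:safelayer:eidas:sign:identity:use:server"]}}}},
     "status": {"value": "enabled"}},
    {"id": "12345680", "self": "https://www.example.org/sign_identities/12345680",
     "description": "Revoked identity (constructed)", "labels": ["commitment"],
     "type": "pki:x509", "domain": "main", "access": [{"user_id": "john"}],
     "status": {"value": "disabled"}},
]})


if __name__ == "__main__":
    print(build_request("mF_9.B5f-4.1JqM", "authorization_code", labels=["commitment"]))
    for ident in parse_sign_identities(SAMPLE_RESPONSE_BODY, label="commitment"):
        print(ident["id"], required_scopes(ident, "Signatures.create.server.raw"))
```

The status filter matters when the list feeds a signing UI: an identity that is present in the response but not enabled must not be selectable, and the scopes advertised under links tell the client which additional scope its token needs before calling the linked operation.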