Dears @ssvaidyanathan  and @AlexET ,

I appreciate your support.

I mean, I only use the Verify JWT to verify the JWT that is generated from the backend in the second call, and the Algorithm is RS256.

I only use the API key in the first call because the service used by the service provider allows users to use their services; in the second one (callback), the website will send a JWT, and I will only use it. To verify and extract the information, I can not use the API key because this is used by all users. I can not create Apikey for all users it is used by a huge number of users.

Yes, the callback exposed by Apigee and I will use JWT in the callback only once the user enters their info, then the backend will send the callback through Apigee that contains JWT only.

I hope my answer is clear. Looking for your kind support and response.

Thank you and regards 

@Amer-Hijazi not sure am following the entire picture. Can you probably draw a flow diagram and share that so that I can understand the flow between the various actors

Dear @ssvaidyanathan ,

Sorry for being late in responding, but I was preparing the diagram. As you can see below, the Apigee will be called in flow 1 and flow 3, and there will be a number or ID returned in the flow 1 response, and also will receive in the flow 3 request and I would like to charge the service providers if thire users use my service for SSO.

I hope it is clear; if not, please let me know

Thanks @Amer-Hijazi 

Getting a little bit more clarity now. The issue is connecting Flow 1 and Flow 3 as Flow 2 does not involve Apigee at all.

So - why dont we check these options:

1) Include Apigee in flow 2 as well? Meaning when the web page submits the form, make the call to Apigee, let Apigee forward it to NIC (will that be possible)?

2) Or if 1 is not possible, how about if you can share more info on what the JWT created contains? And in your last message you mentioned "depending on the *ID* return from the first call" - What id is this and who generates this id?

Am happy to jump on a call and discuss this with you as well. I am based in Pacific timezone

Hello @ssvaidyanathan ,

1- We can not include flow 2 inside Apigee because it requires the person's credentials, which the government service provider (NIC) does not allow.

2- JWT includes the user's national ID and their information, and it will be encrypted (JWE), and I will decrypt it inside Apigee.

And for the last part, we can not depend on the user ID because I will charge the service provider, use the API in flow 1 (Mean telecom company, etc), not charge the user itself. 

Also, in the first call, UUID will be returned in the response of flow 1, and the same UUID will be sent in the callback of the request in flow 3.

I am in the GMT+3 zone, and I will send a private message to discuss the call.

Best Regards

Dear @ssvaidyanathan ,

Thank you for being so supportive. I appreciate your time and effort.

Regards,