Provisioning the Trust Anchor (Auth)

Objective: To select an Auth Provider and delegate it as the “User Authority” for the application.

Prerequisites

A valid AppID (from Application Registration).

The Protocol Workflow

Service Selection: The developer chooses an OMI-compliant Auth Provider from the Service Registry.
Provisioning Request: The developer sends a signed payload directly to the Auth Service:

{
  "version": "1.0",
  "data": {
    "app_id": "org.omiappreg.alice_studio.business_app.7f8a9d",
    "admin_email": "alice@example.com",
    "billing_ref": "stripe_cust_123",
    "timestamp": 1705412400,
    "nonce": "k9b2m1p0",
  },
  "signature": "e7f8g9h0i1j2k3l4m5n6..."
}

The “Identity Pulse” Check:
- The Auth Service parses the AppID to find the registry (omiappreg.org).
- It queries omiappreg.org for the Master Public Key associated with alice_studio.
- It uses that key to verify the provisioning request signature.
Resource Generation: The Auth Service creates the database and generates a dedicated Service Key-Pair for signing user tokens (JWTs).
The Return (Handshake Part 1): The Auth Service returns its Public Service Key to the developer.
Authority Delegation (Handshake Part 2): The developer signs an “Auth Announcement” payload:

{
  "version": "1.0",
  "data": {
    "action": "DELEGATE_AUTHORITY",
    "app_id": "org.omiappreg.alice.business_app.7f8a9d",
    "auth_public_key": "AuthService_Key_XYZ...",
    "auth_provider_url": "https://auth.provider.com",
    "timestamp": 1705412500,
    "nonce": "x7v9n2q5",
  },
  "signature": "a1b2c3d4e5f6g7h8i9j0..."
}

Registry Update: This signed announcement is sent to the App Registry. The Registry stores Service_Key_XYZ as the official “User Validator” for this app.

Application Registration Provisioning Domain Services (The Swarm)