Get a PKI challenge for use on /login, with an associated challenge to the server to prove its identity

The server generates some random data, encrypts it using the public key of the user identity (with RSA/ECB/OAEPWithSHA-1AndMGF1Padding), base64-encodes the result and returns it. The client then has until the expiry time to call the /login endpoint and provide a valid SHA256 hash of the challenge data and, for RSA_ECB_OAEPWithSHA_1AndMGF1Padding, the SHA256 hash of the decrypted result, and for RSA_PKCS1_SHA_256_Signature, the signed result. The decryption/signing should be done using the corresponding private key, which only the tenant would have.

If clientChallenge is provided, the server base64-decodes it, decrypts it using the Eclipse private key and returns the SHA256 of the result in the field base64EncodedClientChallengeResponse, so that the client knows the server is legitimate.
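The exchange described above for the RSA_ECB_OAEPWithSHA_1AndMGF1Padding case, as an added example (not Eclipse's own code) using Node's built-in crypto module with throwaway keys and a simulated server. Assumptions not stated on this page: the client challenge uses the same OAEP padding, hashes are compared as raw bytes, and the function names and the `challenge` field name are hypothetical.

```javascript
const crypto = require('node:crypto');

// OAEP with SHA-1 and MGF1, the padding this page names for the server's challenge.
const OAEP_SHA1 = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha1' };
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();
const encryptB64 = (key, buf) => crypto.publicEncrypt({ key, ...OAEP_SHA1 }, buf).toString('base64');
const decryptB64 = (key, b64) => crypto.privateDecrypt({ key, ...OAEP_SHA1 }, Buffer.from(b64, 'base64'));

// Client: decrypt the server's challenge with the tenant private key, return SHA256 of the plaintext.
function answerChallenge(tenantPrivateKey, base64Challenge) {
  return sha256(decryptB64(tenantPrivateKey, base64Challenge));
}

// Client: wrap a fresh nonce for the server (assumed: same OAEP padding) and keep the expected hash.
function makeClientChallenge(serverPublicKey) {
  const nonce = crypto.randomBytes(32);
  return { clientChallenge: encryptB64(serverPublicKey, nonce), expected: sha256(nonce) };
}

// Client: constant-time check of base64EncodedClientChallengeResponse.
function serverIsLegitimate(expected, base64Response) {
  const got = Buffer.from(base64Response || '', 'base64');
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Constructed stand-in for the server so the exchange runs offline.
function simulateServer(serverPrivateKey, tenantPublicKey, clientChallenge) {
  const secret = crypto.randomBytes(32);
  return {
    challenge: encryptB64(tenantPublicKey, secret), // field name assumed
    base64EncodedClientChallengeResponse:
      sha256(decryptB64(serverPrivateKey, clientChallenge)).toString('base64'),
    expectedLoginHash: sha256(secret), // stays on the server in a real deployment
  };
}

// Run both directions with throwaway 2048-bit keys.
function demo() {
  const newKeys = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const tenant = newKeys(), server = newKeys();
  const { clientChallenge, expected } = makeClientChallenge(server.publicKey);
  const reply = simulateServer(server.privateKey, tenant.publicKey, clientChallenge);
  const answer = answerChallenge(tenant.privateKey, reply.challenge);
  return {
    serverProved: serverIsLegitimate(expected, reply.base64EncodedClientChallengeResponse),
    clientProved: crypto.timingSafeEqual(answer, reply.expectedLoginHash),
  };
}
console.log(demo());
```

A client that sends clientChallenge should refuse to continue to /login when `serverIsLegitimate` returns false, since only the holder of the server private key can produce the matching hash.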
