esignet-default.properties

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at https://mozilla.org/MPL/2.0/.

# Follow properites have their values assigned via 'overrides' environment variables of config server docker.
# DO NOT define these in any of the property files.  They must be passed as env variables.  Refer to config-server
# helm chart:
# db.dbuser.password
# keycloak.external.url
# keycloak.internal.host
# keycloak.internal.url
# keycloak.admin.password
# mosip.auth.client.secret   (convention: <realm>.<keycloak client name>.secret)
# mosip.ida.client.secret
# mosip.admin.client.secret
# mosip.reg.client.secret
# mosip.prereg.client.secret
# softhsm.kernel.pin
# softhsm-security-pin
# email.smtp.host
# email.smtp.username
# email.smtp.secret
# mosip.kernel.tokenid.uin.salt
# mosip.kernel.tokenid.partnercode.salt
# mosip.api.internal.url
# mosip.api.public.url


## ------------------------------------------------- e-Signet ----------------------------------------------------------
mosip.esignet.misp.license.key=${mosip.esignet.misp.key}
mosip.esignet.amr-acr-mapping-file-url=${spring_config_url_env}/*/${active_profile_env}/${spring_config_label_env}/amr-acr-mapping.json
mosip.esignet.auth-txn-id-length=10
mosip.esignet.supported-id-regex=\\S*
# Generated ID and access tokens 'exp' depends on the below properties, default value is 1-hour
mosip.esignet.id-token-expire-seconds=3600
mosip.esignet.access-token-expire-seconds=3600
# By default, only 2 link codes can be active, and the time period it can be active is defined here, default value is 1 minute
mosip.esignet.link-code-expire-in-secs=60
# Number of link code allowed to be generated in a transaction, the default value is 10
mosip.esignet.generate-link-code.limit-per-transaction=10
# Time to complete consent after successful authentication, the default value is 120
mosip.esignet.authentication-expire-in-secs=120

# Auth challenge type & format mapping. Auth challenge length validations for each auth factor type.
mosip.esignet.auth-challenge.OTP.format=alpha-numeric
mosip.esignet.auth-challenge.OTP.min-length=6
mosip.esignet.auth-challenge.OTP.max-length=6

mosip.esignet.auth-challenge.PWD.format=alpha-numeric
mosip.esignet.auth-challenge.PWD.min-length=8
mosip.esignet.auth-challenge.PWD.max-length=30

mosip.esignet.auth-challenge.BIO.format=encoded-json
mosip.esignet.auth-challenge.BIO.min-length=5000
mosip.esignet.auth-challenge.BIO.max-length=300000

mosip.esignet.auth-challenge.WLA.format=jwt
mosip.esignet.auth-challenge.WLA.min-length=100
mosip.esignet.auth-challenge.WLA.max-length=1500

mosip.esignet.auth-challenge.KBA.format=base64url-encoded-json
mosip.esignet.auth-challenge.KBA.min-length=50
mosip.esignet.auth-challenge.KBA.max-length=500

mosip.esignet.auth-challenge.PIN.format=number
mosip.esignet.auth-challenge.PIN.min-length=4
mosip.esignet.auth-challenge.PIN.max-length=4


# Endpoints required to have oauth-details-hash and oauth-details-key HTTP header
mosip.esignet.header-filter.paths-to-validate={'${server.servlet.path}/authorization/send-otp', \
  '${server.servlet.path}/authorization/authenticate', \
  '${server.servlet.path}/authorization/v2/authenticate', \
  '${server.servlet.path}/authorization/v3/authenticate', \
  '${server.servlet.path}/authorization/auth-code'}

# List of auth factors which require captcha validation.
mosip.esignet.captcha.required.auth-factors={'PWD'}
mosip.esignet.send-otp.captcha-required=true
# The above two properties have been removed starting with 1.4.1, in favor of the following property.
mosip.esignet.captcha.required=send-otp,pwd

#Properties used to ratelimit the incoming requests
mosip.esignet.send-otp.attempts=3
mosip.esignet.authenticate.attempts=3

## ------------------------------------------ e-Signet binding ---------------------------------------------------------

mosip.esignet.binding.salt-length=16
mosip.esignet.binding.audience-id=esignet-binding
mosip.esignet.binding.key-expire-days=10
mosip.esignet.binding.encrypt-binding-id=false

## -------------------------------------- Authentication & Authorization -----------------------------------------------

mosip.esignet.security.auth.post-urls={'${server.servlet.path}/client-mgmt/**' : {'SCOPE_add_oidc_client','SCOPE_esignet_admin_access'}, \
  '${server.servlet.path}/system-info/**' : {'SCOPE_upload_certificate','SCOPE_esignet_admin_access'},\
  '${server.servlet.path}/binding/wallet-binding' : {'SCOPE_wallet_binding'}, \
  '${server.servlet.path}/binding/binding-otp' : {'SCOPE_send_binding_otp'}}
mosip.esignet.security.auth.put-urls={'${server.servlet.path}/client-mgmt/**' : {'SCOPE_update_oidc_client','SCOPE_esignet_admin_access'} }
mosip.esignet.security.auth.get-urls={'${server.servlet.path}/system-info/**' : {'SCOPE_get_certificate','SCOPE_esignet_admin_access'} }

mosip.esignet.security.ignore-csrf-urls=${server.servlet.path}/oidc/**,\
  ${server.servlet.path}/oauth/**,\
  ${server.servlet.path}/actuator/**,/favicon.ico,${server.servlet.path}/error,\
  ${server.servlet.path}/swagger-ui.html,${server.servlet.path}/swagger-ui/**,${server.servlet.path}/v3/api-docs/**,\
  ${server.servlet.path}/linked-authorization/link-transaction,\
  ${server.servlet.path}/linked-authorization/authenticate,\
  ${server.servlet.path}/linked-authorization/consent,\
  ${server.servlet.path}/linked-authorization/v2/link-transaction,\
  ${server.servlet.path}/linked-authorization/v2/authenticate,\
  ${server.servlet.path}/linked-authorization/v2/consent,\
  ${server.servlet.path}/binding/**,\
  ${server.servlet.path}/client-mgmt/**,\
  ${server.servlet.path}/vci/**,\
  ${server.servlet.path}/system-info/**

mosip.esignet.security.ignore-auth-urls=${server.servlet.path}/oidc/**,\
  ${server.servlet.path}/oauth/**,\
  ${server.servlet.path}/actuator/**,/favicon.ico,${server.servlet.path}/error,\
  ${server.servlet.path}/swagger-ui.html,${server.servlet.path}/swagger-ui/**,${server.servlet.path}/v3/api-docs/**,\
  ${server.servlet.path}/csrf/**,\
  ${server.servlet.path}/authorization/**,\
  ${server.servlet.path}/linked-authorization/**,\
  ${server.servlet.path}/binding/**,\
  ${server.servlet.path}/vci/**

spring.security.oauth2.resourceserver.jwt.issuer-uri=${keycloak.external.url}/realms/master
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=${keycloak.external.url}/realms/master/protocol/openid-connect/certs

##------------------------------------------ Kafka configurations ------------------------------------------------------
spring.kafka.bootstrap-servers=kafka.${kafka.profile}:${kafka.port}
spring.kafka.consumer.group-id=esignet-consumer
spring.kafka.consumer.enable-auto-commit=true
#spring.kafka.listener.concurrency=1

mosip.esignet.kafka.linked-session.topic=esignet-linked
mosip.esignet.kafka.linked-auth-code.topic=esignet-consented

## ------------------------------------------- Integrations ------------------------------------------------------------

mosip.esignet.integration.scan-base-package=io.mosip.esignet.mock.integration,io.mosip.authentication.esignet.integration
mosip.esignet.integration.binding-validator=BindingValidatorServiceImpl
mosip.esignet.integration.authenticator=MockAuthenticationService
mosip.esignet.integration.key-binder=MockKeyBindingWrapperService
mosip.esignet.integration.audit-plugin=LoggerAuditService
mosip.esignet.integration.captcha-validator=GoogleRecaptchaValidatorService
mosip.esignet.integration.vci-plugin=MockVCIssuancePlugin

# captcha validator
mosip.esignet.captcha-validator.url=https://www.google.com/recaptcha/api/siteverify
mosip.esignet.captcha-validator.secret=${esignet.captcha.secret.key}
mosip.esignet.captcha-validator.site-key=${esignet.captcha.site.key}

# IDA integration props
mosip.esignet.authenticator.ida-auth-id=mosip.identity.kycauth
mosip.esignet.authenticator.ida-exchange-id=mosip.identity.kycexchange
mosip.esignet.authenticator.ida-send-otp-id=mosip.identity.otp
mosip.esignet.authenticator.ida-version=1.0
mosip.esignet.authenticator.ida-domainUri=https://${mosip.esignet.host}
mosip.esignet.authenticator.ida.cert-url=${mosip.file.server.url}/mosip-certs/ida-partner.cer
mosip.esignet.authenticator.ida.kyc-auth-url=${mosip.ida.auth.url}/idauthentication/v1/kyc-auth/delegated/${mosip.esignet.misp.license.key}/
mosip.esignet.authenticator.ida.kyc-exchange-url=${mosip.ida.auth.url}/idauthentication/v1/kyc-exchange/delegated/${mosip.esignet.misp.license.key}/
mosip.esignet.authenticator.ida.send-otp-url=${mosip.ida.otp.url}/idauthentication/v1/otp/${mosip.esignet.misp.license.key}/
mosip.esignet.binder.ida.key-binding-url=${mosip.ida.auth.url}/idauthentication/v1/identity-key-binding/delegated/${mosip.esignet.misp.license.key}/
mosip.esignet.authenticator.ida.get-certificates-url=${mosip.ida.internal.url}/idauthentication/v1/internal/getAllCertificates
mosip.esignet.authenticator.ida.auth-token-url=${mosip.kernel.authmanager.url}/v1/authmanager/authenticate/clientidsecretkey
mosip.esignet.authenticator.ida.audit-manager-url=${mosip.kernel.auditmanager.url}/v1/auditmanager/audits
mosip.esignet.authenticator.ida.client-id=mosip-ida-client
mosip.esignet.authenticator.ida.secret-key=${mosip.ida.client.secret}
mosip.esignet.authenticator.ida.app-id=ida
mosip.esignet.authenticator.ida-env=Developer
mosip.esignet.authenticator.ida.otp-channels=email,phone

mosip.esignet.ida.vci-user-info-cache=userinfo
mosip.esignet.ida.vci-exchange-id=mosip.identity.vciexchange
mosip.esignet.ida.vci-exchange-version=1.0
mosip.esignet.ida.vci-exchange-url=${mosip.ida.auth.url}/idauthentication/v1/vci-exchange/delegated/${mosip.esignet.misp.license.key}/

# Mock IDA integration props
mosip.mock.id.base-url=${mosip.api.public.url}
mosip.esignet.mock.authenticator.get-identity-url=${mosip.mock.id.base-url}/v1/mock-identity-system/identity
mosip.esignet.mock.authenticator.kyc-auth-url=${mosip.mock.id.base-url}/v1/mock-identity-system/kyc-auth
mosip.esignet.mock.authenticator.kyc-exchange-url=${mosip.mock.id.base-url}/v1/mock-identity-system/kyc-exchange
mosip.esignet.mock.authenticator.ida.otp-channels=${mosip.esignet.authenticator.ida.otp-channels}
mosip.esignet.mock.authenticator.send-otp=${mosip.mock.id.base-url}/v1/mock-identity-system/send-otp
mosip.esignet.mock.supported.bind-auth-factor-types={'WLA'}
mosip.esignet.mock.vciplugin.verification-method=${mosip.esignet.vci.authn.jwk-set-uri}
mosip.esignet.mock.vciplugin.vc-credential-contexts={'https://www.w3.org/2018/credentials/v1',\
  'https://schema.org/',\
  'https://api.collab.mosip.net/.well-known/mosip-context.json'}

## ------------------------------------------ oauth & openid supported values ------------------------------------------

## supported scopes
mosip.esignet.supported.authorize.scopes={'Manage-Identity-Data','Manage-VID','Manage-Authentication','Manage-Service-Requests','Manage-Credentials'}
mosip.esignet.supported.openid.scopes={'profile','email','phone'}
mosip.esignet.openid.scope.claims={'profile' : {'name','address','gender','birthdate','picture','email','phone_number'},'email' : {'email'}, 'phone' : {'phone_number'}}
mosip.esignet.supported.credential.scopes={'mock_identity_vc_ldp',\
  'mosip_identity_vc_ldp',\
  'sunbird_rc_insurance_vc_ldp',\
  'openg2p_beneficiary_1_vc_ldp',\
  'openg2p_beneficiary_2_vc_ldp',\
  'openg2p_registry_vc_ldp'}
# TODO: Understand and modify the following OpenG2P resource mapping.
mosip.esignet.credential.scope-resource-mapping={'mock_identity_vc_ldp' : '${mosip.esignet.api.base-url}/vci/credential',\
  'mosip_identity_vc_ldp': '${mosip.esignet.api.base-url}/vci/credential',\
  'sunbird_rc_insurance_vc_ldp': '${mosip.esignet.api.base-url}/vci/credential',\
  'openg2p_beneficiary_1_vc_ldp' : '${mosip.esignet.domain.url}/vci/credential',\
  'openg2p_beneficiary_2_vc_ldp' : '${mosip.esignet.domain.url}/vci/credential',\
  'openg2p_registry_vc_ldp' : '${mosip.esignet.domain.url}/vci/credential'}

## supported authorization processing flow to be used, Currently only supports Authorization Code Flow.
mosip.esignet.supported.response.types={'code'}

## Form of Authorization Grant presented to token endpoint
mosip.esignet.supported.grant.types={'authorization_code'}

## specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User
# page-The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode.
# popup-The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over.
# touch-The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface.
# wap-The Authorization Server SHOULD display the authentication and consent UI consistent with a "feature phone" type display.
mosip.esignet.supported.ui.displays={'page','popup','touch','wap'}

## specifies whether the Authorization Server prompts the End-User for reauthentication and consent
# none-The Authorization Server MUST NOT display any authentication or consent user interface pages.
# An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent
# for the requested Claims or does not fulfill other conditions for processing the request.
# The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6.
# This can be used as a method to check for existing authentication and/or consent.
# login-The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the End-User, \
#  it MUST return an error, typically login_required.
# consent-The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client.
# If it cannot obtain consent, it MUST return an error, typically consent_required.
# select_account-The Authorization Server SHOULD prompt the End-User to select a user account. This enables an End-User
# who has multiple accounts at the Authorization Server to select amongst the multiple accounts that they might have current
# sessions for. If it cannot obtain an account selection choice made by the End-User, it MUST return an error,
# typically account_selection_required.
mosip.esignet.supported.ui.prompts={'none','login','consent','select_account'}

## Type of the client assertion
mosip.esignet.supported.client.assertion.types={'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'}

## Type of the client authentication methods for token endpoint
mosip.esignet.supported.client.auth.methods={'private_key_jwt'}

## Only S256 method supported
mosip.esignet.supported-pkce-methods={'S256'}

## ---------------------------------------- Cache configuration --------------------------------------------------------

mosip.esignet.cache.secure.individual-id=true
mosip.esignet.cache.store.individual-id=true
mosip.esignet.cache.security.secretkey.reference-id=TRANSACTION_CACHE
mosip.esignet.cache.security.algorithm-name=AES/ECB/PKCS5Padding

mosip.esignet.cache.names=clientdetails,preauth,authenticated,authcodegenerated,userinfo,linkcodegenerated,linked,linkedcode,linkedauth,consented,authtokens,bindingtransaction,vcissuance,apiRateLimit,blocked

spring.cache.type=redis
spring.cache.cache-names=${mosip.esignet.cache.names}
spring.redis.host=redis-master.redis
spring.redis.port=6379
spring.redis.password=${redis.password}
management.health.redis.enabled=true

# 'simple' cache type is only applicable only for Non-Production setup
# spring.cache.type=simple
mosip.esignet.cache.key.hash.algorithm=SHA3-256

# Cache size setup is applicable only for 'simple' cache type.
# Cache size configuration will not be considered with 'Redis' cache type
mosip.esignet.cache.size={'clientdetails' : 200, \
  'preauth': 300, \
  'authenticated': 200, \
  'authcodegenerated': 60, \
  'userinfo': 200, \
  'linkcodegenerated' : 500, \
  'linked': 120 , \
  'linkedcode': 200, \
  'linkedauth' : 200 , \
  'consented' :60, \
  'authtokens': 2, \
  'bindingtransaction': 200, \
  'vcissuance' : 200, \
  'apiRateLimit' : 500, \
  'blocked': 500 }

# Cache expire in seconds is applicable for both 'simple' and 'Redis' cache type
mosip.esignet.cache.expire-in-seconds={'clientdetails' : 86400, \
  'preauth': 300,\
  'authenticated': ${mosip.esignet.authentication-expire-in-secs}, \
  'authcodegenerated': 60, \
  'userinfo': ${mosip.esignet.access-token-expire-seconds}, \
  'linkcodegenerated' : ${mosip.esignet.link-code-expire-in-secs}, \
  'linked': 120, \
  'linkedcode': ${mosip.esignet.link-code-expire-in-secs}, \
  'linkedauth' : ${mosip.esignet.authentication-expire-in-secs}, \
  'consented': 600, \
  'authtokens': 18000, \
  'bindingtransaction': 600, \
  'vcissuance': ${mosip.esignet.access-token-expire-seconds}, \
  'apiRateLimit' : 300, \
  'blocked': 300  }

## ------------------------------------------ Discovery openid-configuration -------------------------------------------

mosip.esignet.domain.url=https://${mosip.esignet.host}
mosip.esignet.discovery.issuer-id=${mosip.esignet.domain.url}
mosip.esignet.api.base-url=${mosip.esignet.domain.url}${server.servlet.path}

# This property holds ./wellknown/jwks.json URL,
# for local deployments without esignet-ui nginx change the value to ${mosip.esignet.api.base-url}/oauth/.well-known/jwks.json
mosip.esignet.jwks-uri=${mosip.esignet.domain.url}/.well-known/jwks.json

mosip.esignet.token.endpoint=${mosip.esignet.api.base-url}/oauth/v2/token

mosip.esignet.oauth.key-values={'issuer': '${mosip.esignet.domain.url}' ,\
  \ 'authorization_endpoint': '${mosip.esignet.domain.url}/authorize' , \
  \ 'token_endpoint': '${mosip.esignet.token.endpoint}' , \
  \ 'jwks_uri' : '${mosip.esignet.jwks-uri}' , \
  \ 'token_endpoint_auth_methods_supported' : ${mosip.esignet.supported.client.auth.methods}, \
  \ 'token_endpoint_auth_signing_alg_values_supported' : {'RS256'},\
  \ 'scopes_supported' : ${mosip.esignet.supported.openid.scopes}, \
  \ 'response_modes_supported' : { 'query' }, \
  \ 'grant_types_supported' : ${mosip.esignet.supported.grant.types},\
  \ 'response_types_supported' : ${mosip.esignet.supported.response.types}}

mosip.esignet.discovery.key-values={'issuer': '${mosip.esignet.domain.url}' ,\
  \ 'authorization_endpoint': '${mosip.esignet.domain.url}/authorize' , \
  \ 'token_endpoint': '${mosip.esignet.token.endpoint}' ,\
  \ 'userinfo_endpoint' : '${mosip.esignet.api.base-url}/oidc/userinfo' ,\
  \ 'jwks_uri' : '${mosip.esignet.jwks-uri}' , \
  \ 'scopes_supported' : ${mosip.esignet.supported.openid.scopes}, \
  \ 'response_types_supported' : ${mosip.esignet.supported.response.types}, \
  \ 'response_modes_supported' : { 'query' }, \
  \ 'token_endpoint_auth_methods_supported' : ${mosip.esignet.supported.client.auth.methods}, \
  \ 'token_endpoint_auth_signing_alg_values_supported' : {'RS256'}, \
  \ 'userinfo_signing_alg_values_supported' : {'RS256'}, \
  \ 'userinfo_encryption_alg_values_supported' : {'RSAXXXXX'},\
  \ 'userinfo_encryption_enc_values_supported' : {'A128GCM'}, \
  \ 'id_token_signing_alg_values_supported' : {'RS256'}, \
  \ 'claim_types_supported': {'normal'}, \
  \ 'claims_parameter_supported' : true, \
  \ 'display_values_supported' : ${mosip.esignet.supported.ui.displays}, \
  \ 'subject_types_supported' : { 'pairwise' }, \
  \ 'claims_supported' : {'name','address','gender','birthdate','picture','email','phone_number','individual_id'}, \
  \ 'acr_values_supported' : {'mosip:idp:acr:static-code', 'mosip:idp:acr:generated-code', 'mosip:idp:acr:linked-wallet', 'mosip:idp:acr:biometrics', 'mosip:idp:acr:knowledge'},\
  \ 'request_parameter_supported' : false, \
  \ 'claims_locales_supported' : {'en'}, \
  \ 'ui_locales_supported' : {'en'} }

##----------------------------------------- Database properties --------------------------------------------------------

mosip.esignet.database.hostname=postgres-postgresql.postgres
mosip.esignet.database.port=5432
spring.datasource.url=jdbc:postgresql://${mosip.esignet.database.hostname}:${mosip.esignet.database.port}/mosip_esignet?currentSchema=esignet
spring.datasource.username=esignetuser
spring.datasource.password=${db.dbuser.password}

spring.jpa.database-platform=org.hibernate.dialect.PostgreSQL95Dialect
spring.jpa.show-sql=false
spring.jpa.hibernate.ddl-auto=none
spring.jpa.properties.hibernate.jdbc.lob.non_contextual_creation=true

#------------------------------------ Key-manager specific properties --------------------------------------------------
#Crypto asymmetric algorithm name
mosip.kernel.crypto.asymmetric-algorithm-name=RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING
#Crypto symmetric algorithm name
mosip.kernel.crypto.symmetric-algorithm-name=AES/GCM/PKCS5Padding
#Keygenerator asymmetric algorithm name
mosip.kernel.keygenerator.asymmetric-algorithm-name=RSA
#Keygenerator symmetric algorithm name
mosip.kernel.keygenerator.symmetric-algorithm-name=AES
#Asymmetric algorithm key length
mosip.kernel.keygenerator.asymmetric-key-length=2048
#Symmetric algorithm key length
mosip.kernel.keygenerator.symmetric-key-length=256
#Encrypted data and encrypted symmetric key separator
mosip.kernel.data-key-splitter=#KEY_SPLITTER#
#GCM tag length
mosip.kernel.crypto.gcm-tag-length=128
#Hash algo name
mosip.kernel.crypto.hash-algorithm-name=PBKDF2WithHmacSHA512
#Symmtric key length used in hash
mosip.kernel.crypto.hash-symmetric-key-length=256
#No of iterations in hash
mosip.kernel.crypto.hash-iteration=100000
#Sign algo name
mosip.kernel.crypto.sign-algorithm-name=RS256
#Certificate Sign algo name
mosip.kernel.certificate.sign.algorithm=SHA256withRSA

#mosip.kernel.keymanager.hsm.config-path=local.p12
#mosip.kernel.keymanager.hsm.keystore-type=PKCS12
#mosip.kernel.keymanager.hsm.keystore-pass=${softhsm.idp.pin}

#Type of keystore, Supported Types: PKCS11, PKCS12, Offline, JCE
mosip.kernel.keymanager.hsm.keystore-type=PKCS11
# For PKCS11 provide Path of config file.
# For PKCS12 keystore type provide the p12/pfx file path. P12 file will be created internally so provide only file path & file name.
# For Offline & JCE property can be left blank, specified value will be ignored.
mosip.kernel.keymanager.hsm.config-path=/config/softhsm-application.conf
# Passkey of keystore for PKCS11, PKCS12
# For Offline & JCE proer can be left blank. JCE password use other JCE specific properties.
mosip.kernel.keymanager.hsm.keystore-pass=${softhsm.esignet.security.pin}


mosip.kernel.keymanager.certificate.default.common-name=www.openg2p.org
mosip.kernel.keymanager.certificate.default.organizational-unit=OPENG2P
mosip.kernel.keymanager.certificate.default.organization=IITB
mosip.kernel.keymanager.certificate.default.location=BANGALORE
mosip.kernel.keymanager.certificate.default.state=KA
mosip.kernel.keymanager.certificate.default.country=IN

mosip.kernel.keymanager.softhsm.certificate.common-name=www.openg2p.org
mosip.kernel.keymanager.softhsm.certificate.organizational-unit=OPENG2P
mosip.kernel.keymanager.softhsm.certificate.organization=IITB
mosip.kernel.keymanager.softhsm.certificate.country=IN

# Application Id for PMS master key.
mosip.kernel.partner.sign.masterkey.application.id=PMS
mosip.kernel.partner.allowed.domains=DEVICE

mosip.kernel.keymanager-service-validate-url=https://${mosip.hostname}/keymanager/validate
mosip.kernel.keymanager.jwtsign.validate.json=false
mosip.keymanager.dao.enabled=false
crypto.PrependThumbprint.enable=true

mosip.kernel.keymgr.hsm.health.check.enabled=true
mosip.kernel.keymgr.hsm.health.key.app-id=OIDC_SERVICE
mosip.kernel.keymgr.hsm.healthkey.ref-id=TRANSACTION_CACHE
mosip.kernel.keymgr.hsm.health.check.encrypt=true

## -------------------------------------------- IDP-UI config ----------------------------------------------------------
# NOTE:
# 1. linked-transaction-expire-in-secs value should be a sum of 'mosip.esignet.authentication-expire-in-secs' and 'linked' cache expire in seconds under mosip.esignet.cache.expire-in-seconds property
# 2. A new Qrcode will be autogenerated before the expiry of current qr-code, and the time difference in seconds for the same is defined in wallet.qr-code-buffer-in-secs property
# 3. If esignet is deployed with MOSIP IDA, then 'resend.otp.delay.secs' must be the same as 'mosip.kernel.otp.expiry-time'

mosip.esignet.ui.wallet.config={{'wallet.name': 'walletName', 'wallet.logo-url': '/images/qr_code.png', 'wallet.download-uri': '#', \
 'wallet.deep-link-uri': 'inji://landing-page-name?linkCode=LINK_CODE&linkExpireDateTime=LINK_EXPIRE_DT' }}

mosip.esignet.ui.signup.config={'signup.banner': true, 'signup.url': 'https://${mosip.signup.host}/signup'}

mosip.esignet.ui.forgot-password.config={'forgot-password': true, 'forgot-password.url': 'https://${mosip.signup.host}/reset-password'}

## Configuration required to display KBI form.
# individual-id-field is set with field id which should be considered as an individual ID in the authenticate request.
# form-details holds the list of field details like below:
# id -> unique field Id, type -> holds datatype, format -> only supported for date fields, regex -> pattern to validate the input value, maxLength -> number of allowed characters
# Example: mosip.esignet.authenticator.default.auth-factor.kba.field-details={{'id': '${mosip.esignet.authenticator.default.auth-factor.kba.individual-id-field}', 'type':'text', 'format':'', 'maxLength': 50, 'regex': '^\\s*[+-]?(\\d+|\\d*\\.\\d+|\\d+\\.\\d*)([Ee][+-]?\\d*)?\\s*$'},{'id':'fullName', 'type':'text', 'format':'', 'maxLength': 50, 'regex': '^[A-Za-z\\s]{1,}[\\.]{0,1}[A-Za-z\\s]{0,}$'},{'id':'dob', 'type':'date', 'format':'dd/mm/yyyy'}}
mosip.esignet.authenticator.default.auth-factor.kba.individual-id-field=
mosip.esignet.authenticator.default.auth-factor.kba.field-details={}

## Configuration Map input to UI at the start of every transaction.
mosip.esignet.ui.config.key-values={'sbi.env': 'Developer', 'sbi.timeout.DISC': 30, \
  'sbi.timeout.DINFO': 30, 'sbi.timeout.CAPTURE': 30, 'sbi.capture.count.face': 1, 'sbi.capture.count.finger': 1, \
  'sbi.capture.count.iris': 1, 'sbi.capture.score.face': 70, 'sbi.capture.score.finger':70, 'sbi.capture.score.iris':70, \
  'resend.otp.delay.secs': ${mosip.kernel.otp.expiry-time}, 'send.otp.channels' : '${mosip.esignet.authenticator.ida.otp-channels}', \
  'captcha.sitekey' : '${mosip.esignet.captcha-validator.site-key}', 'captcha.enable' : '${mosip.esignet.captcha.required}', \
  'auth.txnid.length' : '${mosip.esignet.auth-txn-id-length}', 'consent.screen.timeout-in-secs':${mosip.esignet.authentication-expire-in-secs}, \
  'consent.screen.timeout-buffer-in-secs': 5, 'linked-transaction-expire-in-secs': 240, 'sbi.port.range': '4501-4600', \
  'sbi.bio.subtypes.iris': 'UNKNOWN', 'sbi.bio.subtypes.finger': 'UNKNOWN', 'wallet.qr-code-buffer-in-secs': 10, 'otp.length': ${mosip.esignet.auth-challenge.OTP.max-length}, \
  'password.regex': '^.{8,20}$', \
  'password.max-length': ${mosip.esignet.auth-challenge.PWD.max-length}, \
  'username.regex': '^[0-9]{10,30}$',\
  'username.prefix': '', \
  'username.postfix': '', \
  'username.max-length': 16, \
  'username.input-type': 'number', 'wallet.config': ${mosip.esignet.ui.wallet.config}, \'signup.config': ${mosip.esignet.ui.signup.config}, \
  'forgot-password.config': ${mosip.esignet.ui.forgot-password.config}, \
  'error.banner.close-timer': 10,\
  'auth.factor.kba.individual-id-field' : '${mosip.esignet.authenticator.default.auth-factor.kba.individual-id-field}',\
  'auth.factor.kba.field-details': ${mosip.esignet.authenticator.default.auth-factor.kba.field-details} }

##  ---------------------------------------------- VCI ------------------------------------------------------------------
# Used to verify audience in the PoP JWT
mosip.esignet.vci.identifier=${mosip.esignet.domain.url}
mosip.esignet.vci.authn.filter-urls={ '${server.servlet.path}/vci/credential' }
# Change this if the VCI is used with different OAUTH2.0 server
mosip.esignet.vci.authn.issuer-uri=${mosip.esignet.domain.url}
mosip.esignet.vci.authn.jwk-set-uri=${mosip.esignet.jwks-uri}

mosip.esignet.vci.authn.allowed-audiences={ '${mosip.esignet.api.base-url}/vci/credential' }

mosip.esignet.cnonce-expire-seconds=40
mosip.esignet.vci.supported.jwt-proof-alg={'RS256','PS256'}
mosip.esignet.vci.key-values={\
      'v11': {\
          'credential_issuer': '${mosip.esignet.vci.identifier}',\
          'credential_endpoint': '${mosip.esignet.api.base-url}/vci/credential',\
          'credentials_supported': {\
              {\
                  'format': 'ldp_vc',\
                  'id': 'MOSIPVerifiableCredential',\
                  'scope' : 'mock_identity_vc_ldp',\
                  'cryptographic_binding_methods_supported': {'did:jwk'},\
                  'cryptographic_suites_supported': {'RsaSignature2018'},\
                  'proof_types_supported': {'jwt'},\
                  'credential_definition': {\
                      'type': {'VerifiableCredential','MOSIPVerifiableCredential'},\
                      'credentialSubject': {\
                          'name': { 'display': {{'name': 'Given Name', 'locale': 'en' }}}, \
                          'fullName': { 'display': {{'name': 'Full Name', 'locale': 'en' }}},\
                          'dateOfBirth': { 'display': {{'name': 'DOB', 'locale': 'en' }}},\
                          'age': { 'display': {{ 'name': 'Age', 'locale': 'en'}}},\
                          'gender': { 'display': {{'name': 'Gender', 'locale': 'en' }}},\
                          'email': { 'display': {{'name': 'Email Id', 'locale': 'en' }}},\
                          'phone': { 'display': {{'name': 'Phone Number', 'locale': 'en' }}},\
                          'addressLine1': { 'display': {{'name': 'Address Line 1', 'locale': 'en' }}},\
                          'city': { 'display': {{'name': 'City', 'locale': 'en' }}},\
                          'province': { 'display': {{'name': 'Province', 'locale': 'en' }}},\
                          'region': { 'display': {{'name': 'Region', 'locale': 'en' }}},\
                          'postalCode': { 'display': {{'name': 'Postal Code', 'locale': 'en' }}},\
                          'residenceStatus': { 'display': {{'name': 'Residence Status', 'locale': 'en' }}}\
                      }\
                  },\
                  'display': {\
                      {\
                          'name': 'National ID Verifiable Credential',\
                          'locale': 'en',\
                          'logo': {'url': '${mosip.esignet.domain.url}/logo.png', 'alt_text': 'esignet-logo'},\
                          'background_color': '#12107c',\
                          'text_color': '#FFFFFF'\
                      }\
                  }\
              }\
          }\
      },\
      'latest': {\
          'credential_issuer': '${mosip.esignet.vci.identifier}',\
          'credential_endpoint': '${mosip.esignet.api.base-url}/vci/credential',\
          'display': {{'name': 'National ID', 'locale': 'en'}},\
          'credentials_supported': {\
              'MOSIPVerifiableCredential': {\
                  'format': 'ldp_vc',\
                  'scope' : 'mock_identity_vc_ldp',\
                  'cryptographic_binding_methods_supported': {'did:jwk'},\
                  'cryptographic_suites_supported': {'RsaSignature2018'},\
                  'proof_types_supported': {'jwt'},\
                  'credential_definition': {\
                      'type': {'VerifiableCredential','MOSIPVerifiableCredential'},\
                      'credentialSubject': {\
                          'name': { 'display': {{'name': 'Given Name', 'locale': 'en' }}}, \
                          'fullName': { 'display': {{'name': 'Full Name', 'locale': 'en' }}},\
                          'dateOfBirth': { 'display': {{'name': 'DOB', 'locale': 'en' }}},\
                          'age': { 'display': {{ 'name': 'Age', 'locale': 'en'}}},\
                          'gender': { 'display': {{'name': 'Gender', 'locale': 'en' }}},\
                          'email': { 'display': {{'name': 'Email Id', 'locale': 'en' }}},\
                          'phone': { 'display': {{'name': 'Phone Number', 'locale': 'en' }}},\
                          'addressLine1': { 'display': {{'name': 'Address Line 1', 'locale': 'en' }}},\
                          'city': { 'display': {{'name': 'City', 'locale': 'en' }}},\
                          'province': { 'display': {{'name': 'Province', 'locale': 'en' }}},\
                          'region': { 'display': {{'name': 'Region', 'locale': 'en' }}},\
                          'postalCode': { 'display': {{'name': 'Postal Code', 'locale': 'en' }}},\
                          'residenceStatus': { 'display': {{'name': 'Residence Status', 'locale': 'en' }}}\
                      }\
                  },\
                  'display': {\
                      {\
                          'name': 'National ID Verifiable Credential',\
                          'locale': 'en',\
                          'logo': {'url': '${mosip.esignet.domain.url}/logo.png', 'alt_text': 'eignet-logo'},\
                          'background_color': '#12107c',\
                          'text_color': '#FFFFFF'\
                      }\
                  }\
              }\
          }\
      }\
  }
## -------------------------------------------- Others ----------------------------------------------------------

#logging.level.org.springframework.web.client.RestTemplate=DEBUG
#logging.level.io.mosip.esignet=INFO

##---------------------------------Sunbird-RC Plugin Configurations------------------------------------------------------

mosip.esignet.authenticator.sunbird-rc.auth-factor.kba.individual-id-field=policyNumber
mosip.esignet.authenticator.sunbird-rc.auth-factor.kba.field-details={{"id":"policyNumber", "type":"text", "format":""},{"id":"fullName", "type":"text", "format":""},{"id":"dob", "type":"date", "format":"dd/mm/yyyy"}}
mosip.esignet.authenticator.sunbird-rc.auth-factor.kba.registry-search-url=http://10.3.148.107/registry/api/v1/Insurance/search
mosip.esignet.authenticator.sunbird-rc.kba.entity-id-field=osid

mosip.esignet.vciplugin.sunbird-rc.enable-psut-based-registry-search=false
mosip.esignet.vciplugin.sunbird-rc.credential-type.InsuranceCredential.registry-search-url=http://10.3.148.107/registry/api/v1/Insurance/search
mosip.esignet.vciplugin.sunbird-rc.issue-credential-url=http://10.3.148.107/credential/credentials/issue
mosip.esignet.vciplugin.sunbird-rc.supported-credential-types=LifeInsuranceCredential,InsuranceCredential
mosip.esignet.vciplugin.sunbird-rc.credential-type.InsuranceCredential.static-value-map.issuerId=did:web:holashchand.github.io:test_project:32b08ca7-9979-4f42-aacc-1d73f3ac5322
mosip.esignet.vciplugin.sunbird-rc.credential-type.InsuranceCredential.template-url=${spring_config_url_env}/*/${active_profile_env}/${spring_config_label_env}/insurance-credential.json
mosip.esignet.vciplugin.sunbird-rc.credential-type.InsuranceCredential.registry-get-url=http://10.3.148.107/registry/api/v1/Insurance/
mosip.esignet.vciplugin.sunbird-rc.credential-type.InsuranceCredential.cred-schema-id=did:schema:0d10a2cf-94de-4ffc-b32c-4f1a61ee05ba
mosip.esignet.vciplugin.sunbird-rc.credential-type.InsuranceCredential.cred-schema-version=1.0.0

mosip.esignet.vciplugin.sunbird-rc.credential-type.LifeInsuranceCredential.static-value-map.issuerId=did:web:holashchand.github.io:test_project:32b08ca7-9979-4f42-aacc-1d73f3ac5322
mosip.esignet.vciplugin.sunbird-rc.credential-type.LifeInsuranceCredential.template-url=${spring_config_url_env}/*/${active_profile_env}/${spring_config_label_env}/life-insurance-credential.json
mosip.esignet.vciplugin.sunbird-rc.credential-type.LifeInsuranceCredential.registry-get-url=http://10.3.148.107/registry/api/v1/Insurance/
mosip.esignet.vciplugin.sunbird-rc.credential-type.LifeInsuranceCredential.cred-schema-id=did:schema:0d10a2cf-94de-4ffc-b32c-4f1a61ee05ba
mosip.esignet.vciplugin.sunbird-rc.credential-type.LifeInsuranceCredential.cred-schema-version=1.0.0
mosip.esignet.vciplugin.sunbird-rc.credential-type.LifeInsuranceCredential.registry-search-url=http://10.3.148.107/registry/api/v1/Insurance/search