id-authentication-default.properties

# Follow properites have their values assigned via 'overrides' environment variables of config server docker.
# DO NOT define these in any of the property files.  They must be passed as env variables.  Refer to config-server
# helm chart:
# db.dbuser.password 
# ida.websub.authtype.callback.secret
# ida.websub.credential.issue.callback.secret
# ida.websub.partner.service.callback.secret
# ida.websub.ca.certificate.callback.secret
# ida.websub.hotlist.callback.secret
# mosip.kernel.tokenid.uin.salt
# mpartner.default.auth.secret
# mosip.kernel.tokenid.partnercode.salt
# softhsm.ida.security.pin
# ida.websub.masterdata.templates.callback.secret
# ida.websub.masterdata.titles.callback.secret

## Client
# The Online Verification partner ID associated to the IDA instance.
# This is used to subscribe to the credential issuance event notification sent by credential service.
# for the particular Online Verification partner.
# This credential issueance notification is handled inside Internal Authentication module.
# The credentials issued to the partner will be as per the data-share policy associated to the partner.
# TO DO: Change the property key to online-verification-partner-id
ida-auth-partner-id=mpartner-default-auth
# Kernel auth client ID for IDA
#Note: since the Online verification Partner ID is used as client ID, for a different IDA instance, this needs to be changed accordingly
#and also to be added to the 'auth.server.admin.allowed.audience' property of all dependency modules.
mosip.ida.auth.clientId=${ida-auth-partner-id}
mosip.ida.auth.secretKey=${mpartner.default.auth.secret}
 
mosip.ida.auth.appId=ida

## Database
# Database hostname below is assuming postgres is running inside cluster in 'postgres' namespace
# If database is external to production, provide the DNS or ip of the host and port 
mosip.ida.database.hostname=postgres-postgresql.postgres
mosip.ida.database.port=5432
mosip.ida.database.user=idauser
mosip.ida.database.password=${db.dbuser.password}

javax.persistence.jdbc.driverClassName=org.postgresql.Driver
javax.persistence.jdbc.driver=org.postgresql.Driver
javax.persistence.jdbc.url=jdbc:postgresql://${mosip.ida.database.hostname}:${mosip.ida.database.port}/mosip_ida
javax.persistence.jdbc.user=${mosip.ida.database.user}
javax.persistence.jdbc.username=${mosip.ida.database.user}
javax.persistence.jdbc.password=${mosip.ida.database.password}
javax.persistence.jdbc.schema=ida
javax.persistence.jdbc.uinHashTable=uin_hash_salt
javax.persistence.jdbc.uinEncryptTable=uin_encrypt_salt

## Hibernate
hibernate.dialect=org.hibernate.dialect.PostgreSQL95Dialect
hibernate.jdbc.lob.non_contextual_creation=true
hibernate.hbm2ddl.auto=none
hibernate.format_sql=true
hibernate.connection.charSet=utf8
hibernate.cache.use_second_level_cache=false
hibernate.cache.use_query_cache=false
hibernate.cache.use_structured_entries=false
hibernate.generate_statistics=false
spring.datasource.initialization-mode=never
hibernate.temp.use_jdbc_metadata_defaults=false
spring.jpa.properties.hibernate.jdbc.lob.non_contextual_creation=true
log4j.logger.org.hibernate=warn
hibernate.show_sql=false

application.id=IDA
application.name=ID-Authentication

## Reference ID used for crypto manager in authentication (for request body)
partner.reference.id=PARTNER
## Reference ID used for crypto manager in internal authentication (for request body)
internal.reference.id=INTERNAL
## Reference ID used for crypto manager in authentication for biometrics
## TO DO: Value to be Changed to IDA-BIO
partner.biometric.reference.id=IDA-FIR
## Reference ID used for crypto manager in internal authentication for biometrics
internal.biometric.reference.id=INTERNAL

identity-cache.reference.id=IDENTITY_CACHE
mosip.sign.applicationid=${application.id}
mosip.sign.refid=SIGN

## Kernel Symmetric Key decryption bytes count for AAD 
ida.aad.lastbytes.num=16
## Kernel Symmetric Key decryption bytes count for Salt 
ida.salt.lastbytes.num=12

## Request timeout used across all REST API calls in IDA
mosip.ida.request.timeout.secs=10
## Common JSON media type used across all REST API calls in IDA
mosip.ida.request.mediaType=application/json

## IDA mapping
ida.mapping.json.filename=identity-mapping.json
mosip.ida.mapping.json-uri=${spring.cloud.config.uri}/${spring.application.name}/${spring.profiles.active}/${spring.cloud.config.label}/${ida.mapping.json.filename} 
ida.mapping.property.source=url:${mosip.ida.mapping.json-uri}
	
idp.amr-acr.mapping.json.filename=amr-acr-mapping.json
mosip.idp.amr-acr.mapping.json-uri=${spring.cloud.config.uri}/${spring.application.name}/${spring.profiles.active}/${spring.cloud.config.label}/${idp.amr-acr.mapping.json.filename} 
idp.amr-acr.ida.mapping.property.source=${mosip.idp.amr-acr.mapping.json-uri}

# The attribute name in the Mapping Json used to fetch Anonymous profile preferred language attribute
mosip.preferred.language.attribute.name=preferredLanguage
# The attribute name in the Mapping Json used to fetch Anonymous profile location attributes
mosip.location.profile.attribute.name=locationHierarchyForProfiling
# Used in Child Auth Filter
mosip.date-of-birth.attribute.name=dateOfBirth
# Used in DOB matching and Child Auth filter
mosip.date-of-birth.pattern=yyyy/MM/dd

# The separators for composite ID Attribute such as fullAddress. 
# By default the separator is space.
# Usage: ida.id.attribute.separator.<id_attribute>=<separator string>
# For Example, full address attributes are separated with comman (,).
ida.id.attribute.separator.fullAddress=,

## Biosdk
## Url below assumes the biosdk server is running inside cluster in `biosdk` namespace 
mosip.biosdk.default.service.url=${mosip.mock.biosdk.url}/biosdk-service
## For real biosdk
# This class will be loaded in runtime, the containing jar should be available in classpath
mosip.biometric.sdk.providers.finger.mosip-ref-impl-sdk-client.classname=io.mosip.biosdk.client.impl.spec_1_0.Client_V_1_0
# The version of the BIO SDK API implemeted for Finger modality
mosip.biometric.sdk.providers.finger.mosip-ref-impl-sdk-client.version=0.9
# The default URL will be taken if no format specified in the extraction or the incoming extraction format is not configured. 
# If the below default configuration is not configured, the one of the configured url will be used as the default URL. 
# If no URL is configured, the default URL will be taken from the environment variable 'mosip_biosdk_service'.
mosip.biometric.sdk.providers.finger.mosip-ref-impl-sdk-client.format.url.default=${mosip.biosdk.default.service.url}
# The fully qualified Class Name of the BIO SDK API implemented for Iris modality 
# This class will be loaded in runtime, the containing jar should be available in classpath
mosip.biometric.sdk.providers.iris.mosip-ref-impl-sdk-client.classname=io.mosip.biosdk.client.impl.spec_1_0.Client_V_1_0
# The version of the BIO SDK API implemeted for Iris modality
mosip.biometric.sdk.providers.iris.mosip-ref-impl-sdk-client.version=0.9
mosip.biometric.sdk.providers.iris.mosip-ref-impl-sdk-client.format.url.default=${mosip.biosdk.default.service.url}
# The fully qualified Class Name of the BIO SDK API implemented for Face modality 
# This class will be loaded in runtime, the containing jar should be available in classpath
mosip.biometric.sdk.providers.face.mosip-ref-impl-sdk-client.classname=io.mosip.biosdk.client.impl.spec_1_0.Client_V_1_0
# The version of the BIO SDK API implemeted for Face modality
mosip.biometric.sdk.providers.face.mosip-ref-impl-sdk-client.version=0.9
mosip.biometric.sdk.providers.face.mosip-ref-impl-sdk-client.format.url.default=${mosip.biosdk.default.service.url}

## Kernel-Audit
audit.rest.uri=${mosip.kernel.auditmanager.url}/v1/auditmanager/audits
audit.rest.httpMethod=POST
audit.rest.headers.mediaType=${mosip.ida.request.mediaType}
audit.rest.timeout=${mosip.ida.request.timeout.secs}

## Kernel OTP Validator
otp-validate.rest.uri=${mosip.kernel.otpmanager.url}/v1/otpmanager/otp/validate
otp-validate.rest.httpMethod=GET
otp-validate.rest.headers.mediaType=${mosip.ida.request.mediaType}
otp-validate.rest.timeout=${mosip.ida.request.timeout.secs}

## Kernel OTP Generator
otp-generate.rest.uri=${mosip.kernel.otpmanager.url}/v1/otpmanager/otp/generate
otp-generate.rest.httpMethod=POST
otp-generate.rest.headers.mediaType=${mosip.ida.request.mediaType}
otp-generate.rest.timeout=${mosip.ida.request.timeout.secs}

## Mail Notification
mail-notification.rest.uri=${mosip.kernel.notification.url}/v1/notifier/email/send
mail-notification.rest.httpMethod=POST
mail-notification.rest.headers.mediaType=multipart/form-data
mail-notification.rest.timeout=${mosip.ida.request.timeout.secs}

## SMS Notification
sms-notification.rest.uri=${mosip.kernel.notification.url}/v1/notifier/sms/send
sms-notification.rest.httpMethod=POST
sms-notification.rest.headers.mediaType=${mosip.ida.request.mediaType}
sms-notification.rest.timeout=${mosip.ida.request.timeout.secs}

## Get Identity Data for RID (with type specified as query param) - Used in Internal Auth based on User ID
rid-uin.rest.uri=${mosip.idrepo.identity.url}/idrepository/v1/identity/idvid/{rid}?type={type}
rid-uin.rest.httpMethod=GET
rid-uin.rest.headers.mediaType=${mosip.ida.request.mediaType}
rid-uin.rest.timeout=${mosip.ida.request.timeout.secs}

## Get Identity Data for RID (without type specified) - Used in Internal Auth based on User ID
rid-uin-auth.rest.uri=${mosip.idrepo.identity.url}/idrepository/v1/identity/idvid/{rid}
rid-uin-auth.rest.httpMethod=GET
rid-uin-auth.rest.headers.mediaType=${mosip.ida.request.mediaType}
rid-uin-auth.rest.timeout=${mosip.ida.request.timeout.secs}

## Partner service API to validate MISP Lisence Key - Partner ID - Partner API Key combination
id-pmp-service.rest.uri=${mosip.pms.partnermanager.url}/v1/partnermanager/partners/{partner_id}/apikey/{partner_api_key}/misp/{misp_license_key}/validate?needPartnerCert={need_partner_cert}
id-pmp-service.rest.httpMethod=GET
id-pmp-service.rest.headers.mediaType=${mosip.ida.request.mediaType}
id-pmp-service.rest.timeout=${mosip.ida.request.timeout.secs}

## Data Share API configurations - used to download data from data share URL provided in credential issueance event
data-share-get.rest.uri=dummy_url_to_be_replaced_in_runtime
data-share-get.rest.httpMethod=GET
data-share-get.rest.headers.mediaType=application/octet-stream
data-share-get.rest.timeout=10
data-share-get-decrypt-ref-id=${ida-auth-partner-id}

## Title Service rest api-GET
id-masterdata-title-service.rest.uri=${mosip.kernel.masterdata.url}/v1/masterdata/title
id-masterdata-title-service.rest.httpMethod=GET
id-masterdata-title-service.rest.headers.mediaType=${mosip.ida.request.mediaType}
id-masterdata-title-service.rest.timeout=${mosip.ida.request.timeout.secs}

## Master Data - Template Single Language
id-masterdata-template-service.rest.uri=${mosip.kernel.masterdata.url}/v1/masterdata/templates/{langcode}/{templatetypecode}
id-masterdata-template-service.rest.httpMethod=GET
id-masterdata-template-service.rest.headers.mediaType=${mosip.ida.request.mediaType}
id-masterdata-template-service.rest.timeout=${mosip.ida.request.timeout.secs}

## Master Data - Template Multi language
id-masterdata-template-service-multilang.rest.uri=${mosip.kernel.masterdata.url}/v1/masterdata/templates/templatetypecodes/{code}
id-masterdata-template-service-multilang.rest.httpMethod=GET
id-masterdata-template-service-multilang.rest.headers.mediaType=${mosip.ida.request.mediaType}
id-masterdata-template-service-multilang.rest.timeout=${mosip.ida.request.timeout.secs}

## Websub
ida-websub-authtype-callback-secret=${ida.websub.authtype.callback.secret}
ida-websub-credential-issue-callback-secret=${ida.websub.credential.issue.callback.secret}
ida-websub-partner-service-callback-secret=${ida.websub.partner.service.callback.secret}
ida-websub-hotlist-callback-secret=${ida.websub.hotlist.callback.secret}
ida-websub-masterdata-templates-callback-secret=${ida.websub.masterdata.templates.callback.secret}
ida-websub-masterdata-titles-callback-secret=${ida.websub.masterdata.titles.callback.secret}
ida-websub-credential-issue-callback-url=
## Callback url for MISP/Partner change notification events
ida-websub-partner-service-callback-url=${mosip.ida.internal.url}/${server.servlet.context-path}/callback/partnermanagement/{eventType}
ida-websub-partner-service-apikey-approved-callback-relative-url=${server.servlet.context-path}/callback/partnermanagement/apikey_approved
ida-websub-partner-service-partner-updated-callback-relative-url=${server.servlet.context-path}/callback/partnermanagement/partner_updated
ida-websub-partner-service-policy-updated-callback-relative-url=${server.servlet.context-path}/callback/partnermanagement/policy_updated
ida-websub-partner-service-partner-api-key-updated-callback-relative-url=${server.servlet.context-path}/callback/partnermanagement/partner_api_key_updated
ida-websub-partner-service-misp-license-generated-callback-relative-url=${server.servlet.context-path}/callback/partnermanagement/misp_license_generated
ida-websub-partner-service-misp-license-updated-callback-relative-url=${server.servlet.context-path}/callback/partnermanagement/misp_license_updated
ida-websub-partner-service-oidc-client-created-callback-relative-url=${server.servlet.context-path}/callback/partnermanagement/oidc_client_created
ida-websub-partner-service-oidc-client-updated-callback-relative-url=${server.servlet.context-path}/callback/partnermanagement/oidc_client_updated


#Delay (in milliseconds) for subscription on application startup to avoid failure during intent verification by hub.
subscriptions-delay-on-startup_millisecs=120000

# The time interval in seconds to schedule subscription of topics which is done as a
# work-around for the bug: MOSIP-9496. By default the
# this property value is set to 0 that disables this workaround.
# To enable the resubscrition scheduling, this property should be assigned with a positive
# number like 1 * 60 * 60 = 3600 for one hour
ida-websub-resubscription-delay-secs=43200

delay-to-pull-missing-credential-after-topic-subscription_millisecs=60000

## Websub even topics
ida-topic-auth-type-status-updated=${ida-auth-partner-id}/AUTH_TYPE_STATUS_UPDATE
## Topic for Credential Issueance Event (for UIN/VID create/update events)
ida-topic-credential-issued=${ida-auth-partner-id}/CREDENTIAL_ISSUED
## Topic for ID Remove Event (UIN blocked / VID revoked events)
ida-topic-remove-id=${ida-auth-partner-id}/REMOVE_ID
## Topic for ID Deactivate Event (UIN/VID deactivate events) 
ida-topic-deactivate-id=${ida-auth-partner-id}/DEACTIVATE_ID
## Topic for ID Activate Event (UIN/VID activate events) 
ida-topic-activate-id=${ida-auth-partner-id}/ACTIVATE_ID
ida-topic-pmp-partner-updated=PARTNER_UPDATED
ida-topic-pmp-partner-api-key-updated=APIKEY_UPDATED
ida-topic-pmp-policy-updated=POLICY_UPDATED
ida-topic-hotlist=MOSIP_HOTLIST
ida-topic-credential-status-update=CREDENTIAL_STATUS_UPDATE
ida-topic-auth-type-status-update-acknowledge=AUTH_TYPE_STATUS_UPDATE_ACK
ida-topic-auth-transaction-status=AUTHENTICATION_TRANSACTION_STATUS
ida-topic-masterdata-templates=MASTERDATA_IDAUTHENTICATION_TEMPLATES
ida-topic-masterdata-titles=MASTERDATA_TITLES
ida-topic-pmp-misp-license-generated=MISP_LICENSE_GENERATED
ida-topic-pmp-misp-license-updated=MISP_LICENSE_UPDATED
ida-topic-pmp-partner-api-key-approved=APIKEY_APPROVED
ida-topic-fraud-analysis=IDA_FRAUD_ANALYTICS
ida-topic-auth-anonymous-profile=ANONYMOUS_PROFILE
ida-topic-pmp-oidc-client-created=OIDC_CLIENT_CREATED
ida-topic-pmp-oidc-client-updated=OIDC_CLIENT_UPDATED
ida-topic-on-demand-template-extraction=AUTHENTICATION_ERRORS

# in minutes
mosip.iam.adapter.validate-expiry-check-rate=15
# in minutes
mosip.iam.adapter.renewal-before-expiry-interval=15
#this should be false if you don?t use the self token restTemplate from auth adapter true if you do (needed for websubclient).
mosip.iam.adapter.self-token-renewal-enable=true
mosip.auth.filter_disable=false

## IDA cache
## IDA cache Time to live in days - To clear cache scheduled based on the days provided.
## value <= 0 means cache clearing based on schedule is disabled.
ida-cache-ttl-in-days=1
## To disable cache, set value to NONE, otherwise SIMPLE to enable cache.
## Value is based on CacheType enum provided by Spring Boot
## spring.cache.type=SIMPLE
spring.cache.type=SIMPLE

## Function configs
#The modulo value to be calculated for a UIN/VID used to get salt value to be used in UIN/VID hashing
ida.uin.salt.modulo=1000

## ID demographic normalization
# This is used to define the seperator for normalizing regex(pattern) and the replacement word. Default is set to '='.
ida.norm.sep==
####### Demo Name/Address Normalization Regular Expressions and their replacement configurations
#Format:
# ida.demo.<name/address/common>.normalization.regex.<languageCode/any>[<sequential index starting from 0>]=<reqular expression>${ida.norm.sep}<replacement string>
# If replacement string is not specified that regular expression will be replaced with empty string 
# Note: The sequence should not break in the middle, otherwise all normalization properties will not be read for the particular type.
## For eng.
ida.demo.address.normalization.regex.eng[0]=[CcSsDdWwHh]/[Oo]
ida.demo.address.normalization.regex.eng[1]=(M|m|D|d)(rs?)(.)
ida.demo.address.normalization.regex.eng[2]=(N|n)(O|o)(\\.)?
ida.demo.address.normalization.regex.eng[3]=[aA][pP][aA][rR][tT][mM][eE][nN][tT]${ida.norm.sep}apt 
ida.demo.address.normalization.regex.eng[4]=[sS][tT][rR][eE][eE][tT]${ida.norm.sep}st 
ida.demo.address.normalization.regex.eng[5]=[rR][oO][aA][dD]${ida.norm.sep}rd 
ida.demo.address.normalization.regex.eng[6]=[mM][aA][iI][nN]${ida.norm.sep}mn 
ida.demo.address.normalization.regex.eng[7]=[cC][rR][oO][sS][sS]${ida.norm.sep}crs 
ida.demo.address.normalization.regex.eng[8]=[oO][pP][pP][oO][sS][iI][tT][eE]${ida.norm.sep}opp 
ida.demo.address.normalization.regex.eng[9]=[mM][aA][rR][kK][eE][tT]${ida.norm.sep}mkt 
ida.demo.address.normalization.regex.eng[10]=1[sS][tT]${ida.norm.sep}1 
ida.demo.address.normalization.regex.eng[11]=1[tT][hH]${ida.norm.sep}1 
ida.demo.address.normalization.regex.eng[12]=2[nN][dD]${ida.norm.sep}2 
ida.demo.address.normalization.regex.eng[13]=2[tT][hH]${ida.norm.sep}2 
ida.demo.address.normalization.regex.eng[14]=3[rR][dD]${ida.norm.sep}3 
ida.demo.address.normalization.regex.eng[15]=3[tT][hH]${ida.norm.sep}3 
ida.demo.address.normalization.regex.eng[16]=4[tT][hH]${ida.norm.sep}4 
ida.demo.address.normalization.regex.eng[17]=5[tT][hH]${ida.norm.sep}5 
ida.demo.address.normalization.regex.eng[18]=6[tT][hH]${ida.norm.sep}6 
ida.demo.address.normalization.regex.eng[19]=7[tT][hH]${ida.norm.sep}7 
ida.demo.address.normalization.regex.eng[20]=8[tT][hH]${ida.norm.sep}8 
ida.demo.address.normalization.regex.eng[21]=9[tT][hH]${ida.norm.sep}9 
ida.demo.address.normalization.regex.eng[22]=0[tT][hH]${ida.norm.sep}0 
# Note: the common normalization attributes will be replaced at the end.
# Special characters are removed : . , - * ( ) [ ] ` ' / \ # "
# Replace spcial char with space.Trailing space is removed from property. As a workaround first replacing with " ." then removing the "."
ida.demo.common.normalization.regex.any[0]=[\\.|,|\\-|\\*|\\(|\\)|\\[|\\]|`|\\'|/|\\|#|\"]${ida.norm.sep} .
# Trailing space is removed from property. As a workaround first replacing with " ." then removing the "."
ida.demo.common.normalization.regex.any[1]=\\s+${ida.norm.sep} .
ida.demo.common.normalization.regex.any[2]=\\.${ida.norm.sep}

# Language Code
ida.errormessages.default-lang=en

## OTP flooding
## Configure Time limit for OTP Flooding scenario (in minutes) 
otp.request.flooding.duration=1
otp.request.flooding.max-count=100
## OTP Freezing. When user attempts multiple times with invalid OTP consecutively, it will be allowed only for certain number of attempts as per the theshold. After that it will go to frozen state for the user for the given duration. During the frozen time the OTP Request and validation both will be throwing error. After that it will be unfrozen and both actions will be allowed. Default is 5 if unspecified.
mosip.ida.otp.validation.attempt.count.threshold=5
# The duration in minutes for which the OTP will be frozen for a user, after that it it will be unfrozen. Default is 30 mins if unspecified.
mosip.ida.otp.frozen.duration.minutes=30

## Notification templates
ida.auth.mail.content.template=auth-email-content
ida.auth.mail.subject.template=auth-email-subject
ida.otp.mail.content.template=ida-auth-otp-email-content-template
ida.otp.mail.subject.template=ida-auth-otp-email-subject-template
ida.auth.sms.template=auth-sms
ida.otp.sms.template=ida-auth-otp-sms-template

## UIN/VID/USERID Masking to be done on SMS/EMAIL notification
## Configure the no of digits to be masked while masking UIN/VID/USERID. 
## For example if UIN is 1234567890 and mask count is 6, masked UIN will be: XXXXXX7890
notification.uin.masking.charcount=8
notification.date.format=dd-MM-yyyy
notification.time.format=HH:mm:ss

## Allowed authentication types for Authentciation/E-KYC/Internal Authentication requests
## Accepted values otp-request, otp, demo, bio-Finger, bio-Iris, bio-Face
## Configure authentications permissable for a country
auth.types.allowed=demo,otp,bio-Finger,bio-Iris,bio-Face,pwd,kbt
## Configure authentications permissable for e-KYC for a country
ekyc.auth.types.allowed=demo,otp,bio-Finger,bio-Iris,bio-Face
## Configure authentication types permissable for internal authentication 
internal.auth.types.allowed=otp,bio-Finger,bio-Iris,bio-Face

## Allowed IdTypes for hotlisting 
mosip.ida.internal.hotlist.idtypes.allowed=UIN,VID,PARTNER_ID,DEVICE,DEVICE_PROVIDER

## Datetime
#Example allowed date time formats: "2020-10-23T12:21:38.660Z" , 2019-03-28T10:01:57.086+05:30
datetime.pattern=yyyy-MM-dd'T'HH:mm:ss.SSSXXX

# Request IDs used in IDA REST APIs
ida.api.id.auth=mosip.identity.auth
ida.api.id.kyc=mosip.identity.kyc
ida.api.id.otp=mosip.identity.otp
ida.api.id.staticpin=mosip.identity.staticpin
ida.api.id.vid=mosip.identity.vid
ida.api.id.internal=mosip.identity.auth.internal
ida.api.id.auth.transactions=mosip.identity.authtransactions.read
ida.api.id.otp.internal=mosip.identity.otp.internal
ida.api.id.kycauth=mosip.identity.kycauth
ida.api.id.kycexchange=mosip.identity.kycexchange

## Request versions
ida.api.version.auth=1.0
ida.api.version.kyc=1.0
ida.api.version.otp=1.0
ida.api.version.staticpin=1.0
ida.api.version.vid=1.0
ida.api.version.internal=1.0
ida.api.version.auth.transactions=1.0
ida.api.version.otp.internal=1.0
ida.api.version.kycauth=1.0
ida.api.version.kycexchange=1.0

## Auth response token config
## Preference to turn on/off of authentication response token for a Country
## A partner specific policy will govern how the response token is generated, whether it should be Random/Partner or Policy specific
## TO DO: Remane static.token.enable to auth.token.enable
static.token.enable=true

## Allowed ID Types (allowed values : UIN/VID/USERID) to be supported for Authentication/KYC/OTP Requests
request.idtypes.allowed=UIN,VID,HANDLE
## The ID types to be supported for Internal Authentication/OTP Requests
request.idtypes.allowed.internalauth=UIN,VID

## Cryptograpic/Signature verificate related configurations
mosip.ida.internal.thumbprint-validation-required=false
mosip.ida.internal.trust-validation-required=false

## Kernel retry
# The retry limit excluding the first attempt before attempting for retries. Default is set to 5.
kernel.retry.attempts.limit=5
## The initial interval to be used for exponential backoff in milli seconds. If the exponential backoff is disabled by setting 'kernel.retry.exponential.backoff.multiplier' value as 1, this initial interval will be used as the fixed backoff interval for every retries. Default value is 200 millisecs
kernel.retry.exponential.backoff.initial.interval.millisecs=100
## The multiplier for exponential backoff intreval. A double value greater than or equal to 1. Setting to 1 will make it to fixed backoff, more than 1 will apply exponential backoff. Default is 1.0 (fixed backoff). For exponential backoff the suggested value is 1.5 or 2. The next backoff interval is calculated with the formula: NextBackOffInterval = initialInterval * Math.pow(multiplier, retryCount)
kernel.retry.exponential.backoff.multiplier=1.5
kernel.retry.exponential.backoff.max.interval.millisecs=1000
## Whether to traverse to the root cause exception from the exception thrown and use the same root cause to decide whether to retry or not. Default is true.
kernel.retry.traverse.root.cause.enabled=false
## Comma separated List of fully qualified Exceptions which are retryable (inclusion list). Their subclasses will also be considered in the evaluation.
kernel.retry.retryable.exceptions=io.mosip.idrepository.core.exception.IdRepoRetryException,org.springframework.dao.DataIntegrityViolationException,org.hibernate.exception.ConstraintViolationException,org.springframework.orm.ObjectOptimisticLockingFailureExceptionf
## Comma separated List of fully qualified Exceptions which are not-retryable (exclusion list). Their subclasses will also be considered in the evaluation.
kernel.retry.nonretryable.exceptions=

## Credential Store batch and retry configurations
## To disable automatic job launch in startup, setting to false.
spring.batch.job.enabled=false
## Chunk size of items to be processed in spring batch. This value also assigned to the thread count, and hence all the items are processed in parellel asynchronusly.
ida.batch.credential.store.chunk.size=5
ida.batch.credential.store.job.delay=1000
## The retry limit excluding the first attempt before attempting for retries
ida.credential.store.retry.max.limit=10
ida.credential.store.retry.backoff.interval.millisecs=5000
## The multiplier for exponential backoff intreval. A double value greater than or equal to 1. Setting to 1 will make it to fixed backoff, more than 1 will apply exponential backoff. Default is 1.0 (fixed backoff). For exponential backoff the suggested value is 1.5 or 2. The next backoff interval is calculated with the formula: NextBackOffInterval = initialInterval * Math.pow(multiplier, retryCount)
ida.credential.store.retry.backoff.exponential.multiplier=1.5
ida.credential.store.retry.backoff.exponential.max.interval.millisecs=120000

## Configurations needed for dependent libraries
## Softhsm
mosip.kernel.keymanager.certificate.default.common-name=www.mosip.io
mosip.kernel.keymanager.hsm.config-path=/config/softhsm-application.conf
mosip.kernel.keymanager.hsm.keystore-type=PKCS11
mosip.kernel.keymanager.hsm.keystore-pass=${softhsm.ida.security.pin}

## Security - used in Internal Authentication Services by default Kernel Auth Adapter
mosip.security.csrf-enable=false
mosip.security.cors-enable=false
mosip.security.origins=localhost:8080
mosip.security.secure-cookie=false

## Key-manager 
mosip.root.key.applicationid=ROOT
mosip.kernel.certificate.sign.algorithm=SHA256withRSA

## Default certificate params 
mosip.kernel.keymanager.certificate.default.organizational-unit=MOSIP-TECH-CENTER
mosip.kernel.keymanager.certificate.default.organization=IITB
mosip.kernel.keymanager.certificate.default.location=BANGALORE
mosip.kernel.keymanager.certificate.default.state=KA
mosip.kernel.keymanager.certificate.default.country=IN

## Zero Knowledge Master & Public Key identifier.
mosip.kernel.zkcrypto.masterkey.application.id=${application.id}
mosip.kernel.zkcrypto.masterkey.reference.id=${identity-cache.reference.id}
mosip.kernel.zkcrypto.publickey.application.id=${application.id}
mosip.kernel.zkcrypto.publickey.reference.id=CRED_SERVICE
mosip.kernel.zkcrypto.wrap.algorithm-name=AES/ECB/NoPadding
mosip.kernel.zkcrypto.derive.encrypt.algorithm-name=AES/ECB/PKCS5Padding

## Application Id for PMS master key.
mosip.kernel.partner.sign.masterkey.application.id=PMS

## Kernel salt generator
mosip.kernel.salt-generator.db.key-alias=javax.persistence.jdbc
mosip.kernel.salt-generator.schemaName=${javax.persistence.jdbc.schema}

## TokenId generator
mosip.kernel.tokenid.uin.salt=${mosip.kernel.uin.salt}
mosip.kernel.tokenid.partnercode.salt=${mosip.kernel.partnercode.salt}

## Partner Management Service allowed partner domains
mosip.kernel.partner.allowed.domains=AUTH,DEVICE,FTM,MISP

# IAM Adapter 
mosip.iam.adapter.clientid=${mosip.ida.auth.clientId}
mosip.iam.adapter.clientsecret=${mosip.ida.auth.secretKey}
mosip.iam.adapter.appid=${mosip.ida.auth.appId}
mosip.authmanager.client-token-endpoint=${mosip.kernel.authmanager.url}/v1/authmanager/authenticate/clientidsecretkey

## IDA key generator 
keymanager.persistence.jdbc.driver=org.postgresql.Driver
keymanager_database_url=jdbc:postgresql://${mosip.ida.database.hostname}:${mosip.ida.database.port}/mosip_ida
keymanager_database_username=${mosip.ida.database.user}
keymanager_database_password=${db.dbuser.password}
mosip.kernel.keymanager.autogen.appids.list=ROOT,${application.id},${mosip.sign.applicationid}:${mosip.sign.refid},${application.id}:${mosip.kernel.zkcrypto.masterkey.reference.id},IDA_KYC_EXCHANGE,IDA_KEY_BINDING,IDA_VCI_EXCHANGE
mosip.kernel.keymanager.autogen.basekeys.list=${application.id}:${internal.reference.id},${application.id}:${partner.reference.id},${application.id}:${partner.biometric.reference.id},${application.id}:${mosip.kernel.zkcrypto.publickey.reference.id},${application.id}:${ida-auth-partner-id}
zkcrypto.random.key.generate.count=0
keymanager.persistence.jdbc.schema=ida

## TODO: For testing. Revert in production
mosip.kernel.keymanager.keystore.keyreference.enable.cache=false

## Admin
# Configure N time period threshold for accepting auth/OTP/KYC request for a country
authrequest.received-time-allowed.seconds=30
# Configuration for +/- time period adjustment in minutes for the request time validation, so that 
# The requests originating from a system that is not in time-sync will be accepted for the time period
authrequest.received-time-adjustment.seconds=30
#Configuration for time period difference between each biometric segment and digital Id capture
authrequest.biometrics.allowed-segment-time-difference-in-seconds=120

# Credential Request API to get Request IDs for the given status, pageStart and page
cred-request-service-get-request-ids.pageSize=10
cred-request-service-get-request-ids.statusCode=ISSUED
ida-max-credential-pull-window-days=2
ida-max-websub-messages-pull-window-days=2
cred-request-service-get-request-ids.rest.uri=${mosip.idrepo.credrequest.generator.url}/v1/credentialrequest/getRequestIds?direction=ASC&orderBy=updateDateTime&pageNumber={pageNumber}&pageSize=${cred-request-service-get-request-ids.pageSize}&statusCode=${cred-request-service-get-request-ids.statusCode}&effectivedtimes={effectivedtimes}
cred-request-service-get-request-ids.rest.httpMethod=GET
cred-request-service-get-request-ids.rest.headers.mediaType=${mosip.ida.request.mediaType}
cred-request-service-get-request-ids.rest.timeout=${mosip.ida.request.timeout.secs}

# Credential Request API to get Request IDs for the given status, pageStart and page
cred-request-service-retrigger-cred-issuance.rest.uri=${mosip.idrepo.credrequest.generator.url}/v1/credentialrequest/retrigger/{requestId}
cred-request-service-retrigger-cred-issuance.rest.httpMethod=PUT
cred-request-service-retrigger-cred-issuance.rest.headers.mediaType=${mosip.ida.request.mediaType}
cred-request-service-retrigger-cred-issuance.rest.timeout=${mosip.ida.request.timeout.secs}

# Child Auth Filter configurations
ida.child-auth-filter.factors.denied=otp,bio
ida.child-auth-filter.child.max.age=5

# The chunk size of failed message items to be processed in spring batch. This value also assigned to the thread count, and hence all the items are processed in parellel asynchronusly.
ida.fetch.failed.websub.messages.chunk.size=10

## Auth filters
# Comma Seperated list of fully qualified classes of the auth filters in the order in which they have to be executed.
# If validation with one filter fails with an error, the rest of the filter in the sequence will be skipped 
# and error will be returned in the auth response.

#Auth Filters for external auth
ida.mosip.external.auth.filter.classes.in.execution.order=io.mosip.authentication.hotlistfilter.impl.PartnerIdHotlistFilterImpl,io.mosip.authentication.hotlistfilter.impl.IndividualIdHotlistFilterImpl,io.mosip.authentication.hotlistfilter.impl.DeviceProviderHotlistFilterImpl,io.mosip.authentication.hotlistfilter.impl.DeviceHotlistFilterImpl,io.mosip.authentication.childauthfilter.impl.ChildAuthFilterImpl,io.mosip.authentication.authtypelockfilter.impl.AuthTypeLockFilterImpl
#Auth Filters for kyc auth
ida.mosip.internal.auth.filter.classes.in.execution.order=io.mosip.authentication.hotlistfilter.impl.IndividualIdHotlistFilterImpl,io.mosip.authentication.childauthfilter.impl.ChildAuthFilterImpl

## Demo SDK integration
mosip.demographic.sdk.api.classname=io.mosip.demosdk.client.impl.spec_1_0.Client_V_1_0
mosip.normalizer.sdk.api.classname=io.mosip.demosdk.client.impl.spec_1_0.Normalizer_V_1_0

#This is the frontend url configured in the open-id system. This url should match the issuer attribute in JWT.
auth.server.admin.issuer.uri=${keycloak.external.url}/auth/realms/
auth.server.validate.url=${mosip.kernel.authmanager.url}/v1/authmanager/authorize/admin/validateToken

#This url should be reachable internally to issue token.
auth-token-generator.rest.issuerUrl=${keycloak.internal.url}/auth/realms/mosip

#Fixed delay in which cleanup will be done in Hours
mosip.hotlist.cleanup-schedule.fixed-delay-in-hours=24

# The target enviornment. This values should be comma separted.
#Ex.Staging,Developer
mosip.ida.allowed.enviromemnts=Staging,Developer,Pre-Production,Production
# Allowed domain Uris. This values should be comma separted.
#Ex. https://dev.mosip.net,https://qa2.mosip.net
mosip.ida.allowed.domain.uris=${mosip.api.internal.url},https://${mosip.esignet.host}

biometrics.datetime.pattern=yyyy-MM-dd'T'HH:mm:ssXXX

#The list of attributes in identity that are to be decrypted by default 
ida-default-identity-filter-attributes=phone,fullName,dateOfBirth,email,preferredLang

#------ Un-encrypted Credential Attributes list -----------
#The list of attributes in identity that not are Zero Knowledge encrpted while creating the credential in credential service as per the datashare policy. The same credential format is dumped in IDA DB (identity_cache table).
#These attributes will not be decrypted when fetching the records from IDA DB for Authentication/EKYC/OTP requests.
#By default all attributes are assumed to be Zero Knowledge encrypted.
#Specify the attributes here only if they are not encrypted as per the datashare policy.
ida-zero-knowledge-unencrypted-credential-attributes=preferredLang

#openapi properties to sort tags and operations in Id Authentication
springdoc.swagger-ui.tagsSorter=alpha
springdoc.swagger-ui.operationsSorter=alpha

# for Fraud management
mosip.ida.fraud-analysis-enabled=true

mosip.ida.active-async-thread-count=100

# Logging of thread queue done based on below value in ms. Logging is done only if queue value of any one thread group crosses below specified threshold.
mosip.ida.monitor-thread-queue-in-ms=600000
mosip.ida.max-thread-queue-threshold=100

## Roles
mosip.role.idauth.postotp=RESIDENT
mosip.role.idauth.postauth=REGISTRATION_PROCESSOR,REGISTRATION_ADMIN,REGISTRATION_OFFICER,REGISTRATION_SUPERVISOR,RESIDENT
mosip.role.idauth.postverifyidentity=REGISTRATION_PROCESSOR,REGISTRATION_ADMIN,REGISTRATION_OFFICER,REGISTRATION_SUPERVISOR,RESIDENT
mosip.role.idauth.getauthtransactionsindividualid=RESIDENT
mosip.role.keymanager.postencrypt=INDIVIDUAL,ID_AUTHENTICATION,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT,CREDENTIAL_REQUEST
mosip.role.keymanager.postdecrypt=INDIVIDUAL,ID_AUTHENTICATION,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT,CREDENTIAL_REQUEST
mosip.role.keymanager.postencryptwithpin=INDIVIDUAL,ID_AUTHENTICATION,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
mosip.role.keymanager.postdecryptwithpin=INDIVIDUAL,ID_AUTHENTICATION,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
mosip.role.keymanager.postencryptdt=INDIVIDUAL,ID_AUTHENTICATION,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
mosip.role.keymanager.postdecryptdt=INDIVIDUAL,ID_AUTHENTICATION,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
mosip.role.keymanager.postgeneratemasterkeyobjecttype=INDIVIDUAL,ID_AUTHENTICATION,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
mosip.role.keymanager.getgetcertificate=INDIVIDUAL,ID_AUTHENTICATION,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT,KEY_MAKER
mosip.role.keymanager.postgeneratecsr=INDIVIDUAL,ID_AUTHENTICATION,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT,KEY_MAKER
mosip.role.keymanager.postuploadcertificate=INDIVIDUAL,ID_AUTHENTICATION,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT,KEY_MAKER
mosip.role.keymanager.postuploadotherdomaincertificate=INDIVIDUAL,ID_AUTHENTICATION,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT,KEY_MAKER
mosip.role.keymanager.postgeneratesymmetrickey=INDIVIDUAL,ID_AUTHENTICATION,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
mosip.role.keymanager.putrevokekey=INDIVIDUAL,ID_AUTHENTICATION,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
mosip.role.keymanager.postuploadcacertificate=PARTNER_ADMIN
mosip.role.keymanager.postuploadpartnercertificate=PARTNER_ADMIN,PARTNER
mosip.role.keymanager.getgetpartnercertificatepartnercertid=PARTNER_ADMIN,PARTNER
mosip.role.keymanager.postverifycertificatetrust=PARTNER_ADMIN,PARTNER
mosip.role.keymanager.postsign=INDIVIDUAL,ID_AUTHENTICATION,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
mosip.role.keymanager.postvalidate=INDIVIDUAL,ID_AUTHENTICATION,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
mosip.role.keymanager.postpdfsign=INDIVIDUAL,ID_AUTHENTICATION,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
mosip.role.keymanager.postjwtsign=INDIVIDUAL,ID_AUTHENTICATION,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
mosip.role.keymanager.postjwtverify=INDIVIDUAL,ID_AUTHENTICATION,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT

#logging.level.root=DEBUG

# Secret will be used during kyc token generation.
mosip.ida.kyc.token.secret=${mosip.ida.kyc.token.secret}
mosip.ida.kyc.token.expire.time.adjustment.seconds=3000
mosip.ida.kyc.exchange.default.lang=eng
mosip.ida.idp.consented.address.subset.attributes=street_address,locality,region,postal_code,country
mosip.kernel.keymgr.hsm.health.key.app-id=IDA

mosip.ida.config.server.file.storage.uri=${spring.cloud.config.uri}/${spring.application.name}/${spring.profiles.active}/${spring.cloud.config.label}/
mosip.ida.vercred.context.url.map={"https://www.w3.org/ns/odrl.jsonld" : "odrl.jsonld", "https://www.w3.org/2018/credentials/v1" : "cred-v1.jsonld", "https://${mosip.api.public.host}/.well-known/mosip-ida-context.json" : "mosip-ida-context.json"}
mosip.ida.vercred.context.uri=vccontext-ida.jsonld
mosip.ida.vercred.id.url=https://${mosip.api.public.host}/credentials/
mosip.ida.vercred.issuer.url=https://${mosip.api.public.host}/.well-known/ida-controller.json
mosip.ida.vercred.proof.purpose=assertionMethod
mosip.ida.vercred.proof.type=RsaSignature2018
mosip.ida.vercred.proof.verificationmethod=https://${mosip.api.public.host}/.well-known/ida-public-key.json
mosip.ida.vci.supported.cred.types=VerifiableCredential,MOSIPVerifiableCredential

# Regex to validate handles with provided key as the postfix
# if the input handle is +855345353453@phone then the provided regex is used to validate the input.  
mosip.ida.handle-types.regex={ '@phone' : '^\\+91[1-9][0-9]{7,9}@phone$' }

# Partner Id for encryption used in ondemand template extraction
mosip.ida.ondemand.template.extraction.partner.id=mpartner-default-tempextraction

ida-topic-on-demand-template-extraction=AUTHENTICATION_ERRORS