esignet-default.properties

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at https://mozilla.org/MPL/2.0/.

# Follow properites have their values assigned via 'overrides' environment variables of config server docker.
# DO NOT define these in any of the property files.  They must be passed as env variables.  Refer to config-server
# helm chart:
# db.dbuser.password
# keycloak.external.url
# keycloak.internal.host
# keycloak.internal.url
# keycloak.admin.password
# mosip.auth.client.secret   (convention: <realm>.<keycloak client name>.secret)
# mosip.ida.client.secret
# mosip.admin.client.secret
# mosip.reg.client.secret
# mosip.prereg.client.secret
# softhsm.kernel.pin
# softhsm-security-pin
# email.smtp.host
# email.smtp.username
# email.smtp.secret
# mosip.kernel.tokenid.uin.salt
# mosip.kernel.tokenid.partnercode.salt
# mosip.api.internal.url
# mosip.api.public.url


## ------------------------------------------------- e-Signet ----------------------------------------------------------
mosip.esignet.misp.license.key=${mosip.esignet.misp.key}
mosip.esignet.amr-acr-mapping-file-url=${spring_config_url_env}/*/${active_profile_env}/${spring_config_label_env}/amr-acr-mapping.json
mosip.esignet.auth-txn-id-length=10
mosip.esignet.supported-id-regex=\\S*
# Generated ID and access tokens 'exp' depends on the below properties, default value is 1-hour
mosip.esignet.id-token-expire-seconds=3600
mosip.esignet.access-token-expire-seconds=3600
# By default, only 2 link codes can be active, and the time period it can be active is defined here, default value is 1 minute
mosip.esignet.link-code-expire-in-secs=60
# Number of link code allowed to be generated in a transaction, the default value is 10
mosip.esignet.generate-link-code.limit-per-transaction=10
# Time to complete consent after successful authentication, the default value is 120
mosip.esignet.authentication-expire-in-secs=120

# Auth challenge type & format mapping. Auth challenge length validations for each auth factor type.
mosip.esignet.auth-challenge.OTP.format=alpha-numeric
mosip.esignet.auth-challenge.OTP.min-length=6
mosip.esignet.auth-challenge.OTP.max-length=6

mosip.esignet.auth-challenge.PWD.format=alpha-numeric
mosip.esignet.auth-challenge.PWD.min-length=8
mosip.esignet.auth-challenge.PWD.max-length=30

mosip.esignet.auth-challenge.BIO.format=encoded-json
mosip.esignet.auth-challenge.BIO.min-length=5000
mosip.esignet.auth-challenge.BIO.max-length=300000

mosip.esignet.auth-challenge.WLA.format=jwt
mosip.esignet.auth-challenge.WLA.min-length=100
mosip.esignet.auth-challenge.WLA.max-length=1500

mosip.esignet.auth-challenge.KBA.format=base64url-encoded-json
mosip.esignet.auth-challenge.KBA.min-length=50
mosip.esignet.auth-challenge.KBA.max-length=500

mosip.esignet.auth-challenge.PIN.format=number
mosip.esignet.auth-challenge.PIN.min-length=4
mosip.esignet.auth-challenge.PIN.max-length=4


# Endpoints required to have oauth-details-hash and oauth-details-key HTTP header
mosip.esignet.header-filter.paths-to-validate={'${server.servlet.path}/authorization/send-otp', \
  '${server.servlet.path}/authorization/authenticate', \
  '${server.servlet.path}/authorization/v2/authenticate', \
  '${server.servlet.path}/authorization/v3/authenticate', \
  '${server.servlet.path}/authorization/auth-code'}

#This property is used for captcha validation and allowed values are send-otp, pwd and kba.
#captcha validation is enabled for send-otp, pwd and kba.
mosip.esignet.captcha.required=send-otp,pwd
mosip.esignet.captcha.required.auth-factors={}

#Properties used to ratelimit the incoming requests
mosip.esignet.send-otp.attempts=3
mosip.esignet.authenticate.attempts=3

## ------------------------------------------ e-Signet binding ---------------------------------------------------------

mosip.esignet.binding.salt-length=16
mosip.esignet.binding.audience-id=esignet-binding
mosip.esignet.binding.key-expire-days=10
mosip.esignet.binding.encrypt-binding-id=false

## -------------------------------------- Authentication & Authorization -----------------------------------------------

mosip.esignet.security.auth.post-urls={'${server.servlet.path}/client-mgmt/**' : {'SCOPE_add_oidc_client'} , \
  \ '${server.servlet.path}/system-info/**' : { 'SCOPE_upload_certificate'},\
  \ '${server.servlet.path}/binding/wallet-binding' : { 'SCOPE_wallet_binding'}, \
  \ '${server.servlet.path}/binding/binding-otp' : { 'SCOPE_send_binding_otp'}}
mosip.esignet.security.auth.put-urls={'${server.servlet.path}/client-mgmt/**' : { 'SCOPE_update_oidc_client'} }
mosip.esignet.security.auth.get-urls={'${server.servlet.path}/system-info/**' : { 'SCOPE_get_certificate'} }

mosip.esignet.security.ignore-csrf-urls=${server.servlet.path}/oidc/**,${server.servlet.path}/oauth/**,\
  ${server.servlet.path}/actuator/**,/favicon.ico,${server.servlet.path}/error,\
  ${server.servlet.path}/swagger-ui/**,${server.servlet.path}/v3/api-docs/**,\
  ${server.servlet.path}/linked-authorization/link-transaction,${server.servlet.path}/linked-authorization/authenticate,\
  ${server.servlet.path}/linked-authorization/consent,${server.servlet.path}/binding/**,${server.servlet.path}/client-mgmt/**,\
  ${server.servlet.path}/vci/**,${server.servlet.path}/system-info/**,${server.servlet.path}/linked-authorization/v2/link-transaction,\
  ${server.servlet.path}/linked-authorization/v2/authenticate,${server.servlet.path}/linked-authorization/v2/consent

mosip.esignet.security.ignore-auth-urls=${server.servlet.path}/csrf/**,${server.servlet.path}/authorization/**,\
  ${server.servlet.path}/linked-authorization/**,${server.servlet.path}/oidc/**,${server.servlet.path}/oauth/**,\
  ${server.servlet.path}/actuator/**,/favicon.ico,${server.servlet.path}/error,${server.servlet.path}/swagger-ui/**,\
  ${server.servlet.path}/v3/api-docs/**,${server.servlet.path}/binding/**,${server.servlet.path}/vci/**

spring.security.oauth2.resourceserver.jwt.issuer-uri=${keycloak.external.url}/auth/realms/mosip
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=${keycloak.external.url}/auth/realms/mosip/protocol/openid-connect/certs

##------------------------------------------ Kafka configurations ------------------------------------------------------
spring.kafka.bootstrap-servers=kafka-0.kafka-headless.${kafka.profile}:${kafka.port},kafka-1.kafka-headless.${kafka.profile}:${kafka.port},kafka-2.kafka-headless.${kafka.profile}:${kafka.port}
spring.kafka.consumer.group-id=esignet-consumer
spring.kafka.consumer.enable-auto-commit=true
#spring.kafka.listener.concurrency=1

mosip.esignet.kafka.linked-session.topic=esignet-linked
mosip.esignet.kafka.linked-auth-code.topic=esignet-consented

## ------------------------------------------- Integrations ------------------------------------------------------------

mosip.esignet.integration.scan-base-package=io.mosip.authentication.esignet.integration,io.mosip.esignet.mock.integration
mosip.esignet.integration.binding-validator=BindingValidatorServiceImpl
mosip.esignet.integration.authenticator=IdaAuthenticatorImpl
mosip.esignet.integration.key-binder=IdaKeyBinderImpl
mosip.esignet.integration.audit-plugin=IdaAuditPluginImpl
mosip.esignet.integration.captcha-validator=GoogleRecaptchaValidatorService
mosip.esignet.integration.vci-plugin=IdaVCIssuancePluginImpl

# captcha validator
mosip.esignet.captcha-validator.url=https://www.google.com/recaptcha/api/siteverify
mosip.esignet.captcha-validator.secret=${esignet.captcha.secret.key}
mosip.esignet.captcha-validator.site-key=${esignet.captcha.site.key}

# IDA integration props
mosip.esignet.authenticator.ida-auth-id=mosip.identity.kycauth
mosip.esignet.authenticator.ida-exchange-id=mosip.identity.kycexchange
mosip.esignet.authenticator.ida-send-otp-id=mosip.identity.otp
mosip.esignet.authenticator.ida-version=1.0
mosip.esignet.authenticator.ida-domainUri=https://${mosip.esignet.host}
mosip.esignet.authenticator.ida.cert-url=${mosip.file.server.url}/mosip-certs/ida-partner.cer
mosip.esignet.authenticator.ida.kyc-auth-url=${mosip.ida.auth.url}/idauthentication/v1/kyc-auth/delegated/${mosip.esignet.misp.license.key}/
mosip.esignet.authenticator.ida.kyc-exchange-url=${mosip.ida.auth.url}/idauthentication/v1/kyc-exchange/delegated/${mosip.esignet.misp.license.key}/
mosip.esignet.authenticator.ida.send-otp-url=${mosip.ida.otp.url}/idauthentication/v1/otp/${mosip.esignet.misp.license.key}/
mosip.esignet.binder.ida.key-binding-url=${mosip.ida.auth.url}/idauthentication/v1/identity-key-binding/delegated/${mosip.esignet.misp.license.key}/
mosip.esignet.authenticator.ida.get-certificates-url=${mosip.ida.internal.url}/idauthentication/v1/internal/getAllCertificates
mosip.esignet.authenticator.ida.auth-token-url=${mosip.kernel.authmanager.url}/v1/authmanager/authenticate/clientidsecretkey
mosip.esignet.authenticator.ida.audit-manager-url=${mosip.kernel.auditmanager.url}/v1/auditmanager/audits
mosip.esignet.authenticator.ida.client-id=mosip-ida-client
mosip.esignet.authenticator.ida.secret-key=${mosip.ida.client.secret}
mosip.esignet.authenticator.ida.app-id=ida
mosip.esignet.authenticator.ida-env=Developer
mosip.esignet.authenticator.ida.otp-channels=email,phone

mosip.esignet.ida.vci-user-info-cache=userinfo
mosip.esignet.ida.vci-exchange-id=mosip.identity.vciexchange
mosip.esignet.ida.vci-exchange-version=1.0
mosip.esignet.ida.vci-exchange-url=https://${mosip.api.internal.host}/idauthentication/v1/vci-exchange/delegated/${mosip.esignet.misp.license.key}/

# Mock IDA integration props
mosip.esignet.mock.authenticator.get-identity-url=https://${mosip.api.public.host}/v1/mock-identity-system/identity
mosip.esignet.mock.authenticator.kyc-auth-url=https://${mosip.api.public.host}/v1/mock-identity-system/kyc-auth
mosip.esignet.mock.authenticator.kyc-exchange-url=https://${mosip.api.public.host}/v1/mock-identity-system/kyc-exchange
mosip.esignet.mock.authenticator.ida.otp-channels=${mosip.esignet.authenticator.ida.otp-channels}
mosip.esignet.mock.authenticator.send-otp=https://${mosip.api.public.host}/v1/mock-identity-system/send-otp
mosip.esignet.mock.supported.bind-auth-factor-types={'WLA'}
mosip.esignet.mock.vciplugin.verification-method=${mosip.esignet.vci.authn.jwk-set-uri}

## ------------------------------------------ oauth & openid supported values ------------------------------------------

## supported scopes
mosip.esignet.supported.authorize.scopes={'Manage-Identity-Data','Manage-VID','Manage-Authentication','Manage-Service-Requests','Manage-Credentials'}
mosip.esignet.supported.openid.scopes={'profile','email','phone'}
mosip.esignet.openid.scope.claims={'profile' : {'name','address','gender','birthdate','picture','email','phone_number'},'email' : {'email'}, 'phone' : {'phone_number'}}
mosip.esignet.supported.credential.scopes={'mock_identity_vc_ldp', 'mosip_identity_vc_ldp'}
mosip.esignet.credential.scope-resource-mapping={'mock_identity_vc_ldp' : '${mosip.esignet.domain.url}${server.servlet.path}/vci/credential', 'mosip_identity_vc_ldp': '${mosip.esignet.domain.url}${server.servlet.path}/vci/credential'}

## supported authorization processing flow to be used, Currently only supports Authorization Code Flow.
mosip.esignet.supported.response.types={'code'}

## Form of Authorization Grant presented to token endpoint
mosip.esignet.supported.grant.types={'authorization_code'}

## specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User
# page-The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode.
# popup-The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over.
# touch-The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface.
# wap-The Authorization Server SHOULD display the authentication and consent UI consistent with a "feature phone" type display.
mosip.esignet.supported.ui.displays={'page','popup','touch','wap'}

## specifies whether the Authorization Server prompts the End-User for reauthentication and consent
# none-The Authorization Server MUST NOT display any authentication or consent user interface pages.
# An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent
# for the requested Claims or does not fulfill other conditions for processing the request.
# The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6.
# This can be used as a method to check for existing authentication and/or consent.
# login-The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the End-User, \
#  it MUST return an error, typically login_required.
# consent-The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client.
# If it cannot obtain consent, it MUST return an error, typically consent_required.
# select_account-The Authorization Server SHOULD prompt the End-User to select a user account. This enables an End-User
# who has multiple accounts at the Authorization Server to select amongst the multiple accounts that they might have current
# sessions for. If it cannot obtain an account selection choice made by the End-User, it MUST return an error,
# typically account_selection_required.
mosip.esignet.supported.ui.prompts={'none','login','consent','select_account'}

## Type of the client assertion
mosip.esignet.supported.client.assertion.types={'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'}

## Type of the client authentication methods for token endpoint
mosip.esignet.supported.client.auth.methods={'private_key_jwt'}

## Only S256 method supported
mosip.esignet.supported-pkce-methods={'S256'}

## ---------------------------------------- Cache configuration --------------------------------------------------------

mosip.esignet.cache.secure.individual-id=true
mosip.esignet.cache.store.individual-id=true
mosip.esignet.cache.security.secretkey.reference-id=TRANSACTION_CACHE
mosip.esignet.cache.security.algorithm-name=AES/ECB/PKCS5Padding

mosip.esignet.cache.names=clientdetails,preauth,authenticated,authcodegenerated,userinfo,linkcodegenerated,linked,linkedcode,linkedauth,consented,authtokens,bindingtransaction,vcissuance,apiRateLimit,blocked

#spring.cache.type=redis
#spring.cache.cache-names=${mosip.esignet.cache.names}
#spring.redis.host=localhost
#spring.redis.port=6379
management.health.redis.enabled=false

# 'simple' cache type is only applicable only for Non-Production setup
spring.cache.type=simple
mosip.esignet.cache.key.hash.algorithm=SHA3-256

# Cache size setup is applicable only for 'simple' cache type.
# Cache size configuration will not be considered with 'Redis' cache type
mosip.esignet.cache.size={'clientdetails' : 200, \
'preauth': 200, \
'authenticated': 200, \
'authcodegenerated': 200, \
'userinfo': 200, \
'linkcodegenerated' : 500, \
'linked': 200 , \
'linkedcode': 200, \
'linkedauth' : 200 , \
'consented' :200, \
'authtokens': 2, \
'bindingtransaction': 200, \
'vcissuance' : 200, \
'apiRateLimit' : 500, \
'blocked': 500 }

# Cache expire in seconds is applicable for both 'simple' and 'Redis' cache type
mosip.esignet.cache.expire-in-seconds={'clientdetails' : 86400, \
'preauth': 300,\
'authenticated': ${mosip.esignet.authentication-expire-in-secs}, \
'authcodegenerated': 60, \
'userinfo': ${mosip.esignet.access-token-expire-seconds}, \
'linkcodegenerated' : ${mosip.esignet.link-code-expire-in-secs}, \
'linked': 120, \
'linkedcode': ${mosip.esignet.link-code-expire-in-secs}, \
'linkedauth' : ${mosip.esignet.authentication-expire-in-secs}, \
'consented': 60, \
'authtokens': 86400, \
'bindingtransaction': 600, \
'vcissuance': ${mosip.esignet.access-token-expire-seconds}, \
'apiRateLimit' : 180, \
'blocked': 300  }

## ------------------------------------------ Discovery openid-configuration -------------------------------------------

mosip.esignet.domain.url=https://${mosip.esignet.host}
mosip.esignet.discovery.issuer-id=${mosip.esignet.domain.url}${server.servlet.path}

# This property holds ./wellknown/jwks.json URL,
# for local deployments without esignet-ui nginx change the value to ${mosip.esignet.domain.url}${server.servlet.path}/oauth/.well-known/jwks.json
mosip.esignet.jwks-uri=${mosip.esignet.domain.url}/.well-known/jwks.json

mosip.esignet.token.endpoint=${mosip.esignet.domain.url}${server.servlet.path}/oauth/v2/token

mosip.esignet.oauth.key-values={'issuer': '${mosip.esignet.domain.url}' ,\
  \ 'authorization_endpoint': '${mosip.esignet.domain.url}/authorize' , \
  \ 'token_endpoint': '${mosip.esignet.token.endpoint}' , \
  \ 'jwks_uri' : '${mosip.esignet.jwks-uri}' , \
  \ 'token_endpoint_auth_methods_supported' : ${mosip.esignet.supported.client.auth.methods}, \
  \ 'token_endpoint_auth_signing_alg_values_supported' : {'RS256'},\
  \ 'scopes_supported' : ${mosip.esignet.supported.openid.scopes}, \
  \ 'response_modes_supported' : { 'query' }, \
  \ 'grant_types_supported' : ${mosip.esignet.supported.grant.types},\
  \ 'response_types_supported' : ${mosip.esignet.supported.response.types}}

mosip.esignet.discovery.key-values={'issuer': '${mosip.esignet.domain.url}' ,\
  \ 'authorization_endpoint': '${mosip.esignet.domain.url}/authorize' , \
  \ 'token_endpoint': '${mosip.esignet.token.endpoint}' ,\
  \ 'userinfo_endpoint' : '${mosip.esignet.domain.url}${server.servlet.path}/oidc/userinfo' ,\
  \ 'jwks_uri' : '${mosip.esignet.jwks-uri}' , \
  \ 'scopes_supported' : ${mosip.esignet.supported.openid.scopes}, \
  \ 'response_types_supported' : ${mosip.esignet.supported.response.types}, \
  \ 'response_modes_supported' : { 'query' }, \
  \ 'token_endpoint_auth_methods_supported' : ${mosip.esignet.supported.client.auth.methods}, \
  \ 'token_endpoint_auth_signing_alg_values_supported' : {'RS256'}, \
  \ 'userinfo_signing_alg_values_supported' : {'RS256'}, \
  \ 'userinfo_encryption_alg_values_supported' : {'RSAXXXXX'},\
  \ 'userinfo_encryption_enc_values_supported' : {'A128GCM'}, \
  \ 'id_token_signing_alg_values_supported' : {'RS256'}, \
  \ 'claim_types_supported': {'normal'}, \
  \ 'claims_parameter_supported' : true, \
  \ 'display_values_supported' : ${mosip.esignet.supported.ui.displays}, \
  \ 'subject_types_supported' : { 'pairwise' }, \
  \ 'claims_supported' : {'name','address','gender','birthdate','picture','email','phone_number','individual_id'}, \
  \ 'acr_values_supported' : {'mosip:idp:acr:static-code', 'mosip:idp:acr:generated-code', 'mosip:idp:acr:linked-wallet', 'mosip:idp:acr:biometrics', 'mosip:idp:acr:knowledge'},\
  \ 'request_parameter_supported' : false, \
  \ 'claims_locales_supported' : {'en'}, \
  \ 'ui_locales_supported' : {'en'} }

##----------------------------------------- Database properties --------------------------------------------------------

mosip.esignet.database.hostname=postgres-postgresql.postgres
mosip.esignet.database.port=5432
spring.datasource.url=jdbc:postgresql://${mosip.esignet.database.hostname}:${mosip.esignet.database.port}/mosip_esignet?currentSchema=esignet
spring.datasource.username=esignetuser
spring.datasource.password=${db.dbuser.password}

spring.jpa.database-platform=org.hibernate.dialect.PostgreSQL95Dialect
spring.jpa.show-sql=false
spring.jpa.hibernate.ddl-auto=none
spring.jpa.properties.hibernate.jdbc.lob.non_contextual_creation=true

#------------------------------------ Key-manager specific properties --------------------------------------------------
#Crypto asymmetric algorithm name
mosip.kernel.crypto.asymmetric-algorithm-name=RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING
#Crypto symmetric algorithm name
mosip.kernel.crypto.symmetric-algorithm-name=AES/GCM/PKCS5Padding
#Keygenerator asymmetric algorithm name
mosip.kernel.keygenerator.asymmetric-algorithm-name=RSA
#Keygenerator symmetric algorithm name
mosip.kernel.keygenerator.symmetric-algorithm-name=AES
#Asymmetric algorithm key length
mosip.kernel.keygenerator.asymmetric-key-length=2048
#Symmetric algorithm key length
mosip.kernel.keygenerator.symmetric-key-length=256
#Encrypted data and encrypted symmetric key separator
mosip.kernel.data-key-splitter=#KEY_SPLITTER#
#GCM tag length
mosip.kernel.crypto.gcm-tag-length=128
#Hash algo name
mosip.kernel.crypto.hash-algorithm-name=PBKDF2WithHmacSHA512
#Symmtric key length used in hash
mosip.kernel.crypto.hash-symmetric-key-length=256
#No of iterations in hash
mosip.kernel.crypto.hash-iteration=100000
#Sign algo name
mosip.kernel.crypto.sign-algorithm-name=RS256
#Certificate Sign algo name
mosip.kernel.certificate.sign.algorithm=SHA256withRSA

#mosip.kernel.keymanager.hsm.config-path=local.p12
#mosip.kernel.keymanager.hsm.keystore-type=PKCS12
#mosip.kernel.keymanager.hsm.keystore-pass=${softhsm.idp.pin}

#Type of keystore, Supported Types: PKCS11, PKCS12, Offline, JCE
mosip.kernel.keymanager.hsm.keystore-type=PKCS11
# For PKCS11 provide Path of config file.
# For PKCS12 keystore type provide the p12/pfx file path. P12 file will be created internally so provide only file path & file name.
# For Offline & JCE property can be left blank, specified value will be ignored.
mosip.kernel.keymanager.hsm.config-path=/config/softhsm-application.conf
# Passkey of keystore for PKCS11, PKCS12
# For Offline & JCE proer can be left blank. JCE password use other JCE specific properties.
mosip.kernel.keymanager.hsm.keystore-pass=${softhsm.esignet.security.pin}


mosip.kernel.keymanager.certificate.default.common-name=www.mosip.io
mosip.kernel.keymanager.certificate.default.organizational-unit=MOSIP-TECH-CENTER
mosip.kernel.keymanager.certificate.default.organization=IITB
mosip.kernel.keymanager.certificate.default.location=BANGALORE
mosip.kernel.keymanager.certificate.default.state=KA
mosip.kernel.keymanager.certificate.default.country=IN

mosip.kernel.keymanager.softhsm.certificate.common-name=www.mosip.io
mosip.kernel.keymanager.softhsm.certificate.organizational-unit=MOSIP
mosip.kernel.keymanager.softhsm.certificate.organization=IITB
mosip.kernel.keymanager.softhsm.certificate.country=IN

# Application Id for PMS master key.
mosip.kernel.partner.sign.masterkey.application.id=PMS
mosip.kernel.partner.allowed.domains=DEVICE

mosip.kernel.keymanager-service-validate-url=https://${mosip.hostname}/keymanager/validate
mosip.kernel.keymanager.jwtsign.validate.json=false
mosip.keymanager.dao.enabled=false
crypto.PrependThumbprint.enable=true

mosip.kernel.keymgr.hsm.health.check.enabled=true	
mosip.kernel.keymgr.hsm.health.key.app-id=OIDC_SERVICE	
mosip.kernel.keymgr.hsm.healthkey.ref-id=TRANSACTION_CACHE
mosip.kernel.keymgr.hsm.health.check.encrypt=true

## -------------------------------------------- IDP-UI config ----------------------------------------------------------
# NOTE:
# 1. linked-transaction-expire-in-secs value should be a sum of 'mosip.esignet.authentication-expire-in-secs' and 'linked' cache expire in seconds under mosip.esignet.cache.expire-in-seconds property
# 2. A new Qrcode will be autogenerated before the expiry of current qr-code, and the time difference in seconds for the same is defined in wallet.qr-code-buffer-in-secs property
# 3. If esignet is deployed with MOSIP IDA, then 'resend.otp.delay.secs' must be the same as 'mosip.kernel.otp.expiry-time'

mosip.esignet.ui.wallet.config={{'wallet.name': 'walletName', 'wallet.logo-url': '/images/qr_code.png', 'wallet.download-uri': '#', \
 'wallet.deep-link-uri': 'inji://landing-page-name?linkCode=LINK_CODE&linkExpireDateTime=LINK_EXPIRE_DT' }}

mosip.esignet.ui.signup.config={'signup.banner': true, 'signup.url': 'https://${mosip.signup.host}/signup'}

mosip.esignet.ui.forgot-password.config={'forgot-password': true, 'forgot-password.url': 'https://${mosip.signup.host}/reset-password'}

## Configuration required to display KBI form.
# individual-id-field is set with field id which should be considered as an individual ID in the authenticate request.
# form-details holds the list of field details like below:
# id -> unique field Id, type -> holds datatype, format -> only supported for date fields, regex -> pattern to validate the input value, maxLength -> number of allowed characters
# Example: mosip.esignet.authenticator.default.auth-factor.kba.field-details={{'id': '${mosip.esignet.authenticator.default.auth-factor.kba.individual-id-field}', 'type':'text', 'format':'', 'maxLength': 50, 'regex': '^\\s*[+-]?(\\d+|\\d*\\.\\d+|\\d+\\.\\d*)([Ee][+-]?\\d*)?\\s*$'},{'id':'fullName', 'type':'text', 'format':'', 'maxLength': 50, 'regex': '^[A-Za-z\\s]{1,}[\\.]{0,1}[A-Za-z\\s]{0,}$'},{'id':'dob', 'type':'date', 'format':'dd/mm/yyyy'}}
mosip.esignet.authenticator.default.auth-factor.kba.individual-id-field=
mosip.esignet.authenticator.default.auth-factor.kba.field-details={}

## Configuration Map input to UI at the start of every transaction.
mosip.esignet.ui.config.key-values={'sbi.env': 'Developer', 'sbi.timeout.DISC': 30, \
  'sbi.timeout.DINFO': 30, 'sbi.timeout.CAPTURE': 30, 'sbi.capture.count.face': 1, 'sbi.capture.count.finger': 1, \
  'sbi.capture.count.iris': 1, 'sbi.capture.score.face': 70, 'sbi.capture.score.finger':70, 'sbi.capture.score.iris':70, \
  'resend.otp.delay.secs': ${mosip.kernel.otp.expiry-time}, 'send.otp.channels' : '${mosip.esignet.authenticator.ida.otp-channels}', \
  'captcha.sitekey' : '${mosip.esignet.captcha-validator.site-key}', 'captcha.enable' : '${mosip.esignet.captcha.required}', \
  'auth.txnid.length' : '${mosip.esignet.auth-txn-id-length}', 'consent.screen.timeout-in-secs':${mosip.esignet.authentication-expire-in-secs}, \
  'consent.screen.timeout-buffer-in-secs': 5, 'linked-transaction-expire-in-secs': 240, 'sbi.port.range': '4501-4600', \
  'sbi.bio.subtypes.iris': 'UNKNOWN', 'sbi.bio.subtypes.finger': 'UNKNOWN', 'wallet.qr-code-buffer-in-secs': 10, 'otp.length': ${mosip.esignet.auth-challenge.OTP.max-length}, \
  'password.regex': '^.{8,20}$', \
  'password.max-length': ${mosip.esignet.auth-challenge.PWD.max-length}, \
  'username.regex': '^[0-9]{10,30}$',\
  'username.prefix': '', \
  'username.postfix': '', \
  'username.max-length': 16, \
  'username.input-type': 'number', 'wallet.config': ${mosip.esignet.ui.wallet.config}, \'signup.config': ${mosip.esignet.ui.signup.config}, \
  'forgot-password.config': ${mosip.esignet.ui.forgot-password.config}, \
  'error.banner.close-timer': 10,\
  'auth.factor.kba.individual-id-field' : '${mosip.esignet.authenticator.default.auth-factor.kba.individual-id-field}',\
  'auth.factor.kba.field-details': ${mosip.esignet.authenticator.default.auth-factor.kba.field-details} }

##  ---------------------------------------------- VCI ------------------------------------------------------------------
# Used to verify audience in the PoP JWT
mosip.esignet.vci.identifier=${mosip.esignet.domain.url}
mosip.esignet.vci.authn.filter-urls={ '${server.servlet.path}/vci/credential' }
# Change this if the VCI is used with different OAUTH2.0 server
mosip.esignet.vci.authn.issuer-uri=${mosip.esignet.discovery.issuer-id}
mosip.esignet.vci.authn.jwk-set-uri=${mosip.esignet.jwks-uri}

mosip.esignet.vci.authn.allowed-audiences={ '${mosip.esignet.domain.url}${server.servlet.path}/vci/credential' }

mosip.esignet.cnonce-expire-seconds=40
mosip.esignet.vci.supported.jwt-proof-alg={'RS256','PS256'}
mosip.esignet.vci.key-values={\
  'v11' : { \
              'credential_issuer': '${mosip.esignet.vci.identifier}', 	\
              'credential_endpoint': '${mosipbox.public.url}${server.servlet.path}/vci/credential', \
              'credentials_supported': {\
                    {\
                      'format': 'ldp_vc',\
                      'id': 'MockVerifiableCredential_ldp', \
                      'scope' : 'mock_identity_vc_ldp',\
                      'cryptographic_binding_methods_supported': {'did:jwk'},\
                      'cryptographic_suites_supported': {'RsaSignature2018'},\
                      'proof_types_supported': {'jwt'},\
                      'credential_definition': {\
                        'type': {'VerifiableCredential','MockVerifiableCredential'},\
                        'credentialSubject': {\
                          'name': { 'display': {{'name': 'Given Name', 'locale': 'en' }}}, \
                          'age': { 'display': {{ 'name': 'Age', 'locale': 'en'}}}\
                         }\
                        },\
                        'display': {{'name': 'Mock Verifiable Credential by e-Signet', \
                                    'locale': 'en', \
                                    'logo': {'url': '${mosipbox.public.url}/logo.png', 'alt_text': 'a square logo of a MOSIP'},\
                                    'background_color': '#12107c',\
                                    'text_color': '#FFFFFF'}}\
                      },\
                      {\
                          'format': 'ldp_vc',\
                          'id': 'MOSIPVerifiableCredential', \
                          'scope' : 'mosip_identity_vc_ldp',\
                          'cryptographic_binding_methods_supported': {'did:jwk'},\
                          'cryptographic_suites_supported': {'RsaSignature2018'},\
                          'proof_types_supported': {'jwt'},\
                          'credential_definition': {\
                              'type': {'VerifiableCredential','MOSIPVerifiableCredential'},\
                              'credentialSubject': {\
                                  'fullName': { 'display': {{'name': 'Full Name', 'locale': 'en' }}},\
                                  'phone': { 'display': {{'name': 'Phone Number', 'locale': 'en' }}},\
                                  'dateOfBirth': { 'display': {{'name': 'DOB', 'locale': 'en' }}},\
                                  'gender': { 'display': {{'name': 'Gender', 'locale': 'en' }}},\
                                  'residenceStatus': { 'display': {{'name': 'Residence Status', 'locale': 'en' }}},\
                                  'email': { 'display': {{'name': 'Email Id', 'locale': 'en' }}},\
                                  'region': { 'display': {{'name': 'Region', 'locale': 'en' }}},\
                                  'province': { 'display': {{'name': 'Province', 'locale': 'en' }}},\
                                  'city': { 'display': {{'name': 'City', 'locale': 'en' }}},\
                                  'postalCode': { 'display': {{'name': 'Postal Code', 'locale': 'en' }}}\
                               }\
                          },\
                          'display': {{'name': 'MOSIP Verifiable Credential by e-Signet', \
                                  'locale': 'en', \
                                  'logo': {'url': '${mosipbox.public.url}/logo.png','alt_text': 'a square logo of a MOSIP'},\
                                  'background_color': '#12107c',\
                                  'text_color': '#FFFFFF'}}\
                      }\
              }\
          },\
   'latest' : {\
              'credential_issuer': '${mosip.esignet.vci.identifier}', 	\
              'credential_endpoint': '${mosipbox.public.url}${server.servlet.path}/vci/credential', \
              'display': {{'name': 'e-Signet', 'locale': 'en'}},\
              'credentials_supported' : { \
                 "MockVerifiableCredential_ldp" : {\
                    'format': 'ldp_vc',\
                    'scope' : 'mock_identity_vc_ldp',\
                    'cryptographic_binding_methods_supported': {'did:jwk'},\
                    'cryptographic_suites_supported': {'RsaSignature2018'},\
                    'proof_types_supported': {'jwt'},\
                    'credential_definition': {\
                    'type': {'VerifiableCredential','MockVerifiableCredential'},\
                    'credentialSubject': {\
                    'name': { 'display': {{'name': 'Given Name', 'locale': 'en' }}}, \
                    'age': { 'display': {{ 'name': 'Age', 'locale': 'en'}}}\
                     }},\
                    'display': {{'name': 'Mock Verifiable Credential by e-Signet', \
                                  'locale': 'en', \
                                  'logo': {'url': '${mosipbox.public.url}/logo.png',\
                                  'alt_text': 'a square logo of a MOSIP'},\
                                  'background_color': '#12107c',\
                                  'text_color': '#FFFFFF'}}\
                 }, \
                'MOSIPVerifiableCredential_ldp' : {\
                    'format': 'ldp_vc',\
                    'scope' : 'mosip_identity_vc_ldp',\
                    'cryptographic_binding_methods_supported': {'did:jwk'},\
                    'cryptographic_suites_supported': {'RsaSignature2018'},\
                    'proof_types_supported': {'jwt'},\
                    'credential_definition': {\
                    'type': {'VerifiableCredential','MOSIPVerifiableCredential'},\
                    'credentialSubject': {\
                      'fullName': { 'display': {{'name': 'Full Name', 'locale': 'en' }}},\
                      'phone': { 'display': {{'name': 'Phone Number', 'locale': 'en' }}},\
                      'dateOfBirth': { 'display': {{'name': 'DOB', 'locale': 'en' }}},\
                      'gender': { 'display': {{'name': 'Gender', 'locale': 'en' }}},\
                      'residenceStatus': { 'display': {{'name': 'Residence Status', 'locale': 'en' }}},\
                      'email': { 'display': {{'name': 'Email Id', 'locale': 'en' }}},\
                      'region': { 'display': {{'name': 'Region', 'locale': 'en' }}},\
                      'province': { 'display': {{'name': 'Province', 'locale': 'en' }}},\
                      'city': { 'display': {{'name': 'City', 'locale': 'en' }}},\
                      'postalCode': { 'display': {{'name': 'Postal Code', 'locale': 'en' }}}\
                     }},\
                    'display': {{'name': 'MOSIP Verifiable Credential by e-Signet', \
                                  'locale': 'en', \
                                  'logo': {'url': '${mosipbox.public.url}/logo.png','alt_text': 'a square logo of a MOSIP'},\
                                  'background_color': '#12107c',\
                                  'text_color': '#FFFFFF'}}\
                 }\
              }\
        }\
  }
## -------------------------------------------- Others ----------------------------------------------------------

#logging.level.org.springframework.web.client.RestTemplate=DEBUG
#logging.level.io.mosip.esignet=INFO