From 683ad135dec29455a991afe2a840a351a9f47103 Mon Sep 17 00:00:00 2001 From: ase-101 Date: Thu, 19 Sep 2024 18:32:40 +0530 Subject: [PATCH] ES-1638 Signed-off-by: ase-101 --- docker-compose/README.md | 64 ++--- docker-compose/app/Dockerfile | 7 - docker-compose/app/nginx.conf | 22 -- docker-compose/docker-compose.yml | 21 +- .../resources/application-default.properties | 13 +- .../resources/application-local.properties | 241 +++++++++++------- 6 files changed, 196 insertions(+), 172 deletions(-) delete mode 100644 docker-compose/app/Dockerfile delete mode 100644 docker-compose/app/nginx.conf diff --git a/docker-compose/README.md b/docker-compose/README.md index 532d31dff..4392d79f4 100644 --- a/docker-compose/README.md +++ b/docker-compose/README.md 
@@ -2,63 +2,33 @@ This is the docker-compose setup to run esignet UI and esignet-service with mock identity system. This is not for production use. -## What is in the docker-compose setup folder? +## I am a developer, how to setup dependent services to edit and test esignet-service? -1. "app" folder holds the Dockerfile required to build custom artifactory-server. This artifactory server will host all the files under app/static folder. -All the i18n bundles, dummy softhsm conf, signin-with-esignet button plugin files are served from this server. -2. "config" folder holds the esignet and mock-identity system properties file. -3. "docker-compose.yml" file with esignet and mock-identity-system setup with other required services -4. "init.sql" comprises DDL and DMLs required by esignet and mock-identity-system. -5. "loader_path" this is esignet mount volume from where all the runtime dependencies are loaded to classpath. If any new esignet plugins to be tested -should be placed in this folder and respective plugin configuration should be updated in config/esignet-default.properties. +1. Run `docker-compose up -f dependent-docker-compose.yml` to start all the dependent services. +2. Go to command line for the project root directory and run `mvn clean install -Dgpg.skip=true -DskipTests=true` +3. Add [esignet-mock-plugin.jar](../esignet-service/target/esignet-plugins/esignet-mock-plugin.jar) to esignet-service classpath in your IDE. +4. Start the [EsignetServiceApplication.java](../esignet-service/src/main/java/io/mosip/esignet/EsignetServiceApplication.java) from your IDE. +5. Import files under [postman-collection](../postman-collection) folder into your postman to test/validate OIDC flow. -```Note: Refer https://docs.esignet.io/integration to know how to create custom plugins to integrate.``` +## How to bring up the complete eSignet setup for a Demo? -## How to run this setup? +1. Run [docker-compose.yml](docker-compose.yml) to start eSignet UI and backend service. 
+2. Access eSignet UI at http://localhost:3000 +3. Access eSignet backend services at http://localhost:8088/v1/esignet/swagger-ui.html +4. Onboard relying party in eSignet, import files under [postman-collection](../postman-collection) folder into your postman. And invoke requests under `OIDC Client Mgmt/Mock` folder in postman. Copy the client ID in the `Create OIDC client` response. +5. Add a `SignIn with eSignet` button in the relying party website and embed [eSignet authorize URL](http://localhost:3000/authorize?nonce=ere973eieljznge2311&state=eree2311&client_id=client_id&redirect_uri=redirect_uri&scope=openid&response_type=code&acr_values=mosip:idp:acr:generated-code&claims_locales=en&ui_locales=en-IN) in the button. Make sure to replace the query parameter values in the url before embedding in the button. +6. Add a user in the mock-identity-system. +7. Now the setup is completely ready to start the OIDC flow. [Refer eSignet user guides](https://docs.esignet.io/end-user-guide) for more information. -1. Create loader_path folder in the same directory and Download the eisgnet mock plugin from [here](https://repo1.maven.org/maven2/io/mosip/esignet/mock/mock-esignet-integration-impl/0.9.2/mock-esignet-integration-impl-0.9.2.jar) -and copy the downloaded jar under loader_path directory. -2. Start the docker-compose file +`Note: To know more about the relying party onboard and query parameters used in the eSignet authorize URL [refer eSignet docs](https://docs.esignet.io/integration/relying-party)` -> docker-compose up +## How to add user identity in the mock-identity-system? -3. Download the postman script from [here](../docs/postman-collections/esignet-with-mock-IDA.postman_collection.json) -and its environment from [here](../docs/postman-collections/esignet-with-mock-IDA.postman_environment.json) +Import files under [postman-collection](../postman-collection) folder into your postman. And invoke requests under `User Mgmt/Mock` folder in postman. -4. 
Import the downloaded collection and environment into postman. -5. To create an OIDC/OAuth client, run the below request from the postman collection "OIDC Client mgmt" folder - * Get CSRF token - * Create OIDC Client -6. To Create a Mock identity, run the below request from the postman collection "Mock-Identity-System" folder - * Create Mock Identity -7. To run the OIDC flow with mock identity run the below request(same order) from the postman collection "AuthCode flow with OTP login" folder. - * Get CSRF token - * Authorize / OAuthdetails request - * Send OTP - * Authenticate User - * Authorization Code - * Get Tokens - * Get userInfo -8. To run the Verifiable Credential Issuance flow with mock identity run the below request(same order) from the postman collection "VCI" folder. - * Get CSRF token - * Authorize / OAuthdetails request - * Send OTP - * Authenticate User - * Authorization Code - * Get Tokens - * Get Credential - - -## How to Access esignet UI? - -To invoke the authorize endpoint of esignet UI to start OIDC/VCI flow, use the below URL: - -http://localhost:3000/authorize?nonce=ere973eieljznge2311&state=eree2311&client_id=health-service-client&redirect_uri=https://healthservices.com/callback&scope=openid&response_type=code&acr_values=mosip:idp:acr:generated-code&claims=%7B%22userinfo%22:%7B%22name%22:%7B%22essential%22:false%7D,%22phone_number%22:%7B%22essential%22:true%7D%7D,%22id_token%22:%7B%7D%7D&claims_locales=en&display=page&state=consent&ui_locales=en-IN - -```Note: Change the value of client_id, redirect_uri, acr_values and claims as per your requirement in the above URL.``` diff --git a/docker-compose/app/Dockerfile b/docker-compose/app/Dockerfile deleted file mode 100644 index 021c88a27..000000000 --- a/docker-compose/app/Dockerfile +++ /dev/null @@ -1,7 +0,0 @@ -FROM nginx:alpine - -WORKDIR /app - -COPY . . - -COPY ./nginx.conf /etc/nginx/nginx.conf \ No newline at end of file 
diff --git a/docker-compose/app/nginx.conf b/docker-compose/app/nginx.conf deleted file mode 100644 index d84cb015e..000000000 --- a/docker-compose/app/nginx.conf +++ /dev/null @@ -1,22 +0,0 @@ -events { - worker_connections 1024; -} - -http { - include mime.types; - sendfile on; - - server { - listen 8080; - listen [::]:8080; - - resolver 127.0.0.11; - autoindex off; - - server_name _; - server_tokens off; - - root /app/static; - gzip_static on; - } -} \ No newline at end of file diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index 592b62fcd..91e9e2456 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml 
@@ -37,9 +37,22 @@ services: - KAFKA_ENABLED=false - SPRING_AUTOCONFIGURE_EXCLUDE=org.springframework.boot.autoconfigure.kafka.KafkaAutoConfiguration - SPRING_DATASOURCE_URL=jdbc:postgresql://database:5432/mosip_esignet?currentSchema=esignet - - SPRING_DATASOURCE_USERNAME=postgres - - SPRING_DATASOURCE_PASSWORD=postgres - SPRING_CACHE_TYPE=simple - - MOCK_IDENTITY_SYSTEM_DOMAIN_URL=http://mock-identity-system:8082 + - MOSIP_ESIGNET_MOCK_DOMAIN_URL=http://mock-identity-system:8082 depends_on: - - database \ No newline at end of file + - database + - mock-identity-system + + esignet-ui: + build: + context: ../oidc-ui + dockerfile: Dockerfile + user: root + ports: + - 3000:3000 + environment: + - container_user=mosip + - DEFAULT_WELLKNOWN=%5B%7B%22name%22%3A%22OpenID%20Configuration%22%2C%22value%22%3A%22%2F.well-known%2Fopenid-configuration%22%7D%2C%7B%22name%22%3A%22Jwks%20Json%22%2C%22value%22%3A%22%2F.well-known%2Fjwks.json%22%7D%2C%7B%22name%22%3A%22Authorization%20Server%22%2C%22value%22%3A%22%2F.well-known%2Foauth-authorization-server%22%7D%5D + - SIGN_IN_WITH_ESIGNET_PLUGIN_URL=https://raw.githubusercontent.com/mosip/artifactory-ref-impl/master/artifacts/src/mosip-plugins/sign-in-with-esignet/sign-in-with-esignet.zip + volumes: + - ./nginx.conf:/etc/nginx/nginx.conf \ No newline at end of file diff --git a/esignet-service/src/main/resources/application-default.properties b/esignet-service/src/main/resources/application-default.properties index f84988e53..5a71085f0 100644 --- a/esignet-service/src/main/resources/application-default.properties +++ b/esignet-service/src/main/resources/application-default.properties 
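Review bot: The new `esignet-ui` service bind-mounts `./nginx.conf:/etc/nginx/nginx.conf`, but this commit deletes `docker-compose/app/nginx.conf` and the diffstat adds no `docker-compose/nginx.conf`, so unless that file already exists in the repository Docker will create an empty directory at the host path and nginx will most likely refuse to start; add the file or drop the mount. The container also runs with `user: root` while passing `container_user=mosip`, so nginx and anything it spawns run as root inside the container—drop `user: root` if the image works without it. `SIGN_IN_WITH_ESIGNET_PLUGIN_URL` fetches a zip from a `master` branch URL, so the plugin served to relying parties changes whenever that branch moves; pin it to a tagged release or commit. Removing `SPRING_DATASOURCE_USERNAME`/`SPRING_DATASOURCE_PASSWORD` means the credentials now come from whichever properties profile the image loads; confirm that profile carries them, otherwise the datasource will not authenticate.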
@@ -118,6 +118,7 @@ spring.security.oauth2.resourceserver.jwt.issuer-uri=${keycloak.external.url}/au spring.security.oauth2.resourceserver.jwt.jwk-set-uri=${keycloak.external.url}/auth/realms/mosip/protocol/openid-connect/certs ##------------------------------------------ Kafka configurations ------------------------------------------------------ +kafka.enabled=true kafka.profile=kafka.svc.cluster.local kafka.port=9092 spring.kafka.bootstrap-servers=kafka-0.kafka-headless.${kafka.profile}:${kafka.port},kafka-1.kafka-headless.${kafka.profile}:${kafka.port},kafka-2.kafka-headless.${kafka.profile}:${kafka.port} @@ -331,7 +332,7 @@ mosip.kernel.keymanager.hsm.keystore-type=PKCS11 mosip.kernel.keymanager.hsm.config-path=/config/softhsm-application.conf # Passkey of keystore for PKCS11, PKCS12 # For Offline & JCE proer can be left blank. JCE password use other JCE specific properties. -mosip.kernel.keymanager.hsm.keystore-pass=${security.pin} +mosip.kernel.keymanager.hsm.keystore-pass=${softhsm.esignet.security.pin} mosip.kernel.keymanager.certificate.default.common-name=www.mosip.io 
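Review bot: `mosip.kernel.keymanager.hsm.keystore-pass=${softhsm.esignet.security.pin}` introduces a placeholder name that differs from the `${security.pin}` this same commit puts into application-local.properties (the `@@ -265,9 +303,15 @@` hunk), so a deployment that supplies one name will fail placeholder resolution on the other profile. Pick one name for both, or document in a comment above this line where `softhsm.esignet.security.pin` is expected to come from. Having no `:default` is right for a keystore secret—startup should fail rather than fall back to a known value.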
@@ -386,11 +387,11 @@ mosip.esignet.authenticator.default.auth-factor.kbi.field-details={} mosip.esignet.ui.config.otp.length=6 mosip.esignet.ui.config.password.regex=^.{8,20}$ mosip.esignet.ui.config.password.max-length=20 -mosip.esignet.ui.config.username.regex=^[1-9][0-9]{7,8}$ -mosip.esignet.ui.config.username.prefix=+855 -mosip.esignet.ui.config.username.postfix=@phone -mosip.esignet.ui.config.username.max-length=9 -mosip.esignet.ui.config.username.input-type=number +mosip.esignet.ui.config.username.regex=.* +mosip.esignet.ui.config.username.prefix= +mosip.esignet.ui.config.username.postfix= +mosip.esignet.ui.config.username.max-length=12 +mosip.esignet.ui.config.username.input-type=text mosip.esignet.ui.config.key-values={'sbi.env': '${mosip.esignet.authenticator.ida-env:Developer}', 'sbi.timeout.DISC': 30, \ 'sbi.timeout.DINFO': 30, 'sbi.timeout.CAPTURE': 30, 'sbi.capture.count.face': 1, 'sbi.capture.count.finger': 1, \ diff --git a/esignet-service/src/main/resources/application-local.properties b/esignet-service/src/main/resources/application-local.properties index d96efa86d..c3d043887 100644 --- a/esignet-service/src/main/resources/application-local.properties +++ b/esignet-service/src/main/resources/application-local.properties 
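Review bot: `mosip.esignet.ui.config.username.regex=.*` accepts any input, including an empty string, so the UI-side username check is effectively disabled in the default profile even though `mosip.esignet.ui.config.username.max-length=12` still applies. Unless the server-side `mosip.esignet.supported-id-regex` is the real gate here, tighten it to at least enforce the documented length, e.g. `mosip.esignet.ui.config.username.regex=^.{1,12}$`. If `.*` is intentional because the default profile is meant to be deployment-agnostic, a comment saying so would stop the next reader from treating it as an oversight.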
@@ -2,15 +2,32 @@ # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at https://mozilla.org/MPL/2.0/. -## ------------------------------------------------- e-Signet ---------------------------------------------------------- -mosip.esignet.amr-acr-mapping-file-path=${amr_acr_mapping_file_path_env:amr_acr_mapping.json} +## Tomcat access logs +server.tomcat.accesslog.enabled=true +server.tomcat.accesslog.directory=/dev +server.tomcat.accesslog.prefix=stdout +server.tomcat.accesslog.buffered=false +server.tomcat.accesslog.suffix= +server.tomcat.accesslog.file-date-format= +server.tomcat.accesslog.pattern={"@timestamp":"%{yyyy-MM-dd'T'HH:mm:ss.SSS'Z'}t","level":"ACCESS","level_value":70000,"traceId":"%{X-B3-TraceId}i","statusCode":%s,"req.requestURI":"%U","bytesSent":%b,"timeTaken":%T,"appName":"${spring.application.name}","req.userAgent":"%{User-Agent}i","req.xForwardedFor":"%{X-Forwarded-For}i","req.referer":"%{Referer}i","req.method":"%m","req.remoteHost":"%a"} +server.tomcat.accesslog.className=io.mosip.kernel.core.logger.config.SleuthValve +#logging.level.org.springframework.web.client.RestTemplate=INFO +logging.level.io.mosip.esignet=INFO + +## eSignet configurations mosip.esignet.auth-txn-id-length=10 -mosip.esignet.generate-link-code.limit-per-transaction=10 mosip.esignet.supported-id-regex=\\S* +# Generated ID and access tokens 'exp' depends on the below properties, default value is 1-hour mosip.esignet.id-token-expire-seconds=3600 mosip.esignet.access-token-expire-seconds=3600 -mosip.esignet.link-code-expire-in-secs=60 -mosip.esignet.authentication-expire-in-secs=60 +# By default, only 2 link codes can be active, and the time period it can be active is defined here, default value is 1 minute +mosip.esignet.link-code-expire-in-secs=600 +# Number of link code allowed to be generated in a transaction, the default value is 10 +mosip.esignet.generate-link-code.limit-per-transaction=10 +# Time to complete consent after 
successful authentication, the default value is 120 +mosip.esignet.authentication-expire-in-secs=600 +# Time to complete authentication +mosip.esignet.preauthentication-expire-in-secs=600 ## Auth challenge type & format mapping. Auth challenge length validations for each auth factor type. mosip.esignet.auth-challenge.OTP.format=alpha-numeric @@ -44,9 +61,6 @@ mosip.esignet.auth-challenge.IDT.max-length=2000 mosip.esignet.claim-detail.purpose.min-length=3 mosip.esignet.claim-detail.purpose.max-length=300 -mosip.esignet.signup-id-token-expire-seconds=180 -mosip.esignet.signup-id-token-audience=mosip-signup-client - ## Endpoints required to have oauth-details-hash and oauth-details-key HTTP header mosip.esignet.header-filter.paths-to-validate={'${server.servlet.path}/authorization/send-otp', \ '${server.servlet.path}/authorization/authenticate', \ 
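Review bot: The JSON access-log pattern added at `server.tomcat.accesslog.pattern` places request-controlled header values (`%{User-Agent}i`, `%{Referer}i`, `%{X-Forwarded-For}i`) directly inside quoted JSON strings without escaping, so a request carrying a `"` or a newline in one of those headers yields a malformed or forged record for whatever parses the `stdout` log. Tomcat's stock `AccessLogValve` does not JSON-escape these fields, and whether the configured `server.tomcat.accesslog.className=io.mosip.kernel.core.logger.config.SleuthValve` does is not visible here; confirm it escapes, or use Tomcat's `JsonAccessLogValve` if the Tomcat version in use provides it. Separately, the comments on the new timeout lines cite defaults of 1 minute and 120 seconds while the values are 600, so a one-line note that the local profile deliberately extends these would avoid confusion.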
@@ -55,23 +69,24 @@ mosip.esignet.header-filter.paths-to-validate={'${server.servlet.path}/authoriza '${server.servlet.path}/authorization/auth-code',\ '${server.servlet.path}/authorization/prepare-signup-redirect',\ '${server.servlet.path}/authorization/claim-details',\ - '${server.servlet.path}/authorization/resume'} + '${server.servlet.path}/authorization/resume' } -#This property is used for captcha validation and allowed values are send-otp and pwd. -# captcha validation is enabled for the auth-factors - otp, pwd, kbi and pin. +## captcha validation is enabled for the auth-factors - otp, pwd, bio and pin. mosip.esignet.captcha.required= -mosip.esignet.captcha.validator-url=https://api-internal.dev.mosip.net/v1/captcha/validatecaptcha +mosip.esignet.captcha.validator-url=http://captcha.captcha/v1/captcha/validatecaptcha mosip.esignet.captcha.module-name=esignet -mosip.esignet.captcha-validator.site-key= +mosip.esignet.captcha.site-key=test-site-key -## ------------------------------------------ e-Signet binding --------------------------------------------------------- +## Applicable for signup redirection to update profile +mosip.esignet.signup-id-token-expire-seconds=180 +mosip.esignet.signup-id-token-audience=mosip-signup-oauth-client +## ------------------------------------------ e-Signet binding --------------------------------------------------------- mosip.esignet.binding.salt-length=16 mosip.esignet.binding.audience-id=esignet-binding mosip.esignet.binding.key-expire-days=10 ## -------------------------------------- Authentication & Authorization ----------------------------------------------- - mosip.esignet.security.auth.post-urls={} mosip.esignet.security.auth.put-urls={} mosip.esignet.security.auth.get-urls={} 
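Review bot: The new comment `## captcha validation is enabled for the auth-factors - otp, pwd, bio and pin.` reads as a statement of current state, but `mosip.esignet.captcha.required=` is blank on the next line, so no factor is captcha-protected in this profile; the removed line that described the property's allowed values was the useful part. Suggest `## Captcha is disabled here; set mosip.esignet.captcha.required to the auth-factors that need it (the supported names are listed below) to enable it.` The `mosip.esignet.captcha-validator.site-key` → `mosip.esignet.captcha.site-key` rename and the `signup-id-token-audience` change to `mosip-signup-oauth-client` both require the consuming side (the captcha binding in code, the signup service's expected audience) to agree; neither is visible in this diff, so confirm both.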
@@ -90,28 +105,22 @@ mosip.esignet.security.ignore-auth-urls=${server.servlet.path}/csrf/**,${server. ${server.servlet.path}/v3/api-docs/**,${server.servlet.path}/binding/** ##------------------------------------------ Kafka configurations ------------------------------------------------------ -kafka.enabled=${KAFKA_ENABLED:true} spring.kafka.bootstrap-servers=localhost:9092 -spring.kafka.consumer.group-id=runtime-kafka-registry +spring.kafka.consumer.group-id=esignet-consumer spring.kafka.consumer.enable-auto-commit=true -spring.kafka.listener.concurrency=1 +#spring.kafka.listener.concurrency=1 mosip.esignet.kafka.linked-session.topic=esignet-linked mosip.esignet.kafka.linked-auth-code.topic=esignet-consented -## ------------------------------------------- Integrations ------------------------------------------------------------ - -mosip.esignet.integration.binding-validator=BindingValidatorServiceImpl -mosip.esignet.integration.audit-plugin=LoggerAuditService - ## ------------------------------------------ oauth & openid supported values ------------------------------------------ ## supported scopes -mosip.esignet.supported.credential.scopes={'mock_identity_vc_ldp'} -mosip.esignet.supported.authorize.scopes={'resident-service'} +mosip.esignet.supported.authorize.scopes={'Manage-Identity-Data','Manage-VID','Manage-Authentication','Manage-Service-Requests','Manage-Credentials'} mosip.esignet.supported.openid.scopes={'profile','email','phone'} -mosip.esignet.openid.scope.claims={'profile' : {'name','given_name','middle_name','preferred_username','picture','gender','birthdate','locale','nickname', 'family_name','zoneinfo', 'updated_at','address'},'email' : {'email','email_verified'}, 'phone' : {'phone_number','phone_number_verified'}} -mosip.esignet.credential.scope-resource-mapping={'mock_identity_vc_ldp' : '${mosip.esignet.domain.url}${server.servlet.path}/vci/credential' } +mosip.esignet.openid.scope.claims={'profile' : 
{'name','address','gender','birthdate','picture','email','phone_number','phone_number_verified','registration_type','updated_at'},'email' : {'email'}, 'phone' : {'phone_number','phone_number_verified'}} +mosip.esignet.supported.credential.scopes={'mosip_identity_vc_ldp'} +mosip.esignet.credential.scope-resource-mapping={ 'mosip_identity_vc_ldp': '${mosip.esignet.domain.url}${server.servlet.path}/vci/credential'} ## supported authorization processing flow to be used, Currently only supports Authorization Code Flow. mosip.esignet.supported.response.types={'code'} 
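Review bot: In `mosip.esignet.openid.scope.claims` the `profile` scope now releases `email`, `phone_number` and `phone_number_verified` alongside the profile claims, so a relying party granted only `profile` receives the contact claims that the `email` and `phone` scopes exist to gate; OIDC Core §5.4 assigns those claims to the `email` and `phone` scopes. Unless a consumer depends on the overlap, remove the three contact claims from the `profile` entry. The hunk also deletes `mosip.esignet.integration.audit-plugin=LoggerAuditService` and `mosip.esignet.integration.binding-validator` with no replacement in this profile; if there is no code-level default, audit events would be dropped silently in local runs, so confirm one exists. `kafka.enabled=${KAFKA_ENABLED:true}` is removed too, so the local profile now inherits whatever `kafka.enabled` resolves to elsewhere (application-default sets it to `true` in this same commit) unless the `KAFKA_ENABLED` environment variable is present.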
@@ -148,47 +157,76 @@ mosip.esignet.supported.client.assertion.types={'urn:ietf:params:oauth:client-as ## Type of the client authentication methods for token endpoint mosip.esignet.supported.client.auth.methods={'private_key_jwt'} -## JSON array containing a list of Proof Key for Code Exchange (PKCE) [RFC7636] code challenge methods supported +## Only S256 method supported mosip.esignet.supported-pkce-methods={'S256'} - ## ---------------------------------------- Cache configuration -------------------------------------------------------- mosip.esignet.cache.secure.individual-id=true mosip.esignet.cache.store.individual-id=true mosip.esignet.cache.security.secretkey.reference-id=TRANSACTION_CACHE mosip.esignet.cache.security.algorithm-name=AES/ECB/PKCS5Padding +mosip.esignet.cache.key.hash.algorithm=SHA3-256 -mosip.esignet.cache.names=clientdetails,preauth,authenticated,authcodegenerated,userinfo,linkcodegenerated,linked,linkedcode,\ - linkedauth,consented,halted,apiratelimit,blocked,shared_idv_result +mosip.esignet.cache.names=clientdetails,preauth,authenticated,authcodegenerated,userinfo,linkcodegenerated,linked,linkedcode,linkedauth,consented,authtokens,bindingtransaction,apiratelimit,blocked,halted,shared_idv_result -spring.cache.type=${SPRING_CACHE_TYPE:redis} +# 'simple' cache type is only applicable only for Non-Production setup +spring.cache.type=redis spring.cache.cache-names=${mosip.esignet.cache.names} spring.redis.host=localhost spring.redis.port=6379 +management.health.redis.enabled=false + +# Cache size setup is applicable only for 'simple' cache type. 
+# Cache size configuration will not be considered with 'Redis' cache type +mosip.esignet.cache.size={'clientdetails' : 200, \ +'preauth': 200, \ +'authenticated': 200, \ +'authcodegenerated': 200, \ +'userinfo': 200, \ +'linkcodegenerated' : 500, \ +'linked': 200 , \ +'linkedcode': 200, \ +'linkedauth' : 200 , \ +'consented' :200, \ +'authtokens': 2, \ +'bindingtransaction': 200, \ +'apiratelimit' : 500, \ +'blocked': 500, \ +'halted' : 500, \ +'shared_idv_result' : 100} + +# Cache expire in seconds is applicable for both 'simple' and 'Redis' cache type +mosip.esignet.cache.expire-in-seconds={'clientdetails' : 86400, \ +'preauth': ${mosip.esignet.preauthentication-expire-in-secs},\ +'authenticated': ${mosip.esignet.authentication-expire-in-secs}, \ +'authcodegenerated': 600, \ +'userinfo': ${mosip.esignet.access-token-expire-seconds}, \ +'linkcodegenerated' : ${mosip.esignet.link-code-expire-in-secs}, \ +'linked': 600, \ +'linkedcode': ${mosip.esignet.link-code-expire-in-secs}, \ +'linkedauth' : ${mosip.esignet.authentication-expire-in-secs}, \ +'consented': 600, \ +'authtokens': 86400, \ +'bindingtransaction': 600, \ +'apiratelimit' : 180, \ +'blocked': 300, \ +'halted' : ${mosip.esignet.signup-id-token-expire-seconds},\ +'shared_idv_result' : 1200 } -mosip.esignet.cache.key.hash.algorithm=SHA3-256 -mosip.esignet.cache.size={'clientdetails' : 200, 'preauth': 200, 'authenticated': 200, 'authcodegenerated': 200, 'userinfo': 200, \ - 'linkcodegenerated' : 500, 'linked': 200 , 'linkedcode': 200, 'linkedauth' : 200 , 'consented' :200, 'halted':100, \ - 'apiratelimit' : 500, 'blocked': 500, 'shared_idv_result' : 100 } -mosip.esignet.cache.expire-in-seconds={'clientdetails' : 86400, 'preauth': 180, 'authenticated': ${mosip.esignet.authentication-expire-in-secs}, \ - 'authcodegenerated': 60, 'userinfo': ${mosip.esignet.access-token-expire-seconds}, 'linkcodegenerated' : ${mosip.esignet.link-code-expire-in-secs}, \ - 'linked': 60 , 'linkedcode': 
${mosip.esignet.link-code-expire-in-secs}, 'linkedauth' : ${mosip.esignet.authentication-expire-in-secs}, \ - 'consented': 120, 'halted': ${mosip.esignet.signup-id-token-expire-seconds}, \ - 'apiratelimit' : 180, 'blocked': 300, 'shared_idv_result' : 1200 } ## ------------------------------------------ Discovery openid-configuration ------------------------------------------- -mosip.esignet.domain.url=${ESIGNET_DOMAIN_URL:http://localhost:8088} +mosip.esignet.domain.url=https://${mosip.esignet.host} mosip.esignet.discovery.issuer-id=${mosip.esignet.domain.url}${server.servlet.path} # This property holds ./wellknown/jwks.json URL, # for local deployments without esignet-ui nginx change the value to ${mosip.esignet.domain.url}${server.servlet.path}/oauth/.well-known/jwks.json -mosip.esignet.jwks-uri=${mosip.esignet.domain.url}${server.servlet.path}/oauth/.well-known/jwks.json +mosip.esignet.jwks-uri=${mosip.esignet.domain.url}/.well-known/jwks.json mosip.esignet.token.endpoint=${mosip.esignet.domain.url}${server.servlet.path}/oauth/v2/token mosip.esignet.oauth.key-values={'issuer': '${mosip.esignet.domain.url}' ,\ - \ 'authorization_endpoint': '${mosip.esignet.domain.url}${server.servlet.path}/authorize' , \ + \ 'authorization_endpoint': '${mosip.esignet.domain.url}/authorize' , \ \ 'token_endpoint': '${mosip.esignet.token.endpoint}' , \ \ 'jwks_uri' : '${mosip.esignet.jwks-uri}' , \ \ 'token_endpoint_auth_methods_supported' : ${mosip.esignet.supported.client.auth.methods}, \ 
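Review bot: `mosip.esignet.domain.url=https://${mosip.esignet.host}` drops the `${ESIGNET_DOMAIN_URL:http://localhost:8088}` default and `mosip.esignet.host` is not defined anywhere in this hunk; if no environment or other property source supplies it, placeholder resolution fails at startup, and even when it does, the local issuer no longer matches the `http://localhost:8088` backend the README in this commit documents. Consider restoring an override such as `mosip.esignet.domain.url=${ESIGNET_DOMAIN_URL:https://${mosip.esignet.host}}`. In `mosip.esignet.cache.expire-in-seconds`, `authcodegenerated` grows from 60 to 600 seconds, so an authorization code stays redeemable for ten minutes—the upper bound RFC 6749 §4.1.2 recommends—so a short comment on why a local profile needs that would help. `spring.cache.type=redis` loses its `${SPRING_CACHE_TYPE:redis}` override; Spring's relaxed binding should still let the `SPRING_CACHE_TYPE=simple` environment variable set in docker-compose.yml win, but since the preceding comment says `simple` is for non-production only, a note that the environment is expected to override it would make the intent explicit.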
@@ -199,37 +237,37 @@ mosip.esignet.oauth.key-values={'issuer': '${mosip.esignet.domain.url}' ,\ \ 'response_types_supported' : ${mosip.esignet.supported.response.types}} mosip.esignet.discovery.key-values={'issuer': '${mosip.esignet.domain.url}' ,\ - \ 'authorization_endpoint': '${mosip.esignet.domain.url}${server.servlet.path}/authorize' , \ + \ 'authorization_endpoint': '${mosip.esignet.domain.url}/authorize' , \ \ 'token_endpoint': '${mosip.esignet.token.endpoint}' ,\ \ 'userinfo_endpoint' : '${mosip.esignet.domain.url}${server.servlet.path}/oidc/userinfo' ,\ + \ 'jwks_uri' : '${mosip.esignet.jwks-uri}' , \ \ 'scopes_supported' : ${mosip.esignet.supported.openid.scopes}, \ \ 'response_types_supported' : ${mosip.esignet.supported.response.types}, \ - \ 'response_modes_supported' : { 'query' }, \ - \ 'token_endpoint_auth_methods_supported' : ${mosip.esignet.supported.client.auth.methods}, \ - \ 'token_endpoint_auth_signing_alg_values_supported' : {'RS256'}, \ + \ 'acr_values_supported' : {'mosip:idp:acr:knowledge', 'mosip:idp:acr:password', 'mosip:idp:acr:static-code', 'mosip:idp:acr:generated-code', 'mosip:idp:acr:linked-wallet', 'mosip:idp:acr:biometrics'},\ \ 'userinfo_signing_alg_values_supported' : {'RS256'}, \ \ 'userinfo_encryption_alg_values_supported' : {'RSAXXXXX'},\ \ 'userinfo_encryption_enc_values_supported' : {'A128GCM'}, \ + \ 'response_modes_supported' : { 'query' }, \ + \ 'token_endpoint_auth_methods_supported' : ${mosip.esignet.supported.client.auth.methods}, \ + \ 'token_endpoint_auth_signing_alg_values_supported' : {'RS256'}, \ \ 'id_token_signing_alg_values_supported' : {'RS256'}, \ \ 'claim_types_supported': {'normal'}, \ \ 'claims_parameter_supported' : true, \ \ 'display_values_supported' : ${mosip.esignet.supported.ui.displays}, \ \ 'subject_types_supported' : { 'pairwise' }, \ - \ 'claims_supported' : {'iss','sub','acr','name','given_name','middle_name','preferred_username','picture','gender','birthdate','locale','nickname', 
'family_name','zoneinfo', 'updated_at','address', 'email','email_verified', 'phone_number','phone_number_verified'}, \ - \ 'acr_values_supported' : {},\ - \ 'request_parameter_supported' : false,\ - \ 'verified_claims_supported' : true,\ - \ 'claims_in_verified_claims_supported' : {'name','given_name','middle_name','preferred_username','picture','gender','birthdate','locale','nickname', 'family_name','zoneinfo', 'updated_at','address', 'email','email_verified', 'phone_number','phone_number_verified'},\ - \ 'trust_frameworks_supported' : {'mosip'},\ - \ 'evidence_supported' : {'document','electronic_record','vouch','electronic_signature'},\ - \ 'documents_supported' : {},\ - \ 'attachments_supported' : {},\ - \ 'digest_algorithms_supported' : {'SHA-256'} } + \ 'claims_supported' : {'name','address','gender','birthdate','picture','email','phone_number','individual_id','phone_number_verified','registration_type','updated_at'}, \ + \ 'claims_locales_supported' : {'en'}, \ + \ 'request_parameter_supported' : false, \ + \ 'display_values_supported' : ${mosip.esignet.supported.ui.displays}, \ + \ 'ui_locales_supported' : {'en'} } ##----------------------------------------- Database properties -------------------------------------------------------- - -spring.datasource.url=jdbc:postgresql://localhost:5455/mosip_esignet -spring.datasource.username=postgres +mosip.esignet.database.hostname=localhost +mosip.esignet.database.port=5455 +mosip.esignet.database.name=mosip_esignet +mosip.esignet.database.username=postgres +spring.datasource.url=jdbc:postgresql://${mosip.esignet.database.hostname}:${mosip.esignet.database.port}/${mosip.esignet.database.name}?currentSchema=esignet +spring.datasource.username=${mosip.esignet.database.username} spring.datasource.password=postgres spring.jpa.database-platform=org.hibernate.dialect.PostgreSQL95Dialect 
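Review bot: `mosip.esignet.discovery.key-values` now contains `'display_values_supported'` twice—once on the unchanged line before `'subject_types_supported'` and again among the added lines near the end—so the SpEL map literal has a duplicate key; delete the added copy. The new `claims_supported` list advertises `individual_id`, which does not appear under any scope in `mosip.esignet.openid.scope.claims` as changed in this same commit, and it no longer lists `iss`, `sub` or `acr`, which the ID token always carries; align the advertised list with what the provider actually emits. The database block moves host, port, name and username behind `mosip.esignet.database.*` placeholders but leaves `spring.datasource.password=postgres` as a bare literal; a matching `mosip.esignet.database.password` property would at least give the password the same single override point as the other fields.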
@@ -265,9 +303,15 @@ mosip.kernel.crypto.sign-algorithm-name=RS256 #Certificate Sign algo name mosip.kernel.certificate.sign.algorithm=SHA256withRSA -mosip.kernel.keymanager.hsm.config-path=local.p12 +#Type of keystore, Supported Types: PKCS11, PKCS12, Offline, JCE mosip.kernel.keymanager.hsm.keystore-type=PKCS12 -mosip.kernel.keymanager.hsm.keystore-pass=local +# For PKCS11 provide Path of config file. +# For PKCS12 keystore type provide the p12/pfx file path. P12 file will be created internally so provide only file path & file name. +# For Offline & JCE property can be left blank, specified value will be ignored. +mosip.kernel.keymanager.hsm.config-path=local.p12 +# Passkey of keystore for PKCS11, PKCS12 +# For Offline & JCE proer can be left blank. JCE password use other JCE specific properties. +mosip.kernel.keymanager.hsm.keystore-pass=${security.pin} mosip.kernel.keymanager.certificate.default.common-name=www.mosip.io mosip.kernel.keymanager.certificate.default.organizational-unit=MOSIP-TECH-CENTER @@ -281,7 +325,7 @@ mosip.kernel.keymanager.softhsm.certificate.organizational-unit=MOSIP mosip.kernel.keymanager.softhsm.certificate.organization=IITB mosip.kernel.keymanager.softhsm.certificate.country=IN -# ApplicationId for PMS master key. +# Application Id for PMS master key. mosip.kernel.partner.sign.masterkey.application.id=PMS mosip.kernel.partner.allowed.domains=DEVICE 
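Review bot: The added comment `# For Offline & JCE proer can be left blank. JCE password use other JCE specific properties.` carries the typo `proer` (copied from application-default.properties); write it as `# For Offline & JCE the property can be left blank. JCE password uses other JCE-specific properties.` The new `mosip.kernel.keymanager.hsm.keystore-pass=${security.pin}` replaces the literal `local` with a placeholder that has no default, so local runs now need `security.pin` supplied before startup succeeds; a comment saying where it is expected to come from (environment, local override file) would save the first person who hits the unresolved-placeholder error some time.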
@@ -290,41 +334,66 @@ mosip.kernel.keymanager.jwtsign.validate.json=false mosip.keymanager.dao.enabled=false crypto.PrependThumbprint.enable=true +mosip.kernel.keymgr.hsm.health.check.enabled=true +mosip.kernel.keymgr.hsm.health.key.app-id=OIDC_SERVICE +mosip.kernel.keymgr.hsm.healthkey.ref-id=TRANSACTION_CACHE +mosip.kernel.keymgr.hsm.health.check.encrypt=true + ## -------------------------------------------- IDP-UI config ---------------------------------------------------------- + # NOTE: -# 1. linked-transaction-expire-in-secs value should be a sum of mosip.esignet.authentication-expire-in-secs and linked cache expire in seconds under mosip.esignet.cache.expire-in-seconds property +# 1. linked-transaction-expire-in-secs value should be a sum of 'mosip.esignet.authentication-expire-in-secs' and 'linked' cache expire in seconds under mosip.esignet.cache.expire-in-seconds property # 2. A new Qrcode will be autogenerated before the expiry of current qr-code, and the time difference in seconds for the same is defined in wallet.qr-code-buffer-in-secs property +# 3. 
If esignet is deployed with MOSIP IDA, then 'resend.otp.delay.secs' must be the same as 'mosip.kernel.otp.expiry-time' -mosip.esignet.ui.wallet.config={{'wallet.name': 'walletName', 'wallet.logo-url': '/images/qr_code.png', 'wallet.download-uri': '#', \ +mosip.esignet.ui.wallet.config={{'wallet.name': 'walletName', 'wallet.logo-url': '/images/qr_code.png', 'wallet.download-uri': '#', \ 'wallet.deep-link-uri': 'inji://landing-page-name?linkCode=LINK_CODE&linkExpireDateTime=LINK_EXPIRE_DT' }} -mosip.esignet.ui.signup.config={'signup.banner': true, 'signup.url': 'http://localhost:3000/signup'} - -mosip.esignet.ui.forgot-password.config={'forgot-password': true, 'forgot-password.url': 'http://localhost:3000/forgot-password'} - -mosip.esignet.ui.eKYC-steps.url='http://localhost:3000/identity-verification' +mosip.signup.domain.url=https://${mosip.signup.host} +mosip.esignet.ui.signup.config={'signup.banner': true, 'signup.url': '${mosip.signup.domain.url}/signup'} +mosip.esignet.ui.forgot-password.config={'forgot-password': true, 'forgot-password.url': '${mosip.signup.domain.url}/reset-password'} +mosip.esignet.ui.eKYC-steps.url=${mosip.signup.domain.url}/identity-verification -mosip.esignet.authenticator.default.auth-factor.kbi.field-details={} +## Configuration required to display KBI form. +# individual-id-field is set with field id which should be considered as an individual ID in the authenticate request. 
+# form-details holds the list of field details like below: +# id -> unique field Id, type -> holds datatype, format -> only supported for date fields, regex -> pattern to validate the input value, maxLength -> number of allowed characters +# Example: mosip.esignet.authenticator.default.auth-factor.kba.field-details={{'id': '${mosip.esignet.authenticator.default.auth-factor.kba.individual-id-field}', 'type':'text', 'format':'', 'maxLength': 50, 'regex': '^\\s*[+-]?(\\d+|\\d*\\.\\d+|\\d+\\.\\d*)([Ee][+-]?\\d*)?\\s*$'},{'id':'fullName', 'type':'text', 'format':'', 'maxLength': 50, 'regex': '^[A-Za-z\\s]{1,}[\\.]{0,1}[A-Za-z\\s]{0,}$'},{'id':'dob', 'type':'date', 'format':'dd/mm/yyyy'}} mosip.esignet.authenticator.default.auth-factor.kbi.individual-id-field= +mosip.esignet.authenticator.default.auth-factor.kbi.field-details={} -## Configuration Map input to UI at the start of every transaction. -mosip.esignet.ui.config.key-values={'sbi.env': 'Developer', 'sbi.timeout.DISC': 30, \ +mosip.esignet.ui.config.otp.length=6 +mosip.esignet.ui.config.password.regex=^.{8,20}$ +mosip.esignet.ui.config.password.max-length=20 +mosip.esignet.ui.config.username.regex=.* +mosip.esignet.ui.config.username.prefix= +mosip.esignet.ui.config.username.postfix= +mosip.esignet.ui.config.username.max-length=12 +mosip.esignet.ui.config.username.input-type=text + +mosip.esignet.ui.config.key-values={'sbi.env': '${mosip.esignet.authenticator.ida-env:Developer}', 'sbi.timeout.DISC': 30, \ 'sbi.timeout.DINFO': 30, 'sbi.timeout.CAPTURE': 30, 'sbi.capture.count.face': 1, 'sbi.capture.count.finger': 1, \ 'sbi.capture.count.iris': 1, 'sbi.capture.score.face': 70, 'sbi.capture.score.finger':70, 'sbi.capture.score.iris':70, \ - 'resend.otp.delay.secs': 20, 'send.otp.channels' : 'email,phone', \ - 'captcha.sitekey' : '${mosip.esignet.captcha-validator.site-key}', 'captcha.enable' : '${mosip.esignet.captcha.required}', \ - 'auth.txnid.length' : '${mosip.esignet.auth-txn-id-length}', 
'consent.screen.timeout-in-secs':${mosip.esignet.authentication-expire-in-secs}, \ + 'resend.otp.delay.secs': ${mosip.kernel.otp.expiry-time:180}, 'send.otp.channels' : '${mosip.esignet.authenticator.ida.otp-channels:email,phone}', \ + 'captcha.sitekey' : '${mosip.esignet.captcha.site-key}', 'captcha.enable' : '${mosip.esignet.captcha.required}', \ + 'auth.txnid.length' : '${mosip.esignet.auth-txn-id-length}', \ + 'preauth-screen-timeout-in-secs':${mosip.esignet.preauthentication-expire-in-secs}, \ + 'consent.screen.timeout-in-secs':${mosip.esignet.authentication-expire-in-secs}, \ 'consent.screen.timeout-buffer-in-secs': 5, 'linked-transaction-expire-in-secs': 240, 'sbi.port.range': '4501-4600', \ - 'sbi.bio.subtypes.iris': 'UNKNOWN', 'sbi.bio.subtypes.finger': 'UNKNOWN', 'wallet.qr-code-buffer-in-secs': 10, 'otp.length': 6, \'password.regex': '^.{8,20}$', \ - 'password.max-length': 20, \ - 'username.regex': '^[1-9][0-9]{7,8}$',\ - 'username.prefix': '+855', \ - 'username.postfix': '@phone', \ - 'username.max-length': 9, \ - 'username.input-type': 'number', 'wallet.config': ${mosip.esignet.ui.wallet.config}, \'signup.config': ${mosip.esignet.ui.signup.config}, \ + 'sbi.bio.subtypes.iris': 'UNKNOWN', 'sbi.bio.subtypes.finger': 'UNKNOWN', 'wallet.qr-code-buffer-in-secs': 10, \ + 'otp.length': ${mosip.esignet.ui.config.otp.length}, \ + 'password.regex': '${mosip.esignet.ui.config.password.regex}', \ + 'password.max-length': ${mosip.esignet.ui.config.password.max-length}, \ + 'username.regex': '${mosip.esignet.ui.config.username.regex}',\ + 'username.prefix': '${mosip.esignet.ui.config.username.prefix}', \ + 'username.postfix': '${mosip.esignet.ui.config.username.postfix}', \ + 'username.max-length': ${mosip.esignet.ui.config.username.max-length}, \ + 'username.input-type': '${mosip.esignet.ui.config.username.input-type}', 'wallet.config': ${mosip.esignet.ui.wallet.config}, \'signup.config': ${mosip.esignet.ui.signup.config}, \ 'forgot-password.config': 
${mosip.esignet.ui.forgot-password.config}, \ - 'eKYC-steps.config': ${mosip.esignet.ui.eKYC-steps.url}, \ + 'eKYC-steps.config': '${mosip.esignet.ui.eKYC-steps.url}', \ 'error.banner.close-timer': 10,\ 'auth.factor.kbi.individual-id-field' : '${mosip.esignet.authenticator.default.auth-factor.kbi.individual-id-field}',\ - 'auth.factor.kbi.field-details': ${mosip.esignet.authenticator.default.auth-factor.kbi.field-details} } + 'auth.factor.kbi.field-details': ${mosip.esignet.authenticator.default.auth-factor.kbi.field-details}} +##-------------------------------------------- Default Integrations ----------------------------------------------------- +mosip.esignet.integration.audit-plugin=LoggerAuditService