Configure eSignet

In this section, we have listed the properties that may change from implementation to implementation. All the properties used by eSignet with their default values can be found in the esignet-default.properties.

Basic Configurations

These are very basic configuration properties of the eSignet service. Most of them are set to ideal values by default.

Generated ID token expiry time in seconds mosip.esignet.id-token-expire-seconds=3600
Generated access token expiry time in seconds mosip.esignet.access-token-expire-seconds=3600
Captcha validation is enabled for the auth-factors - otp, password, biometrics, and pin.
mosip.esignet.captcha.required=send-otp,pwd,kbi
Time gap allowed between authentication and consent capture in seconds mosip.esignet.authentication-expire-in-secs
Applicable for QR code-based login: QR code is embedded with link-code which is used by wallet apps to link transactions between the wallet app and the browser. This is the property to define the lifetime of a link code in seconds. mosip.esignet.link-code-expire-in-secs=600
Regex to validate the input client ID mosip.esignet.supported-id-regex=\\S*
One can configure wallet details that will be used to render as one of the login options. By default eSignet is setup with Inji wallet details. mosip.esignet.ui.wallet.config={{'wallet.name': 'walletName', 'wallet.logo-url': '/images/qr_code.png', 'wallet.download-uri': '#', 'wallet.deep-link-uri': 'io.mosip.residentapp.inji://wla-auth?linkCode=LINK_CODE&linkExpireDateTime=LINK_EXPIRE_DT' }}
Configuration required to display KBI form. individual-id-field is set with field id which should be considered as an individual ID in the authenticate request.
form-details holds the list of field details like below:

id -> unique field id, type -> holds datatype, format -> only supported for date fields, regex -> pattern to validate the input value, maxLength -> number of allowed characters.

mosip.esignet.authenticator.default.auth-factor.kbi.individual-id-field=policyID

mosip.esignet.authenticator.default.auth-factor.kba.field-details={{'id': '${mosip.esignet.authenticator.default.auth-factor.kba.individual-id-field}', 'type':'text', 'format':'', 'maxLength': 50, 'regex': '^\s*[+-]?(\d+|\d*\.\d+|\d+\.\d*)([Ee][+-]?\d*)?\s*$'},{'id':'fullName', 'type':'text', 'format':'', 'maxLength': 50, 'regex': '^[A-Za-z\s]{1,}[\.]{0,1}[A-Za-z\s]{0,}$'},{'id':'dob', 'type':'date', 'format':'dd/mm/yyyy'}}

Prefix and Postfix support is added to support the MOSIP handle feature, Prefix will be visible in the oidc-ui, but postfix is automatically added to the entered individual. Finally, the individual sent to the backend has both prefix and postfix appended if configured.

mosip.esignet.ui.config.username.prefix= mosip.esignet.ui.config.username.postfix=

eSignet uses logback for logging. The log level of the application can be easily changed with this property. logging.level.io.mosip.esignet=INFO

OAuth and OpenID

Property to define the list of authorized scopes mosip.esignet.supported.authorize.scopes={'manage-resident-vid'}
Property to define the list of OpenId scopes mosip.esignet.supported.openid.scopes={'profile','email','phone'}
Property to define the OpenId scopes and user claim mappings mosip.esignet.openid.scope.claims={'profile' : {'name','picture','gender','birthdate','address'},'email' : {'email'}, 'phone' : {'phone_number'}}

Note: To know more about the claims supported by eSignet, go through our claims documentation.

OAuth configuration's well-known endpoint is based on the below configuration property. This holds the map which is the same as the oauth-authorization-server's well-known spec. mosip.esignet.oauth.key-values
OIDC configuration well known endpoint is based on the below configuration property. This holds the map which is the same as the openid-configuration's well-known spec. mosip.esignet.discovery.key-values

Cache

eSignet uses a cache to store all the details about UI transactions that are identified with a transaction ID. eSignet uses the spring-cache abstraction library. Hence eSignet could be connected with any spring-cache abstraction supported cache server.

By default, it is set to simple to use springs default in-memory cache spring.cache.type=simple
eSignet transitions the transaction details from one cache to another cache based on the transaction stage. Here is the list of caches maintained in eSignet mosip.esignet.cache.names=clientdetails,preauth,authenticated,authcodegenerated,userinfo,linkcodegenerated,linked,linkedcode,linkedauth,consented,authtokens,bindingtransaction,vcissuance
Property to set the max size of cache mosip.esignet.cache.size

Note: This is applicable only for simple cache type

Property to set the Time To Live(TTL) per cache, applicable to both Redis and simple cache mosip.esignet.cache.expire-in-seconds

Note: For cache other than redis and simple, based on the cache native TTL support a separate cache configuration should be added. Find the Redis cache config here.

Plugin Integrations

In eSignet, we use runtime plugins to connect with external ID systems. As per design we only load one implementation of the plugin interface.

The below properties define the plugin packages to be scanned and which implementations should be loaded into the spring context.

Comma-separated list of plugin implementation packages to scan by spring mosip.esignet.integration.scan-base-package=io.mosip.esignet.mock.integration
Authenticator plugin implementation is a conditional scanned bean based on the property below mosip.esignet.integration.authenticator=MockAuthenticationService
Key binder plugin implementation is a conditional scanned bean based on the property below mosip.esignet.integration.key-binder=MockKeyBindingWrapperService
Audit plugin implementation is a conditional scanned bean based on the property below mosip.esignet.integration.audit-plugin=LoggerAuditService

Note: Configuration properties for mock plugins and MOSIP IDA plugins are by default added to the application.properties file. Please refer to the below links: 1. Mock Plugin properties 2. MOSIP Plugin properties

Key Manager

The key manager connects with the configured keystore. Below are the configurations used:

Type of keystore, Supported Types: PKCS11, PKCS12, Offline, JCE mosip.kernel.keymanager.hsm.keystore-type=PKCS11
For PKCS11 provide Path of config file. For PKCS12 keystore type provide the p12/pfx file path. P12 file will be created internally so provide only the file path & file name. For Offline & JCE property can be left blank, and specified value will be ignored. mosip.kernel.keymanager.hsm.config-path=/config/softhsm-application.conf
Passkey of keystore for PKCS11, PKCS12.For Offline & JCE proer can be left blank. JCE passwords use other JCE-specific properties. mosip.kernel.keymanager.hsm.keystore-pass

Note: Most of the other key manager configurations need not be changed.

eSignet UI

List of properties used by the eSignet UI to render the UI accordingly.

The below property holds the map of ui properties with default values mosip.esignet.ui.config.key-values.

Here is the list of keys used in the mosip.esignet.ui.config.key-values property.

SBI for Biometric Authentication

sbi.env - By default, SBI env is set to 'Develop'
sbi.port.range - Port range to scan for any running SBI
sbi.timeout.DISC - Timeout for SBI discovery endpoint in seconds
sbi.timeout.DINFO - Timeout for SBI device info endpoint in seconds
sbi.timeout.CAPTURE - Timeout for SBI capture endpoint in seconds
sbi.capture.count.face - count is set to 1
sbi.capture.count.finger - Number of fingers to be captured
sbi.capture.count.iris - Number of iris to be captured
sbi.capture.score.face - Quality score threshold for face
sbi.capture.score.finger - Quality score threshold for finger
sbi.capture.score.iris - Quality score threshold for iris
sbi.bio.subtypes.iris - Biometric attribute name to be captured, otherwise it is set to 'UNKNOWN'
sbi.bio.subtypes.finger - Biometric attribute name to be captured, otherwise it is set to 'UNKNOWN'

send.otp.channels - Comma-separated channels list, through which OTP will be sent
resend.otp.delay.secs - Timer to enable resend OTP button
otp.length - Length of the OTP
password.regex - Regex for UI validation
linked-transaction-expire-in-secs - Number of seconds allowed for a linked transaction to complete in the wallet APP.
wallet.qr-code-buffer-in-secs - New QR code will be autogenerated before the expiry of the current QR code, this property defines the time difference in seconds.
wallet.qr-code.auto-refresh-limit - Limit for the QR code auto-refresh.
wallet.config - List of wallets to be displayed for QR code-based login

consent.screen.timeout-in-secs - Timer on the consent page which will expire in the given second
consent.screen.timeout-buffer-in-secs - Buffer time for the consent screen expiry timer

Captcha

captcha.enable - Comma-separated components list, where the captcha should be shown. Currently only supports the OTP page.
captcha.sitekey - Site Key used to generate captcha.

Last updated 2 months ago

Was this helpful?

Configure eSignet

Basic Configurations

These are very basic configuration properties of the eSignet service. Most of them are set to ideal values by default.

Generated ID token expiry time in seconds mosip.esignet.id-token-expire-seconds=3600
Generated access token expiry time in seconds mosip.esignet.access-token-expire-seconds=3600
Captcha validation is enabled for the auth-factors - otp, password, biometrics, and pin.
mosip.esignet.captcha.required=send-otp,pwd,kbi
Time gap allowed between authentication and consent capture in seconds mosip.esignet.authentication-expire-in-secs
Applicable for QR code-based login: QR code is embedded with link-code which is used by wallet apps to link transactions between the wallet app and the browser. This is the property to define the lifetime of a link code in seconds. mosip.esignet.link-code-expire-in-secs=600
Regex to validate the input client ID mosip.esignet.supported-id-regex=\\S*
One can configure wallet details that will be used to render as one of the login options. By default eSignet is setup with Inji wallet details. mosip.esignet.ui.wallet.config={{'wallet.name': 'walletName', 'wallet.logo-url': '/images/qr_code.png', 'wallet.download-uri': '#', 'wallet.deep-link-uri': 'io.mosip.residentapp.inji://wla-auth?linkCode=LINK_CODE&linkExpireDateTime=LINK_EXPIRE_DT' }}
Configuration required to display KBI form. individual-id-field is set with field id which should be considered as an individual ID in the authenticate request.
form-details holds the list of field details like below:

id -> unique field id, type -> holds datatype, format -> only supported for date fields, regex -> pattern to validate the input value, maxLength -> number of allowed characters.

mosip.esignet.authenticator.default.auth-factor.kbi.individual-id-field=policyID

Prefix and Postfix support is added to support the MOSIP handle feature, Prefix will be visible in the oidc-ui, but postfix is automatically added to the entered individual. Finally, the individual sent to the backend has both prefix and postfix appended if configured.

mosip.esignet.ui.config.username.prefix= mosip.esignet.ui.config.username.postfix=

eSignet uses logback for logging. The log level of the application can be easily changed with this property. logging.level.io.mosip.esignet=INFO

OAuth and OpenID

Property to define the list of authorized scopes mosip.esignet.supported.authorize.scopes={'manage-resident-vid'}
Property to define the list of OpenId scopes mosip.esignet.supported.openid.scopes={'profile','email','phone'}
Property to define the OpenId scopes and user claim mappings mosip.esignet.openid.scope.claims={'profile' : {'name','picture','gender','birthdate','address'},'email' : {'email'}, 'phone' : {'phone_number'}}

Note: To know more about the claims supported by eSignet, go through our claims documentation.

OAuth configuration's well-known endpoint is based on the below configuration property. This holds the map which is the same as the oauth-authorization-server's well-known spec. mosip.esignet.oauth.key-values
OIDC configuration well known endpoint is based on the below configuration property. This holds the map which is the same as the openid-configuration's well-known spec. mosip.esignet.discovery.key-values

Cache

By default, it is set to simple to use springs default in-memory cache spring.cache.type=simple
eSignet transitions the transaction details from one cache to another cache based on the transaction stage. Here is the list of caches maintained in eSignet mosip.esignet.cache.names=clientdetails,preauth,authenticated,authcodegenerated,userinfo,linkcodegenerated,linked,linkedcode,linkedauth,consented,authtokens,bindingtransaction,vcissuance
Property to set the max size of cache mosip.esignet.cache.size

Note: This is applicable only for simple cache type

Property to set the Time To Live(TTL) per cache, applicable to both Redis and simple cache mosip.esignet.cache.expire-in-seconds

Note: For cache other than redis and simple, based on the cache native TTL support a separate cache configuration should be added. Find the Redis cache config here.

Plugin Integrations

In eSignet, we use runtime plugins to connect with external ID systems. As per design we only load one implementation of the plugin interface.

The below properties define the plugin packages to be scanned and which implementations should be loaded into the spring context.

Comma-separated list of plugin implementation packages to scan by spring mosip.esignet.integration.scan-base-package=io.mosip.esignet.mock.integration
Authenticator plugin implementation is a conditional scanned bean based on the property below mosip.esignet.integration.authenticator=MockAuthenticationService
Key binder plugin implementation is a conditional scanned bean based on the property below mosip.esignet.integration.key-binder=MockKeyBindingWrapperService
Audit plugin implementation is a conditional scanned bean based on the property below mosip.esignet.integration.audit-plugin=LoggerAuditService

Key Manager

The key manager connects with the configured keystore. Below are the configurations used:

Type of keystore, Supported Types: PKCS11, PKCS12, Offline, JCE mosip.kernel.keymanager.hsm.keystore-type=PKCS11
For PKCS11 provide Path of config file. For PKCS12 keystore type provide the p12/pfx file path. P12 file will be created internally so provide only the file path & file name. For Offline & JCE property can be left blank, and specified value will be ignored. mosip.kernel.keymanager.hsm.config-path=/config/softhsm-application.conf
Passkey of keystore for PKCS11, PKCS12.For Offline & JCE proer can be left blank. JCE passwords use other JCE-specific properties. mosip.kernel.keymanager.hsm.keystore-pass

Note: Most of the other key manager configurations need not be changed.

eSignet UI

List of properties used by the eSignet UI to render the UI accordingly.

The below property holds the map of ui properties with default values mosip.esignet.ui.config.key-values.

Here is the list of keys used in the mosip.esignet.ui.config.key-values property.

SBI for Biometric Authentication

sbi.env - By default, SBI env is set to 'Develop'
sbi.port.range - Port range to scan for any running SBI
sbi.timeout.DISC - Timeout for SBI discovery endpoint in seconds
sbi.timeout.DINFO - Timeout for SBI device info endpoint in seconds
sbi.timeout.CAPTURE - Timeout for SBI capture endpoint in seconds
sbi.capture.count.face - count is set to 1
sbi.capture.count.finger - Number of fingers to be captured
sbi.capture.count.iris - Number of iris to be captured
sbi.capture.score.face - Quality score threshold for face
sbi.capture.score.finger - Quality score threshold for finger
sbi.capture.score.iris - Quality score threshold for iris
sbi.bio.subtypes.iris - Biometric attribute name to be captured, otherwise it is set to 'UNKNOWN'
sbi.bio.subtypes.finger - Biometric attribute name to be captured, otherwise it is set to 'UNKNOWN'

send.otp.channels - Comma-separated channels list, through which OTP will be sent
resend.otp.delay.secs - Timer to enable resend OTP button
otp.length - Length of the OTP
password.regex - Regex for UI validation
linked-transaction-expire-in-secs - Number of seconds allowed for a linked transaction to complete in the wallet APP.
wallet.qr-code-buffer-in-secs - New QR code will be autogenerated before the expiry of the current QR code, this property defines the time difference in seconds.
wallet.qr-code.auto-refresh-limit - Limit for the QR code auto-refresh.
wallet.config - List of wallets to be displayed for QR code-based login

consent.screen.timeout-in-secs - Timer on the consent page which will expire in the given second
consent.screen.timeout-buffer-in-secs - Buffer time for the consent screen expiry timer

Captcha

captcha.enable - Comma-separated components list, where the captcha should be shown. Currently only supports the OTP page.
captcha.sitekey - Site Key used to generate captcha.

Last updated 2 months ago

Was this helpful?

Basic Configurations

OAuth and OpenID

Cache

Plugin Integrations

Key Manager

eSignet UI

SBI for Biometric Authentication

Login Components

Consent screen

Captcha

Basic Configurations

OAuth and OpenID

Cache

Plugin Integrations

Key Manager

eSignet UI

SBI for Biometric Authentication

Login Components

Consent screen

Captcha