1 of 100

MOSIP Docs 1.2.0

MOSIP

The Future of Digital Identity: Secure, Scalable and Open-Source.

Welcome !🌍

What is MOSIP?

Modular Open-Source Identity Platform (MOSIP) is an open-source, open standards-based designed to help countries build and manage their national ID systems. Anchored at the , MOSIP enables governments to conceive, develop, implement, and own secure and scalable digital identity solutions.

Built with an API-first approach, MOSIP provides features, covering , , and . The platform is designed to foster global Digital Public Goods (DPGs) in digital identification and governance. By leveraging open-source technologies, MOSIP ensures scalability, security, and privacy, adhering to best industry practices.

MOSIP’s modular and adaptable architecture gives adopting countries full ownership and flexibility to customize the system to their needs. As a transparent and human-centric initiative, MOSIP encourages global collaboration, welcoming contributions from developers, technology partners, and research institutions worldwide.

Our global team of experts and advisors supports countries throughout the adoption and implementation of their digital ID systems, ensuring that they function as a common governance infrastructure for inclusive and secure digital transformation.

👉

Our Mission & Objectives

At MOSIP, our mission is to empower governments worldwide to build and own secure, inclusive, and scalable digital identity systems. As an open-source, modular platform, MOSIP provides a strong foundation for nations to establish their digital public infrastructure, ensuring privacy, security, and interoperability.

Our key objectives include:

Enabling countries to develop secure, citizen-centric ID systems by providing a robust and fully functional framework.
Offering flexibility and customization so that nations can tailor the platform to their specific needs.
Ensuring privacy, security, and confidentiality of individuals’ data, following global best practices.
Upholding transparency, security, and human-centric technology to foster trust and reliability.
Supporting global collaboration through open-source contributions, partnerships, and an ecosystem of technology providers, researchers, and developers.
Providing a scalable and accessible solution that serves populations from a few thousand to several hundred million.

By fostering an open and collaborative ecosystem of technology partners, researchers, and developers, MOSIP enables nations to build robust, adaptable, and future-ready identity solutions tailored to their unique needs.

👉

Why MOSIP?

1. Modular

MOSIP’s mutually exclusive technology bundles allow adopting nations to build custom workflows instead of relying on a fixed system. Each functionality is designed as an independent microservice, ensuring flexibility and control over digital ID implementation.

2. Open Source

We are committed to developing trusted and transparent technology while contributing to global standards. Our open-source code repository is available entirely on , encouraging contributions from user communities and providing governments with full control over their ID systems. MOSIP actively collaborates with IEEE, governments, and industry partners to establish common Open Standards and Protocols, making MOSIP easy to integrate, interoperable, cost-effective, and time-efficient.

3. Vendor-Neutral

We offer governments the ability to integrate with a wide range of compliant technology partners. A foundational digital ID system requires smooth integration of platforms, biometric devices, and system integrators. MOSIP ensures vendor neutrality through the MOSIP Partner Programme and , allowing countries to choose and update their technology solutions freely, saving both time and financial resources.

4. Secure and Private Design

We believe every individual should be in control of their own data. MOSIP ensures data security and privacy, with cryptographic encryption and zero-knowledge architecture safeguarding information both in transit and at rest. Governments retain sovereign control over their ID systems, and data sharing occurs only with the individual’s consent. Learn more about our security and privacy principles .

5. Cost-Effective

MOSIP provides a zero-cost platform for adoption and licensing, enabling governments and organizations to build a foundational digital ID system under Mozilla’s Public License 2.0. The automation of processes within MOSIP minimizes implementation costs, allowing countries to test and establish effective digital infrastructure efficiently.

Note: For more details on licensing, click .

6. Human-Centric

We aim to develop technology that can cater to diverse and varying requirements around the world. The expert team at MOSIP constantly strives to learn from on-ground experiences in adopting nations, to understand their context-specific requirements and provide unique and adaptable solutions.

7. Inclusive

MOSIP is committed to inclusivity, ensuring technology remains accessible to all, regardless of gender, race, or economic status. Our ongoing collaborations with universities, research institutions, and field teams help refine our technology for unrestricted accessibility. Innovations like Inji, a digital wallet mobile app, empower residents to access their digital identities even in remote, low-connectivity areas.

To know more, click .

Explore Key Areas

Note: To read through the previous version of the documentation, please refer to our !

Overview

Understanding MOSIP’s Role in Foundational ID Systems.

What is a Foundational Identity?

A Foundational Identity System provides individuals with a unique identifier issued by the government, enabling identity assertion and verification across multiple services. Unlike functional IDs, which are designed for specific use cases such as healthcare, finance, and social services, foundational IDs serve as a universal framework that various sectors can leverage.

MOSIP empowers governments to build secure, interoperable, and inclusive foundational ID systems. With robust privacy protections and modular architecture, MOSIP ensures individuals have control over their personal information while enabling seamless access to public and private services.

Below is a diagram illustrating the relationship between Foundational IDs and Functional IDs.

Foundational ID systems provide individuals with a unique, government-recognized identifier for identity verification. They help de-duplicate records, authenticate individuals, and verify identity attributes.
Functional IDs are sector-specific and designed for specific use cases such as healthcare, finance, social protection, education, and voting. These IDs can leverage the foundational ID system to ensure accuracy, efficiency, and seamless service access.

This structure helps create a secure and interoperable identity ecosystem for both public and private services.

What is MOSIP?

is a secure, scalable, and open-source framework designed to help governments and organizations build foundational identity systems. It offers a flexible and configurable approach, allowing countries to tailor their national ID systems to meet specific requirements while ensuring privacy, security, and interoperability.

The below image illustrates MOSIP as a modular, open-source identity platform designed for secure and scalable digital identity systems. It highlights key features such as interoperability, open standards, security, and privacy, ensuring seamless integration without vendor lock-in.

Additionally, it showcases MOSIP’s core functionalities, including ID issuance, identity verification, and lifecycle management, making it a flexible solution for national ID implementations.

Privacy and Security

The image below highlights MOSIP’s security and privacy principles, emphasizing its "Security by Design" and "Privacy by Intent" approach.

These principles align with MOSIP’s Privacy and Security framework.

For more details, please refer to section. To learn more about MOSIP’s Principles, .

MOSIP Modules

The image below illustrates the various MOSIP Modules:

Pre-Registration – Enables users to provide basic demographic data and book appointments for registration.
Registration – Facilitates registration of an individual, for availing a Unique Identification Number (UIN) by providing demographic and biometric data (fingerprint, iris, and face photograph) in online/offline mode.
Registration Processor – Generates a Unique Identification Number (UIN) post a regulated process and enriches data.
ID Authentication – Provides demographic and biometric authentication services, including Yes/No and E-KYC services, enabling access to a myriad of rights and services.
Resident Services – Allows residents to update and monitor usage of their IDs, giving individuals control over their own identity.
Partner Management – For onboarding, managing, and integrating external partners (relying parties) within the MOSIP ecosystem.

To learn more about the MOSIP modules, please refer .

MOSIP Ecosystem

MOSIP collaborates with ecosystem partners to develop tailored identity solutions for each country.

The diagram below illustrates the MOSIP Ecosystem, highlighting how various components integrate with the MOSIP Platform to deliver a comprehensive ID solution.

To learn more about the MOSIP Ecosystem, please refer .

MOSIP's Offerings

The diagram illustrates MOSIP’s Key Offerings in ID Lifecycle Management and ID Authentication, highlighting two main processes:

1. ID Registration Process

Step 1: Online Pre-Registration – A resident submits demographic details online.
Step 2: Biometric Enrollment – The resident visits a registration center for biometric data collection.
Step 3: ID Issuance – After successful validations and processing, the resident receives a Unique Identification Number (UIN).

2. ID Authentication Process

An ID holder requests authentication to access services.
Authentication is performed via an authentication partner equipped with biometric or digital verification tools.
The MOSIP Authentication System validates the identity, providing eKYC or token-based responses for service access.

These offerings enable secure, scalable, and modular identity management and authentication solutions.

Building a National ID System Using MOSIP

Countries can leverage MOSIP as the base identity platform and configure, customize, and extend it to build systems just the way needed.

The image below depicts how MOSIP provides the base layer to build a national ID platform.

License

Empowering users through transparent licensing.

The documentation is licensed under a Creative Commons Attribution 4.0 International License.

All MOSIP's core repositories are licensed under the terms of Mozilla Public License 2.0.

All trademarks are the property of their respective holders. Other products and company names mentioned herein may be trademarks and/or service marks of their respective owners..

Principles

The guiding foundation.

MOSIP is designed, developed, and implemented based on core principles that drive its effectiveness and adaptability. These principles ensure that MOSIP remains open, secure, interoperable, scalable, and inclusive, allowing it to meet the needs of diverse users and support the creation of accessible, digital identity systems globally.

Modular: Identity systems that serve unique needs with mutually exclusive technology bundles. Rather than a stand-alone solution offered to every adopting nation, MOSIP technology allows user countries to build custom workflows. Each functionality is built with independent microservices to provide flexibility and control.\
Open Source: Trusted & transparent technology, adhering to global standards. An open-source code repository, available on GitHub, encourages contributions from user communities and offers governments control over their ID systems. MOSIP also works with the Institute of Electrical and Electronics Engineers (IEEE), governments, and a commercial ecosystem to arrive at common Open Standards and Protocols. This makes MOSIP easy to integrate, interoperable, cost- and time-efficient.\
Vendor-Neutral: Offering the ability to integrate with a wide range of compliant technologies. In the setting up of a foundational digital ID system, it is critical that the platform, biometric devices, and system integrators, are able to integrate and function smoothly. Vendor-neutrality, maintained through the MOSIP Partner Programme and the establishment of the MOSIP Marketplace offers countries the ability to choose and change their technology solutions at any time and save precious time and financial resources.\
Private and Secure: Ensuring every individual is in control of their data. MOSIP is designed to keep data security and privacy in mind, ensuring that data is protected in flight and rest. Cryptographic encryption and zero knowledge architecture ensure that no sensitive data is stored on the MOSIP system. Governments of adopting nations have sovereign control over their ID systems, and data sharing only happens with the individual’s consent.\
Scalable: Designed to accommodate growth and changing needs. The platform is designed to be scalable, accommodating the growth of users and services. It can cater to large populations, support various regions, and integrate with multiple systems securely, without compromising performance. Its modular architecture allows it to easily expand and adapt to new requirements, making it suitable for both small-scale deployments and national level rollouts. This scalability ensures that MOSIP can serve diverse countries and populations with varying technological and infrastructural capabilities.\
Human-Centric: Technology for all. We aim to develop technology that can cater to diverse and varying requirements around the world, yet being human-centric. The team at MOSIP constantly strives to learn from on-ground experiences in adopting nations, to understand their context-specific requirements and provide adaptable solutions.\
Inclusive: Technology that leaves no one behind. With the mission of empowering lives all over the world, MOSIP continues to take steps toward being an inclusive platform. Ongoing collaborations with global universities, research organizations, and strong on-ground teams have sharpened our focus on developing technology that is unrestricted by gender, race, and economic status. Additionally, technology features allow residents to access their digital identities even in remote areas with low connectivity. Please refer here for more details.

Inclusion

Technology that leaves no one behind.

With the mission of empowering lives all over the world, MOSIP continues to take steps towards being an inclusive platform. Ongoing collaborations with global universities, research organizations, and strong on-ground teams have sharpened our focus on developing technology that is unrestricted by gender, race, and economic status. Additionally, technology features allow individuals to access services with digital identities through multiple channels, and even in remote areas with low connectivity, ensuring no one is left behind.

Some mechanisms through which the MOSIP platform supports inclusivity is illustrated below:

Introducer Support For The Undocumented
- The Introducer concept in MOSIP allows individuals without formal identity documents to be enrolled into the digital identity system. A trusted and verified Introducer, such as a community leader or an authorized individual, vouches for the person’s identity. This ensures that marginalized populations, including refugees, nomadic groups, and those lacking paperwork, can still obtain a digital identity. By enabling inclusion through trust-based verification, the Introducer mechanism helps governments provide identity access to all, promoting social and financial inclusion.
Multi-Language Support for Linguistically Diverse Communities
- Multi-language support in MOSIP enhances inclusivity by ensuring individuals can interact with digital identity systems in their native or preferred languages. This helps bridge linguistic barriers, making identity services accessible to diverse populations, including those with limited literacy in dominant languages. By supporting localization, MOSIP enables governments to customize the platform to suit national needs, fostering greater adoption, trust, and usability. This approach aligns with the goal of creating inclusive and equitable digital identity ecosystems worldwide.
Biometric Exception Handling for Individuals with Difficult-to-Capture Biometrics
- MOSIP’s biometric exception handling ensures that individuals with difficult-to-capture biometrics, such as worn fingerprints or missing biometrics like finger or eyes, are not excluded from digital identity systems. When biometrics cannot be collected, MOSIP provides alternative methods, such as marking the biometric modality as an exception and capturing a photograph as evidence, thereby allowing inclusive identity registration for all. This approach ensures that elderly individuals, manual laborers, and persons with disabilities can still obtain a secure and verifiable identity, reinforcing inclusivity and accessibility in digital identity.
Enabling In-Home registration with Android Registration Client
- The (ARC) enhances inclusivity by enabling in-home registration for individuals who are unable to visit physical registration centers. This portable solution ensures that residents, especially in remote locations, can access identity registration services at their convenience. By providing mobility for registration agents and allowing remote registrations, ARC significantly expands coverage and accessibility, ensuring that even those in underserved or hard-to-reach areas are included in national identity systems.
Ensuring Gender Inclusivity with MOSIP's GenderMag Collaboration
- MOSIP’s collaboration with ensures inclusivity by integrating gender-sensitive design principles into the User Interface (UI) and Design. This approach helps identify and address barriers that may disproportionately affect users based on gender, ensuring that the digital identity platform is accessible and effective for all users, regardless of gender. This approach emphasizes on creating interfaces that are intuitive and equitable, thus ensuring an inclusive user experience for diverse populations.
Multi-Modal Verification with Inji and eSignet
- MOSIP ensures inclusivity by offering multiple verification modalities through and . These solutions provide secure and convenient citizen verification across various channels, including online/offline, self-service/assisted modes, and accessible even with smartphones, feature phones, or no phones. This flexibility allows individuals from diverse backgrounds, including those with limited access to technology or support, to easily access and benefit from the services.

Through its inclusive mechanisms, MOSIP continues to push boundaries in providing accessible and equitable digital identity solutions. By focusing on universal access and adaptability, MOSIP ensures that everyone—regardless of their background, location, or physical limitations—can benefit from the services enabled by the platform. These efforts reflect MOSIP's commitment to creating a more inclusive and sustainable digital future for all.

Privacy and Security

MOSIP's fundamental architecture and design incorporate the highest levels of privacy and security.

Security by design

Key security features:

Encryption of data in-flight or rest. (See )
Integration with trusted applications only.
Fraud avoidance - association of authentication only with specific transactions.
Misuse prevention - user can lock or unlock their authentication.
Virtual ID and Tokens to prevent identity theft.
All data sent out of MOSIP will be digitally signed.
All incoming data will be signed by the respective entity.
Any data sent to a relying party will be encrypted.
Protection against internal attacks with every record in DB protected with integrity.
Centralized key management.
All API's are protected with OAUTH 2.0.

Privacy by intent

Key privacy features:

Minimal data with selective disclosure on a need-to-know basis.
Sensitive data protected (not stored or logged in clear form).
Consent support – the user decides who can receive what credentials & what attributes.
No search on the database (You can find a record only if you know the ID).
Clear segregation of Biometric & Demographic data.
De-centralised ID usage and data (cannot profile based on usage).
Users are not limited to one permenant ID - Virtual ID.
All relying party gets a privacy enabled tokens to prevent profiling across transactions. Permenant ID is never shared.
Supports Wallet based decentralized ID issuance and usage.
Face data is not sent to ABIS for deduplication.

Security

MOSIP Security Practices

This document provides a comprehensive analysis of security implementations across multiple levels. Additionally, it clearly delineates the boundaries of responsibility between MOSIP and the countries implementing the system.

Within this document, we have categorized security practices into 'Internal Practices' and 'Operational Protection'.

Internal security practices are integrated into the MOSIP development lifecycle to build security within the system from the ground up. These include rigorous threat modeling, secure coding practices, comprehensive code reviews, and continuous vulnerability assessments to ensure that potential risks are identified and mitigated early. By embedding these security measures during development MOSIP fosters a proactive security culture that not only minimizes vulnerabilities but also supports a robust defense strategy throughout the system's lifecycle.

On the other hand, operational security practices include firewall rules, intrusion detection systems, continuous monitoring, and incident response strategies. These measures focus on maintaining the security and integrity of the system during its operational phase, addressing runtime threats and ensuring compliance with best practices. Operational practices are outside of MOSIP development stage and to be taken up by the implementing countries.

Internal Practices

Internal security practices encompass measures such as security requirement elicitation, design, adherence to the MOSIP Principles, Platform development, static and dynamic code analysis, dependency scanning, code signing, and vulnerability management. These practices ensure that potential threats are identified and mitigated early in the development lifecycle.

Platform Design

MOSIP's fundamental architecture and design incorporate high levels of privacy and security.

(Table to be updated soon)

Development and Release Practices

This section details the measures taken during the development, testing, and release phases to ensure maximum security. Multiple checks are enforced at each stage through the use of various tools, tests, and scans. Key practices include:

Static Application Security Testing (SAST)

Static Application Security Testing (SAST) is a cornerstone of our security strategy. Tools like SonarCloud are used to perform in-depth code analysis during the development phase, identifying vulnerabilities such as SQL injection, cross-site scripting (XSS), and insecure coding practices. SAST provides developers with real-time feedback, enabling them to address security flaws early, thereby reducing the cost and effort of remediation later in the software lifecycle. These tools integrate seamlessly into our CI/CD pipelines, ensuring that security is addressed continuously and early. Dependency scanning tools like Dependabot, CodeQL, and others further enhance this layer of protection by monitoring and updating vulnerable dependencies.

Sonar Cloud - Development Phase - SonarCloud is integrated with Github actions, offering developers actionable insights directly within the workflow. By highlighting security hotspots and technical debt, it enables teams to prioritize and address critical issues efficiently.

MOSIP Sonar cloud Link : https://sonarcloud.io/organizations/mosip/projects

CodeQL (Java and Python) - Development Phase - CodeQL performs semantic code analysis, enabling the detection of complex vulnerabilities
Github Dependabot (Vulnerability assessment and Version upgrade suggestions) - Development Phase - Dependabot simplifies the process of updating dependencies by creating pull requests with the necessary upgrades reducing manual effort and ensuring the codebase remains secure against known vulnerabilities. Its integration into GitHub workflows ensures timely updates and fosters a proactive approach to dependency management.
Open source compliance scanning - Ensures that all open-source components in use comply with licensing requirements and security best practices. This scanning helps in identifying potential legal or security risks associated with third-party libraries. Automated tools are used to track, analyze, and flag issues related to incompatible or outdated licenses, ensuring smooth and compliant project operations.
Github scan - Provides robust scanning capabilities integrated directly into GitHub repositories. It includes features such as secret scanning, dependency graph analysis, and vulnerability alerts, helping developers proactively detect and fix security issues within their workflows.
Data Breach Detector - It is a prodcution grade tool/script which goes through the DB and utilizes Deduce library to find out anomalies in various places such as names, address or numbers in plaintext etc.

Dynamic Application Security Testing (DAST)

DAST focuses on identifying security vulnerabilities in a running application by simulating real-world attack scenarios. Unlike SAST, which examines static code, DAST tests live applications, analyzing responses to detect flaws such as authentication issues, session management vulnerabilities, and exposure of sensitive data. Tools like Burp Suite Professional and ZED Attack Proxy (ZAP) are leveraged to conduct automated and manual penetration tests. These tools allow testers to evaluate application behavior under various conditions, ensuring robust protection against runtime threats. By integrating DAST into the release process, vulnerabilities can be identified and mitigated before applications are deployed into production.

Burp Suite Professional : This tool is used for automated and manual penetration testing . It provides features such as intercepting proxy, web vulnerability scanner, and advanced debugging capabilities. Burp Suite enables testers to identify vulnerabilities like SQL injection, cross-site scripting (XSS), and insecure session management. It also supports extensions for customized scanning and integrates seamlessly into security workflows.
ZED Attack Proxy: This tool is used for finding vulnerabilities in web applications during the development and testing phases.

Release Practices

Release practices are essential for ensuring the security, authenticity, and traceability of software releases. Here is an overview of the components used in MOSIP releases.

Image Signing: ASC (ASCII-armored PGP) signing is typically used to ensure the authenticity and integrity of software artifacts, including Docker images, by attaching a digital signature. When signing software images, MOSIP uses the private key to sign the image, and users can verify the signature using the corresponding public key.
JAR (Java Archive) Signing is the practice of signing Java archive files to ensure that the contents of the JAR haven't been tampered with and to provide a way to verify the source of the file. This is currently not implemented in MOSIP.

Operational Practices

These recommendations provide a robust framework to ensure the security and integrity of production systems for MOSIP implementing countries, helping to mitigate risks and enhance overall cybersecurity posture.

SBI Compliant Devices: Ensure that all devices used in the production environment are compliant with the latest Secure Biometric Interface (SBI) standards to ensure a highest level of security.
Trusted Platform Module: A Trusted Platform Module (TPM) is a specialized chip on a local machines that stores cryptographic keys specific to the host system for hardware authentication. The private key is maintained inside the chip and can't be extracted out. By leveraging this security feature every individual machine would be uniquely registered and identified by the MOSIP server component with it's TPM public key.
Compliance Tool Kit: MOSIP Provides Compliance Tool Kit (CTK) to help the device vendors to check if their products comply with SBI specifications.
Access and Audit Logs: Enables detailed access and audit logging for all critical systems and services in the production environment.
Patch Management (Host/Machines): Implement a robust patch management policy to ensure that all production systems are up-to-date with the latest security patches.
Safe Data Centers: Ensure that data centers housing production systems are designed and operated with a focus on security, availability and operational safety.
International standards: Stay compliant on international standards such as ISO/IEC 27001, NIST Cybersecurity Framework, and relevant national regulations. Better to validate the compliance using third party assessments.
Ensuring Data Protection: Enforce robust data protection measures to safeguard sensitive information at rest and in transit.
Consent-Based Data Handling: Ensure that data is only collected, processed, and stored with the explicit consent of the individuals it pertains to, in accordance with privacy laws and regulations.
Regular Security Audits: Perform regular security audits to assess the effectiveness of security measures and identify potential vulnerabilities in production systems.
Principle of Least Privilege: Ensure that users and systems are granted only the minimum level of access necessary to perform their tasks, reducing the risk of accidental or malicious misuse.
Rate Limiting: Implement rate limiting to protect services from abuse, such as brute force attacks or denial-of-service (DoS) attempts.

Data Protection

The security of user data is given the highest priority in MOSIP. Data is protected in flight and rest using strong cryptographic techniques. All operations on decrypted data are done in memory.

Various flows with encryption are illustrated below. Refer to Keys for all references of the type 'Kx' and 'KPx'.

Registration data flow

The below diagram represents a registration data flow system for biometric authentication and identity management.

Biometric Capture:
- A biometric device captures and signs biometric data before sending it to the Registration Client (PK2). Then registration client verifies the signature
Registration & Encryption:
- The Registration Client, running on the operator’s system, receives biometric data and securely encrypts it into packets.
- The client always refers to Keycloak for authentication, ensuring that only authorized operators can access the system.
- Registration Client signs the packet using the TPM key of the machine (K10) and encrypts the packet using MOSIP public key specific to (the registration centre, machine id) combination (K11).
Data Processing & Storage:
- The encrypted packets are transmitted to the Registration Processor, which processes and signs the data.
- The processed data is then stored in the Object Store and ID Repository for further use.
Secure Storage of Biometric Data:
- ID Repository encrypts biometrics, demographics, and documents and stores them in the Object Store. (K7.1,K7.2,K7.3)
Hashed UIN Storage:
- The UINs are hashed, encrypted, and stored in uin the table of mosip_idrepo DB. (K7.4)
Data Sharing & Policy Enforcement:
- When encrypted biometric data needs to be shared, it is sent to ABIS for authentication.
- The system consults the Partner/Policy Management System to verify partner details and enforce data-sharing policies.
- Only partners who have registered and authenticated via Keycloak can access the Partner Management System, where they must subscribe to specific policies to receive data.
Demographic Data Storage:
- Encrypted demographic data is stored in the Registration Processor Database. (K11)
Credential Issuance:
- Encrypted resident data is shared with credential requestors and printers based on the subscribed policies. (K12)
Operator Authentication:
- The Registration Client checks Keycloak to ensure that only authenticated operators can perform registrations.
Policy Validation for Data Transfer:

Before transferring encrypted data to ABIS, partners, or credential requestors, the system refers to the Partner/Policy Management System to validate policies.

11. Partner & Policy Control:

The Partner Management System is controlled by Keycloak, ensuring that only registered partners with valid credentials can subscribe to and enforce policies for data access. (11,12,13)

Datashare

Data shared with all partners like ABIS, Print, Adjudication, IDA, etc. is encrypted using partners' public key. Note that IDA is also a partner, however, a special partner in the sense that data is additionally zero-knowledge encrypted before sending to IDA (see the section below).

Zero-knowledge encryption

The ID Authentication module (IDA) is independent and may be hosted by several providers. IDA hosts all the biometric templates and demographic data. Unique additional protection is provided here to make sure that mass decryption of user data is very difficult to achieve. The data can only be decrypted if the user's UIN is provided. Here is the encryption scheme:

Generate master symmetric encryption key K9.
Generate a 10,000 symmetric keys pool (ZKn). Encrypt each ZKn with K9 and store it in DB. (K12)
Randomly select one key from ZKn, and decrypt using K9.
Derive new key ZKn' = ZKn + UIN/VID/APPID.
Encrypt biometric templates and demographics.
- BIO = encrypt(bio/demo with ZKn').
Encrypt ZKn (this is done to share ZKn with IDA).
- ZKn-IDA = encrypt(ZKn with K22)
Share the following with IDA:
1. ZKn-IDA
2. BIO
3. Random index (0 - 9999)
4. SHA-256 hash of UIN/VID/APPID
Share data in step 7 via standard Datashare encryption (which encrypts entire data with PK8).

Decryption by IDA

Generate master symmetric encryption key K18.
Decrypt data in Step 8 above using PK8.
Decrypt ZKn-IDA with K22 to get ZKn.
Encrypt ZKn with K18 and store it at a random index.
Bio-data is stored as is.

ID authentication flow

L1 devices contain FTM to encrypt (DE1, K21) and sign (FK1) biometrics at the source and send them to the authentication client.
The authentication client further encrypts the auth request with the IDA-PARTNER public key.
IDA decrypts zero-knowledge data as given in Step 4 and then performs a demographic and/or biometric authentication.
The match result is returned to the Auth client. In the case of KYC, the KYC attributes are encrypted with the Partner's public key (as in Datashare).

Technology

Discover how MOSIP's tools, components, and architecture come together.

Architecture

Modular, Secure, and Scalable: The Architectural Foundation of MOSIP.

MOSIP is built on a modular, microservices-based architecture. Its modularity enables seamless adoption even in complex scenarios. Most are designed as robust foundational infrastructure components, making them suitable for integration into various projects.

MOSIP is designed with the following architectural principles. These architecture principles are core to the development of the system's features and have a great influence on how and why specific software design patterns are used within.

Data Privacy
No Vendor Lock-in
Open Standards
Async/ Offline First
Commodity Computing
Fault tolerant
Manageable
Secure By Default

Architecture Overview

The diagram below provides an architectural overview, visually representing the components of the MOSIP Identity framework and its associated technology stack.

High Level Functional Architecture

The High Level Reference Functional Architecture serves as a blueprint outlining the system's high-level functioning and interactions, providing a structured framework.

To know how MOSIP can be deployed, refer to . The different installation models are detailed in the section.

Digital ID DPI Framework

Blueprint for Scalable and Interoperable Identity Systems.

This reference blueprint provides a comprehensive vision for designing and implementing a Digital ID-led DPI infrastructure. It outlines how foundational identity systems can be leveraged alongside key DPI components, enabling various use cases across both the public and private sectors. The blueprint is structured in layers of technology, governance, and service delivery, ensuring scalability, inclusivity, and compliance with legal frameworks.

Below is an explanation of its core components and their roles within the ecosystem.

1. Unique Digital Identity

At the core of the system is the Unique Digital Identity, which establishes a singular, definitive identity for every individual. This digital identity forms the backbone of all operations, ensuring secure identification and verification across diverse domains.

2. ID Project Custodian

The ID Project Custodian, whether a designated authority, ministry, or department, oversees this infrastructure. This custodian is crucial for maintaining governance, regulatory compliance, and operational efficiency, ensuring that all identity services align with national policies and frameworks.

3. Infrastructure Layer

Supporting the ecosystem is a robust Infrastructure Layer, consisting of cloud infrastructure and connectivity. The cloud ensures scalability, resilience, and the ability to manage large volumes of identity data. The connectivity layer ensures the system's accessibility, making it functional in both urban and remote areas.

4. Foundational ID Platform

At the heart of the blueprint is the Foundational ID Platform, a centralized framework for issuing and managing foundational IDs. This platform underpins all identity-related services, ensuring secure identity handling and enabling core functions like registration, lifecycle management, verification, authentication, and e-KYC (Electronic Know Your Customer). These services are essential for building trusted interactions across all sectors.

5. Core & Augmented Services

Now that we have established the core layers to anchor trust, we can expand functionality through augmented services, such as eSignature capabilities. These enable secure digital transactions and help governments transition from traditional in-person signatures. These added features enhance the system's utility, which is especially crucial for enabling paperless workflows.

6. Accessibility and Inclusivity

To ensure widespread adoption and accessibility, the system features a Multi-Channel Access Layer that enables interaction through web, mobile (Apps, USSD), and physical interfaces(QR). This design ensures inclusivity by accommodating individuals with diverse backgrounds and varying levels of technological proficiency, to interact with the system effortlessly.

7. Consent Management, Data Exchange and Payments

In addition to its core and augmented services, consent management and data exchange capabilities are crucial for advancing digitization and digital development. These capabilities facilitate the regulated sharing of information across both public and private platforms. Moreover, the integration of payment systems adds significant value to Government-to-People (G2P) use cases. Additionally, data exchange can be further enhanced through the use of Verifiable Credentials.

8. Use Cases and Benefits Delivery

This blueprint is designed to act as a catalyst for seamless service delivery and impactful use cases across both the private and public sectors. It is essential to involve the private sector in the digitization process, as it plays a key role in enabling services such as banking, e-commerce, and telecommunications, thereby streamlining operations. In the public sector, this blueprint enhances service delivery in areas like social welfare, healthcare, taxation, and education, contributing to better governance and increased citizen engagement. By adopting an overall ID-led approach, it not only accelerates the adoption of digital identity but also ensures improved governance, streamlined operations, and enhanced citizen participation.

9. Legal and Regulatory Framework

Finally, the framework operates within a robust legal and regulatory environment, complying with key legislation such as the Data Protection Act, the Cybersecurity Act, and the Electronic Transactions Act. These laws safeguard data privacy and security, ensuring that the system operates transparently, trustworthy, and in full legal compliance.

Sandbox Details

Seamless Integration with MOSIP: Explore Our Sandbox Environments.

Are you interested in integrating with MOSIP as a partner? We invite you to connect with us by completing the form. This will assist us in facilitating a seamless integration with our designated sandbox environments.

Please find below the two sandbox environments available for your use.

Collab

Collab is our development integration environment that has QA-tested dockers deployed. Our partners and contributors can use this to build on the platform or integrate with the QA-certified version of the latest platform code.

Regular nightly builds from engineering are deployed here and this environment is used for continuous development.

The link to access the Collab environment is available here.

Looking to collaborate with us? Click here to get started with the Collab environment!

Synergy

Synergy is our stable environment where the latest released version of the MOSIP platform and applications are deployed for partners to integrate and test.

The link to access the Synergy environment is available here.

Standards & Specifications

Ensuring secure and interoperable digital identity through global standards.

At MOSIP (Modular Open Source Identity Platform), we are committed to building a secure, interoperable, and privacy-centric identity system for nations worldwide. MOSIP adheres to internationally recognized standards in biometric authentication, security, cryptography, privacy, and interoperability to ensure the highest levels of security, efficiency, and compliance.

1. Why Standards Matters?

By following these global standards, MOSIP ensures that our identity platform is: ✅ Secure – Protecting citizens’ data from cyber threats. ✅ Privacy-First – Upholding the highest standards of data protection. ✅ Scalable & Future-Ready – Enabling nations to build robust digital identity programs. ✅ Interoperable – Seamlessly integrating with digital identity solutions worldwide.

2. Our Adherence to Global Standards

1. Biometric Standards for Secure Identity Verification

To ensure seamless biometric interoperability and security, MOSIP follows:

ISO/IEC 19794 – Standardized biometric data formats for fingerprints, iris, and facial recognition.
(Common Biometric Exchange Formats Framework) – Facilitates interoperability and efficient biometric data exchange.
IEEE P3167 (DRAFT) – Strengthening the trustworthiness of biometric devices and their captured data while ensuring overall data security.

2. Security & Cryptography Standards for Data Protection

To guarantee robust data security and encryption, MOSIP aligns with:

NIST Cybersecurity Framework – Provides guidelines for IT security evaluation and risk management.
RSA, EC, JSE – Implements industry-standard cryptographic algorithms for secure encryption and data integrity.

3. Open Standards for Seamless Interoperability

To enable effortless integration with national and global identity ecosystems, MOSIP adopts:

OAuth 2.0 / OpenID Connect – Providing secure and scalable authentication mechanisms.
REST, OpenAPI Standards – Ensuring standardized communication across different platforms.
JMS (Java Message Service) & WebSub – Facilitating real-time messaging and event-driven architecture.

4. MOSIP Standards

Claim 169 – A globally registered specification under the , developed by It allows demographic and biometric data (like a low-res face image) to be embedded in a digitally signed QR code, enabling reliable offline identity verification. to know more.

MOSIP Standards

This page lists the standards and specifications published by MOSIP which are mentioned below:

Inji

Empowering Trusted Digital Identity with Secure and Seamless Credential Verification.

About Inji

In today's fast-paced, interconnected world, ensuring seamless access to essential services—such as healthcare, financial inclusion, global mobility, and social support has never been more critical. The need for trusted identity authentication and secure data exchange is at the heart of accessing these services.

To address this, Inji offers a transformative solution – enabling the secure issuance, digitalization, storage, exchange, and seamless verification of trusted data as verifiable credentials, through a comprehensive set of tools.

Inji, meaning "knowing" or "recognizance" in Korean, is evolving into a comprehensive digital credential stack with a strong focus on user empowerment. Inji simplifies the management and verification of credentials by providing secure solutions that work across multiple interfaces. It aims to streamline creating, sharing, and verifying all types of digital and physical credentials.

eSignet

Enabling Secure, Inclusive, and Seamless Digital Identity Verification.

In today’s digital-first world, most services are transitioning online, making a secure and trusted digital identity more important than ever. A secure and trusted digital identity is crucial to facilitate personalized access to these online services.

eSignet strives to provide a user-friendly and effective method for individuals to authenticate themselves and utilize online services while also having the option to share their profile information. Moreover, eSignet supports multiple modes of identity verification to ensure inclusivity and broaden access, thereby reducing potential digital barriers.

Additionally, eSignet offers a seamless and straightforward solution for incorporating an existing trusted identity database into the digital realm. By enabling digital identities and providing identity verification and service access, eSignet delivers a sophisticated and user-friendly experience.

ID Lifecycle Management

Managing identities seamlessly.

Overview

Identity Lifecycle Management refers to issuing and managing user identities in a given system. An individual can visit a registration centre to get a new ID or update their ID details. A registration officer would typically capture the individual’s demographic (name, date of birth, gender, etc.) and biometric (face, iris, and fingerprint image) details.

The lifecycle of an identity involves multiple events, categorized into different stages, each managed within specific system modules. The following sections outline these key lifecycle events, detailing their roles and functions categorized under relevant modules. Browse the cards below to explore the various applications and services that support Identity Lifecycle Management.

Identity Issuance

The ID Issuance component in MOSIP encompasses the set of modules responsible for the creation and assignment of unique identities to individuals. It orchestrates the end-to-end process, starting from the collection of demographic and biometric data, through validation and processing, to the final generation of a unique identity number (UIN). The sub-modules under ID Issuance include:

Pre-registration: Enables individuals to submit demographic details online in advance, expediting the in-person registration process.
Registration Client: Facilitates the collection of demographic and biometric data at registration centers, providing an intuitive interface for operators.
Android Registration Client: A mobile application version of the Registration Client, allowing for data collection in remote or field locations using Android devices.
Registration Processor: Validates and processes registration data, ensuring its integrity before moving to the next stage.
id-repository: Manages the storage and retrieval of identity data, ensuring secure and efficient access to demographic and biometric information.

Together, these modules ensure a secure, efficient, and streamlined approach to issuing unique identities within MOSIP. For more details on each module, refer to their respective overview pages.

Pre-registration

Overview

Introduction

Pre-registration module enables a resident to:

enter demographic data and upload supporting documents,
book an appointment for one or many users for registration by choosing a suitable registration center and a convenient time slot,
receive appointment notifications,
reschedule and cancel appointments.

Once the resident completes the above process, their data is downloaded at the respective registration centers before their appointment, thus, saving enrollment time. The module supports multiple languages.

MOSIP provides backend APIs for this module along with a reference implementation of .

Pre-registration process

Create an application

User provides consent
The user provides demographic information
User uploads supporting documents (Proof of Address, Birth certificate, etc.)
A pre-registration request ID known as is generated and provided to the user.

Note: The AID was formerly called PRID in the pre-registration context.

Book an appointment

The user selects a registration center based on postal code, geo-location, etc.
The available slots are displayed
An option to cancel and re-book the appointment is made available

Receiving acknowledgement notifications

An acknowledgment is sent via email/SMS
The user can print the acknowledgment containing AID and QR code.
This QR code can be scanned at the in-person registration centers.

Download of pre-registration data at registration centers

The user provides the AID/ QR code at the registration center.
The registration form gets pre-filled with the pre-registration data.

Pre-registration module

The relationship of the pre-registration module with other services is explained here.

NOTE: The numbers do not signify a sequence of operations or control flow.

Fetch details with the help of Syncdata service.
Fetch a new OTP for the user on the login page.
Log all events.
Pre-Registration interacts with Keycloak via . The Pre-Reg module communicates with endpoints of other MOSIP modules. However, to access these endpoints, a token is required. This token is obtained from Keycloak.
The database used by pre-reg.
Generate a new AID for the application.
Send OTP in the email/SMS to the user.
Registration Processor uses reverse sync to mark the pre-reg application as consumed.
Registration clients use the to get the pre-reg application details for a given registration center, booking date, and AID.
Request data from the MasterData service to get data for dropdowns, locations, consent forms etc.

Services

Pre-registration module consists of the following services:

For more details, refer to the .

Pre-registration portal

MOSIP provides a reference implementation of the pre-registration portal that may be customized as per country needs. The sample implementation is available at the . For getting started with the pre-registration, refer to the

Build and deploy

To access the build and read through the deployment instructions, refer to the .

Configurations

For details related to Pre-registration configurations, refer to .

Developer Guide

To know more about the developer setup, read the .

API

Refer to .

Source code

Develop

Build, integrate, and enhance solutions.

UI Specifications

Overview

UI specs of Pre-Registration module are used to configure the form fields in the Demographic Details and Document Upload functionality. UI specs are saved as a JSON file with a list of fields. Each field has a set of attributes/ properties that can be configured which affects the look and feel along with the functionality of the field. Below is the list of all the properties available for each field in the UI specs:

Property Name

Details

Sample Value

Test

Pre-registration Collab Guide

Overview

Welcome to the Pre-registration Collab Guide! This guide will equip you to seamlessly access the Pre-registration demo application, explore, integrate, and effectively demonstrate its capabilities.

The Pre-registration module within MOSIP is designed keeping residents in mind, offering a user-friendly pre-registration process. This module boasts of a wide range of functionalities, starting with the collection of demographic data along with easy uploading of essential supporting documents, such as proof of address and birth certificates, besides facilitating appointment booking, modifications, and notification alerts to mention a few.

With this Pre-registration Client Demo Setup, you're one step closer to showcasing the power of MOSIP's pre-registration capabilities.

So let's get started!

Note: For the developer's setup of pre-registration locally into your system, refer here.

Pre-requisites

Accessing the Pre-registration portal in the Collab environment does not require any complex setup.
All you need is a 10-digit Mobile Number or a valid email ID and you are good to go!

Step-by-Step Process

Step 1 - Access the Pre-registration Portal:

Visit the following URL to access the Pre-registration portal in the Collab environment: Pre-registration portal

Mobile Number:

If you choose to login using your mobile number, you will be required to enter any 10-digit mobile number, for example - “1234567890”.
Click on the captcha tick box to proceed to the next step.

Email ID:

Alternatively, you can choose to log in with your email ID.
For the Collab environment, real email ID OTP verification is performed.
Enter a valid email ID and an OTP will be sent to your email address. You can then enter the OTP received on the provided email ID to verify yourself and log in to the portal.

Step 3: Explore the features on the Pre-registration Portal:

To access all the features of the Pre-registration portal and explore the pre-registration process in MOSIP, refer to our end user guide.

Note: Please use 111111 as the OTP, for any OTP-based feature in the Collab environment.

Additional Resources

Watch this informative video here for a visual walkthrough of the features.

For more information about Pre-registration, click here.

By following these instructions, you will be equipped to seamlessly set up the pre-registration portal and effectively use all the features and book an appointment.

Get in Touch

If you require any assistance or encounter any issues during the testing and integration process, kindly reach out to us through the support mechanism provided below.

Navigate to Community.
Provide a detailed description of the support you require or provide detailed information about the issue you have encountered, including steps to reproduce, error messages, logs, and any other relevant details.

Thank you. We wish you a pleasant experience!

Registration Client

Overview

The Registration Client is a thick Java-based client where the resident's demographic and biometric details are captured along with the supporting documents in online or offline mode. Data is captured in the form of registration packets and is cryptographically secured to ensure that there is no tampering. The captured information is packaged and sent to the server for further processing.

MOSIP provides a reference implementation of a Java-based Registration Client. The code, and build files for the Registration Client are available in the Registration Client repo.

Multiple language support

Registration Client is featured to allow an operator to choose the operation language. The option to select their preferred language is provided on the login screen.
Data collection during registration client supports more than one language at a time.
Before starting any registration process, the operator can choose the languages amongst the configured ones.

To know more about setting up the reference registration client, refer to the Registration Client Installation Guide.

To know more about the features present in the Registration Client, refer to the Registration Client User Guide.

Who operates the Registration Client?

The Registration Client can be operated by an operator who can be either a Supervisor or an Officer. They can login to the client application and perform various activities. The Supervisor and the Officer can perform tasks like Onboarding, Synchronize Data, Upgrade software, Export packets, Upload packets, View Re-registration packets, Correction process, Exception authentication, etc. In addition to this, the Supervisor has exclusive authority to Approve/reject registrations.

To know more about the onboarding process of an operator, refer to Operator onboarding.

Registration Client entity diagram

The relationship of the Registration Client with other services is explained here. NOTE: The numbers do not signify a sequence of operations or control flow.

Registration Client connects to the Upgrade Server to check on upgrades and patch downloads.
All the masterdata and configurations are downloaded from SyncData-service.
Registration Client always connects to external biometric devices through SBI.
Registration Client scans the document proofs from any document scanner.
Acknowledgment receipt print request is raised to any connected printers.
Packets ready to be uploaded meta-info are synced to the Sync Status service. Also, the status of already uploaded packets is synced back to the registration Client.
All the synced packets are uploaded to the Packet Receiver service one by one.

The image below shows the setup of the Registration Client Host machine.

Registration Client comprises JavaFX UI, Registration-services libraries, and any third-party biometric-SDK.
SBI is allowed to run on loopback IP and should listen on any port within the 4501-4600 range. More than one SBI can run on the host machine. Registration Client scans the allowed port range to identify the available SBI.
Registration Client connects to the local Derby database. This is used to store all the data synced.
All the completed registration packets are stored under the packetstore directory.
.mosipkeys directory is used to store sensitive files. db.conf under this directory stores encrypted DB passwords. This is created at the start of the registration client for the first time.
TPM - is the hardware security module used to get machine identifier, secure DB password, and prove the client authenticity on auth requests and packets created in the host machine.

Data protection

The registration packets and synced data are stored in the client machine.
Most of the synced data are stored in the Derby DB. Derby DB is encrypted with the bootpassword.
Derby DB boot password is encrypted with the machine TPM key and stored under .mosipkeys/db.conf.
Synced UI-SPEC/script files are saved in plain text under the registration client working directory. During sync, SPEC/script file hash is stored in derby and then the files are saved in the current working directory. Every time the file is accessed by the client performs the hash check.
Synced pre-registration packets are encrypted with a TPM key and stored under the configured directory.
The directory to store the registration packets and related registration acknowledgments is configurable.
The registration packet is a signed and encrypted ZIP.
Registration acknowledgment is also signed and encrypted with a TPM key.

Background Tasks

The Registration Client runs background tasks to keep data synchronized with the Registration Processor. It continuously updates the server with newly created packets and syncs additional metadata to improve packet recovery in case of a client failure.

Another background task handles packet uploads. If supervisor approval is required ('y'), approved packets are uploaded in batches. If approval is not required ('n'), packets are uploaded during the next scheduled job. With this feature, the registration client has fully capable auto upload.

You can configure these settings in the Scheduled Jobs and Batch Configuration sections.

Configurations

Registration Client can be customized as per a country's requirements. For details related to Registration Client configurations, refer to Registration Client configuration.

UI Specifications for Registration Tasks

The blueprint of registration forms to be displayed in the registration client is created as json called UI-SPEC.
Every process ( NEW / LOST / UPDATE UIN / CORRECTION ) has its own UI-SPEC json.
Kernel-masterdata-service exposes APIs to create and publish UI-SPEC.
Published UI-SPEC json are versioned.
Only published UI-SPEC is synced into registration-client.
UI-SPEC json files are tamper proof, the client checks the stored file hash every time it tries to load the registration UI.
UI-SPEC json will fail to load if tampered.

Default UI Specifications loaded with Sandbox installation is available here

Developer Guide

To know more about the developer setup, read the Registration Client Developers Guide.

Develop

Developers Guide

Overview

Registration Client is a thick Java-based client where the resident's demographic and biometric details are captured along with the supporting documents in online or offline mode.

The documentation here will guide you through the prerequisites required for the developer' setup.

Software setup

Below are a list of tools required in Registration Client:

JDK 11
Any IDE (like Eclipse, IntelliJ IDEA)
Apache Maven (zip folder)
Git

Follow the steps below to set up Registration Client on your local system:

Code setup

For the code setup, clone the Registration Client repository and follow the guidelines mentioned in the Code Contributions.

Importing and building of a project

Open the project folder where pom.xml is present.
Open command prompt from the same folder.
Run the command mvn clean install -Dgpg.skip=true -DskipTests=true to build the project and wait for the build to complete successfully.
After building of a project, open Eclipse and select Import Projects → Maven → Existing Maven Projects → Next → Browse to project directory → Finish.
After successful importing of project, update the project by right-click on Project → Maven → Update Project.

Environment setup

1. For the environment setup, you need an external dependency that is available here with different versions. (E.g.: You can download mock-sdk.jar and add to registration-services project Libraries → Classpath → Add External JARs → Select Downloaded JAR → Add → Apply and Close).

2. Registration Client UI is developed using JavaFX and the UI pages are fxml files which can be opened using a tool called Scene Builder. The JavaFX integration with the Eclipse IDE is provided with the e(fx)clipse tool. Go to Help → Install New Software → Work with → Add. Give Name and Location as mentioned in below image.

Once the software is installed, you will be prompted to restart your IDE.

3. Download openjfx-11.0.2_windows-x64_bin-sdk.zip from here, unzip and place it in your local file system. This folder contains list of javafx related jars that are necessary for running Registration Client UI.

4. We can change the application environment in the file registration-services\src\main\resources\props\mosip-application.properties by modifying the property mosip.hostname

Below are the configurations to be done in Eclipse:

1. Open Eclipse and run the project for one time as Java application, so that it creates a Java application which you can see in debug configurations.

2. Open the arguments and pass this --module-path C:\Users\<USER_NAME>\Downloads\openjfx-11.0.2_windows-x64_bin-sdk\javafx-sdk-11.0.2\lib --add-modules=javafx.controls,javafx.fxml,javafx.base,javafx.web,javafx.swing,javafx.graphics --add-exports javafx.graphics/com.sun.javafx.application=ALL-UNNAMED in VM arguments.

3. Click Apply and then debug it (starts running). You can see a popup which shows informative messages of what is happening in background while Registration Client UI is loading and the application will be launched.

Running the Registration Client Downloader Docker image

Dockerfile is available under registration-client repository.
The concept here is to run nginx in the docker container from which registration-client.zip is hosted and also registration-client on the field will connect to this nginx to check for new updates or changes.

Note: We refer this nginx server as registration-client download and upgrade server.

While running the registration-client docker container we need to pass below environment variables:

Required

client_version_env : pom version of the registration client build

client_upgrade_server_env : public URL of this nginx server

reg_client_sdk_url_env : URL to download sdk zip. Make sure to have SDK jar and its dependent jars in the zip.

artifactory_url_env : artifactory URL to download below mentioned runtime dependencies

“${artifactory_url}/artifactory/libs-release-local/icu4j/icu4j.jar”

“${artifactory_url}/artifactory/libs-release-local/icu4j/kernel-transliteration-icu4j.jar”

“${artifactory_url}/artifactory/libs-release-local/clamav/clamav.jar”

“${artifactory_url}/artifactory/libs-release-local/clamav/kernel-virusscanner-clamav.jar”

keystore_secret_env : password of the keystore.p12 file

host_name_env : syncdata-service public domain name

signer_timestamp_url_env : URL of timestamp server to timestamp registration-client jar files.

Need to mount a volume to “/home/mosip/build_files” with below files

logback.xml
Client.crt : Signer certificate to be added in the registration-client build for jar sign verification.
keystore.p12 : Store private key used to sign the registation-client and registration-services jar files with “CodeSigning” alias.
maven.metadata.xml : Holds the current version of registration-client hosted in the upgrade server.

Optional

reg_client_custom_impls_url_env : URL to download scanner custom implementation jars(runtime dependency).

Finally, you can download the registration client zip from below URL. {registratiionclient download server domain name/ip}/registration-client/{client_version}/reg-client.zip}

References

Run (https://github.com/mosip/mosip-infra/blob/develop/deployment/v3/mosip/regclient/create-signing-certs.sh) to generate Client.crt and keystore.p12.

To get the content of maven-metadata.xml and logback.xml check (https://github.com/mosip/mosip-helm/blob/develop/charts/regclient/templates/configmap.yaml)

Test

Deploy

Installation Guide

Overview

This guide helps the operator in setting up the registration client.

Know your machine TPM keys

A Trusted Platform Module (TPM) is a specialized chip on a local machines that stores RSA encryption keys specific to the host system for hardware authentication.The pair is maintained inside the chip and cannot be accessed by software. By leveraging this security feature every individual machine would be uniquely registered and identified by the MOSIP server component with it's TPM public key.

To extract the TPM public key, use the TPM key extractor utility.

Prerequisites

To onboard the machine and the operator, the Admin needs to:

Create and activate the registration client machine using Admin portal.
Create a user/operator account in Keycloak
Assign the operator a role of either the Supervisor or Officer using the Admin portal.
Finally, perform the User Zone mapping and User Center mapping in the Admin portal.

System prerequisites:

CPU - Dual Core Processor - 2GHZ
RAM - 16 GB
Local Storage Disk Space - 500 GB
USB 2.0 ports or equivalent hub.
Physical machine with TPM 2.0 facility.
Windows OS [10 v]

Registration client setup

To setup the registration client:

Download the reg-client.zip from the hosted server.
Unzip the client. You can see the directory structure below.
Click run.bat to launch registration client.

Launching the registration client

The client always launches with the pre-loader screen which displays the information about the network status, build status verification, online status, etc.

First time launch

After the pre-loader, the login screen is displayed.
Any valid operator credentials can be provided to authenticate and start the initial sync.
On successful intial sync, the operator will be prompted to restart the application.
After the first launch, the operator can notice .mosipkeys and db folders created under the registration client setup folder.

Note: Deletion of either the .mopsipkeys or the db folder makes the application get into an invalid state and hence will fail to launch. To be able to launch the client again, the operator should make sure that both the folders are removed and then re-launch the client.

On the next launch after the initial sync,

The registration client login page provides the operator an option to select the language for viewing the registration client UI.
After successful login, the operator either lands into the operator onboard page or the home page.

For more details on operator onboarding, refer to Operator onboarding guide.

For more details on Home page, refer to Registration client home page.

Modes of operation

Offline- Operator can use the registration client in offline mode to only do the registrations and EOD process. During offline mode, the operator authentication will be based on locally saved password hash. An operator can work in offline mode only if they have logged into to the registration client being online atleast once.
Online- Machine must be online for the registration client first launch. For any server-client sync or vice-versa, the registration client must be online. In the online mode, the client reaches out to the server for password authentication.

Note: On successful onboard of the operator, biometric templates of the operator are stored locally. Biometric authentication does not reach out to the server everytime, instead it is validated based on the locally stored templates on the registration client machine.

Setting up MOCK SBI (MDS)

In the development environment, Registration client can be tested using mock SBI. Find the instructions to build and run the mock SBI, click here.

Troubleshooting

1. Incorrect username/password

-> Cross-check the machine keys mapping in server ('Machine not found' error in logs)

-> Cross-check machine status

-> 'Invalid Request' error in log - Check your machine time, it shouldnt be less or greater than local timezone datetime (usually accepted lag is +5/-5 minutes)

-> check logs/registration.log for more details

2. Configuration / masterdata Sync failed

-> check if kernel-syncdata-service is up.

Operator Onboarding

This guide contains all the details you may want to know about the operator onboarding.

Creating the first operator in MOSIP

To generate the first operator in MOSIP eco-system, refer to the steps below.

The Admin needs to:

Create the role Default in KeyCloak with all the other roles.
Create the operator' user account in KeyCloak.
Assign the operator user account with the Default role.
Perform Zone and Center mapping for the operator using the Admin Portal.
Onboard the operator machine using the Admin Portal. Machine' details can be extracted using the

The operator will need to:

Download the latest registration client and login with the credentials set in KeyCloak. The operator will automatically skip Operator/Supervisor onboarding and reaches the home page of the registration client.
Register themselves in MOSIP and get a RID and UIN.

Once the operator is registered:

The Admin changes the role of the operator to either REGISTRATION_OFFICER or REGISTRATION_SUPERVISOR.
Deletes the role Default from KeyCloak so that no other user has the role Default.
This operator can now register and onboard other Supervisors and Officers.

On-boarding an operator

Admin needs to map the operator' UIN in KeyCloak under Attributes with attribute name as individualId.
Admin needs to remove the "Default" role mapping for the operator' user account if it exists.
The operator needs to login (password based) to the Registration Client using Keycloak credentials.
The operator needs to ensure that the Registration Client machine is online.
The operator will land into the below page and needs to click on Get Onboarded
The operator needs to provide their biometrics and click Save.
All the biometric modalities displayed in the Operator biometrics page must be captured before clicking on Save.
Captured biometrics quality must be greater than or equal to the threshold displayed in the UI.
Note- The threshold values are configurable and can be set as per the ID issuer.
After successful onboarding, the operator is automatically re-directed to the .

Note:

After successful onboarding of the operator, the templates are extracted from the captured biometrics using configured Bio-SDK. The extracted templates are stored in Derby DB. This can be used later for operator' biometric-authentication and also for local de-duplication checks during registration.
After the first login and successful on-boarding, the registration client would mandate the operator to login with the configured authentication mode decided by the administrator.
Any number of operators can login to a registration client machine but they need to be mapped to the same center where the machine is onboarded.
Login operator' user ID is case-insensitive.

Summarizing, on-boarding of an operator is successful only if,

The operator is active and not block listed.
The operator and the machine belongs to the same center.
The operator's User ID is mapped to their UIN.
The operator's biometric authentication is successful during on-boarding.
The system is online during on-boarding.

Operator onboarding workflow

Operator logs into Registration Client for the first time and is redirected to Onboarding screen. Here, they need to capture all their biometrics and then click SAVE button.
Request from Registration Client goes to for operator authentication.
Registration Processor passes this request to where it checks whether the user is mapped to a valid UIN and then matches the biometrics sent in the request with the biometrics of the mapped UIN.
Success/Failure response sent back to Registration Processor based on the authentication result.
Registration Processor sends back this response to Registration Client.
After successful authentication, the captured biometrics are sent to configured Bio-SDK to extract templates.
Extracted templates are sent back from .
The extracted templates are stored in local Derby DB.
These templates stored in local DB can be used later for operator's biometric-authentication and also for local de-duplication checks during registration.

MOSIP supports single factor and multi factor login including password, iris, fingerprint, and face authentication for registration client. An administrative configuration setting determines the mode of authentication login.
The registration client can authenticate an operator in offline mode using the locally stored biometrics templates (face/finger/iris) and password hash.

Temporarily lock the operator

The registration client temporarily locks the operator’s account in case they provides an invalid password/fingerprint/iris/face for X times continuously to login (X is configurable). The temporary account lock lasts for X minutes (X is again configurable).

Logout

An Operator can logout of the registration client by:

Clicking on the Logout button,
Closing the registration client,
Being in-active on the registration client for configured amount of time after which they are automatically logged out.
Upon logout, any unsaved data will be lost.
Data will not be automatically saved in the database and will not be retained in memory though transaction details which is used for auditing will be captured and stored (except for PII data).

Note- Registration client provides an alerts to the operator ‘X’ minutes before reaching the auto logout time limit. Registration client displays a countdown timer in the alert. The operator can choose to dismiss the alert and continue working. This will also reset the timer to zero.

Settings page

Settings Schema

Default settings schema is configured as below:

[
	{
		"name":"scheduledjobs",
		"description":{
			"ara":"إعدادات الوظائف المجدولة",
			"fra":"Paramètres des travaux planifiés",
			"eng":"Scheduled Jobs Settings"
		},
		"label":{
			"ara":"إعدادات الوظائف المجدولة",
			"fra":"Paramètres des travaux planifiés",
			"eng":"Scheduled Jobs Settings"
		},
		"fxml":"ScheduledJobsSettings.fxml",
		"icon":"scheduledjobs.png",
		"order":"1",
		"shortcut-icon":"scheduledjobs-shortcut.png",
		"access-control":[
			"REGISTRATION_SUPERVISOR"
		]
	},
	{
		"name":"globalconfigs",
		"description":{
			"ara":"إعدادات التكوين العامة",
			"fra":"Paramètres de configuration globale",
			"eng":"Global Config Settings"
		},
		"label":{
			"ara":"إعدادات التكوين العامة",
			"fra":"Paramètres de configuration globale",
			"eng":"Global Config Settings"
		},
		"fxml":"GlobalConfigSettings.fxml",
		"icon":"globalconfigs.png",
		"order":"2",
		"shortcut-icon":"globalconfigs-shortcut.png",
		"access-control":[
			"REGISTRATION_SUPERVISOR"
		]
	},
	{
		"name":"devices",
		"description":{
			"ara":"إعدادات الجهاز",
			"fra":"Réglages de l'appareil",
			"eng":"Device Settings"
		},
		"label":{
			"ara":"إعدادات الجهاز",
			"fra":"Réglages de l'appareil",
			"eng":"Device Settings"
		},
		"fxml":"DeviceSettings.fxml",
		"icon":"devices.png",
		"order":"3",
		"shortcut-icon":"devices-shortcut.png",
		"access-control":[
			"REGISTRATION_SUPERVISOR",
			"REGISTRATION_OFFICER"
		]
	}
]

Clicking on in the home page opens a pop-up displaying configured Settings page as per the above sample settings schema.

Device settings

All the connected devices are listed in this page.
Option to scan for SBI for any specific port range is available in this page.
If more than one device is idenitied, operator can choose amongst the listed devices to set the default device for the current login session.
Access control on this page is controlled via the settings-schema.

Global configuration

All the Registration Client related configuration key-value pairs are listed in this page.
Operator can set the local preference on the server configraton value, applicable only for permitted configuration keys.
Access control on this page is controlled via the settings-schema.

Scheduled Jobs

All the available background jobs are listed here along with their cron expression.
Every job's next and previous trigger time is listed along with the job name.
Privileged operator can update the cron expression of any job.
Synchornize Data in home page will trigger all of these listed jobs with just one click.
If the operator needs to trigger specific job, the same can be handled in this page.
Access control on this page is controlled via the settings-schema.

Telemetry from Registration Client

Following are the metrics that are collected in the client application using the micrometer library:

JVM Memory Metrics
JVM Thread Metrics
JVM GC Metrics
JVM Heap Pressure Metrics
Processor Metrics
Class Loader Metrics
Disk Metrics
Packet Metrics based on client and server status

All the metrics collected are appended to metrics.log file. Rolling policy of the metrics.log is defined in registration-services logback.xml.

Below are the challenges faced in exporting the collected metrics from client application to the server for further analysis:

Unreliable network conditions on field.
Metrics files are mostly large files, and cannot afford retries on failed attempts.
Required HTTP based metrics export.

To overcome the above challenges, Registration Client is built with tus-java-client (version: 0.4.3) . Tusd server URL and the upload chunk-size are made configurable in the client application.

mosip.registration.tus.server.url: This is the server URL config which specifies to which URL the metrics files are to be uploaded.

mosip.registration.tus.server.upload.chunksize: This config defines the chunk size, which means, how much size of the file is to be uploaded at once. By default, this is given as 1024, which means 1KB

Note:

The Tus protocol is designed to enable resumable uploads of large files over HTTP, which can be useful for web applications that need to handle file uploads in unreliable network conditions or with large files that might take a long time to upload. For more information on TUS, refer here.
Tusd is a popular implementation of the Tus protocol that can be used as a standalone server. It is a part of the MOSIP deployment.

Each metric json logged into metrics.log file is tagged with machine name. Refer the below log lines with the machine names.

{"@timestamp":"2023-03-12T15:00:10.654+05:30","@version":"1","message":"{\"@timestamp\":\"2023-03-12T09:30:10.654Z\",\"name\":\"jvm.threads.states\",\"type\":\"gauge\",\"machine\":\"c1ml54597\",\"state\":\"waiting\",\"value\":8,\"unit\":\"threads\"}","logger_name":"io.mosip.registration.config.LoggingJsonMeterRegistry","thread_name":"logging-metrics-publisher","level":"INFO","level_value":20000}


{"@timestamp":"2023-03-12T15:00:10.654+05:30","@version":"1","message":"{\"@timestamp\":\"2023-03-12T09:30:10.654Z\",\"name\":\"jvm.threads.states\",\"type\":\"gauge\",\"machine\":\c1ml54597\",\"state\":\"timed-waiting\",\"value\":20,\"unit\":\"threads\"}","logger_name":"io.mosip.registration.config.LoggingJsonMeterRegistry","thread_name":"logging-metrics-publisher","level":"INFO","level_value":20000}


{"@timestamp":"2023-03-12T15:00:10.654+05:30","@version":"1","message":"{\"@timestamp\":\"2023-03-12T09:30:10.654Z\",\"name\":\"jvm.threads.states\",\"type\":\"gauge\",\"machine\":\"c1ml54597\",\"state\":\"blocked\",\"value\":0,\"unit\":\"threads\"}","logger_name":"io.mosip.registration.config.LoggingJsonMeterRegistry","thread_name":"logging-metrics-publisher","level":"INFO","level_value":20000}


{"@timestamp":"2023-03-12T15:00:10.654+05:30","@version":"1","message":"{\"@timestamp\":\"2023-03-12T09:30:10.654Z\",\"name\":\"jvm.threads.states\",\"type\":\"gauge\",\"machine\":\"c1ml54597\",\"state\":\"terminated\",\"value\":0,\"unit\":\"threads\"}","logger_name":"io.mosip.registration.config.LoggingJsonMeterRegistry","thread_name":"logging-metrics-publisher","level":"INFO","level_value":20000}


{"@timestamp":"2023-03-12T15:00:10.654+05:30","@version":"1","message":"{\"@timestamp\":\"2023-03-12T09:30:10.654Z\",\"name\":\"jvm.threads.states\",\"type\":\"gauge\",\"machine\":\"c1ml54597\",\"state\":\"new\",\"value\":0,\"unit\":\"threads\"}","logger_name":"io.mosip.registration.config.LoggingJsonMeterRegistry","thread_name":"logging-metrics-publisher","level":"INFO","level_value":20000}

A job is scheduled to upload collected metrics to server from the client application.
Job runs with a fixed delay of 15 minutes.
Resumable file URLs are stored under .metrics folder of registration client. Once the complete file is uploaded to server, the metrics file is deleted locally.

Android Registration Client

Overview

The Android Registration Client is a tablet application that serves as a portable version of the existing desktop Registration Client. It has been developed to support accessibility on all Android devices. The creation of the Android Registration Client was driven by the need to meet the mobility requirements of countries adopting MOSIP.

The primary objective of the tablet version is to facilitate the registration process for residents, especially those who are unable to physically visit registration centers. It also serves remote locations where setting up registration centers is not feasible. To address this challenge, the Android Registration Client was created, enabling operators and supervisors to easily reach remote areas and maximize resident registrations across the country.

Configuration Guide

To read through the comprehensive list of configurable properties for the Android Registration Client, refer Android Registration Client Configuration Guide.

UI Specifications

For more details on UI specifications for the Android Registration Client, refer here.

Compatibility

The Android Registration Client is compatible with the following MOSIP platform versions:

1.1.5.x
LTS 1.2.0 and above

Develop

Developer Guide

The documentation here will guide you through the pre-requisites and the other necessary details required for Android Registration Client developer setup.

The android-registration-client repository contains the Android Registration Client software for MOSIP. The feature-flutter branch focuses on integrating Flutter into the client.

Setup

To set up the Android Registration Client with Flutter and Android Studio, follow the steps below:

Prerequisites

Flutter SDK (3.10.4): Install Flutter by following the official Flutter installation guide.
Android Studio (or Any IDE of your choice): Download and install Android Studio from the official Android Studio website.

Step 1: Clone the Repository

The develop branch of android-reg-client is currently being actively developed. If you wish to access this branch, you can clone the repository by executing the following command in your terminal. Alternatively, you can download one of the releases available in the repository's release section.

git clone -b feature-flutter https://github.com/mosip/android-registration-client.git

Active Branches:

release-1.0.x(developer release branch)
develop(active development branch)

Step 2: Set up Flutter in Android Studio

To begin, launch Android Studio.
Next, select Open an existing Android Studio project and navigate to the cloned repository.
Open the android-registration-client directory as a project in Android Studio.
In order to integrate Flutter with Android Studio, install the Flutter plugin by accessing File > Settings > Plugins and searching for Flutter. Proceed to click on Install to install the plugin.
To ensure proper functionality, configure the Flutter SDK path by navigating to File > Settings > Languages & Frameworks > Flutter and specifying the Flutter SDK path as the location where you have installed Flutter.
Finally, save the changes by clicking on the "Apply" button.

Customizing the Registration Client

Styling of the application can be configured by modifying these files lib/utils/app_style.dart, lib/utils/app_config.dart
Application language bundles can be added to this path lib/l10n After adding the bundle run the below command to generate Localization data (Required for the first time).

flutter gen-l10n

The label and application logo can be changed here android/app/src/main/AndroidManifest.xml

Step 3: Build and Run the Application

The pigeon.sh file consists of the necessary commands for downloading dependencies and generating Flutter - Android native communication code. Please execute the pigeon.sh file or execute the commands within the file separately.
Ensure you have connected an Android device or initiated an Android emulator.
Open the terminal within Android Studio or use an external terminal.
Navigate to the android-registration-client directory.
Run the following command to build and execute the application:

flutter run

Step 4: Build, debug, and release APK

Execute the commands below to debug and release the APK

// Debug APK
flutter build apk --debug

// Release APK
flutter build apk --release

Set up Mock MDS for Biometric Scan

The Mock MDS tool can be utilized to simulate the functionalities of biometric devices. The Mock MDS application is compliant with CTK standards and can serve as a substitute for Android SBI modules during testing and validation.

Install the Mock MDS application.
Access the Settings menu.
Under Device Configuration, choose Registration from the dropdown menu.
In P12 Configuration:
- Enter the necessary credentials for the Device Key and upload the Device P12 file.
- Enter the required credentials for the FTM Key and upload the FTM P12 file.
- Complete all fields in MOSIP IDA Configuration.
In Modality Configuration, specify the quality score for Face, Finger, and Iris scans(these values can also be adjusted during testing).
Click on the Save button.
Go back to the Home Page and select LOAD AND VALIDATE CERTIFICATES.

A toast message will be displayed indicating the success of the validation process.

Note: To view the released version of the Mock SBI APK, click here.

To download the Mock SBI APK, click on camera-mds.zip.

Contributions

If you would like to contribute to the Android Registration Client, please follow the guidelines outlined here.

License

The Android Registration Client is licensed under the MIT License.

Support

If you encounter any issues or have any questions, please open an issue on the GitHub repository.

Sources

GitHub- mosip/android-registration-client: Reference Android Registration Client Software - WIP
Flutter- Get started: Install
Android Studio- Download

Technology Stack

The table below outlines the frameworks, tools, and technologies employed by the Android Registration Client.

Tool /Technology

Version

Description

License

Android SDK Versions :

Target SDK Version : 31

Compile SDK Version : 31

Test

Collab Guide

Android Registration Client (ARC) is a tablet application that serves as portable version of the existing desktop Registration Client. It can be accessed through Android devices and also meets mobility requirements of countries adopting MOSIP Identity.

The primary objective of the tablet version is to facilitate the registration process for residents who are not able to physically visit Registration centers and also serve remote locations where setting up Registration centers is not feasible. To address this challenge, the ARC was developed enabling Operators / Supervisors to easily access the remote areas and maximize resident registrations across the country.

This guide serves as a tool to demonstrate the impressive capabilities of MOSIP's system. Additionally, the primary user of this guide will be the Operator / Supervisor trying to register individuals for generating UIN.

Let's embark on this journey together to explore the potential of ARC.

For developers setting up ARC locally, refer Developers Guide.

Pre-requisites

Reliable and consistent Internet connectivity
Tablets running Android version 10 to 13
Tablets with a minimum of 4 GB RAM
The tablets should be capable of capturing fingerprints, IRIS, and face (photo) biometrics. Additionally, they should also have the ability to scan documents. However, if the tablets do not support these capabilities, MOCK SBI can be used as an alternative.

Note: For Mock MDS, click here to download the Mock MDS in your system folder, which will enable you to simulate biometric capture (without real biometric devices).

The following details are required to access ARC in the Collab environment:
- UIN or a VID
- Machine details
To obtain your UIN credentials for the Collab environment follow the below steps:
- The provision of a Unique Identification Number (UIN) as a demonstration credential will enable you to have a firsthand experience of the ARC's capabilities and explore its various features.
- Please fill out the form with the correct details and submit the form. Upon receiving the form, we will generate a demo credential for you. We will also register you as an Operator on Keycloak and map your device to the center to which your credential is required to be mapped.

Step-by-Step Process

Mentioned below are the steps to download, install, and use ARC.

Step 1: Download and install the APK on an Android tablet. Visit the Android Registration Client to access ARC in the Collab environment.

Step 2: Install ARC and launch it.

Step 3: Login as an Operator with the credentials received and wait for synchronization to complete.

Step 4: Refer to our comprehensive User Guide document to learn how to register and use ARC.

Note: Please be advised that if the Android Registration Client is uninstalled and then re-installed, the aforementioned steps will need to be repeated from the start.

Additional Resources

To know more about features of the Android Registration Client, click here.
To learn more about the ARC configurations, click here.

Get in Touch

If you require any assistance or encounter any issues during the testing and integration process, kindly reach out to us through the support provided below.

Navigate to Community.
Provide a detailed description about the support you require or provide complete information about the issue you have encountered, including steps to reproduce, error messages, logs and any other required details.

Thank you. Wishing you a pleasant experience!

Deploy

Registration Processor

Overview

Introduction

Registration Processor (Regproc) is a backend processing engine to enable ID Lifecycle management. The diagram below shows the Registration Processor along with the other modules that contribute to issuing a Unique Identification Number(UIN) for an individual. Internally, Regproc follows the SEDA architecture where data flows via multiple stages till the UIN is issued.

The relationship of Regproc with other services is explained here. NOTE: The numbers do not signify a sequence of operations or control flow

Registration packets are uploaded by the Registration Client to the Packet Receiver.
After packet validation is done Regproc notifies the pre-registration application using the datasync service.
The quality of biometrics is checked using an external biometric SDK. This is done in Regproc's Quality Classifier stage.
Regproc shares biometric data with ABIS, Manual adjudication System, and Verification System. The policy for sharing this data is fetched from PMS.
The above data is shared by providing a URL that partners use to fetch data. This URL is obtained from the Datashare service.
Regproc's ABIS Middleware stage communicates with ABIS via Activemq. The ABIS performs deduplication and sends back the result to the Queue.
Regproc stores and updates applicant demographic and biometric information in the ID Repository. Also, activate or deactivate the applicant's UIN.
Regproc calls IDA Internal Authentication Service to authenticate Applicant(for update flow), introducer, operator, and supervisor(when bio auth mode is used to create packet).
After the UIN is processed the Printing Stage calls Credential Service to create credentials for print. This credential will be pushed to websub and the Printing systems will consume the same.
The Notification Service is used to send email/sms notifications to the applicant after the request processing is completed on the server.
Regproc connects to the external "Manual Adjudication System" via a queue. Regproc sends applicant information required for adjudication in the queue and the external adjudication system consumes it. The data is shared from mosip to an external adjudication system based on policy.
Regproc calls Key Manager for decrypting packets and encrypting information.
Regproc uses Masterdata Service to validate the center, machine, user, etc.
Regproc connects to Virus Scanner for scanning packets in the Packet Receiver Stage and Packet Uploader Stage
Each Stage in regproc calls Packet Manager to read information from the packet.

Stages and services

The Registration Processor contains several stages and services.

The registration packet flows through the various stages depending on the type of flow. See Registration Flows and Stage Sequence.

Note: The Print Stage has been renamed as the Credential Requestor Stage. For further information, please click here.

Build and deploy

Refer to repo.

Configurations

Refer to Configuration Guide.

Developer Guide

To know more about the developer setup, read the Registration Processor Developers Guide.

API

Refer to API Documentation.

Source code

Github repo.

Develop

Registration Processor Developers Guide

Overview

Registration Processor(Regproc) is a backend processing engine to enable the ID Lifecycle management. It has several stages and services, registration packet flows through various stages depending on the type of flow.

The documentation here will guide you through the prerequisites required for the developer's setup.

Software setup

Below are a list of tools required in Registration Processor:

JDK 11
Any IDE (like Eclipse, IntelliJ IDEA)
Apache Maven (zip folder)
pgAdmin
Git
Notepad++ (optional)
lombok.jar (file)
settings.xml (document)

Follow the steps below to set up Registration Processor on your local system:

1. Download lombok.jar and settings.xml from here.

2. Unzip Apache Maven and move the unzipped folder in C:\Program Files and settings.xml to conf folder C:\Program Files\apache-maven-3.8.4\conf.

3. Install Eclipse, open the lombok.jar file and wait for some time until it completes the scan for Eclipse IDE and then click Install/Update.

4. Check the Eclipse installation folder C:\Users\userName\eclipse\jee-2021-12\eclipse to see if the lombok.jar is added. By doing this, you don't have to add the dependency of lombok in your pom.xml file separately as it is auto-configured by Eclipse.

5. Configure the JDK (Standard VM) with your Eclipse by traversing through Preferences → Java → Installed JREs.

Code setup

For the code setup, clone the registration repository from and follow the guidelines mentioned in the Code Contributions.

Importing and building of a project

Open the project folder where pom.xml is present.
Open command prompt from the same folder.
Run the command mvn clean install -Dgpg.skip=true -DskipTests=true to build the project and wait for the build to complete successfully.
After building of a project, open Eclipse and select Import Projects → Maven → Existing Maven Projects → Next → Browse to project directory → Finish.
After successful importing of project, update the project by right-click on Project → Maven → Update Project.

Environment setup

1. For the environment setup, you need an external JAR that is available here with different versions. (E.g.: You can download kernel-auth-adapter.jar and add to project Libraries → Classpath → Add External JARs → Select Downloaded JAR → Add → Apply and Close).

2. Clone mosip-config repository.

3. Create an empty folder inside the mosip-config with sandbox-local name and then copy and paste all the config files inside sandbox-local folder except .gitignore, README and LICENSE.

4. As Registration Processor is using two properties files, registration-processor-default and application-default, you will have to configure them according to your environment. The same files are available here for reference.

5. To run the server, two files are required- kernel-config-server.jar and config-server-start.bat.

6. Put both the files in the same folder and change the location attribute to sandbox-local folder in config-server-start.bat file and also check the version of kernel-config-server.jar towards the end of the command.

Example:

java -jar -Dspring.profiles.active=native -Dspring.cloud.config.server.native.search-locations=file:C:\Users\myDell\mosipProject\mosip-config\sandbox-local -Dspring.cloud.config.server.accept-empty=true -Dspring.cloud.config.server.git.force-pull=false -Dspring.cloud.config.server.git.cloneOnStart=false -Dspring.cloud.config.server.git.refreshRate=0 kernel-config-server-1.2.0-20201016.134941-57.jar.

7. Run the server by opening the config-server-start.bat file.

The server should now be up and running.

8. Before running any application of Registration Processor, replace the below properties in bootstrap.properties:

spring.cloud.config.uri=http://localhost:51000/config

spring.cloud.config.label=master

spring.profiles.active=default

spring.profiles.active can be dmz or mz(default)

9. An alternative approach to start the application is to place the dependency of application to be executed in the pom of MOSIP stage executor update maven and place above mentioned properties in the bootstrap.properties and then start MOSIP stage executor.

Test

Credential Requestor Stage

Rename - “Print Stage” to “Credential Requestor Stage”

Note: The change in nomenclature from 'Print Stage' to 'Credential Requestor Stage' was implemented to enhance clarity and better reflect its expanded functionality.

History of Print Stage in MOSIP

In MOSIP 0.9.0, the "print stage" was primarily designed to facilitate the submission of printing requests. The core functionality of print stage revolved around initiating a request for the physical printing of credentials. However, as the system evolved and incorporated additional features, the scope of the print stage expanded beyond its original purpose.

In the evolved approach, at the print stage, apart from processing a print request, the application enables partner-specific print capabilities. Contrary to its initial purpose, the print stage no longer serves the singular function of printing credentials. Instead, it has transformed into a multifaceted component with enhanced set of responsibilities.

In the current system, the print stage's role extends beyond traditional printing activities. Its primary function now revolves around initiating a request for credential generation once a Unique Identification Number (UIN) is generated. This request is not aimed at physical printing but serves as a mechanism to gather additional information for specific partners. These partners may require supplementary data beyond what is initially generated with the UIN.

Therefore, in the evolved approach, the print stage has transitioned from being a straightforward printing request to a more versatile component that manages the initiation of credential requests tailored to partner-specific information needs. This adaptation reflects the system's responsiveness to changing requirements and the dynamic nature of credentialing processes. This reason led us to re-name the “Print Stage” to the “Credential Requestor Stage” as this name serves the purpose of the work executed by this stage.

Introduction

The Credential Requestor Stage in MOSIP, formerly known as the Print Stage, is a crucial component used to request credentials for configurable partners after the UIN is generated. This stage enables countries to share information with multiple partners, each with specific needs after UIN generation. Partners, such as Print Partners and Digital Card Partners, may require demographic or biometric information to perform operations.

What is the credential requestor stage?

The Credential Requestor Stage plays a crucial role in the MOSIP system, serving as a mechanism to solicit credentials from configurable partners post-UIN generation. In this context, partners, previously registered with MOSIP, require demographic and biometric data to execute their respective operations. For instance, a Print Partner necessitates specific demographic details for the purpose of printing cards. Similarly, digital card partners seek demographic information to generate digital cards. Additionally, DPGs might seek confirmation of successful UIN generation to integrate this information into their systems. The Credential Requestor Stage facilitates various use cases where the country aims to share pertinent information with multiple partners subsequent to UIN generation.

What are the latest changes done in the credential requestor stage?

Partner Profile Configuration

MOSIP has introduced a new partner profile for the Credential Requestor Stage. The partner profiles are maintained here.

Sample Partner Profile:

jsonCopy code{
  "partners": [
    {
      "id": "digitalcardPartner",
      "partnerId": "mpartner-default-digitalcard",
      "credentialType": "PDFCard",
      "template": "RPR_UIN_CARD_TEMPLATE",
      "appIdBasedCredentialIdSuffix": ".pdf",
      "process": null,
      "metaInfoFields": null
    },
    {
      "id": "printPartner",
      "partnerId": "mpartner-default-print",
      "credentialType": "euin",
      "template": "RPR_UIN_CARD_TEMPLATE",
      "appIdBasedCredentialIdSuffix": null,
      "process": null,
      "metaInfoFields": null
    },
    {
      "id": "opencrvsPartner",
	  "partnerId": "opencrvs-partner",
      "type": "opencrvs",
      "template": "RPR_UIN_CARD_TEMPLATE",
      "process": ["OPENCRVS_NEW"],
      "metaInfoFields": ["opencrvsBRN"]
    }
  ]
}

Field Description

id: Logical unique identifier
partnerId: Partner identifier configured in MOSIP
credentialType: Type of credential configured in MOSIP
template: Template used for generating the credential
appIdBasedCredentialIdSuffix: Applicable for special conditions where the credential ID is the application ID itself, with an optional suffix (for example, .pdf). Currently, this is applicable for digital card credentials.
process: If applicable for a particular process. If applicable for all processes, value is null
metaInfoFields: Meta information fields to be sent as additional information while generating the credential

Configuration Changes

Once the partner profile is configured, the System Integrator (SI) should make changes to the following configurations:

mosip.registration.processor.credential.partner-profiles: Specify the file name for the partner profiles. By default its → registration-processor-credential-partners.json. If a country intends to change the file name only then this configuration should be updated otherwise default configuration can be used
mosip.registration.processor.credential.default.partner-ids: Specify default partner IDs for which credentials will be created automatically
mosip.registration.processor.credential.conditional.partner-id-map: Define conditions for conditional partners. Credentials for these partners will be requested only if the conditions are met. Use MVEL expressions for conditions
mosip.registration.processor.credential.conditional.no-match-partner-ids: Specify a partner ID to be used when no conditions are met for conditional partners

Conditional Partner Requests

The stage will create credentials for default partner IDs by default
For conditional partners, credentials will be requested only if they match a particular MVEL expression
MVEL expressions can be written on any identity field as well as meta info field
If there is no condition match for conditional partners, SI can configure a no-match partner, which will be used when no conditional partner match is found

Configuration File Locations

Credential Requestor Stage Configuration: Click here to view credential requestor stage configuration details.
Partner Profile Configuration: Click here to view partner profile configuration details.

Conclusion

The Credential Requestor Stage configuration is an essential part of MOSIP's functionality, enabling seamless communication with partners and ensuring the secure exchange of information post-UIN generation.

Note: Ensure that configured IDs are logically unique and consistent across future configurations.

Deploy

Effortlessly deploy and configure with comprehensive guides , repositories and more.

Configurations Details

Overview

This guide details the configuration updates required in MOSIP to enable CRVS-initiated birth and death registration requests. It covers ID schema changes to add key fields, updates to authentication policies, property files, and identity mapping, along with new Camel routes and workflow settings. These changes ensure the proper handling and processing of vital events within the MOSIP ecosystem.

ID Schema Update for Initiating Infant Birth Requests

Before initiating an infant birth registration request from the CRVS system, updating the ID schema in MOSIP to include the necessary fields required for capturing introducer information is essential.

The following fields should be added to support the processing of infant birth registration requests:

introducerInfoToken (Optional)
- Description: A user information token representing the individual reporting the infant's birth to CRVS.

ID Schema Update for Initiating Death Requests

Before initiating a death registration request from the CRVS system, updating the ID schema in MOSIP to include the necessary fields required for capturing information related to the deceased and informant is essential.

The following fields should be added to support the processing of death registration requests:

deceasedDeclarationDate (Optional)
- Description: The date on which the individual was declared deceased.
declaredAsDeceased (Mandatory)
- Description: A flag indicating that the individual has been officially declared deceased.
typeOfDeath (Optional)
- Description: Specifies the nature of the death, such as natural or jurisdictional.
deceasedInformer (Optional)
- Description: A user information token representing the individual reporting the death to CRVS.

Note: The field declaredAsDeceased is mandatory and must be included in the ID schema to initiate any death registration request. The remaining fields can be configured based on specific use case requirements.

Configuring mosip-auth-policy

After updating the ID schema with the necessary fields for birth/death registration, corresponding changes must be applied to the default authentication policy. This step ensures that the new fields are correctly reflected in the ID authentication module particularly required when the authentication process involves the national ID of a deceased individual.

To include the new attributes in the authentication policy:

Update the existing policy_file_id by appending the newly added fields.
Execute the upgrade script to apply the changes.

Below is a sample SQL script for updating default-authpolicy to include the field declaredAsDeceased:

UPDATE pms.auth_policy SET policy_group_id='mpolicygroup-default-auth', "name"='mpolicy-default-auth', descr='mpolicy-default-auth', policy_file_id='{"shareableAttributes":[{"attributeName":"fullName","source":[{"attribute":"fullName"}],"encrypted":true},{"attributeName":"dateOfBirth","source":[{"attribute":"dateOfBirth"}],"encrypted":true},{"attributeName":"gender","source":[{"attribute":"gender"}],"encrypted":true},{"attributeName":"phone","source":[{"attribute":"phone"}],"encrypted":true},{"attributeName":"email","source":[{"attribute":"email"}],"encrypted":true},{"attributeName":"addressLine1","source":[{"attribute":"addressLine1"}],"encrypted":true},{"attributeName":"addressLine2","source":[{"attribute":"addressLine2"}],"encrypted":true},{"attributeName":"addressLine3","source":[{"attribute":"addressLine3"}],"encrypted":true},{"attributeName":"region","source":[{"attribute":"region"}],"encrypted":true},{"attributeName":"province","source":[{"attribute":"province"}],"encrypted":true},{"attributeName":"city","source":[{"attribute":"city"}],"encrypted":true},{"attributeName":"postalCode","source":[{"attribute":"postalCode"}],"encrypted":true},{"attributeName":"zone","source":[{"attribute":"zone"}],"encrypted":true},{"attributeName":"preferredLang","source":[{"attribute":"preferredLang"}],"encrypted":false},{"attributeName":"individualBiometrics","group":"CBEFF","source":[{"attribute":"individualBiometrics"}],"encrypted":true,"format":"extraction"},{"attributeName":"declaredAsDeceased","source":[{"attribute":"declaredAsDeceased"}],"encrypted":true}],"dataSharePolicies":{"typeOfShare":"Data Share","validForInMinutes":"30","transactionsAllowed":"2","encryptionType":"Partner Based","shareDomain":"datashare.datashare","source":"ID Repository"}}' , policy_type='DataShare', "version"='1', policy_schema='https://schemas.mosip.io/v1/auth-policy', valid_from_date='2025-03-17 11:53:55.388', valid_to_date='2025-04-28 09:37:00.000', is_active=true, cr_by='admin', cr_dtimes='2025-03-17 11:53:55.388', upd_by='admin', upd_dtimes='now()', is_deleted=false, del_dtimes=NULL WHERE id='mpolicy-default-auth';

Properties Added

The following property files have been updated with the mentioned properties to support the new functionality:

application-default.properties:

mosip.kernel.idobjectvalidator.mandatory-attributes.reg-processor.crvs_new Mandatory attributes for infant birth registration flow.
mosip.kernel.idobjectvalidator.mandatory-attributes.reg-processor.crvs_death Mandatory attributes for death registration flow.
provider.packetreader.crvs1 Packet reader for the source with the name CRVS1. This property should be updated if the source name is changed.
provider.packetwriter.crvs1 Packet writer for the source with the name CRVS1. This property should be updated if the source name is changed.

Fields Added to identity-mapping JSON:

deceasedDeclarationDate
declaredAsDeceased
typeOfDeath

New Camel Routes:

registration-processor-camel-routes-crvs_death-default.xml New Camel route for death registration packet processing.
registration-processor-camel-routes-infant-crvs_new-default.xml New Camel route for infant birth registration packet processing.

registration-processor-default.properties:

registration.processor.additional-process.category-mapping Mapping of the additional process to the internal process.
registration.processor.vid-support-for-update Enables VID support for updates.
mosip.regproc.workflow-manager.instance.api-id Unique ID for the workflow instance API.
mosip.regproc.workflow-manager.instance.version A version of the workflow instance API.
registration.processor.notification.additional-process.category-mapping Mapping of the additional process to the internal process for notification.

For more details on ID schema and configurations please refer here.

Deploy

Effortlessly deploy and configure with comprehensive guides , repositories and more.

Build and deploy

Refer to repo.

Configurations

Refer to Configuration Guide.

.well-known

What is .well-known folder?

The ".well-known" folder is a convention used in web development to provide a standardized location for certain files or resources that need to be publicly accessible and discoverable. It typically resides at the root level of a website or web server. The purpose of this folder is to make it easy for web clients (browsers, applications, or services) to find important files or resources related to web services and security.

Why should we use ".well-know" directory in MOSIP?

MOSIP can use the ".well-known" directory to serve the following purposes:

Standardization: To provide a standardized location for specific public files and resources related to web services and security. It makes it easier for developers and web clients using MOSIP to know where to look for important information.
Security: Security-related files and resources can be placed in the ".well-known" directory, such as the public certificate for encryption and signature verification can be placed here.
Interoperability: By following the ".well-known" convention, web developers using MOSIP can ensure interoperability with various web standards and protocols. For example, MOISP shares the context file which contains the structure of its Verifiable Credentials.
Ease of Configuration: Web servers can be configured to serve files from the ".well-known" directory without needing custom configurations for each specific resource. This simplifies the server setup and maintenance process.
Transparency: For matters related to security policies and contact information, such as in the "security.txt" file, placing them in a well-known location makes it transparent and easily accessible to anyone interested in the website's security practices.

How is ".well-known" directory used in MOISP?

MOSIP's ".well-know" directory contains three files,

controller.json
mosip-context.json
public-key.json

controller.json

The "controller.json" file is used in MOSIP to share the details of the public key using which a MOSIP-issued verifiable credential can be asserted.

mosip-context.json

The "mosip-context.json" file contains the schema of the subject in the MOSIP-issued verifiable credential.

public-key.json

The "public-key.json" file contains the public key using which the signature of the MOSIP-issued verifiable credential can be asserted.

Custom Handle Implementation Guide

What is a handle?

UIN / VID are system-generated unique identifiers provided to Residents. Residents are allowed to authenticate themselves using either UIN / VID.

What if residents are given the flexibility to create their handle (username) and use their unique handle to authenticate?

Handles can include resident's phone number, e-mail ID, or any linked functional ID / sectoral ID.
The handle can also be a custom username created through the resident portal.

Note: A recyclable ID, such as a mobile number, cannot be used as a handle. Handles must be unique and persistent to ensure reliable identification and authentication. Since mobile numbers and similar IDs can be reassigned or changed over time, they do not meet the criteria for a secure handle. Instead, handles should be chosen from identifiers that remain constant for the user, minimizing the risk of identity conflicts or unauthorized access.

Overview

Countries that have an established user base can now register users onto a relying portal using their distinctive identifiers referred to as handles. These handles are tailored to meet the specific requirements of each country, enabling users to easily access digital services and receive prompt benefits from both the government and private sector. This approach eliminates the need for users to remember a new or system generated IDs.

How does it work?

The implementation of custom handles involves below steps:

Mark the fields that can be used as user handles. A new attribute is introduced in identity schema, handle which accepts boolean value. More than one field in the identity schema can be marked as handle.
With phone as an example:
{"fieldCategory": "phone number", "format": "none", "type": "string", "fieldType": "default", "requiredOn" : "", **"handle" : true**},
When the user registers, collected user data should contain selectedHandles, as more than one field can be marked as handle, user can choose amongst the handle fields to use. User can also choose all of them. Client UI’s collecting user data during registration can decide to provide this option to the user or it can also set selected handles to default values as decided by the country. selectedHandles is also a field in schema, identity.
"selectedHandles" : {"fieldCategory": "none","format": "none","type": "array","items" : { "type" : "string" },"fieldType": "default" }
When the collected identity object is sent to the ID repository, it validates the data and accepts the handle provided it is unique amongst the registered handles.
Note: If duplicated, a request to register the user is rejected.
Once identity is successfully processed and stored in an ID-repository, identity credentials are issued to IDA to store user credentials for each ID (UIN & VID) as well for each selected handle.
ID-repository can be configured to disable issuance of user credential to IDA for both UIN or VID using below properties.
mosip.idrepo.identity.disable-uin-based-credential-request=true

What is handles collision? How handles collision can be avoided?

If the system is configured to use more than one functional ID as a handle and if two different functional ID systems followed the same format /pattern to generate an ID, handles collision may occur.

Collision between two different functional IDs will result in denying the creation / updating of a handle for a resident.

Solution: Every handle stored is postfixed with handle type and the handle type is chosen based on the handle field ID in the identity schema. On every authenticate request, IDA will expect handle postfixed with handle_type as input.

Property mentioned below is introduced in ID repository to postfix handle type on every creation of identity.

mosip.identity.fieldid.handle-postfix.mapping={'phone':'@phone'}

Property mentioned below is introduced in Id-authentication-default.properties file to validate the handle value based on the postfix provided in the inidivdualId input.

mosip.ida.handle-types.regex={ '@phone' : '^\\+91[1-9][0-9]{7,9}@phone$' }

Conclusion

Implementing custom handles provides a user-friendly approach to user authentication without burdening end users with the need to remember additional or system generated complex IDs.

Identity Verification

The Identity Verification category in MOSIP encompasses modules responsible for authenticating and verifying the identity of individuals using various mechanisms. Below are the modules under this category, each with a brief description and a link to their respective overview pages:

ID Authentication Services: Provides APIs for authenticating individuals based on their identity data, including demographic and biometric information.
ID Authentication (IDA): IDA module in MOSIP is an independent service that enables seamless identity verification using data from any system. Multiple IDA modules can run from a single issuer, providing services like authentication, OTP generation, and internal processes.

ID Authentication Demographic Data Normalization

Demographic data normalization is the process of applying rules for formatting of the demographic data (such as the address) into a common format before demographic data matching is verified during the demographic authentication in IDA. For example, for address lines, the '1st Street' can be replaced with '1 st' and 'C/o' can be removed from both the input and database data before the match is verified. These rules will be different for different languages, and may be configured/implemented differently.

The ID-Authentication Demographic data normalization mentioned here is specific to the Demo-SDK reference implementation of the Kernel Demographic API. It takes the below configuration to apply the name and address normalization rules.

For any other custom implementation of the normalization, the Demo-SDK needs to be implemented accordingly.

Demographic name/address normalization using regular expressions and their replacement configurations

The below configuration is used to define the separator for normalizing regex (pattern) and the replacement word. The default is set to '='.

ida.norm.sep==

The format for configuring the name/address normalization rules for any language is given below:

ida.demo.<name/address/common>.normalization.regex.<languageCode/any>[<sequential index starting from 0>]=<reqular expression>${ida.norm.sep}<replacement string>

* name/address/common - type of normalization, common applies to both name and address

* languageCode - this is the code for languages like hin, eng, any('any' applies to any language)

If replacement string is not specified, the regular expression will be replaced with empty string.

Note: It is recommended that the sequence is not broken in the middle otherwise all normalization properties will not be read for the particular type.

Normalization rules for English language

ida.demo.address.normalization.regex.eng[0]=[CcSsDdWwHh]/[Oo]
ida.demo.address.normalization.regex.eng[1]=(M|m|D|d)(rs?)(.)
ida.demo.address.normalization.regex.eng[2]=(N|n)(O|o)(\\.)?
ida.demo.address.normalization.regex.eng[3]=[aA][pP][aA][rR][tT][mM][eE][nN][tT]${ida.norm.sep}apt 
ida.demo.address.normalization.regex.eng[4]=[sS][tT][rR][eE][eE][tT]${ida.norm.sep}st 
ida.demo.address.normalization.regex.eng[5]=[rR][oO][aA][dD]${ida.norm.sep}rd 
ida.demo.address.normalization.regex.eng[6]=[mM][aA][iI][nN]${ida.norm.sep}mn 
ida.demo.address.normalization.regex.eng[7]=[cC][rR][oO][sS][sS]${ida.norm.sep}crs 
ida.demo.address.normalization.regex.eng[8]=[oO][pP][pP][oO][sS][iI][tT][eE]${ida.norm.sep}opp 
ida.demo.address.normalization.regex.eng[9]=[mM][aA][rR][kK][eE][tT]${ida.norm.sep}mkt 
ida.demo.address.normalization.regex.eng[10]=1[sS][tT]${ida.norm.sep}1 
ida.demo.address.normalization.regex.eng[11]=1[tT][hH]${ida.norm.sep}1 
ida.demo.address.normalization.regex.eng[12]=2[nN][dD]${ida.norm.sep}2 
ida.demo.address.normalization.regex.eng[13]=2[tT][hH]${ida.norm.sep}2 
ida.demo.address.normalization.regex.eng[14]=3[rR][dD]${ida.norm.sep}3 
ida.demo.address.normalization.regex.eng[15]=3[tT][hH]${ida.norm.sep}3 
ida.demo.address.normalization.regex.eng[16]=4[tT][hH]${ida.norm.sep}4 
ida.demo.address.normalization.regex.eng[17]=5[tT][hH]${ida.norm.sep}5 
ida.demo.address.normalization.regex.eng[18]=6[tT][hH]${ida.norm.sep}6 
ida.demo.address.normalization.regex.eng[19]=7[tT][hH]${ida.norm.sep}7 
ida.demo.address.normalization.regex.eng[20]=8[tT][hH]${ida.norm.sep}8 
ida.demo.address.normalization.regex.eng[21]=9[tT][hH]${ida.norm.sep}9 
ida.demo.address.normalization.regex.eng[22]=0[tT][hH]${ida.norm.sep}0 
# Note: the common normalization attributes will be replaced at the end.
# Special characters are removed : . , - * ( ) [ ] ` ' / \ # "
# Replace special char with space. Trailing space is removed from property. As a workaround first replacing with " ." then removing the "."
ida.demo.common.normalization.regex.any[0]=[\\.|,|\\-|\\*|\\(|\\)|\\[|\\]|`|\\'|/|\\|#|\"]${ida.norm.sep} .
# Trailing space is removed from property. As a workaround first replacing with " ." then removing the "."
ida.demo.common.normalization.regex.any[1]=\\s+${ida.norm.sep} .
ida.demo.common.normalization.regex.any[2]=\\.${ida.norm.sep}

Normalization rules for Non-English language

For non-english languages, the non-english words needs to be converted into UTF-16 and then copied to the configuration. For example, convert the Unicode characters to UTF-16.

Before conversion: ida.demo.address.normalization.regex.hin[0]=पहली${ida.norm.sep}पहला

After conversion: ida.demo.address.normalization.regex.hin[0]=\u092a\u0939\u0932\u0940${ida.norm.sep}\u092a\u0939\u0932\u093e

ID Authentication Service Developers Guide

Overview

The services mentioned below are used by Authentication/e-KYC Partners.

Authentication service- used to authenticate an individual's UIN/VID using one ore more authentication types.
KYC Authentication service- used to request e-KYC for an individul's UIN/VID using one ore more authentication types.

The documentation here will guide you through the prerequisites required for the developer' setup.

Software setup

Below are a list of tools required in ID Repository Services:

JDK 11
Any IDE (like Eclipse, IntelliJ IDEA)
Apache Maven (zip folder)
pgAdmin
Postman
Git
Notepad++ (optional)
lombok.jar (file)
settings.xml (document)

Follow the steps below to set up ID Repository Services on your local system:

1. Download lombok.jar and settings.xml from .

2. Unzip Apache Maven and move the unzipped folder in C:\Program Files and settings.xml to "conf" folder C:\Program Files\apache-maven-3.8.4\conf.

3. Install Eclipse, open the lombok.jar file and wait for some time until it completes the scan for Eclipse IDE and then click Install/Update.

5. Configure the JDK (Standard VM) with your Eclipse by traversing through Preferences → Java → Installed JREs.

Code setup

For the code setup, clone the repository and follow the guidelines mentioned in the .

Importing and building of a project

Open the project folder where pom.xml is present.
Open command prompt from the same folder.
Run the command mvn clean install -Dgpg.skip=true to build the project and wait for the build to complete successfully.
After building of a project, open Eclipse and select Import Projects → Maven → Existing Maven Projects → Next → Browse to project directory → Finish.
After successful importing of project, update the project by right-click on Project → Maven → Update Project.

Environment setup

1. For the environment setup, you need an external JAR that is available with different versions. (E.g.: You can download kernel-auth-adapter.jar and add to project Libraries → Classpath → Add External JARs → Select Downloaded JAR → Add → Apply and Close).

2. Clone .

3. Create an empty folder inside the mosip-config with sandbox-local name and then copy and paste all config files inside sandbox-local folder except .gitignore, README and LICENSE.

4. As ID Authentication is using two properties files, id-authentication-default and application-default, you will have to configure them according to your environment. The same files are available for reference.

Properties to be updated:

application-default.properties

mosip.mosip.resident.client.secret = <current_password>.
db.dbuser.password=<password>.
mosip.kernel.xsdstorage-uri=file:///home/user/Desktop/tspl/mosip-config/sandbox-local/(i.e. sandbox-local folder location).
Comment this out auth.server.admin.issuer.internal.uri in application-default.properties file because you already have this auth.server.admin.issuer.uri , and hence there is no need of auth.server.admin.issuer.internal.uri.
mosip.identity.mapping-file=<Path_to_identity_mapping_json_file>. (For Example: file:///home/user/Desktop/tspl/mosip-config/sandbox-local/identity-mapping.json)

id-authentication-default.properties

......
......

5. To run the server, two files are required- and .

Example:

7. Run the server by opening the config-server-start.bat file.

The server should now be up and running.

Below are the configurations to be done in Eclipse:

1. Open Eclipse and run the project for one time as Java application, so that it will create a Java application which you can see in debug configurations and then change its name. (e.g.: project name with environment - "Auth-Service-Dev").

2. Open the arguments and pass this -Ddomain.url=dev.mosip.net -Dapplication.base.url=http://localhost:8090 -Dspring.profiles.active=default -Dspring.cloud.config.uri=http://localhost:51000/config -Dspring.cloud.config.label=master in VM arguments.

3. Here, the domain URL represents the environment on which you are working (eg., it can be dev2.mosip.net or qa3.mosip.net).

4. Click Apply and then debug it (starts running).

Authentication Service API

For API documentation, refer .

ID Authentication OTP Service Developer Guide

Overview

OTP Request Service is used by Authentication/e-KYC Partners to generate OTP for an individual's UIN/VID. The generated OTP is stored in IDA DB for validation during OTP Authentication.

The documentation here will guide you through the prerequisites required for the developer' setup.

Software setup

Below are a list of tools required in ID Repository Services:

JDK 11
Any IDE (like Eclipse, IntelliJ IDEA)
Apache Maven (zip folder)
pgAdmin
Postman
Git
Notepad++ (optional)
lombok.jar (file)
settings.xml (document)

Follow the steps below to set up ID Repository Services on your local system:

1. Download lombok.jar and settings.xml from .

2. Unzip Apache Maven and move the unzipped folder in C:\Program Files and settings.xml to "conf" folder C:\Program Files\apache-maven-3.8.4\conf.

3. Install Eclipse, open the lombok.jar file and wait for some time until it completes the scan for Eclipse IDE and then click Install/Update.

5. Configure the JDK (Standard VM) with your Eclipse by traversing through Preferences → Java → Installed JREs.

Code setup

For the code setup, clone the repository and follow the guidelines mentioned in the .

Importing and building of a project

Open the project folder where pom.xml is present.
Open command prompt from the same folder.
Run the command mvn clean install -Dgpg.skip=true to build the project and wait for the build to complete successfully.
After building of a project, open Eclipse and select Import Projects → Maven → Existing Maven Projects → Next → Browse to project directory → Finish.
After successful importing of project, update the project by right-click on Project → Maven → Update Project.

Environment setup

2. Clone .

3. Create an empty folder inside the mosip-config with sandbox-local name and then copy and paste all config files inside sandbox-local folder except .gitignore, README and LICENSE.

Properties to be updated:

application-default.properties

mosip.mosip.resident.client.secret = <current_password>.
db.dbuser.password=<password>.
mosip.kernel.xsdstorage-uri=file:///home/user/Desktop/tspl/mosip-config/sandbox-local/(i.e. sandbox-local folder location).
Comment this out auth.server.admin.issuer.internal.uri in application-default.properties file because you already have this auth.server.admin.issuer.uri , and hence there is no need of auth.server.admin.issuer.internal.uri.
mosip.identity.mapping-file=<Path_to_identity_mapping_json_file>. (For Example: file:///home/user/Desktop/tspl/mosip-config/sandbox-local/identity-mapping.json)

id-authentication-default.properties

......
......

5. To run the server, two files are required- and .

Example:

7. Run the server by opening the config-server-start.bat file.

The server should now be up and running.

Below are the configurations to be done in Eclipse:

3. Here, the domain URL represents the environment on which you are working (eg., it can be dev2.mosip.net or qa3.mosip.net).

4. Click Apply and then debug it (starts running).

Authentication OTP Service API

For API documentation, refer .

ID Authentication

Overview

What is ID Authentication?

IDA (ID Authentication) module in MOSIP is an independent service that enables seamless identity verification using data from any system. Multiple IDA modules can run from a single issuer, providing services like authentication, OTP generation, and internal processes.

MOSIP recommends using eSignet for authentication, which leverages the IDA module to ensure secure and unified identity verification. eSignet simplifies the process by streamlining authentication across services, ensuring compliance with MOSIP’s security protocols. This enables both governmental and private entities to securely authenticate residents without needing multiple solutions.

Read more about eSignet and its capabilities here. The typical authentication flow is illustrated below:

Authentication types

The following types of authentication are offered by MOSIP's ID Authentication (IDA) module and are utilized through eSignet for ID verification by external parties:

1. Yes/No Authentication

MOSIP offers a yes/no API that can be used for the verification of attributes supplied along with authentication factors. The API verifies the identifier and the provided demographic attributes and also validates other authentication factors such as the OTP or biometrics and responds with a yes or a no. Successful verification of the data results in a yes. This kind of API can be typically used to support the verification of a limited set of demographic data about the person or for simple presence verification when biometrics are used.

2. KYC Authentication

MOSIP additionally offers a KYC API, which can be used to get an authorized set of attributes for the resident in the response of the API. This API is intended for use by authorized relying parties to perform KYC requests. The authentication includes an identifier along with authentication factors such as OTP and biometrics. The information returned is governed by a policy. Different relying parties can be provided with different KYC data based on their needs. The policy helps implement selective disclosure as part of the KYC data. The data thus returned is digitally signed by the server and can be used by the relying party with confidence.

3. Multifactor authentication

The authentication APIs support multiple factors. These can be:

Biometric: Finger, face, iris
Demographic: Name, date of birth, age, gender, etc.
OTP: One-Time Password Based on the level of assurance needed for the transaction, the relying party can decide which factors are sufficient for identity verification.
Password-based authentication.

Biometric authentication is performed using third-party matcher SDK that performs 1:1 matches on a given modality. Each biometric modality is treated as an independent factor in authentication.

VID

All authentications in MOSIP operate on a 1:1 matching principle. This requires the authentication request to include an identifier for the individual, along with authentication factors to verify the identity. MOSIP supports multiple identifiers for each person, which enhances privacy and prevents profiling. The individual can be authenticated using their UIN or alternate identifiers like VIDs. When a VID is used, additional checks ensure it hasn't expired or been revoked. The expiration of a VID is governed by the policy set during its creation.

To understand VIDs and their characteristics, read more about VID.

Tokenization

In certain contexts, identity verification can be performed anonymously for one-time use. However, when identity verification is tied to transactions requiring identity assurance, it becomes necessary to link the user's identity to the transaction. This is done by providing relying parties with a "sticky" token identifier, which can serve as a reference ID for the individual in their system. When authentication is successful, the APIs return a token. Depending on the relying party’s policies, the token may be random or "sticky." The relying party is expected to store this token for future reference, customer identification, and audit or redressal purposes.

Learn more about the Token ID.

Relying parties and policies

Hotlisting

MOSIP has a provision to help protect against the misuse of identity. For any report of lost identity or detection of fraudulent activity by fraud, the module can require the temporary suspension of authentication activities on a user. This is enabled by the hotlisting feature. The authentication service checks if the identifier used is hotlisted and if so, the authentication process is aborted and fails. The hotlisting service can be used by helpdesk and fraud solutions to list and delist the identifiers that need to be blocked temporarily.

Identity Management

Identity Management refers to the processes and technologies used to create, maintain, and manage digital identities. In MOSIP, it ensures secure and efficient handling of individual identity data throughout its lifecycle.

Resident Services: Provides APIs for managing resident data, including creation, updates, and retrieval of demographic and biometric information.
Resident Portal: A reference UI for residents to easily access and manage their identity data.
ID Schema: Defines the structure and format of identity data, ensuring consistency and interoperability across the system.
Identifiers: Manages the generation, assignment, and lifecycle of unique identifiers for individuals within the MOSIP ecosystem.

ID Schema

Overview

ID Schema is a standard JSON schema that defines dataset that can be stored in the Identity repository for a resident. The schema allows the adopters to customize the fields that's needed for running the identity program.

Defining the ID Schema is the first step towards creating a foundational ID system. Once defined, all applications built on top of the MOSIP platform must conform to the same.

One should not confuse ID Schema with what is seen on the screen of the Registration client/ Pre-registration. ID Schema is the final data that you would like to store against each user in the final ID Repository. Quite often we collect more data than listed in ID Schema. This is essential to validate the user's claim. We should consider these data as transactional and it will never reach the final ID Repository.

Understanding ID Schema

This guide is intended for adopters who would customize the default ID Schema to suit the needs of a specific deployment.

Terminology

Field: Unit of data collected from residents (eg. fullName, dateOfBirth, proofOfIdentity etc).
Field attribute: Qualification of Field (e.g.: fieldCategory, fieldType, etc).
Definition: Custom data types are defined for collecting different types of data:
- simpleType: Multiple languages.
- documentType: Document metadata.
- biometricType: Biometric file CBEFF XML metadata

JSON keys

bioAttributes:
- leftEye, rightEye, leftIndex, leftRing, leftLittle, leftMiddle, rightIndex, rightRing, rightMiddle, rightLittle, rightThumb, leftThumb, face,
fieldCategory
- none: Cannot be used for any purpose. But will be stored in id.json (default subpacket). These are used in exceptional cases when we need to store some data for future reference in case of investigating an ID fraud or if law mandates the storage of such data.
- pvt: Private information, can be used in authentication. A limited data that can be used for authentication & kyc.
- kyc: Information that can be disclosed to partners either as a credential or through the ekyc API's.
- evidence: Field is treated as proof and may be subjected to removal. In certain countries law mandates deletion of such data once the Identity of the user is verified. Marking some of the fields as evidence helps in deleting them without violating the source of truth signatures.
- optional: Field is treated as proof and will be removed after a predefined interval (defined as policy).
format
- lowercased: Value stored in lower case format
- uppercased: Value stored in upper case format
- none: No format applied to the data
validators
- type: Validation engine type. Supported type as of now is regex.
- validator: Based on the type the actual script is placed here. In case the type is regex then the actual regex pattern is used here.
- arguments: Array to hold parameter or dependent field IDs required for validation.
subType
- For every documentType field, document category code must be the value of this key. This document category code is used to validate the provided document types in the ID object.

Refer to the sample ID Schema. A guide to customising the same is given below.

ID schema is loaded as a part of master data to identity_schema table in mosip_masterdata DB.

Dependencies

If any changes are made to the default ID Schema, make sure the following dependencies are updated as well:

UI Specifications
- Pre-registration
- Registration Client
Identity Mapping JSON
ID Authentication Mapping JSON
Applicanttype MVEL

Versions of ID Schema

ID Schema is identified based on it's version in the MOSIP system. On publishing of an ID Schema, the schema is versioned. Every ID Object stores the ID Schema version which is validated during ID Object validation.

Good Practice

The following is the list of good practices that MOSIP recommends for creating your ID Schema.

As a privacy by design practice, it is recommended that the number of fields is kept to a usable minimum in order to avoid profiling.
Larger number of data results in serious data quality issues.
Keeping the fields minimum ensures everyone is inclusively added to the foundational identity.
As a best guide, limit the total number of fields to be less than 10.
Stick to one version of ID Schema for better compatibility.

Identifiers

Overview

In the context of MOSIP, identifiers are alphanumeric digital handles for identities in the system. While a person's identity is represented as a collection of biographic and biometric attributes that can uniquely identify the person, the identity is referred to using identifiers.

UIN

Unique Identification Number (UIN), as the name suggests, is a unique number assigned to a resident. UIN never changes and is non-revocable. UIN is randomized such that one should not be able to derive any Personal Identifiable Information (PII) from the number itself.

The rules that govern generation of a UIN are listed here.

VID

The VID / Virtual ID is an alias identifier that can be used for authentication transactions. The key characteristic of such an identifier is that it expires. This allows for free disclosure and usage of this identifier in various contexts. It is privacy friendly in a way such that it can be revoked, configured for one time usage and is not linkable. Since these are used for authentication transactions, such identifiers are to be known to the user only or generated with their participation.

RID / AID

The Application ID (AID) refers to the unique identifier given to a resident during any ID lifecycle event, such as ID Issuance, ID Update, or Lost ID retrieval, at the registration center. It serves as a distinguishing factor for each specific event and can later be utilized by the resident to check the progress or status of the event. Previously, in MOSIP, the Application ID was referred to as the RID (Registration ID) and/or PRID (Pre-registration ID).

PRID

The PRID is a specialized RID used in the pre-registration system.

Token ID (PSUT - Partner Specific User Token)

The Token identifier/PSUT is a system provided customer reference number for relying parties to uniquely identify the users in their system. The token identifier is an alias meant for the partner/relying party typically unique (Configured through PMS policy, in case uniqueness is not the need then partner policy can be set to provide random number) to them. This identifier is included in the response of the authentication transactions. One key differentiator is that the PSUT is not accepted as an identifier for authentication transactions. This ensures that the partner who has the PSUT can not reauthneticate.

Resident Portal

Smart, Secure and Self-service for every resident.

Overview

Resident services are self-service tools utilized by residents through an online portal. The is a web-based user interface application that offers services related to the residents' Unique Identification Number (UIN). Through this portal, residents can perform various operations related to their UIN or VID and can also raise any concerns they may have.

The relationship of Resident services with other services is listed below.

Note: The numbers do not signify the sequence of operations or the control flow.

Audit Manager: Resident services sends all the audit logs to the Audit Manager.
Digital card service: Resident services use this service to download the PDF of the UIN card or VID card.
Credential Request Generator Service: This service is used to share credentials with various partners, such as print, authentication, and digital card partners.
ID Repository Identity Service: Resident services use this service to retrieve a credential's identity information and lock/unlock authentication types.
ID Repository VID service: This service is used to generate/revoke various types of VIDs.
ID Authentication: This service is used by Resident services to authenticate users.
MOSIP e-Signet: This is used to authenticate and authorize the users in the event of login using UIN/ VID.
Resident UI: This is the interface through which users can interact with the Resident Services.
WebSub: This is used to get asynchronous notifications from IDA for acknowledgment purposes.
Registration Processor: This is used to sync and upload packets for features about changes in identity data.
Packet Manager: Resident services use this service to create packets.
Partner Management Service: Resident services use this service to get information about various partners and policies.
Keycloak: Resident services use this to authenticate to access the MOSIP internal APIs. The Resident Services communicates with endpoints of other MOSIP modules via a token obtained from Keycloak.
Master data service: Resident services invoke the Master Data services to get various templates and machine details.
Notification service: Resident services use this service to send various notifications through email or SMS.
Key Manager: Resident services use Key Manager to encrypt or decrypt the data used across features.

Design Principles

The design of the Resident portal embodies the following principles:

One-stop solution: The Resident portal is designed to have components that aim to solve all the queries, issues, or discrepancies of the residents and act as a one-stop solution for all the requirements.
Self-Sovereign: Once the ID is issued by an authority, the user/resident/citizen chooses to control and manage their data in their choice of devices.
Inclusive: The Resident portal aims to be available in all browsers while also catering to the needs of visually impaired, dyslexic, and color-blind folks.
Presence assurance: This web-based UI application would put in all its efforts to ensure easy access to all the residents with high availability.
Works Remote: The Resident portal should be able to share credentials when data needs to be shared remotely without physical presence.
Trusted: The identity verification process on the device should be trusted so that it can be used in service delivery without any concerns.
Grievance redressal: The Resident portal ensures that in case of any concerns or grievances, the issue is raised and resolved through the portal itself.

Documentation

Features

Explore features of the Resident Portal.

The key features provided on the Resident portal are mentioned below.

1. Avail UIN services using UIN/ VID (through ):

View My History: This feature enables the Resident to view the history of transactions associated with their UIN.
Manage My VID: Residents can create, delete, and download VID cards based on requirements.
Secure My ID: Residents can lock or unlock their authentication modalities such as fingerprint authentication, iris authentication, email OTP authentication, SMS OTP authentication, thumbprint authentication, and face authentication.
Track My Requests: This feature enables the Residents to enter an Event ID associated with the logged-in user’s UIN to track the status of the event.
Get Personalized Card: The residents can download a personalized card which essentially means that they can choose the attributes that they would want to be added to their cards.
Share My Data: This feature enables Residents to choose the data that they want to share with a MOSIP-registered partner.
Update My Data: This feature enables the Resident to update their identity data, address, email ID, phone number, and notification language preference.
Logout: Once the Resident is done with the activities that he wanted to perform, he can end the active session by logging out from the portal.

2. Get Information

About Registration Centers: Residents can get a list of Registration Centers near them or Registration Centers based on the location hierarchy.
List of supporting documents: Residents can get the list of all the supporting documents as Proof of Identity, Proof of Address, Proof of Relationship, etc.

3. Get My UIN (using UIN/ VID/ AID)

Using this feature, the Resident can download their password-protected UIN card if the UIN card is ready or they can view the status of their Application ID (AID) if the UIN card is still in progress.

4. Verify Email ID and/ or phone number

Using this feature, the Resident can verify if the email ID/ Phone number given during registration is correct or not. This will be done by verifying the OTP sent over the registered email ID/ Phone number.

5. Book an appointment for new enrollment (via the pre-registration portal)

Using this feature, the Resident can book an appointment to visit the Registration center.

6. Ancillary features

Multi-lingual support: Residents can view and use the Resident Portal in multiple languages including RTL languages.
Get Notifications (email and bell notifications): Residents will be getting bell-icon notifications for the asynchronous events if they have an active session i.e. they have logged into the Resident Portal.
View profile details of the logged-in user (name, photo, and last login details): The Resident will be able to view the name, and photo of the logged-in user. They will also be able to see the last login details of the Resident.
Responsive UI support: Support for the application to work seamlessly on various resolutions.

Below is an image summarizing the features provided in the Resident portal.

Develop

UI Developers Guide

This repository contains the UI code for the Resident portal. To know more about the features and functions present on the portal, refer here.

Build and Deployment

The code is written in Angular JS.

Install node.js- To build the angular code using angular cli that runs on node, recommended Node: 14.17.3, Package Manager: npm 6.14.13
Install angular cli – To install angular cli for building the code into deployable artifacts. Follow the following steps to install angular cli on your system.
- npm install -g @angular/cli (to install angular cli)
- ng --version (to verify angular is installed in the system) We recommend Angular CLI: 7.2.1
Check out the source code from GIT – To download the source code from git, follow the steps below to download the source code on your local system.
- git clone https://github.com/mosip/resident-ui.git (to clone the source code repository from git)

For Production build

Build the code
Follow the steps below to build the source code on your system.
- Navigate to the resident-ui directory inside the cloned repository.
- Run the command ng build "--prod" "--base-href" "." "--output-path=dist" in that directory to build the code.
Build Docker image
Follow the steps below to build the docker image on your system.
- docker build -t name . (replace name with the name of the image you want, "." signifies the current directory from where the docker file has to be read.)
- Example: docker build -t residentui .
Run the Docker image
Follow the steps to build a docker image on your system.
- docker run –d –p 80:80 --name container-name image-name (to run the docker image created with the previous step,-d signifies to run the container in detached mode, -p signifies the port mapping left side of the":" is the external port that will be exposed to the outside world and the right side is the internal port of the container that is mapped with the external port. Replace container-name with the name of your choice for the container, replace image-name with the name of the image specified in the previous step)
- Example: docker run -d -p 8080:8080 --name nginx residentui
Now you can access the user interface over the internet via a browser.
- Example: http://localhost:8080/#/dashboard

For Local build

Build & deploy the code locally
Follow the steps below to build the source code on your system.
- Navigate to the resident-ui directory inside the cloned repository. Then, run the following command in that directory:
  - npm install
  - ng serve
Now, you can access the user interface via the browser.
- Example: http://localhost:4200

UI Specifications

Overview

UI specs of resident module are used to configure the form fields across Resident Portal. UI specs are saved as a JSON file with a list of fields. Each field has a set of attributes/ properties that can be configured which affects the look and feel along with the functionality of the field.

Below is the list of all the properties available for each field in the Resident Portal UI specs:

Property Name

Details

Sample Value

id

The id property is the unique id provided to a field to uniquely identify it. The id can be alpha-numeric without any spaces between them.

"id":"zone"

description

This is a non-mandatory property used to describe the field.

"description": "zone"

labelName

This property defines label name for the field. This property has sub-attributes as the language code (eng, fra, ara) to store data in different languages based on the country's configuration.

"labelName": { "eng": "Zone", "ara": "منطقة", "fra": "Zone"}

controlType

This property defines the kind of UI component to be used to capture data in UI. Currently the values that can be used are: • textbox (creates multiple textboxes for each field to capture input in all the languages configured for the setup) • dropdown • fileupload • date (creates a date picker) • ageDate (creates a date picker along with number toggle to provide age directly) • checkbox (creates a toggle checkbox for the field which can be checked or unchecked) • button (creates dropdown options as buttons, which user can select easily)

inputRequired

This property decides if the field is to be displayed in the UI form or not. It is useful for some internal fields which do not need any input from the user.

required

This is a mandatory property which decides if the field is a required form field or not. If true, user must provide some value for the field.

type

This property defines the data type of the value corresponding to this field. The data types supported are “number”, “string” and “simpleType”. The type “simpleType” means that language specific value will be saved along with the language code.

fieldType

This property is relevant when control type is “dropdown” or “button”. It defines if the field is of type “default” or “dynamic”. If it is “dynamic” then all the options for the dropdown are populated from the “master.dynamic_field” table otherwise they are populated from corresponding table example “master.gender”

subType

This is relevant for 2 cases: 1. When control type is “dropdown”/ “button” and the type is “dynamic” then “subtype” can be used to populate the options for the field with the data available in “master.dynamic_field” table. 2. When the control type is “fileupload”, then the property ”subtype” is used to map the field to a “code” in the “master.doc_category” table.

validators

This property enables us to add the list of language specific validators for the field. * Each validator can have the below fields, “langCode”, “type”, “validator”, “arguments”, “errorMessageCode” * The “type” defines the validation engine type. * The “validator” gives the pattern/ methodName/ scriptName/ expression * The “arguments” array to is used to hold parameter or dependent field ids required for validation * The “errorMessageCode” can be given to add custom error message which will be shown to the user when the validation fails. The error message corresponding to this code will be picked from language specific i18n translation files. In case “errorMessageCode” is not given then generic error message will be displayed to the user when validation fails. Currently, regex is supported by MOSIP. If “langCode” is not added then same “validator” is used for all languages of the field.

"validators": [{ "langCode": "eng", "type": "regex", "validator": "^(?=.{0,50}$).*", "arguments": [], "errorMessageCode": "UI_1000" },{ "langCode": "ara", "type": "regex", "validator": "^[A-Z]+$", "arguments": [] },{ "langCode": "fra", "type": "regex", "validator": "^[A-Z]+$", "arguments": [] }]

locationHierarchyLevel

This attribute is mandatory for the location dropdown fields. The value will be as per corresponding location hierarchy level from the master.loc_hierarchy_list table.

{ "id":"region", "controlType":"dropdown", "fieldType":"default", "type":"simpleType", "parentLocCode":"MOR", "locationHierarchyLevel":1 ..}

parentLocCode

This attribute is to be used only for location dropdown fields and it is optional. The corresponding location dropdown will be pre populated in UI based on the value in “parentLocCode”. If this attribute is NOT mentioned in UI specs, then the dropdown will be populated based on selection in its parent dropdown, as before. For the first dropdown, in case this attribute is not mentioned in UI specs then the value from “mosip.country.code” configuration will be used for backward compatibility.

{ "id":"region", "controlType":"dropdown", "fieldType":"default", "type":"simpleType", "parentLocCode":"MOR", "locationHierarchyLevel":1 ..}

alignmentGroup

* This property is used to group the fields on the screen. * If it is skipped, then all the fields will appear in same sequence (horizontally layout) as they appear in UI specs. * If you want the first and fifth field to be in same row in the screen, you can add this attribute with same group name. * The UI is responsive so it will accommodate as many fields in one row as they will fit comfortably.

containerStyle

This is used to optionally apply some CSS styles to the UI field container.

"containerStyle": { "width": "600px", "margin-right": "10px" }

Technology Stack

UI & Rest end points:

The table below outlines the frameworks, tools, and technologies employed by Resident Portal.

Tool / Technology

Version

Description

License

Resident Services:

The table below outlines the frameworks, tools, and technologies employed by Resident Services.

Tool / Technology

Version

Description

License

Test

Functional Overview

Resident Portal is a self-help web-b portal that can be used by the residents of a country to avail of the services related to their Unique Identification Number (UIN). The architecture, interface overview, and key services provided are discussed below:

Architecture
Interface overview
Key Services
1. UIN services
  1. View My History
  2. Secure My ID
  3. Manage My VID
  4. Track My Request
  5. Download My Personalized Card
  6. Update My Data
  7. Share My Credential
2. Get Information
  1. Supporting Document
  2. Registration Center
3. Verify Email ID/Phone number
4. Get My UIN
5. Booking an Appointment

Below is a detailed explanation of each of the features along with the list of relevant APIs.

Architecture

Interface Overview

The Resident Portal menu bar contains the following:

Font Size- Residents can alter the size of the font based on their preferences.
Language- Residents can select the language of preference.
Bell icon Notification- Residents can view the notifications of all the asynchronous events in chronological order.

Profile Icon:

Profile Icon- Residents can view the following:
1. Name of the logged in user
2. Photo of the logged in user
3. Last login details
4. Logout option

Workspace

A dashboard view to quickly locate the 'Key Services'

Key Services

UIN Services

View My History

The residents can view the history of all the transactions associated with their logged-in UIN/ AID/ VID. They can also view their details and if any unaccounted entry is found, a report can be raised against the same.

Secure My ID

On clicking “Secure My ID”, the residents can view the status of all the authentication types. They can choose to lock or unlock authentication types like the following:

Email OTP authentication
Phone OTP authentication
Demographic authentication
Fingerprint authentication
Iris authentication
Face authentication

Fetch Authentication Types - Lock status of the individual
Applies the Authentication Types Lock/Unlock request in IDA
\

Manage My VID

On clicking “Manage My VID”, the resident will be taken to a page where they can view details of the existing VIDs, generate new VID, revoke existing VIDs, or download a VID card.

The following types of VIDs can be seen based on the VID policy:

Perpetual VID
Temporary VID
One-time VID

Fetch Active VIDs of the Individual

Revoke the VID of the Individual

Store the Credential Request ID and a new Event ID

Notify that the VID card is Ready to Download status.

Download PDF Card

Track My Requests

On clicking “Track My Requests”, the residents can track the status of an Event ID (EID) associated with the logged-in UIN/ VID. They can also view and download the detailed information about the entered EID.

Download My Personalized Card

On clicking “Get Personalized Card”, the residents can select the data to be added to their credential. They can preview the chosen data and download it. Residents should select at least 3 attributes.

Creates the personalized card and signs it

On clicking “Share My Data”, the residents can choose the data to be shared with any of the registered partners to avail various third party services.

Submits the share credential request

Notifies resident about the credential shared status for the event ID

Update My Data

Fetch existing AID in progress

Submits the update request

Notifies that the UIN card is ready to Download status

Notify for IDENTITY_UPDATED for the Event Id

Get the Status for the AID

Validate the Access token and ID token

Get Information

Fetch Supporting Documents PDF\

Fetch registration centers
\

Verify Email ID/ Phone number

The residents can use this feature to verify their registered email ID or phone number.

Get My UIN

The residents can use this feature for one of the following:

Download their UIN card
Check the status of their Application ID (AID)

Get PDF card for AID if ready

Check if PDF card URL is notified by Digital card service.

Validates the Action token and ID token.

Book an appointment

The residents can book an appointment for registration using the pre-registration portal. To do so, they can click on “Book an appointment” tile which will redirect them to the pre-registration portal. To know more about pre-registration portal, refer to this link [ ]

Collab Guide

The Resident Portal Guide for Collab Environment provides a comprehensive introduction to the services available on Resident Portal, as well as a guide on how to navigate its features.

Resident Portal is a user-friendly web-based platform designed to assist residents in accessing services related to their Unique Identification Number (UIN). This portal allows residents with a UIN to conveniently manage their UIN, protect their identity, track requests, and obtain personalized cards. For a more detailed overview of the features offered, please visit .

This Resident Portal Demo Setup guide serves as a tool to demonstrate the impressive capabilities of MOSIP's system. Let's embark on this journey together to explore the potential of Resident Portal.

Please note that for developers setting up Resident Portal locally, refer to the .

Pre-requisites

Accessing Resident Portal in Collab environment does not require any complex setup.
All you need is a UIN or a VID and you are good to go!
To get your UIN credentials for Collab environment follow the below steps:
- The provision of a UIN (Unique Identification Number) as a demo credential will enable you to have a firsthand experience of the Resident Portal's capabilities and explore its various features.
- Now you can self generate your own UIN Credential using the .
  - Click on the Get UIN button located at the top-right corner of the page. This will open the , Alternatively, you can simply click on this to self register. You need to duly fill the self registration form.
  - On successful registration the UIN is sent to you over the email you used for registration, For more details you follow the .

Note: Please use 111111 as the OTP, for any OTP-based feature in the Collab environment.

Step-by-Step Process

Step 1: Access Resident Portal

Visit the following URL to access Resident Portal in Collab environment:

Step 2: Login

The recommended method for accessing the Resident Portal in the Collab environment is to use a valid UIN (Unique Identification Number), which can be obtained by completing the form provided. This is one of the options available for logging in and accessing UIN-related services on the Resident Portal.

There are multiple methods for logging in to access UIN services on the Resident Portal:

Login with Inji: To download and use the Inji application, click .
Login with Biometrics: To set up a biometrics device on your system, click .
Login with OTP (One-Time Password): Enter UIN/VID received from our end and use 111111 as OTP, for login to Resident Portal in Collab environment.

Step 3: Explore the features of Resident Portal

To access registration related information, click .
Go to Get Information section.
- Click Registration Centers to get the list of Registration Centers near you or to look for Registration Centers based on location hierarchy.
- Click Supporting Documents to get the list of documents that Resident Portal supports.
To download the UIN card or to know the status of your AID, click .
- Next, go to Get My UIN section.
To book an appointment for a new enrolment, click .
- Go to Book an Appointment section.
- Explore the steps of Pre-registration Portal to book an appointment.
To verify your email ID or phone number, click .
- For Email verification- Use the OTP received on your email, as provided at the time of UIN creation.
- For Phone number verification - Since our mobile services are temporarily unavailable, please use the email services.
To access all the features of Resident portal in MOSIP, click to login.
For more information, refer to our .

Additional Resources

To get more information about Resident Portal, click .

You will be able to explore and get a better understanding of Resident Portal configurations, UI, deployment, and OIDC client configuration to mention a few.

By adhering to these instructions, you will acquire the necessary knowledge to effortlessly configure the Resident Portal and proficiently utilize all of its functionalities.

Get in Touch

If you require any assistance or encounter any issues during the testing and integration process, kindly reach out to us through the support mechanism provided below.

Navigate to .
Provide a detailed description about the support you require or provide detailed information about the issue you have encountered, including steps to reproduce, error messages, logs and any other relevant details.

Thank you. Wishing you a pleasant experience!

Deploy

Deployment Guide

This guide contains all the information required for successful deployment and running of Resident Portal. It includes information about the Database and template scripts, seed data, roles, OIDC client setup, etc.

DB scripts

Resident Service DB Scripts to be run: DB scripts

Master-data Template Scripts

The master-data templates required for the Resident portal are added to the template and template type DML excel files in mosip/mosip-data repository. These scripts need to be applied to the corresponding table.

Keycloak Roles

mosip-resident-client needs to have below roles in keycloak:

RESIDENT
SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL
SUBSCRIBE_AUTHENTICATION_TRANSACTION_STATUS_GENERAL
SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL
SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL
CREDENTIAL_REQUEST

Resident OIDC Client setup

Here is the document which explains how resident-oidc partner is onboarded through partner-onboarder after deployment.

For more details on how to configure the Resident OIDC client, refer here.

End User Guide

This user guide is designed to provide assistance to Operators and Supervisors in successfully installing, running, and registering applicants to obtain their Unique Identification Numbers (UIN) on tablet devices.

Prerequisites

Reliable and consistent Internet connectivity.
Tablets running Android version 10 to 13.
Tablets with a minimum of 4 GB RAM.
The tablets need to be capable of capturing fingerprints, iris, and face (photo) biometrics. Additionally, they should also have the ability to scan documents. However, if the tablets do not support these capabilities, MOCK SBI can be used as an alternative.

How to install Android Registration Client (ARC)

Download and install the APK on Android tablet.
Once ARC is installed, long press on the logo to copy the machine details.
On the Admin Portal, using admin credentials, login and perform the following to add the device:
- Go to Resources/Machine and click on Create machine
- Add a new machine and enter the machine details:
  - Add the specs as Mobile
  - Map it to a Zone and Center
  - Add the Machine spec ID as Mobile
  - Enter Device name
  - Enter Public Key
  - Enter Sign Public Key
- Create the role Default in KeyCloak with all the other roles.
- Create the Operator’s user account in KeyCloak set the password and assign the role as Default, REGISTRATION_OFFICER, Registration Operator, REGISTRATION_SUPERVISOR
- Login into Admin Portal to perform the following and add the user:
  - After login into the Admin Portal, go to User Zone Mapping and add the zone for the user and activate it.
  - Go to User Center Mapping and add the center for the user and activate it.

Note: The user should be assigned to the same Zone and Center as the device.

The user should relaunch the ARC and log in using their valid credentials. Additionally, the operator has the option to select their preferred display language.

Upon successful login, the user will be directed to the Home page, which includes the following options:

New Registration
Operational Tasks
Dashboard
Settings (Future scope)

New Registration

To begin the Registration process, the Operator is required to follow the steps outlined below.

Click on New Registration card.
Select the language to be used for data entry, which will be used to collect the resident's information. There will be a default language for data entry.
Choose the language in which the notification will be sent to the resident. Click Submit to proceed.

The operator will be redirected to the Consent page, where the resident must agree to the terms and conditions to proceed.
After accepting consent, the Operator will need to fill out the demographic data of the resident, including their name, age, date of birth, and address. Once all mandatory fields are completed, the Continue button will be enabled.

Upon clicking the Continue button, the Operator will be navigated to the Document upload page where they will need to:
- Select the type of document (e.g. proof of identity, proof of address) from the drop-down menu.
- Enter the Reference Number of the document.

Upload the document by clicking on the Scan button to open the camera. The Operator can take a picture of the document and then choose from the following actions:
- Cancel: Clicking on the "Cross" icon will remove the captured image and return the Operator to the previous screen.
- Crop: The Operator can drag from the four corners of the captured image to crop it as needed.
- Save: Clicking on the "Save" button will save the captured image and return the Operator to the previous Document Upload page.
- Retake: Clicking on the "Retake" button will remove the captured image, reopen the camera, and allow the Operator to take a new photo.

After ensuring all required information has been accurately entered into the Document Upload screen, the Operator can proceed by clicking on the Continue button to access the Biometric Capture page. Here, the Operator can capture the biometric data of the Resident, including a face photo, fingerprint, and iris scan.

Face photo capture process

To capture the face photo, the Operator should click on the Scan button to activate the camera and take a picture.
The image quality will be displayed on the screen and must meet a certain threshold to be considered acceptable.
The Operator has three attempts to capture the biometric image.
It is important to note that no exceptions can be made for the face photo biometric capture process.

Biometric Data Capture Process:

To capture biometric data, the Operator should click on the Scan button.
This will allow the Operator to capture the biometric information.
Once the data is captured, the image quality will be displayed on the screen and must meet the acceptable threshold limit.

Note: Three attempts are provided to capture the biometric data.

Fingerprint Capture Process:

If a thumb is missing or experiencing difficulties that prevent its fingerprint from being captured, the Operator is authorized to indicate an exception. To mark an exception, the operator must select the affected thumb and specify the type of exception as either Temporary or Permanent. Additionally, the operator may include any relevant additional comments.

Iris Scanning Process:

To initiate the Iris scan, the Operator is required to click on the Scan button.
This action will allow the Operator to capture the Iris image.
Once the Iris has been successfully captured, the quality of the image will be displayed on the screen.
The quality score needs to meet the established threshold limit.
The Operator has three opportunities to capture the biometric data.

If one or both of the Irises are not detected or encounter issues that prevent successful capture, the Operator has the option to mark an exception. To do so, the Operator must identify the specific Iris that is problematic and indicate the type of exception- either Temporary or Permanent. Additionally, the Operator may provide any relevant comments.

After all the biometric data has been properly captured or any exceptions have been noted, the Continue button will be activated. The Operator can then proceed by clicking on the Continue button, which will redirect them to the Preview page. The Preview page will display the following information:

Application ID
Timestamp of Registration
Demographic data collected
Documents submitted
Biometric data recorded

From the Preview page, the Operator can navigate back to previous screens to make any necessary adjustments to the entered or captured data. Once the Operator has verified the accuracy of the entered data, they can proceed by clicking on the Continue button, which will direct them to the Operator Authentication page.

On the Operator Authentication page, operators are required to input their credentials (username and password) that were used during the login process.

Upon successful verification of the credentials, the packet will be uploaded to the server and the operator will be redirected to the Acknowledgment screen. This screen includes the following information:

Application ID
Timestamp of Registration
Demographic data captured
Documents uploaded
Biometric data captured
Print option
QR code for the Application ID
Option to initiate a new registration process.

Pending Approval:

Upon successful verification of the credentials, the acknowledgment will be displayed, and the Application will be moved to the “Pending Approval” section. This feature will only be available for the User who has a Supervisor’s role assigned to him.

Once the packet is created by the Operator, as an additional check, the Supervisor will have to go through each application to make sure the details filled are coherent.

Step 1: The user goes to the “Pending Approval” section from the Operational Tasks section. The user will be taken to the page where they can see the list of all the Applications created by the Operator. All of these Applications will be “Pending”.

Step 2: The Supervisor then clicks on the Application ID one by one. At this stage, the Supervisor can either Approve the Application or he can Reject it. If the Supervisor decides to reject it, they also will have to mandatorily mention the reason for rejection.

Step 3: Once the Application has been Approved or Rejected, the Supervisor will have to authenticate himself by clicking on the “Submit” button and thereby entering their Username and Password. The User can also bulk submit the Applications. The only pre-requisite is that the packet has to be in Approved or Rejected status (pending Applications cannot be submitted for uploading). Once they have successfully authenticated, the Application will be removed from the “Pending Approval” section and will be moved to the “Manage Application” Section.

Step 4: Once the Application is either Approved or Rejected by the Supervisor and is submitted, those packets can be uploaded to the server from the “Manage Application” section or can be exported to their local device storage.

Manual Application upload/export

Once the Application is either Approved or Rejected by the Supervisor, those packets can be uploaded to the server from the “Manage Application” section.

Step 1: The user selects the packets they want to upload (bulk upload can also be done). Once selected, the user clicks on the “Upload” button, after which the packet syncs and gets uploaded if there is internet connectivity.

In case of a lack of internet connectivity, the User can also export the packet to their local device storage. They can also bulk export the packets by choosing the Applications and clicking on the Export button.

On choosing to upload, the packet is uploaded to the Registration Processor. Once the packet has been successfully processed, a unique identification number (UIN) is generated.

Print- The operator can click on this option to obtain a physical copy of the acknowledgment.
New Registration- The operator can initiate another registration by clicking on this option.

In summary, the user (Operator/ Supervisor) can follow the aforementioned steps to register an individual by capturing demographic data, documents, and biometric data to generate their UIN.

Operator Onboarding: To begin the Onboarding process, the Operator is required to follow the steps outlined below. The operator, to log in to the Android Registration Client, will have to onboard himself. This functionality will be available on first-time online login only.

a. On logging in for the first time, the Operator will be taken to the screen where they will have the following two options:

Get onboard: This flow is present for the system to verify the Operator’s biometrics with their registered biometrics. This is to enable local deduplication. To get onboarded the operator must not be assigned "default" role.
Skip to home: This flow is to dodge “Operator’s Onboarding”. If the user selects this, they will be taken to the “Homepage” after which the user can get started with Resident registration. One of the prerequisites of this flow is to have the “Default” role mapped to the center.

Steps to Onboard Operator’s Biometrics:
a. The user will be taken to the Biometrics Capture Homepage where he will be able to see all the below biometrics:
1. Face capture
2. Iris capture
3. Left-hand finger capture
4. Right-hand finger capture
5. Thumb capture

b. The user will then have to capture all the above-listed biometrics one by one. c. Steps to capture the biometrics are given here. d. Once all the biometrics are duly captured, the below acknowledgment message will be displayed on the screen.

Dashboard: The Operator can access the dashboard where he can view the following:
1. Packets created: This will show the total number of packets created from the time the Android Registration Client was installed.
2. Packets Synced: This will show the total number of packets synced from the time the Android Registration Client was installed.
3. Packets Uploaded: This will show the total number of packets uploaded from the time the Android Registration Client was installed.
4. User details:
  1. User ID: This will show the list of User IDs of the Users mapped to the device.
  2. Username: This will show the list of usernames of the Users mapped to the device.
  3. Status: This will show the status of Users mapped to the device. This can take values such as onboarded, active, inactive, etc.

In summary, the aforementioned steps can be followed by the user (Operator/ Supervisor) to onboard themselves, update their biometrics, or view the Dashboard.

Update UIN

In a scenario where the Resident wants to update their data, they can do so by letting the Operator know their UIN along with the data that needs to be updated. Residents can update their demographic details, documents, and biometrics using this feature.

Step 1: Go to “Update UIN” from the Homepage

Step 2: Enter the UIN of the Resident and choose the data to be updated.

Step 3: Enter the data that the Resident wants to update. It could demographic data, documents, and biometrics.

Step 4: Once all the required data is filled, the User will be taken to the Preview screen (data can still be modified) and then to the Acknowledgment screen (data cannot be updated hereafter).

Step 5: The user will then have to authenticate himself using his Username and Password. Once the authentication is successful, the packet will be uploaded to the server.

Logout: Using this feature, once the user is done with their registration and other activities, they can logout. If no background tasks are running, the user will be immediately logged out. If there are tasks (like sync) running in the background, the user will be notified about the same. From here if the User wants to cancel the logout, the background activities will keep running where whereas if the user chooses to logout, they will be logged out and the background activities will be terminated.

Update operators biometrics

This feature will be used by the operators to update their biometrics. They can follow the below steps for the same:

a. The user will be taken to the Biometrics Capture Homepage where he will be able to see all the below biometrics:

Face capture
Iris capture
Left-hand finger capture
Right-hand finger capture
Thumb capture

b. The user will then have to capture all the above-listed biometrics one by one.

c. Steps to capture the biometrics are given here.

d. Once all the biometrics are duly captured, the below acknowledgment message will be displayed on the screen.

Handles Feature Authentication:

Assumption: The Handles feature is enabled, and the email ID is designated as a Handle during registration.

Scenarios: A resident attempts to log into the Resident Portal using their Handle (i.e., email ID).

Step 1: Open the Resident Portal and navigate to "UIN Services."

Step 2: The resident will be taken to the eSignet login page.

Step 3: Choose the option to “Login using OTP”

Step 4: Enter the attributes marked as Handle (email ID in this case) and click on “Get OTP”. OTP will be sent to registered email ID and/or mobile number

Step 5: Enter the OTP received over the registered email ID and/or mobile number

Step 6: Select/De-select the Claims based on preference.

And click on the “Allow” button.

Step 7: You have now successfully authenticated and logged into Resident Portal via eSignet using handles (email ID in this case).

Forgot Password

In a scenario where the Operator has forgotten their password, this feature enables the Operator to set a new password to be able to login using the new password and continue with registration tasks.

Step 1: Run Android Registration Client on your system to land on the Login page.

Step 2: Click on Forgot Password option, You will then be redirected to the keycloak Login page.

Step 3: Click on Forgot Password option on the Keycloak login page.

Step 4: Enter your Keycloak Username and click on Submit.

Step 5: You will then receive an email over registered email Id to reset the password. This email contains a link to set a new password.

Step 6: On clicking on the link to set a new password, you (Operator) will be taken to the keycloak page where you can enter the new password. On successfully entering the password twice, the password will be changed. This password can now be used to log into Android Registration Client (when in online mode). In offline mode, the User will still be able to login using the older password until the system goes online and syncs atleast once after resetting the password.

AID QR code scan

This feature enables the Operator to scan the QR code of the AID (Application ID) QR code generated during pre-registration. On successful scan, the Operator will be able to fetch the pre-registration data and pre-fill the registration form with the available data.

Step 1: Log into Android Registration Client, start new registration to land onto the "Demographic Details" Page.

Step 2: On the "Demographic Details" page, click on the scan button next to "Fetch Data" option. On clicking on the scan button, camera will open up.

Step 3: You can then scan the QR code generated during Applicantʼs pre-registration.

Step 4: On scanning, the Application ID field will be pre-filled with the AID. Along with that, other details, as filled during pre-registration, like Name, age, gender, documents etc. will also be auto filled.

The pre-filled data can also be edited based on the your (Operator) or Residentʼs preference.

Lost UIN:

In a scenario where a Resident has lost their UIN, they can go to a registration center to retrieve their lost UIN. Below are the steps for the same:

Step 1: You (Operator) have to Launch Android Registration Client and login using valid credentials.

Step 2: Click on "Lost UIN" option on the home page.

Step 3: You (Operator) will then have to select the Data Entry Language and the Preferred Language of Communication.

Step 4 You can then ask and inform the Residents about the Consent and click on "Informed" button.

Step 5 You can fill the demographic details of the Resident. This is an optional step.

Step 6 You will have to capture all the biometrics of the Resident. This is a mandatory step.

Step 7: Once you (Operator) have duly captured the biometrics of the Resident, you can then proceed by clicking on the Continue button, which will redirect you to the Preview page. The Preview page will display the following information:

Application ID
Timestamp of Registration
Demographic data collected (if any) Biometric data recorded

From the Preview page, you (Operator) have the the ability to navigate back to previous screens in order to make any necessary adjustments to the entered or captured data. Once you have verified the accuracy of the entered data, you can proceed by clicking on the Continue button, which will direct them to the Operator Authentication page.

Step 8: On the Operator Authentication page, you (operator) are required to input your credentials (username and password) that were used during the login process.

Step 9: Once that is done successfully, the packet is uploaded to the server and you (operator) will be redirected to the Acknowledgment screen. This screen includes the following information:

Application ID
Timestamp of Registration
Demographic data captured (if any)
Biometric data captured
Print option
QR code for the Application ID
Option to go to the Homepage

Reset password:

In a scenario where the you (Operator) wish to set a new password, you can set a new password using this feature post which you will be able to login using the new password and continue with registration tasks.

Step 1: Launch Android Registration Client and login using valid credentials.

Step 2: Click on the "Profile" Icon on the Home page

Step 3: On the Profile page, click on the "Reset Password" option.

Step 4: On clicking on the "Reset Password" option, You will be redirected to the Keycloak Login page.

Step 5: You can then login using Keycloak credentials.

Step 6: Once you have logged in, you will be taken to the Password section where you can set a New Password.

Once the password is reset, new password can be used to log into Android Registration Client (when in online mode).

Note: In offline mode, you will still be able to login using the older password until the system goes online and syncs atleast once after resetting the password.

Auto Logout

The Auto Logout feature enhances application security by automatically logging out users after a defined period of inactivity. This helps protect sensitive data and ensures that only authorized users maintain access to the Android Registration Client.

How it works:

The system continuously monitors user activity, such as touches or navigation events within the application. When inactivity exceeds a configurable threshold, the following sequence occurs:

Step 1: A warning message is displayed on the screen after the idle period, notifying the user of the impending automatic logout. The warning dialog shows a countdown timer indicating the remaining time before automatic logout occurs.

Step 2: During the warning period, the user has two options:

Click the "STAY LOGGED IN" button to dismiss the warning and continue the session normally.
Click the "LOG OUT" button to immediately log out of the application.

Step 3: If the user remains inactive and does not interact with the warning dialog (by clicking either button) during the warning period, the application automatically logs them out.

Step 4: Upon automatic logout, the feature securely clears all authentication states and session data, ensuring that no sensitive information remains accessible.

Note: The inactivity threshold and warning period duration are configurable settings that can be adjusted based on security requirements and operational needs.

Biometrics Correction

The Biometric Correction feature enables operators to update and correct the biometric information of applicants, ensuring accurate association with their Unique Identification Number (UIN). When a resident's biometric data does not meet the required threshold during the registration process, the system generates an Additional Info Request ID. This ID is sent to the resident via notification, allowing them to schedule an appointment and update their biometric information at a registration centre.

Step 1: Create a packet with a lower biometric threshold.

Step 2: You receive a notification with additional Info request ID.

Step 3: Select the biometric correction feature from Home page.

Step 4: Add an additional request ID and give valid biometrics.

Step 5: Preview for the given details.

Step 6: Authenticate the operator.

Step 7: You will receive an acknowledgment of your application.

Step 8: Approve the packet from the pending approvals.

Step 9: Upload the packet.

This is the process to create a biometric correction packet. After this, the data will be updated, and a UIN will be generated.

GPS Location

This feature enables the Operator to automatically capture GPS location (latitude and longitude) when creating any packet through Android Registration Client. The GPS location is captured at the point of packet creation and attached as metadata to the packet, ensuring that the Operator's location is tracked for audit and verification purposes.

Step 1: Log into Android Registration Client using your login credentials.

Step 2: Start creating a packet for any of the following: New Registration, Lost UIN, Update UIN, or Applicant Correction.

Step 3: When you initiate packet creation, the system will automatically capture your current GPS coordinates (latitude and longitude) from the device. If this is the first time accessing location, you will be prompted to grant location permission. You can choose between "Precise" or "Approximate" location accuracy and select the permission duration (While using the app, Only this time, or Don't allow). This happens in the background without any additional action required from you once permission is granted.

Step 4: The captured GPS location will be attached to the packet as metadata when you submit the packet. The metadata includes latitude, longitude, and timestamp of when the location was captured.

Note: If the device's location services are disabled or GPS is unavailable, the system will log a warning but will not block packet creation. The packet will be created with a flag indicating "No GPS data available" in the metadata.

Settings

Scheduled Jobs Settings

The Manage Scheduled Jobs feature allows admin and supervisor users to view, manage, and trigger scheduled sync/batch jobs directly from the Scheduled Jobs Settings screen within the Android Registration Client.

This feature provides visibility into system jobs (e.g., syncs, cleanup, updates) and enables supervisors to modify their scheduling configuration (cron expressions) on the local device.

This feature is useful to provide a centralised interface for administrators to monitor, update, and manually trigger scheduled jobs to ensure smooth and timely system operations.

The Scheduled Jobs Settings screen displays a list or grid of all configured jobs.

Each job entry includes:

Job Name (e.g., Registration Packet Deletion Job)
Next Run Time (calculated from cron expression)
Last Run Time (from job execution logs)
Cron Expression (editable field for supervisors)
Manual Trigger Button (Run Now)

Each job's schedule is defined using a CRON expression.

Steps to find the Scheduled jobs feature:

Step 1: Click the settings button on the home page.

Step 2: It will redirect to the settings page as referred in the image below. The first tab is the scheduled job, here you can access.

Global Config Settings

This feature enables authorized users (Supervisors) to view and manage global configurations in a single Global Config Settings screen. The feature displays server values fetched from masterdata and allows supervisors to override these values locally on the device. Local configuration changes apply only to the current device and do not affect server-side configurations or other devices.

Step 1: Log into Android Registration Client using your login credentials (Supervisor role).

Step 2: From the home page, click on the "Settings" button. The Settings screen will display with various options.

Step 3: On the Settings screen, click on the "Global Configuration Settings" tab. On clicking, the Global Config Settings page will open and display all configurations with their server values and local values.

Step 4: On the Global Config Settings page, you will see a table with three columns: Key, Server Value, and Local Value. The Server Value column shows the value set from the server (read-only). The Local Value column shows the current local value for that configuration key.

For configurations listed in the permitted configuration keys list, you can edit the Local Value by clicking on the Local Value field and entering the new value.

Step 5: Once you have made changes to one or more Local Values, click on the "Submit" button. On clicking Submit, a confirmation dialog will appear showing the number of configurations to be updated.

Step 6: Click "Confirm" in the dialog to save the changes. The system will save the configuration changes, display a success message, and automatically restart the app to apply the changes.

The updated Local Values will apply only to the current device where the Android Registration Client is running. The Server Value will remain unchanged and unaffected by local edits.

Device Settings

This feature enables authorized users (Supervisors and Officers) to view and monitor all devices/peripherals connected to the Android Registration Client tablet. On opening the Device Settings page, the system will automatically scan for connected devices and display device information including device name, device ID, and connection status.

Step 1: Log into Android Registration Client using your login credentials (Supervisor or Officer role).

Step 2: From the home page, click on the "Settings" button. The Settings screen will display with various options.

Step 3: On the Settings screen, click on the "Device Settings" tab. On clicking, the Device Settings page will open and automatically scan for connected devices.

On scanning, the connected devices will be displayed in a grid layout. For each device, you will see the Device ID, Device Name, and Connection Status.

If no devices are detected, you can click on the "Scan Now" button to manually trigger a device scan. The device list will refresh automatically based on scan results.

Configuration Guide

Overview

The following guide outlines some important properties that can be customized for a given installation. Please note that this list is not exhaustive but serves as a checklist for reviewing properties that are likely to differ from the default settings. For a complete list of properties, refer to the files listed below.

Configuration files

Resident Service uses the following configuration files:

application-default.properties
resident-default.properties
resident-ui-share-credential-schema.json
resident-ui-update-demographics-schema.json
resident-ui-personalized-card-schema.json

Resident Services dependent modules configuration files

Changes are done only in the below config files for dependent modules.

id-repository-default.properties

id-authentication-default.properties

mosip-vid-policy.json

registration-default.properties

Changes done in the MOSIP config repo

Please go to the Files changes section and refer to removed and added properties.

Database

Properties used for configuring the database.

mosip.resident.database.hostname=postgres-postgresql.postgres
mosip.resident.database.port=5432
javax.persistence.jdbc.driver=org.postgresql.Driver
javax.persistence.jdbc.url=jdbc:postgresql://${mosip.resident.database.hostname}:${mosip.resident.database.port}/mosip_resident
javax.persistence.jdbc.user=residentuser
javax.persistence.jdbc.password=******

Token generation

resident.appid=resident
resident.clientId=******
resident.secretKey=******
token.request.issuerUrl=${mosip.keycloak.issuerUrl}

URL pattern for logging filter. For example, "/callback/*" .Defaults to "/*".

logging.level.root=INFO
logging.level.io.mosip.resident.batch=INFO
logging.level.io.mosip.resident.filter=DEBUG
resident.logging.filter.enabled=false
resident.logging.filter.url.pattern=/*

Rest template logger filter

This will print the request details such as URL, headers, and body for debugging purposes. The default is false.

logging.level.io.mosip.resident.config.LoggingInterceptor=DEBUG
resident.rest.template.logging.interceptor.filter.enabled=false

DB calls logger filter

This will print the repository method calls for debugging purposes. The default is false.

logging.level.io.mosip.resident.aspect.DatabaseLoggingAspect=DEBUG
resident.db.logging.aspect.enabled=false

Micrometer metrics for DB response time & rest template API call response time

resident.db.metrics.aspect.enabled=true
resident.rest.template.metrics.interceptor.filter.enabled=true

Websub topic subscription and WebsubCallbackRequestDecoratorFilter

subscriptions-delay-on-startup_millisecs=120000
re-subscription-interval-in-seconds=43200
resident.websub.request.decorator.filter.enabled=true

Partner details

mosip.ida.partner.type=******
ida.online-verification-partner-id=******
idrepo-dummy-online-verification-partner-id=******
resident.share-credential.partner.type=******
resident.authentication-request.partner.type=******
resident.order-physical-card.partner.type=******

DB properties to skip automatic table creation in startup

hibernate.show_sql=false
hibernate.hbm2ddl.auto=none
hibernate.temp.use_jdbc_metadata_defaults=false
hibernate.jdbc.lob.non_contextual_creation = true
spring.jpa.properties.hibernate.temp.use_jdbc_metadata_defaults=false

Allowed Authentication types and default unlock duration

These are the authentication types allowed for a resident and default unlock duration.

auth.types.allowed=otp-email,otp-phone,demo,bio-FINGER,bio-IRIS,bio-FACE
resident.auth-type.default.unlock.duration.seconds=100

Template type codes for allowed Auth-type list (auth.types.allowed)-

Templates type codes for authentication types

resident.otp-email.template.property.attribute.list=mosip.otp-email.template.property
resident.otp-phone.template.property.attribute.list=mosip.otp-phone.template.property
resident.demo.template.property.attribute.list=mosip.demo.template.property
resident.bio-FINGER.template.property.attribute.list=mosip.bio-finger.template.property
resident.bio-IRIS.template.property.attribute.list=mosip.bio-iris.template.property
resident.bio-FACE.template.property.attribute.list=mosip.bio-face.template.property

Template type codes for Auth-type status-

Templates type codes for authentication types status

resident.UNLOCKED.template.property.attribute.list=mosip.unlocked.template.property
resident.LOCKED.template.property.attribute.list=mosip.locked.template.property

Validation properties

Below are the properties used for validation purpose.

mosip.id.validation.identity.phone=^([6-9]{1})([0-9]{9})$
mosip.id.validation.identity.email=^[\\w-\\+]+(\\.[\\w]+)*@[\\w-]+(\\.[\\w]+)*(\\.[a-zA-Z]{2,})$
resident.grievance-redressal.alt-email.chars.limit=128
resident.grievance-redressal.alt-phone.chars.limit=64
resident.grievance-redressal.comments.chars.limit=1024
resident.share-credential.purpose.chars.limit=1024
mosip.resident.eid.length=16
mosip.resident.eventid.searchtext.length=${mosip.resident.eid.length}
resident.message.allowed.special.char.regex=^[A-Za-z0-9 .,-]+$
resident.purpose.allowed.special.char.regex=^[A-Za-z0-9 .,-]+$
resident.id.allowed.special.char.regex=^[0-9]+$
resident.document.validation.transaction-id.regex=^[0-9]{10}$
resident.document.validation.document-id.regex=^[A-Za-z0-9-]{20,}$
resident.validation.is-numeric.regex=^[0-9]+$
resident.otp.validation.transaction-id.regex=^[0-9]{10}$
resident.validation.event-id.regex=^[0-9]{${mosip.resident.eid.length}}$

Security

mosip.security.csrf-enable:false
mosip.security.secure-cookie:false

Keycloak authentication client

token.request.appid=resident
token.request.clientId=******
token.request.secretKey=******

Keycloak authentication allowed audience

auth.server.admin.allowed.audience=mosip-resident-client,mosip-reg-client,${mosip.iam.module.clientID}

Mapping Identity json to map with the applicant id json

registration.processor.identityjson=identity-mapping.json

Machine creation and search configs

Properties used for machine specification and center

resident.update-uin.machine-name-prefix = resident_machine_
resident.update-uin.machine-spec-id = RESIDENT-1
resident.update-uin.machine-zone-code = MOR
resident.center.id=10007
resident.machine.id=10045

Auth Adapter rest template authentication configs

mosip.iam.adapter.appid=resident
mosip.iam.adapter.clientid=******
mosip.iam.adapter.clientsecret=******

Exclusion list of URL patterns that should not be part of authentication and authorization

Property used to define the endpoints that should not be part of authentication.

mosip.service.end-points=/**/req/otp,/**/proxy/**/*,/**/validate-otp,/**/channel/verification-status,/**/req/credential/**,/**/req/card/*,/**/req/auth-history,/**/rid/check-status,/**/req/auth-lock,/**/req/auth-unlock,/**/req/update-uin,/**/req/print-uin,/**/req/euin,/**/credential/types,/**/req/policy/**,/**/aid/status,/**/individualId/otp,/**/mock/**,/**/callback/**,/**/download-card,/**/download/registration-centers-list/**,/**/download/supporting-documents/**,/**/vid/policy,/**/vid,/vid/**,/**/download/nearestRegistrationcenters/**,/**/authorize/admin/validateToken,/**/logout/user,/**/aid-stage/**

Configuration for google re-captcha

mosip.resident.captcha.enable=true
mosip.resident.captcha.id.validate=mosip.resident.captcha.id.validate
mosip.resident.captcha.sitekey=******
mosip.resident.captcha.secretkey=******
mosip.resident.captcha.resourse.url=http://resident-captcha.resident/resident/v1/captcha/validatecaptcha
mosip.resident.captcha.recaptcha.verify.url=https://www.google.com/recaptcha/api/siteverify

Comma separated values of property keys to be exposed to UI

This property is used to define the keys of the properties to be exposed to UI.

resident.ui.propertyKeys=mosip.mandatory-languages,mosip.optional-languages,mosip.utc-datetime-pattern,mosip.iam.adapter.clientid,resident.datetime.pattern,mosip.resident.api.id.otp.request,mosip.resident.api.id.auth,mosip.resident.api.version.otp.request,mosip.resident.api.version.auth,mosip-prereg-host,mosip-prereg-ui-url,auth.types.allowed,resident.view.history.serviceType.filters,resident.view.history.status.filters,resident.auth-type.default.unlock.duration.seconds,mosip.resident.grievance.url,mosip.api.public.host,mosip.resident.captcha.sitekey,mosip.resident.captcha.secretkey,mosip.webui.auto.logout.idle,mosip.webui.auto.logout.ping,mosip.webui.auto.logout.timeout,mosip.resident.download.registration.centre.file.name.convention,mosip.resident.download.supporting.document.file.name.convention,mosip.resident.download.personalized.card.naming.convention,mosip.resident.ack.manage_my_vid.name.convention,mosip.resident.ack.secure_my_id.name.convention,mosip.resident.ack.personalised_card.name.convention,mosip.resident.ack.update_my_data.name.convention,mosip.resident.ack.share_credential.name.convention,mosip.resident.ack.order_physical_card.name.convention,mosip.resident.ack.name.convention,mosip.resident.uin.card.name.convention,mosip.resident.vid.card.name.convention,mosip.resident.download.service.history.file.name.convention,mosip.resident.download.nearest.registration.centre.file.name.convention,auth.internal.id,auth.internal.version,mosip.registration.processor.print.id,mosip.registration.processor.application.version,vid.create.id,mosip.resident.create.vid.version,resident.vid.version,resident.vid.version.new,resident.revokevid.version,resident.revokevid.version.new,resident.vid.id,resident.vid.id.generate,resident.vid.policy.id,resident.vid.get.id,auth.type.status.id,resident.authlock.id,resident.checkstatus.id,resident.checkstatus.version,resident.euin.id,resident.printuin.id,resident.uin.id,resident.rid.id,resident.updateuin.id,resident.authunlock.id,resident.authhistory.id,resident.authLockStatusUpdateV2.id,resident.authLockStatusUpdateV2.version,resident.service.history.id,resident.service.history.version,resident.document.upload.id,resident.document.get.id,resident.document.get.version,resident.document.list.id,resident.document.list.version,resident.service.pin.status.id,resident.service.pin.status.version,resident.service.unpin.status.id,resident.service.unpin.status.version,resident.document.delete.id,resident.document.delete.version,resident.contact.details.update.id,resident.contact.details.send.otp.id,mosip.resident.service.status.check.id,mosip.resident.service.status.check.version,resident.service.unreadnotificationlist.id,resident.service.event.id,resident.service.event.version,resident.identity.info.id,resident.identity.info.version,resident.share.credential.id,resident.share.credential.version,mosip.resident.request.response.version,vid.revoke.id,resident.revokevid.id,mosip.resident.revokevid.id,mosip.resident.grievance.ticket.request.id,mosip.resident.grievance.ticket.request.version,resident.channel.verification.status.id,resident.channel.verification.status.version,resident.event.ack.download.id,resident.event.ack.download.version,resident.download.card.eventid.id ,resident.download.card.eventid.version,mosip.resident.request.vid.card.id,mosip.resident.request.vid.card.version,mosip.credential.request.service.id,mosip.credential.request.service.version,mosip.resident.checkstatus.individualid.id,mosip.resident.checkstatus.individualid.version,mosip.resident.download.personalized.card.id,mosip.resident.transliteration.transliterate.id,resident.ui.properties.id,resident.ui.properties.version,resident.nearby.centers.distance.meters,resident.ui.notification.update.interval.seconds,mosip.kernel.otp.expiry-time,resident.grievance-redressal.alt-email.chars.limit,resident.grievance-redressal.alt-phone.chars.limit,resident.grievance-redressal.comments.chars.limit,resident.share-credential.purpose.chars.limit,mosip.resident.eventid.searchtext.length,mosip.kernel.uin.length,mosip.kernel.vid.length,mosip.kernel.rid.length,mosip.resident.eid.length,mosip.kernel.otp.default-length,resident.message.allowed.special.char.regex,resident.purpose.allowed.special.char.regex,resident.id.allowed.special.char.regex,resident.version.new,mosip.resident.identity.auth.internal.id,resident.validation.event-id.regex,resident.document.validation.transaction-id.regex,resident.document.validation.document-id.regex,resident.validation.is-numeric.regex,resident.otp.validation.transaction-id.regex,,mosip.resident.captcha.enable,resident.download.reg.centers.list.id,resident.download.nearest.reg.centers.id,resident.download.supporting.documents.id,resident.send.card.id,resident.pinned.eventid.id,resident.unpinned.eventid.id,resident.auth.proxy.partners.id,resident.events.eventid.id,resident.notification.id,resident.profile.id,resident.notification.click.id,mosip.credential.store.id,resident.vids.id,mosip.resident.zoom,mosip.resident.maxZoom,mosip.resident.minZoom

Auth allowed urls

auth.allowed.urls=https://${mosip.resident.host}/,https://${mosip.resident.host}/resident-ui/,https://${mosip.resident.host}/resident-ui/**

MOSIP eSignet config

When enabling MOSIP eSignet comment Mock Keycloak config, vise versa.

mosip.iam.module.clientID=******
mosip.iam.module.clientsecret=
mosip.iam.base.url=https://${mosip.esignet.host}/v1/esignet
mosip.iam.authorization_endpoint=https://${mosip.esignet.host}/authorize
mosip.iam.token_endpoint=${mosip.iam.base.url}/oauth/v2/token
mosip.iam.userinfo_endpoint=${mosip.iam.base.url}/oidc/userinfo
mosip.iam.certs_endpoint=${mosip.iam.base.url}/oauth/.well-known/jwks.json
auth.server.admin.issuer.uri=${mosip.iam.base.url}
auth.server.admin.issuer.domain.validate=true
auth.server.admin.oidc.userinfo.url=${mosip.iam.userinfo_endpoint}
mosip.iam.module.token.endpoint.private-key-jwt.auth.enabled=true
mosip.iam.module.token.endpoint.private-key-jwt.expiry.seconds=7200
mosip.resident.oidc.userinfo.jwt.signed=true

Auth Adapter ValidateTokenHelper

This property will directly apply the certs URL without the need for constructing the path from the issuer URL. This is useful to keep a different certs URL for integrating with MOSIP IDP for offline token validation.

auth.server.admin.oidc.certs.url=${mosip.iam.certs_endpoint}
mosip.iam.logout.offline=true
auth.server.admin.validate.url=
mosip.resident.oidc.userinfo.jwt.verify.enabled=false

mosip.iam.module.redirecturi=${mosip.api.internal.url}/resident/v1/login-redirect/
mosip.iam.module.login_flow.name=authorization_code
mosip.iam.module.login_flow.scope=openid profile Manage-Identity-Data Manage-VID Manage-Authentication Manage-Service-Requests Manage-Credentials
mosip.iam.module.login_flow.claims={"userinfo":{"name":{"essential":true},"picture":{"essential":true},"email":{"essential":true},"phone_number":{"essential":true},"individual_id":{"essential":true}}}
mosip.iam.module.login_flow.response_type=code
mosip.iam.module.admin_realm_id=mosip

User-info claim attributes

Used in open-id-connect based login with UIN/VID in MOSIP-IDP

mosip.resident.identity.claim.individual-id=individual_id
mosip.resident.identity.claim.ida-token=ida_token

Scopes

Used for login purposes

mosip.scope.resident.getinputattributevalues=Manage-Identity-Data
mosip.scope.resident.patchrevokevid=Manage-VID
mosip.scope.resident.postgeneratevid=Manage-VID
mosip.scope.resident.getvids=Manage-VID
mosip.scope.resident.getAuthTransactions=Manage-Service-Requests
mosip.scope.resident.postAuthTypeUnlock=Manage-Authentication
mosip.scope.resident.postAuthTypeStatus=Manage-Authentication
mosip.scope.resident.getAuthLockStatus=Manage-Authentication
mosip.scope.resident.patchUpdateUin=Manage-Identity-Data
mosip.scope.resident.getServiceAuthHistoryRoles=Manage-Service-Requests
mosip.scope.resident.postSendPhysicalCard=Manage-Credentials
mosip.scope.resident.getUnreadServiceList=Manage-Service-Requests
mosip.scope.resident.getNotificationCount=
mosip.scope.resident.getNotificationClick=Manage-Service-Requests
mosip.scope.resident.getupdatedttimes=Manage-Service-Requests
mosip.scope.resident.postRequestDownloadPersonalizedCard=Manage-Credentials
mosip.scope.resident.postRequestShareCredWithPartner=Manage-Credentials
mosip.scope.resident.postUnPinStatus=Manage-Service-Requests
mosip.scope.resident.postPinStatus=Manage-Service-Requests
mosip.scope.resident.getDownloadCard=Manage-Credentials
mosip.scope.resident.postPersonalizedCard=Manage-Credentials
mosip.scope.resident.getOrderRedirect=Manage-Credentials

Key manager encryption/decryption configuration

Properties used to define application and reference id.

APPLICATION_Id=RESIDENT
PARTNER_REFERENCE_Id=mpartner-default-resident
mosip.resident.keymanager.application-name=RESIDENT
mosip.resident.keymanager.reference-id=resident_document
mosip.datashare.application.id=PARTNER
mosip.datashare.reference.id=mparter-default-euin
mosip.resident.oidc.keymanager.reference.id=IDP_USER_INFO
mosip.resident.sign.pdf.application.id=KERNEL
mosip.resident.sign.pdf.reference.id=SIGN

Object Store configuration

To configure the 'Object Store Configuration', update the 'Object Store URL' and other properties as below:

object.store.s3.url=

mosip.resident.object.store.account-name=resident
mosip.resident.object.store.bucket-name=resident
mosip.resident.object.store.adapter-name=s3Adapter
object.store.s3.use.account.as.bucketname=true
object.store.s3.accesskey=******
object.store.s3.secretkey=******
object.store.s3.url=http://minio.minio:9000
object.store.s3.region=${s3.region}
object.store.s3.readlimit=10000000

Virus Scanner configuration

Property used whether to enable virus scanner flag

mosip.resident.virus-scanner.enabled=true

VID Policy URL

Property used to get the vid policy json

mosip.resident.vid-policy-url=${config.server.file.storage.uri}mosip-vid-policy.json

Resident UI Schema JSON file

Property used to get the UI schema json

resident-ui-schema-file-name-prefix=resident-ui
resident-ui-schema-file-url=${config.server.file.storage.uri}${resident-ui-schema-file-name-prefix}
resident-ui-schema-file-source-prefix=url:${resident-ui-schema-file-url}

Identity Mapping JSON file

Property used to get the identity mapping json

identity-mapping-file-name=identity-mapping.json
identity-mapping-file-url=${config.server.file.storage.uri}${identity-mapping-file-name} 
identity-mapping-file-source=url:${identity-mapping-file-url}

Credential Data format MVEL file name

This property is used to get the data format from MVEL file

resident-data-format-mvel-file-name=credentialdata.mvel
resident-data-format-mvel-file-url=${config.server.file.storage.uri}${resident-data-format-mvel-file-name} 
resident-data-format-mvel-file-source=url:${resident-data-format-mvel-file-url}

WebSub Topic and callback properties for auth-type status event

Below websub properties used for authentication type status event

resident.websub.authtype-status.secret=******
resident.websub.authtype-status.topic=AUTH_TYPE_STATUS_UPDATE_ACK
resident.websub.callback.authtype-status.relative.url=${server.servlet.context-path}/callback/authTypeCallback
resident.websub.callback.authtype-status.url=${mosip.api.internal.url}${resident.websub.callback.authtype-status.relative.url}

WebSub Topic and callback properties for auth-transaction status event

Below websub properties used for authentication transaction status event

resident.websub.authTransaction-status.secret=******
resident.websub.authTransaction-status.topic=AUTHENTICATION_TRANSACTION_STATUS
resident.websub.callback.authTransaction-status.relative.url=${server.servlet.context-path}/callback/authTransaction
resident.websub.callback.authTransaction-status.url=${mosip.api.internal.url}${resident.websub.callback.authTransaction-status.relative.url}

WebSub Topic and callback properties for credential status event

Below websub properties used for credential status event

resident.websub.credential-status.secret=******
resident.websub.credential-status.topic=CREDENTIAL_STATUS_UPDATE
resident.websub.callback.credential-status.relative.url=${server.servlet.context-path}/callback/credentialStatusUpdate
resident.websub.callback.credential-status.url=${mosip.api.internal.url}${resident.websub.callback.credential-status.relative.url}

WebSub Topic and callback properties for regproc complete workflow event

Below websub properties used for regproc complete workflow event

resident.websub.regproc.workflow.complete.secret=*****
mosip.regproc.workflow.complete.topic=REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT
resident.websub.callback.regproc.workflow.complete.relative.url=${server.servlet.context-path}/callback/regprocworkflow
resident.websub.callback.regproc.workflow.complete.url=${mosip.api.internal.url}${resident.websub.callback.regproc.workflow.complete.relative.url}

TokenId generator

mosip.kernel.tokenid.uin.salt=******
mosip.kernel.tokenid.partnercode.salt=******

Mask functions

Properties used to get the data format from MVEL file.

resident.email.mask.function=maskEmail
resident.phone.mask.function=maskPhone
resident.data.mask.function=convertToMaskData

Batch job configuration for credential status update

mosip.resident.update.service.status.job.enabled=false
mosip.resident.update.service.status.job.initial-delay=60000
#Interval for checking the credential status for async requests. Note, this is done as a fallback though credential status update is hanlded in resident service via websub notification.
mosip.resident.update.service.status.job.interval.millisecs=600000

Template type codes for email subject

resident.template.email.subject.request-received.DOWNLOAD_PERSONALIZED_CARD=cust-and-down-my-card-request-received-email-subject
resident.template.email.subject.success.DOWNLOAD_PERSONALIZED_CARD=cust-and-down-my-card-success-email-subject
resident.template.email.subject.failure.DOWNLOAD_PERSONALIZED_CARD=cust-and-down-my-card-failure-email-subject

resident.template.email.subject.request-received.ORDER_PHYSICAL_CARD=order-a-physical-card-request-received-email-subject
resident.template.email.subject.success.ORDER_PHYSICAL_CARD=order-a-physical-card-success-email-subject
resident.template.email.subject.failure.ORDER_PHYSICAL_CARD=order-a-physical-card-failure-email-subject

resident.template.email.subject.request-received.SHARE_CRED_WITH_PARTNER=share-cred-with-partner-request-received-email-subject
resident.template.email.subject.success.SHARE_CRED_WITH_PARTNER=share-cred-with-partner-success-email-subject
resident.template.email.subject.failure.SHARE_CRED_WITH_PARTNER=share-cred-with-partner-failure-email-subject

resident.template.email.subject.request-received.AUTH_TYPE_LOCK_UNLOCK=lock-unlock-auth-request-received-email-subject
resident.template.email.subject.success.AUTH_TYPE_LOCK_UNLOCK=lock-unlock-auth-success-email-subject
resident.template.email.subject.failure.AUTH_TYPE_LOCK_UNLOCK=lock-unlock-auth-failure-email-subject

resident.template.email.subject.request-received.UPDATE_MY_UIN=update-demo-data-request-received-email-subject
resident.template.email.subject.success.UPDATE_MY_UIN=update-demo-data-success-email-subject
resident.template.email.subject.failure.UPDATE_MY_UIN=update-demo-data-failure-email-subject
resident.template.email.subject.regproc-success.UPDATE_MY_UIN=update-demo-data-regproc-success-email-subject
resident.template.email.subject.regproc-failure.UPDATE_MY_UIN=update-demo-data-regproc-failure-email-subject
resident.template.email.subject.cancelled.UPDATE_MY_UIN=update-demo-data-discarded-email-subject

resident.template.email.subject.request-received.GENERATE_VID=gen-or-revoke-vid-request-received-email-subject
resident.template.email.subject.success.GENERATE_VID=gen-or-revoke-vid-success-email-subject
resident.template.email.subject.failure.GENERATE_VID=gen-or-revoke-vid-failure-email-subject

resident.template.email.subject.request-received.REVOKE_VID=gen-or-revoke-vid-request-received-email-subject
resident.template.email.subject.success.REVOKE_VID=gen-or-revoke-vid-success-email-subject
resident.template.email.subject.failure.REVOKE_VID=gen-or-revoke-vid-failure-email-subject

resident.template.email.subject.request-received.VID_CARD_DOWNLOAD=vid-card-download-request-received-email-subject
resident.template.email.subject.success.VID_CARD_DOWNLOAD=vid-card-download-success-email-subject
resident.template.email.subject.failure.VID_CARD_DOWNLOAD=vid-card-download-failure-email-subject

resident.template.email.subject.request-received.GET_MY_ID=get-my-uin-card-request-received-email-subject
resident.template.email.subject.success.GET_MY_ID=get-my-uin-card-success-email-subject
resident.template.email.subject.failure.GET_MY_ID=get-my-uin-card-failure-email-subject

resident.template.email.subject.request-received.VALIDATE_OTP=verify-my-phone-email-request-received-email-subject
resident.template.email.subject.success.VALIDATE_OTP=verify-my-phone-email-success-email-subject
resident.template.email.subject.failure.VALIDATE_OTP=verify-my-phone-email-failure-email-subject

resident.template.email.subject.success.SEND_OTP=receive-otp-mail-subject

Template type codes for email content

resident.template.email.content.request-received.DOWNLOAD_PERSONALIZED_CARD=cust-and-down-my-card-request-received-email-content
resident.template.email.content.success.DOWNLOAD_PERSONALIZED_CARD=cust-and-down-my-card-success-email-content
resident.template.email.content.failure.DOWNLOAD_PERSONALIZED_CARD=cust-and-down-my-card-failure-email-content

resident.template.email.content.request-received.ORDER_PHYSICAL_CARD=order-a-physical-card-request-received-email-content
resident.template.email.content.success.ORDER_PHYSICAL_CARD=order-a-physical-card-success-email-content
resident.template.email.content.failure.ORDER_PHYSICAL_CARD=order-a-physical-card-failure-email-content

resident.template.email.content.request-received.SHARE_CRED_WITH_PARTNER=share-cred-with-partner-request-received-email-content
resident.template.email.content.success.SHARE_CRED_WITH_PARTNER=share-cred-with-partner-success-email-content
resident.template.email.content.failure.SHARE_CRED_WITH_PARTNER=share-cred-with-partner-failure-email-content

resident.template.email.content.request-received.AUTH_TYPE_LOCK_UNLOCK=lock-unlock-auth-request-received-email-content
resident.template.email.content.success.AUTH_TYPE_LOCK_UNLOCK=lock-unlock-auth-success-email-content
resident.template.email.content.failure.AUTH_TYPE_LOCK_UNLOCK=lock-unlock-auth-failure-email-content

resident.template.email.content.request-received.UPDATE_MY_UIN=update-demo-data-request-received-email-content
resident.template.email.content.success.UPDATE_MY_UIN=update-demo-data-success-email-content
resident.template.email.content.failure.UPDATE_MY_UIN=update-demo-data-failure-email-content
resident.template.email.content.regproc-success.UPDATE_MY_UIN=update-demo-data-regproc-success-email-content
resident.template.email.content.regproc-failure.UPDATE_MY_UIN=update-demo-data-regproc-failure-email-content
resident.template.email.content.cancelled.UPDATE_MY_UIN=update-demo-data-discarded-email-content

resident.template.email.content.request-received.GENERATE_VID=gen-or-revoke-vid-request-received-email-content
resident.template.email.content.success.GENERATE_VID=gen-or-revoke-vid-success-email-content
resident.template.email.content.failure.GENERATE_VID=gen-or-revoke-vid-failure-email-content

resident.template.email.content.request-received.REVOKE_VID=gen-or-revoke-vid-request-received-email-content
resident.template.email.content.success.REVOKE_VID=gen-or-revoke-vid-success-email-content
resident.template.email.content.failure.REVOKE_VID=gen-or-revoke-vid-failure-email-content

resident.template.email.content.request-received.VID_CARD_DOWNLOAD=vid-card-download-request-received-email-content
resident.template.email.content.success.VID_CARD_DOWNLOAD=vid-card-download-success-email-content
resident.template.email.content.failure.VID_CARD_DOWNLOAD=vid-card-download-failure-email-content

resident.template.email.content.request-received.GET_MY_ID=get-my-uin-card-request-received-email-content
resident.template.email.content.success.GET_MY_ID=get-my-uin-card-success-email-content
resident.template.email.content.failure.GET_MY_ID=get-my-uin-card-failure-email-content

resident.template.email.content.request-received.VALIDATE_OTP=verify-my-phone-email-request-received-email-content
resident.template.email.content.success.VALIDATE_OTP=verify-my-phone-email-success-email-content
resident.template.email.content.failure.VALIDATE_OTP=verify-my-phone-email-failure-email-content

resident.template.email.content.success.SEND_OTP=receive-otp-mail-content

Template type codes for SMS content

resident.template.sms.request-received.DOWNLOAD_PERSONALIZED_CARD=cust-and-down-my-card-request-received_SMS
resident.template.sms.success.DOWNLOAD_PERSONALIZED_CARD=cust-and-down-my-card-success_SMS
resident.template.sms.failure.DOWNLOAD_PERSONALIZED_CARD=cust-and-down-my-card-failure_SMS

resident.template.sms.request-received.ORDER_PHYSICAL_CARD=order-a-physical-card-request-received_SMS
resident.template.sms.success.ORDER_PHYSICAL_CARD=order-a-physical-card-success_SMS
resident.template.sms.failure.ORDER_PHYSICAL_CARD=order-a-physical-card-failure_SMS

resident.template.sms.request-received.SHARE_CRED_WITH_PARTNER=share-cred-with-partner-request-received_SMS
resident.template.sms.success.SHARE_CRED_WITH_PARTNER=share-cred-with-partner-success_SMS
resident.template.sms.failure.SHARE_CRED_WITH_PARTNER=share-cred-with-partner-failure_SMS

resident.template.sms.request-received.AUTH_TYPE_LOCK_UNLOCK=lock-unlock-auth-request-received_SMS
resident.template.sms.success.AUTH_TYPE_LOCK_UNLOCK=lock-unlock-auth-success_SMS
resident.template.sms.failure.AUTH_TYPE_LOCK_UNLOCK=lock-unlock-auth-failure_SMS

resident.template.sms.request-received.UPDATE_MY_UIN=update-demo-data-request-received_SMS
resident.template.sms.success.UPDATE_MY_UIN=update-demo-data-success_SMS
resident.template.sms.failure.UPDATE_MY_UIN=update-demo-data-failure_SMS
resident.template.sms.regproc-success.UPDATE_MY_UIN=update-demo-data-regproc-success_SMS
resident.template.sms.regproc-failure.UPDATE_MY_UIN=update-demo-data-regproc-failure_SMS
resident.template.sms.cancelled.UPDATE_MY_UIN=update-demo-data-discarded-SMS

resident.template.sms.request-received.GENERATE_VID=gen-or-revoke-vid-request-received_SMS
resident.template.sms.success.GENERATE_VID=gen-or-revoke-vid-success_SMS
resident.template.sms.failure.GENERATE_VID=gen-or-revoke-vid-failure_SMS

resident.template.sms.request-received.REVOKE_VID=gen-or-revoke-vid-request-received_SMS
resident.template.sms.success.REVOKE_VID=gen-or-revoke-vid-success_SMS
resident.template.sms.failure.REVOKE_VID=gen-or-revoke-vid-failure_SMS

resident.template.sms.request-received.VID_CARD_DOWNLOAD=vid-card-download-request-received_SMS
resident.template.sms.success.VID_CARD_DOWNLOAD=vid-card-download-success_SMS
resident.template.sms.failure.VID_CARD_DOWNLOAD=vid-card-download-failure_SMS

resident.template.sms.request-received.GET_MY_ID=get-my-uin-card-request-received_SMS
resident.template.sms.success.GET_MY_ID=get-my-uin-card-success_SMS
resident.template.sms.failure.GET_MY_ID=get-my-uin-card-failure_SMS

resident.template.sms.request-received.VALIDATE_OTP=verify-my-phone-email-request-received_SMS
resident.template.sms.success.VALIDATE_OTP=verify-my-phone-email-success_SMS
resident.template.sms.failure.VALIDATE_OTP=verify-my-phone-email-failure_SMS

resident.template.sms.success.SEND_OTP=receive-otp

Template type codes for purpose (success) content

resident.template.purpose.success.DOWNLOAD_PERSONALIZED_CARD=cust-and-down-my-card-positive-purpose
resident.template.purpose.success.ORDER_PHYSICAL_CARD=order-a-physical-card-positive purpose
resident.template.purpose.success.SHARE_CRED_WITH_PARTNER=share-cred-with-partner-positive-purpose
resident.template.purpose.success.AUTH_TYPE_LOCK_UNLOCK=lock-unlock-auth-positive-purpose
resident.template.purpose.success.UPDATE_MY_UIN=update-demo-data-positive-purpose
resident.template.purpose.success.GENERATE_VID=gen-or-revoke-vid-positive-purpose
resident.template.purpose.success.REVOKE_VID=gen-or-revoke-vid-positive-purpose
resident.template.purpose.success.GET_MY_ID=get-my-uin-card-positive-purpose
resident.template.purpose.success.VALIDATE_OTP=verify-my-phone-email-positive-purpose
resident.template.purpose.success.VID_CARD_DOWNLOAD=vid-card-download-positive-purpose

Template type codes for purpose (in-progress/failure) content

resident.template.purpose.failure.DOWNLOAD_PERSONALIZED_CARD=cust-and-down-my-card-negative-purpose
resident.template.purpose.failure.ORDER_PHYSICAL_CARD=order-a-physical-card-negative purpose
resident.template.purpose.failure.SHARE_CRED_WITH_PARTNER=share-cred-with-partner-negative-purpose
resident.template.purpose.failure.AUTH_TYPE_LOCK_UNLOCK=lock-unlock-auth-negative-purpose
resident.template.purpose.failure.UPDATE_MY_UIN=update-demo-data-negative-purpose
resident.template.purpose.failure.GENERATE_VID=gen-or-revoke-vid-negative-purpose
resident.template.purpose.failure.REVOKE_VID=gen-or-revoke-vid-negative-purpose
resident.template.purpose.failure.GET_MY_ID=get-my-uin-card-negative-purpose
resident.template.purpose.failure.VALIDATE_OTP=verify-my-phone-email-negative-purpose
resident.template.purpose.failure.VID_CARD_DOWNLOAD=vid-card-download-negative-purpose
resident.template.purpose.failure.AUTHENTICATION_REQUEST=authentication-request-negative-purpose

Template type codes for purpose (Cancelled) content

resident.template.purpose.cancelled.UPDATE_MY_UIN=update-demo-data-cancelled-purpose

Template type codes for purpose(Identity updated) content

resident.template.purpose.regproc-success.UPDATE_MY_UIN=update-demo-data-regproc-success-purpose

Template type codes for summary (success) content

resident.template.summary.success.DOWNLOAD_PERSONALIZED_CARD=cust-and-down-my-card-success-summary
resident.template.summary.success.ORDER_PHYSICAL_CARD=order-a-physical-card-success-summary
resident.template.summary.success.SHARE_CRED_WITH_PARTNER=share-cred-with-partner-success-summary
resident.template.summary.success.AUTH_TYPE_LOCK_UNLOCK=lock-unlock-auth-success-summary
resident.template.summary.success.UPDATE_MY_UIN=update-demo-data-success-summary
resident.template.summary.success.GENERATE_VID=gen-or-revoke-vid-success-summary
resident.template.summary.success.REVOKE_VID=gen-or-revoke-vid-success-summary
resident.template.summary.success.GET_MY_ID=get-my-uin-card-success-summary
resident.template.summary.success.VALIDATE_OTP=verify-my-phone-email-success-summary
resident.template.summary.success.VID_CARD_DOWNLOAD=vid-card-download-positive-summary
resident.template.summary.success.AUTHENTICATION_REQUEST=authentication-request-positive-summary

Template type code for summary (cancelled) content

resident.template.summary.cancelled.UPDATE_MY_UIN=update-demo-data-cancelled-summary

Template type code for summary (regproc-success) content

resident.template.summary.regproc-success.UPDATE_MY_UIN=update-demo-data-regproc-success-summary

Template type codes for acknowledgement PDFs

resident.template.ack.share-cred-with-partner=acknowledgement-share-cred-with-partner
resident.template.ack.manage-my-vid=acknowledgement-manage-my-vid
resident.template.ack.order-a-physical-card=acknowledgement-order-a-physical-card
resident.template.ack.download-a-personalized-card=acknowledgement-download-a-personalized-card
resident.template.ack.update-demographic-data=acknowledgement-update-demographic-data
resident.template.ack.verify-email-id-or-phone-number=acknowledgement-verify-email-id-or-phone-number
resident.template.ack.secure-my-id=acknowledgement-secure-my-id
resident.template.ack.authentication.request=acknowledgment-authentication-request
resident.template.ack.get.my.id=acknowledgment-get-my-id
resident.template.ack.vid.card.download=acknowledgment-vid-card-download

Template type codes for supporting documents, service history, registration centers and vid card

resident.template.support-docs-list=supporting-docs-list
mosip.resident.service.history.template.type.code=service-history-type
resident.template.registration.centers.list=registration-centers-list
mosip.resident.vid.card.template.property=vid-card-type

Template required properties

resident.template.date.pattern=dd-MM-yyyy
resident.template.time.pattern=HH:mm:ss
resident.ui.track-service-request-url=https://${mosip.resident.host}/#/uinservices/trackservicerequest?eid=

View history filters

resident.view.history.serviceType.filters=ALL,AUTHENTICATION_REQUEST,SERVICE_REQUEST,DATA_UPDATE_REQUEST,ID_MANAGEMENT_REQUEST,DATA_SHARE_REQUEST
resident.view.history.status.filters=ALL,SUCCESS,IN_PROGRESS,FAILED,CANCELED

Maximum data to download in a PDF

resident.service-history.download.max.count=100
resident.registration-centers.download.max.count=100

The Registration centers will be searched based on the distance value in meters from the Geo location identified

resident.nearby.centers.distance.meters=2000

Page size in Bell Icon Notification list and view history

resident.notifications.default.page.size=100
resident.view-history.default.page.size=10

auth.validate.id-token=true
idToken=id_token
auth.token.header=Authorization
mosip.resident.access_token.auth_mode.claim-name=acr
mosip.resident.oidc.id_token.ida_token.claim-name=sub
mosip.resident.oidc.auth_token.expiry.claim-name=exp
mosip.resident.oidc.userinfo.encryption.enabled=false
mosip.client.assertion.reference.id=
mosip.include.payload=true
mosip.include.certificate=true
mosip.include.cert.hash=false

Rectangle coordinates for PDF signed data

mosip.resident.service.uincard.lowerleftx=73
mosip.resident.service.uincard.lowerlefty=100
mosip.resident.service.uincard.upperrightx=300
mosip.resident.service.uincard.upperrighty=300
mosip.resident.service.uincard.signature.reason="Digitally Signed"

File name for the downloaded PDFs

mosip.resident.download.registration.centre.file.name.convention=Registration_centers_{timestamp}
mosip.resident.download.supporting.document.file.name.convention=Supporting_documents_{timestamp}
mosip.resident.download.personalized.card.naming.convention=Personalised_card_{eventId}_{timestamp}
mosip.resident.ack.manage_my_vid.name.convention=Ack_{featureName}_{eventId}_{timestamp}
mosip.resident.ack.secure_my_id.name.convention=Ack_{featureName}_{eventId}_{timestamp}
mosip.resident.ack.personalised_card.name.convention=Ack_{featureName}_{eventId}_{timestamp}
mosip.resident.ack.update_my_data.name.convention=Ack_{featureName}_{eventId}_{timestamp}
mosip.resident.ack.share_credential.name.convention=Ack_{featureName}_{eventId}_{timestamp}
mosip.resident.ack.order_physical_card.name.convention=Ack_{featureName}_{eventId}_{timestamp}
mosip.resident.ack.name.convention=Ack_{featureName}_{eventId}_{timestamp}
mosip.resident.uin.card.name.convention=UIN_{eventId}_{timestamp}
mosip.resident.vid.card.name.convention=VID_{eventId}_{timestamp}
mosip.resident.download.service.history.file.name.convention=View_history_{timestamp}
mosip.resident.download.nearest.registration.centre.file.name.convention=Registration_centers_{timestamp}
mosip.resident.download.card.naming.convention=Get_my_UIN_{timestamp}

mosip.resident.request.credential.credentialType=vercred
mosip.resident.request.credential.credentialType=euin
mosip.resident.request.credential.isEncrypt=true
mosip.resident.request.credential.encryption.key=******

mosip.digital.card.credential.type=PDFCard
mosip.credential.issuer=******

Claim names

mosip.resident.name.token.claim-name=name
mosip.resident.photo.token.claim-photo=picture
mosip.resident.individual.id.claim.name=individual_id
mosip.resident.email.token.claim-email=email
mosip.resident.phone.token.claim-phone=phone_number

Value based properties

otpChannel.email=email
otpChannel.mobile=phone
mosip.idrepo.vid.reactive-status=ACTIVE
resident.dateofbirth.pattern=yyyy/MM/dd
mosip.resident.photo.attribute.name=photo
mosip.resident.order.card.payment.enabled=true
resident.update.preferred.language.by.name=true
resident.documents.category=individualBiometrics
mosip.resident.schema.attribute-name=attributeName
mosip.resident.applicant.name.property=applicantName
mosip.resident.authentication.mode.property=authenticationMode
resident.attribute.names.without.documents.required=preferredLanguage,email,phone
resident.additional.identity.attribute.to.fetch=UIN,email,phone,dateOfBirth,fullName,photo

OTP Flooding

Configure Time limit for OTP Flooding scenario (in minutes).

otp.request.flooding.duration=1
otp.request.flooding.max-count=10

Maximum file size and types for uploading document

mosip.max.file.upload.size.in.bytes=2306867
mosip.allowed.extension=pdf,jpeg,png,jpg

Reg-proc packet status codes

resident.success.packet-status-code.list=PROCESSED,SUCCESS,UIN_GENERATED
resident.in-progress.packet-status-code.list=PROCESSING,REREGISTER,RESEND,RECEIVED,UPLOAD_PENDING,AWAITING_INFORMATION,REPROCESS
resident.failure.packet-status-code.list=REJECTED,FAILED,REPROCESS_FAILED

Reg-proc packet transaction type codes

resident.REQUEST_RECEIVED.packet-transaction-type-code.list=PACKET_RECEIVER,VIRUS_SCAN,SECUREZONE_NOTIFICATION,UPLOAD_PACKET,VALIDATE_PACKET,PACKET_CLASSIFICATION
resident.VALIDATION_STAGE.packet-transaction-type-code.list=CMD_VALIDATION,OPERATOR_VALIDATION,QUALITY_CLASSIFIER,SUPERVISOR_VALIDATION,INTRODUCER_VALIDATION,BIOMETRIC_AUTHENTICATION,EXTERNAL_INTEGRATION
resident.VERIFICATION_STAGE.packet-transaction-type-code.list=DEMOGRAPHIC_VERIFICATION,MANUAL_ADJUDICATION,VERIFICATION,BIOGRAPHIC_VERIFICATION
resident.UIN_GENERATION_STAGE.packet-transaction-type-code.list=UIN_GENERATOR,BIOMETRIC_EXTRACTION,NOTIFICATION,FINALIZATION,PACKET_REPROCESS
resident.CARD_READY_TO_DOWNLOAD.packet-transaction-type-code.list=PRINT_SERVICE,PRINT_POSTAL_SERVICE,PRINT

Sequence order of reg-proc transaction type codes

sequence-order=Request received, Validation stage, Verification stage, Uin generation stage, Card ready to download

Synchronous events

resident.request.success.status.list.AUTHENTICATION_REQUEST=AUTHENTICATION_SUCCESSFUL,Y
resident.request.failed.status.list.AUTHENTICATION_REQUEST=AUTHENTICATION_FAILED,N
resident.request.cancelled.status.list.AUTHENTICATION_REQUEST=

resident.request.new.status.list.DOWNLOAD_PERSONALIZED_CARD=NEW
resident.batchjob.process.success.status.list.DOWNLOAD_PERSONALIZED_CARD=CARD_DOWNLOADED
resident.request.failed.status.list.DOWNLOAD_PERSONALIZED_CARD=FAILED
resident.request.cancelled.status.list.DOWNLOAD_PERSONALIZED_CARD=

resident.request.new.status.list.GET_MY_ID=NEW
resident.request.in-progress.status.list.GET_MY_ID=OTP_REQUESTED
resident.request.success.status.list.GET_MY_ID=CARD_DOWNLOADED,OTP_VERIFIED
resident.request.failed.status.list.GET_MY_ID=FAILED
resident.request.cancelled.status.list.GET_MY_ID=

resident.request.new.status.list.BOOK_AN_APPOINTMENT=
resident.request.success.status.list.BOOK_AN_APPOINTMENT=
resident.request.failed.status.list.BOOK_AN_APPOINTMENT=
resident.request.cancelled.status.list.BOOK_AN_APPOINTMENT=

resident.request.new.status.list.GENERATE_VID=NEW
resident.request.success.status.list.GENERATE_VID=VID_GENERATED
resident.request.failed.status.list.GENERATE_VID=FAILED
resident.request.cancelled.status.list.GENERATE_VID=

resident.request.new.status.list.REVOKE_VID=NEW
resident.request.success.status.list.REVOKE_VID=VID_REVOKED
resident.request.failed.status.list.REVOKE_VID=FAILED
resident.request.cancelled.status.list.REVOKE_VID=

resident.request.new.status.list.SEND_OTP=
resident.request.success.status.list.SEND_OTP=
resident.request.failed.status.list.SEND_OTP=
resident.request.cancelled.status.list.SEND_OTP=

resident.request.new.status.list.VALIDATE_OTP=OTP_REQUESTED
resident.request.success.status.list.VALIDATE_OTP=OTP_VERIFIED
resident.request.failed.status.list.VALIDATE_OTP=OTP_VERIFICATION_FAILED
resident.request.cancelled.status.list.VALIDATE_OTP=

resident.request.new.status.list.DEFAULT=
resident.request.success.status.list.DEFAULT=
resident.request.failed.status.list.DEFAULT=
resident.request.cancelled.status.list.DEFAULT=

Asyc Request Types

resident.async.request.types=VID_CARD_DOWNLOAD,ORDER_PHYSICAL_CARD,SHARE_CRED_WITH_PARTNER,UPDATE_MY_UIN

Asynchronous events

resident.request.new.status.list.SHARE_CRED_WITH_PARTNER=NEW
resident.request.in-progress.status.list.SHARE_CRED_WITH_PARTNER=ISSUED
resident.request.success.status.list.SHARE_CRED_WITH_PARTNER=RECEIVED,DATA_SHARED_SUCCESSFULLY,STORED
resident.request.failed.status.list.SHARE_CRED_WITH_PARTNER=FAILED
resident.request.notification.status.list.SHARE_CRED_WITH_PARTNER=FAILED,RECEIVED,DATA_SHARED_SUCCESSFULLY,STORED

resident.request.new.status.list.ORDER_PHYSICAL_CARD=NEW
resident.request.in-progress.status.list.ORDER_PHYSICAL_CARD=PAYMENT_CONFIRMED,ISSUED,PRINTING,IN_TRANSIT
resident.request.success.status.list.ORDER_PHYSICAL_CARD=CARD_DELIVERED
resident.request.failed.status.list.ORDER_PHYSICAL_CARD=FAILED,PAYMENT_FAILED
resident.request.notification.status.list.ORDER_PHYSICAL_CARD=PAYMENT_CONFIRMED,ISSUED,PRINTING,IN_TRANSIT,CARD_DELIVERED,FAILED,PAYMENT_FAILED,CARD_DELIVERED

resident.request.new.status.list.UPDATE_MY_UIN=NEW
resident.request.in-progress.status.list.UPDATE_MY_UIN=PROCESSING,PAUSED,RESUMABLE,REPROCESS,PAUSED_FOR_ADDITIONAL_INFO
resident.request.success.status.list.UPDATE_MY_UIN=PROCESSED,DATA_UPDATED,STORED,CARD_READY_TO_DOWNLOAD,CARD_DOWNLOADED
resident.request.failed.status.list.UPDATE_MY_UIN=FAILED,REJECTED,REPROCESS_FAILED
resident.request.notification.status.list.UPDATE_MY_UIN=PROCESSED,DATA_UPDATED,STORED,CARD_READY_TO_DOWNLOAD,CARD_DOWNLOADED,FAILED,REJECTED,REPROCESS_FAILED

resident.request.new.status.list.AUTH_TYPE_LOCK_UNLOCK=NEW
resident.request.in-progress.status.list.AUTH_TYPE_LOCK_UNLOCK=
resident.request.success.status.list.AUTH_TYPE_LOCK_UNLOCK=COMPLETED
resident.request.failed.status.list.AUTH_TYPE_LOCK_UNLOCK=FAILED
resident.request.notification.status.list.AUTH_TYPE_LOCK_UNLOCK=COMPLETED,FAILED

resident.request.new.status.list.VID_CARD_DOWNLOAD=NEW
resident.request.in-progress.status.list.VID_CARD_DOWNLOAD=ISSUED
resident.request.success.status.list.VID_CARD_DOWNLOAD=STORED,CARD_READY_TO_DOWNLOAD,CARD_DOWNLOADED
resident.request.failed.status.list.VID_CARD_DOWNLOAD=FAILED
resident.request.notification.status.list.VID_CARD_DOWNLOAD=STORED,CARD_READY_TO_DOWNLOAD,CARD_DOWNLOADED,FAILED

Attributes name based template type codes

Define property name in below format- resident.<attribute name>.template.property.attribute.list

resident.PHONE.template.property.attribute.list=mosip.phone.template.property
resident.EMAIL.template.property.attribute.list=mosip.email.template.property
resident.GENERATE_VID.template.property.attribute.list=mosip.generated.template.property
resident.REVOKE_VID.template.property.attribute.list=mosip.revoked.template.property

Template type codes for event status code

resident.event.status.SUCCESS.template.property=mosip.event.status.success.template
resident.event.status.FAILED.template.property=mosip.event.status.failed.template
resident.event.status.IN_PROGRESS.template.property=mosip.event.status.inprogress.template
resident.event.status.CANCELED.template.property=mosip.event.status.cancelled.template

Template type codes for event types

Define property name in below format- resident.event.type.<eventType>.template.property

resident.event.type.AUTHENTICATION_REQUEST.template.property=mosip.event.type.AUTHENTICATION_REQUEST
resident.event.type.SHARE_CRED_WITH_PARTNER.template.property=mosip.event.type.SHARE_CRED_WITH_PARTNER
resident.event.type.DOWNLOAD_PERSONALIZED_CARD.template.property=mosip.event.type.DOWNLOAD_PERSONALIZED_CARD
resident.event.type.ORDER_PHYSICAL_CARD.template.property=mosip.event.type.ORDER_PHYSICAL_CARD
resident.event.type.GET_MY_ID.template.property=mosip.event.type.GET_MY_ID
resident.event.type.UPDATE_MY_UIN.template.property=mosip.event.type.UPDATE_MY_UIN
resident.event.type.GENERATE_VID.template.property=mosip.event.type.GENERATE_VID
resident.event.type.REVOKE_VID.template.property=mosip.event.type.REVOKE_VID
resident.event.type.AUTH_TYPE_LOCK_UNLOCK.template.property=mosip.event.type.AUTH_TYPE_LOCK_UNLOCK
resident.event.type.VID_CARD_DOWNLOAD.template.property=mosip.event.type.VID_CARD_DOWNLOAD
resident.event.type.SEND_OTP.template.property=mosip.event.type.SEND_OTP
resident.event.type.VALIDATE_OTP.template.property=mosip.event.type.VALIDATE_OTP
resident.event.type.DEFAULT.template.property=mosip.event.type.DEFAULT

Template type codes for service types

Define property name in below format- resident.service-type.<serviceType>.template.property

resident.service-type.AUTHENTICATION_REQUEST.template.property=mosip.service.type.AUTHENTICATION_REQUEST
resident.service-type.SERVICE_REQUEST.template.property=mosip.service.type.SERVICE_REQUEST
resident.service-type.DATA_UPDATE_REQUEST.template.property=mosip.service.type.DATA_UPDATE_REQUEST
resident.service-type.ID_MANAGEMENT_REQUEST.template.property=mosip.service.type.ID_MANAGEMENT_REQUEST
resident.service-type.DATA_SHARE_REQUEST.template.property=mosip.service.type.DATA_SHARE_REQUEST
resident.service-type.ASYNC.template.property=mosip.service.type.ASYNC

Template type codes for id-authentication request types description

Define property name in below format- resident.id-auth.request-type.<authTypeCode>.<statusCode>.descr

resident.id-auth.request-type.OTP-REQUEST.SUCCESS.descr=mosip.ida.auth-request.OTP-REQUEST.Y.descr
resident.id-auth.request-type.OTP-AUTH.SUCCESS.descr=mosip.ida.auth-request.OTP-AUTH.Y.descr
resident.id-auth.request-type.DEMO-AUTH.SUCCESS.descr=mosip.ida.auth-request.DEMO-AUTH.Y.descr
resident.id-auth.request-type.FINGERPRINT-AUTH.SUCCESS.descr=mosip.ida.auth-request.FINGERPRINT-AUTH.Y.descr
resident.id-auth.request-type.IRIS-AUTH.SUCCESS.descr=mosip.ida.auth-request.IRIS-AUTH.Y.descr
resident.id-auth.request-type.FACE-AUTH.SUCCESS.descr=mosip.ida.auth-request.FACE-AUTH.Y.descr
resident.id-auth.request-type.STATIC-PIN-AUTH.SUCCESS.descr=mosip.ida.auth-request.STATIC-PIN-AUTH.Y.descr
resident.id-auth.request-type.STATIC-PIN-STORAGE.SUCCESS.descr=mosip.ida.auth-request.STATIC-PIN-STORAGE.Y.descr
resident.id-auth.request-type.EKYC-AUTH.SUCCESS.descr=mosip.ida.auth-request.EKYC-AUTH.Y.descr
resident.id-auth.request-type.KYC-AUTH.SUCCESS.descr=mosip.ida.auth-request.KYC-AUTH.Y.descr
resident.id-auth.request-type.KYC-EXCHANGE.SUCCESS.descr=mosip.ida.auth-request.KYC-EXCHANGE.Y.descr
resident.id-auth.request-type.IDENTITY-KEY-BINDING.SUCCESS.descr=mosip.ida.auth-request.IDENTITY-KEY-BINDING.Y.descr
resident.id-auth.request-type.TOKEN-REQUEST.SUCCESS.descr=mosip.ida.auth-request.TOKEN-REQUEST.Y.descr
resident.id-auth.request-type.TOKEN-AUTH.SUCCESS.descr=mosip.ida.auth-request.TOKEN-AUTH.Y.descr
resident.id-auth.request-type.UNKNOWN.SUCCESS.descr=mosip.ida.auth-request.UNKNOWN.Y.descr
resident.id-auth.request-type.OTP-REQUEST.FAILED.descr=mosip.ida.auth-request.OTP-REQUEST.N.descr
resident.id-auth.request-type.OTP-AUTH.FAILED.descr=mosip.ida.auth-request.OTP-AUTH.N.descr
resident.id-auth.request-type.DEMO-AUTH.FAILED.descr=mosip.ida.auth-request.DEMO-AUTH.N.descr
resident.id-auth.request-type.FINGERPRINT-AUTH.FAILED.descr=mosip.ida.auth-request.FINGERPRINT-AUTH.N.descr
resident.id-auth.request-type.IRIS-AUTH.FAILED.descr=mosip.ida.auth-request.IRIS-AUTH.N.descr
resident.id-auth.request-type.FACE-AUTH.FAILED.descr=mosip.ida.auth-request.FACE-AUTH.N.descr
resident.id-auth.request-type.STATIC-PIN-AUTH.FAILED.descr=mosip.ida.auth-request.STATIC-PIN-AUTH.N.descr
resident.id-auth.request-type.STATIC-PIN-STORAGE.FAILED.descr=mosip.ida.auth-request.STATIC-PIN-STORAGE.N.descr
resident.id-auth.request-type.EKYC-AUTH.FAILED.descr=mosip.ida.auth-request.EKYC-AUTH.N.descr
resident.id-auth.request-type.KYC-AUTH.FAILED.descr=mosip.ida.auth-request.KYC-AUTH.N.descr
resident.id-auth.request-type.KYC-EXCHANGE.FAILED.descr=mosip.ida.auth-request.KYC-EXCHANGE.N.descr
resident.id-auth.request-type.IDENTITY-KEY-BINDING.FAILED.descr=mosip.ida.auth-request.IDENTITY-KEY-BINDING.N.descr
resident.id-auth.request-type.TOKEN-REQUEST.FAILED.descr=mosip.ida.auth-request.TOKEN-REQUEST.N.descr
resident.id-auth.request-type.TOKEN-AUTH.FAILED.descr=mosip.ida.auth-request.TOKEN-AUTH.N.descr
resident.id-auth.request-type.UNKNOWN.FAILED.descr=mosip.ida.auth-request.UNKNOWN.N.descr

Template type codes for authentication modes (authTypeCode)

Define property name in below format- resident.auth-type-code.<authTypeCode>.code

resident.auth-type-code.OTP-REQUEST.code=mosip.auth-type-code.OTP-REQUEST
resident.auth-type-code.OTP-AUTH.code=mosip.auth-type-code.OTP-AUTH
resident.auth-type-code.DEMO-AUTH.code=mosip.auth-type-code.DEMO-AUTH
resident.auth-type-code.FINGERPRINT-AUTH.code=mosip.auth-type-code.FINGERPRINT-AUTH
resident.auth-type-code.IRIS-AUTH.code=mosip.auth-type-code.IRIS-AUTH
resident.auth-type-code.FACE-AUTH.code=mosip.auth-type-code.FACE-AUTH
resident.auth-type-code.STATIC-PIN-AUTH.code=mosip.auth-type-code.STATIC-PIN-AUTH
resident.auth-type-code.STATIC-PIN-STORAGE.code=mosip.auth-type-code.STATIC-PIN-STORAGE
resident.auth-type-code.EKYC-AUTH.code=mosip.auth-type-code.EKYC-AUTH
resident.auth-type-code.KYC-AUTH.code=mosip.auth-type-code.KYC-AUTH
resident.auth-type-code.KYC-EXCHANGE.code=mosip.auth-type-code.KYC-EXCHANGE
resident.auth-type-code.IDENTITY-KEY-BINDING.code=mosip.auth-type-code.IDENTITY-KEY-BINDING
resident.auth-type-code.TOKEN-REQUEST.code=mosip.auth-type-code.TOKEN-REQUEST
resident.auth-type-code.TOKEN-AUTH.code=mosip.auth-type-code.TOKEN-AUTH
resident.auth-type-code.PWD.code=mosip.auth-type-code.PWD
resident.auth-type-code.PIN.code=mosip.auth-type-code.PIN
resident.auth-type-code.OTP.code=mosip.auth-type-code.OTP
resident.auth-type-code.Wallet.code=mosip.auth-type-code.Wallet
resident.auth-type-code.L1-bio-device.code=mosip.auth-type-code.L1-bio-device

Flag to retrieve UIN or VID

Below property will retrieve VID when requested. Default is false so, UIN will be retrieved. Endpoints using below property- /individualId/otp, /aid/status.

resident.flag.use-vid-only=true

Class name of the referenceValidator

Commenting or removing this property will disable reference validator.

mosip.kernel.idobjectvalidator.referenceValidator=io.mosip.kernel.idobjectvalidator.impl.IdObjectReferenceValidator

Request time validation

For validating request time as per before & after time limit (in seconds) in contact-details/update API.

resident.future.time.limit=60
resident.past.time.limit=60

Date time formatting styles

The java.time.format.FormatStyle enum to use for date time formatting based on locale. Allowed values with examples are:

FULL ('Tuesday, April 12, 1952 AD' or '3:30:42pm PST')
LONG('January 12, 1952')
MEDIUM ('Jan 12, 1952')
SHORT ('12.13.52' or '3:30pm')

Current value is MEDUIM. For more details refer to the enum.

resident.date.time.formmatting.style=MEDIUM
resident.date.time.replace.special.chars={" ": "_", "," : "", ":" : "."}

Cache expiration time (in milliseconds)

resident.cache.expiry.time.millisec.templateCache=86400000
resident.cache.expiry.time.millisec.partnerCache=86400000
resident.cache.expiry.time.millisec.getValidDocumentByLangCode=86400000
resident.cache.expiry.time.millisec.getLocationHierarchyLevelByLangCode=86400000
resident.cache.expiry.time.millisec.getImmediateChildrenByLocCodeAndLangCode=86400000
resident.cache.expiry.time.millisec.getLocationDetailsByLocCodeAndLangCode=86400000
resident.cache.expiry.time.millisec.getCoordinateSpecificRegistrationCenters=86400000
resident.cache.expiry.time.millisec.getApplicantValidDocument=86400000
resident.cache.expiry.time.millisec.getRegistrationCentersByHierarchyLevel=86400000
resident.cache.expiry.time.millisec.getRegistrationCenterByHierarchyLevelAndTextPaginated=86400000
resident.cache.expiry.time.millisec.getRegistrationCenterWorkingDays=86400000
resident.cache.expiry.time.millisec.getLatestIdSchema=86400000
resident.cache.expiry.time.millisec.getGenderCodeByGenderTypeAndLangCode=86400000
resident.cache.expiry.time.millisec.getDocumentTypesByDocumentCategoryAndLangCode=86400000
resident.cache.expiry.time.millisec.getDynamicFieldBasedOnLangCodeAndFieldName=86400000
resident.cache.expiry.time.millisec.getCenterDetails=86400000
resident.cache.expiry.time.millisec.getImmediateChildrenByLocCode=86400000
resident.cache.expiry.time.millisec.getLocationHierarchyLevels=86400000
resident.cache.expiry.time.millisec.getAllDynamicFieldByName=86400000
resident.cache.expiry.time.millisec.getNameValueFromIdentityMapping=86400000

Separators

Usage: resident.attribute.separator.<attribute>=<separator string>

resident.attribute.separator.fullAddress=,

Thread properties

Async thread for audit calls. Limit the number of async threads created in Resident services. This count is divided into 4 thread groups configured in 'io.mosip.resident.config.Config' class.

mosip.resident.async-core-pool-size=100
mosip.resident.async-max-pool-size=100

Logo property

This property is used in all downloaded PDF files.

mosip.pdf.header.logo.url=https://mosip.io/images/mosipn-logo.png

Map (zoom in & out)

These properties are used in reg-center feature for map zoom in & out.

mosip.resident.zoom=14
mosip.resident.maxZoom=18
mosip.resident.minZoom=5

Transliteration workaround properties

Transliteration work around property since eng to fra directly is not supported in icu4j.This can be added for any other unsupported language also.

For example, resident-transliteration-workaround-for-<fromLanguageCode>-<toLanguageCode> = fromLanguageCode-intermediateLanguageCode-toLanguageCode.

For this, intermediate language code transliteration should work in both ways.

resident-transliteration-workaround-for-eng-fra=eng-hin,hin-fra
resident-transliteration-workaround-for-eng-spa=eng-hin,hin-spa

Reg-processer-credential-partner-policy-url

This is a policy url to fetch delimeter to download card after updating uin.

mosip.resident.reg-processer-credential-partner-policy-url=${config.server.file.storage.uri}registration-processor-credential-partners.json

The request IDs used in Resident REST APIs

mosip.resident.api.id.otp.request=mosip.identity.otp.internal
mosip.resident.api.id.auth=mosip.identity.auth.internal
auth.internal.id=mosip.identity.auth.internal
mosip.registration.processor.print.id=mosip.registration.print
vid.create.id=mosip.vid.create
resident.vid.id=mosip.resident.vid
resident.vid.id.generate=mosip.resident.vid.generate
resident.vid.policy.id=mosip.resident.vid.policy
resident.vid.get.id=mosip.resident.vid.get
auth.type.status.id=mosip.identity.authtype.status.update
resident.authlock.id=mosip.resident.authlock
resident.checkstatus.id=mosip.resident.checkstatus
resident.euin.id=mosip.resident.euin
resident.printuin.id=mosip.resident.printuin
resident.uin.id=mosip.resident.uin
resident.rid.id=mosip.resident.rid
resident.updateuin.id=mosip.resident.updateuin
resident.authunlock.id=mosip.resident.authunlock
resident.authhistory.id=mosip.resident.authhistory
resident.authLockStatusUpdateV2.id=mosip.resident.auth.lock.unlock
resident.service.history.id=mosip.service.history.get
resident.document.upload.id=mosip.resident.document.upload
resident.document.get.id=mosip.resident.document.get
resident.document.list.id=mosip.resident.document.list
resident.service.pin.status.id=mosip.resident.pin.status
resident.service.unpin.status.id=mosip.resident.unpin.status
resident.document.delete.id=mosip.resident.document.delete
resident.contact.details.update.id=mosip.resident.contact.details.update.id
resident.contact.details.send.otp.id=mosip.resident.contact.details.send.otp.id
mosip.resident.service.status.check.id=mosip.registration.external.status
resident.service.unreadnotificationlist.id=mosip.resident.service.history.unread
resident.service.event.id=mosip.resident.event.status
resident.identity.info.id=mosip.resident.identity.info
resident.share.credential.id=mosip.resident.share.credential
vid.revoke.id=mosip.vid.update
resident.revokevid.id=mosip.resident.vidstatus
mosip.resident.revokevid.id=mosip.resident.vid.revoke
mosip.resident.grievance.ticket.request.id=mosip.resident.grievance.ticket.request
resident.channel.verification.status.id=mosip.resident.channel.verification.status
resident.event.ack.download.id=mosip.resident.event.ack.download
resident.download.card.eventid.id =mosip.resident.download.card.eventid
mosip.resident.request.vid.card.id=mosip.resident.request.vid.card
mosip.credential.request.service.id=mosip.credential.request.service.id
mosip.resident.checkstatus.individualid.id=mosip.resident.check-stage-status
mosip.resident.download.personalized.card.id=mosip.resident.download.personalized.card
mosip.resident.transliteration.transliterate.id=mosip.resident.transliteration.transliterate
resident.ui.properties.id=resident.ui.properties
mosip.resident.identity.auth.internal.id=mosip.identity.auth.internal
mosip.resident.user.profile.id=mosip.resident.profile
resident.download.reg.centers.list.id=mosip.resident.download.reg.centers.list
resident.download.nearest.reg.centers.id=mosip.resident.download.nearest.reg.centers
resident.download.supporting.documents.id=mosip.resident.download.supporting.documents
resident.send.card.id=mosip.resident.send.card
resident.pinned.eventid.id=mosip.resident.pinned.eventid
resident.unpinned.eventid.id=mosip.resident.unpinned.eventid
resident.auth.proxy.partners.id=mosip.resident.auth.proxy.partners
resident.events.eventid.id=mosip.resident.events.eventid
resident.notification.id=mosip.resident.notification.get
resident.profile.id=mosip.resident.profile.get
resident.notification.click.id=mosip.resident.notification.click
mosip.credential.store.id=mosip.credential.store
resident.vids.id=mosip.resident.vids.get
mosip.resident.download.uin.card=mosip.resident.download.uin.card
mosip.registration.processor.registration.sync.id=mosip.registration.sync
id.repo.update=mosip.id.update
mosip.resident.get.pending.drafts=mosip.resident.get.pending.drafts
mosip.resident.discard.pending.drafts=mosip.resident.discard.pending.drafts

The request versions used in Resident REST APIs

mosip.resident.api.version.otp.request=1.0
mosip.resident.api.version.auth=1.0
auth.internal.version=1.0
mosip.registration.processor.application.version=1.0
mosip.resident.create.vid.version=v1
resident.vid.version=v1
resident.vid.version.new=1.0
resident.revokevid.version=v1
resident.revokevid.version.new=1.0
resident.version.new=1.0
resident.checkstatus.version=v1
resident.authLockStatusUpdateV2.version=1.0
resident.service.history.version=1.0
resident.document.get.version=1.0
resident.document.list.version=1.0
resident.service.pin.status.version=v1
resident.service.unpin.status.version=v1
resident.document.delete.version=1.0
mosip.resident.service.status.check.version=1.0
resident.service.event.version=1.0
resident.identity.info.version=1.0
resident.share.credential.version=1.0
mosip.resident.request.response.version=1.0
mosip.resident.grievance.ticket.request.version=1.0
resident.channel.verification.status.version=1.0
resident.event.ack.download.version=1.0
resident.download.card.eventid.version=1.0
mosip.resident.request.vid.card.version=1.0
mosip.credential.request.service.version=1.0
mosip.resident.checkstatus.individualid.version=1.0
resident.ui.properties.version=1.0
mosip.resident.get.pending.drafts.version=1.0
mosip.resident.discard.pending.drafts.version=1.0

Auth Services API calls

IDA_INTERNAL=${mosip.ida.internal.url}/idauthentication/v1/internal
INTERNALAUTH=${IDA_INTERNAL}/auth
INTERNALAUTHTRANSACTIONS=${IDA_INTERNAL}/authTransactions
KERNELENCRYPTIONSERVICE=${IDA_INTERNAL}/getCertificate
OTP_GEN_URL=${IDA_INTERNAL}/otp
KERNELAUTHMANAGER=${mosip.kernel.authmanager.url}/v1/authmanager/authenticate/clientidsecretkey

Credential Req & service calls

CREDENTIAL_STATUS_URL=${mosip.idrepo.credrequest.generator.url}/v1/credentialrequest/get/
CREDENTIAL_REQ_URL=${mosip.idrepo.credrequest.generator.url}/v1/credentialrequest/requestgenerator
CREDENTIAL_CANCELREQ_URL=${mosip.idrepo.credrequest.generator.url}/v1/credentialrequest/cancel/
CREDENTIAL_TYPES_URL=${mosip.idrepo.credential.service.url}/v1/credentialservice/types

IdRepo identity Service calls

IDREPO_IDENTITY=${mosip.idrepo.identity.url}/idrepository/v1/identity
IDREPOSITORY=${IDREPO_IDENTITY}/
IDREPOGETIDBYUIN=${IDREPO_IDENTITY}/idvid
IDREPOGETIDBYRID=${IDREPO_IDENTITY}/idvid
IDREPO_IDENTITY_URL=${IDREPO_IDENTITY}/idvid/{id}
GET_RID_BY_INDIVIDUAL_ID=${IDREPO_IDENTITY}/rid/{individualId}
IDREPO_IDENTITY_UPDATE_COUNT=${IDREPO_IDENTITY}/{individualId}/update-counts
AUTHTYPESTATUSUPDATE=${IDREPO_IDENTITY}/authtypes/status
IDREPO_IDENTITY_GET_DRAFT_UIN=${IDREPO_IDENTITY}/draft/uin/{UIN}
IDREPO_IDENTITY_DISCARD_DRAFT=${IDREPO_IDENTITY}/draft/discard/

IdRepo vid Service calls

IDREPO_VID=${mosip.idrepo.vid.url}/idrepository/v1/vid
CREATEVID=${IDREPO_VID}
GETUINBYVID=${IDREPO_VID}
IDAUTHCREATEVID=${IDREPO_VID}
IDAUTHREVOKEVID=${IDREPO_VID}
RETRIEVE_VIDS=${IDREPO_VID}/uin/

Key manager API calls

KEYMANAGER=${mosip.kernel.keymanager.url}/v1/keymanager
ENCRYPTURL=${KEYMANAGER}/encrypt
DECRYPT_API_URL=${KEYMANAGER}/decrypt
mosip.resident.keymanager.encrypt-uri=${KEYMANAGER}/encrypt
mosip.resident.keymanager.decrypt-uri=${KEYMANAGER}/decrypt
PACKETSIGNPUBLICKEY=${KEYMANAGER}/tpmsigning/publickey
mosip.keymanager.jwt.sign.end.point=${KEYMANAGER}/jwtSign
PDFSIGN=${KEYMANAGER}/pdf/sign

Master Data api calls

MASTER=${mosip.kernel.masterdata.url}/v1/masterdata
TEMPLATES=${MASTER}/templates
MACHINEDETAILS=${MASTER}/machines
MACHINESEARCH=${MASTER}/machines/search
MACHINECREATE=${MASTER}/machines
CENTERDETAILS=${MASTER}/registrationcenters
VALID_DOCUMENT_BY_LANGCODE_URL=${MASTER}/validdocuments/{langCode}
LOCATION_HIERARCHY_LEVEL_BY_LANGCODE_URL=${MASTER}/locationHierarchyLevels/{langcode}
LOCATION_HIERARCHY=${MASTER}/locationHierarchyLevels
IMMEDIATE_CHILDREN_BY_LOCATIONCODE_AND_LANGCODE_URL=${MASTER}/locations/immediatechildren/{locationcode}/{langcode}
LOCATION_INFO_BY_LOCCODE_AND_LANGCODE_URL=${MASTER}/locations/info/{locationcode}/{langcode}
IMMEDIATE_CHILDREN_BY_LOCATION_CODE=${MASTER}/locations/immediatechildren
REGISTRATION_CENTER_FOR_LOCATION_CODE_URL=${MASTER}/registrationcenters/{langcode}/{hierarchylevel}/names
REGISTRATION_CENTER_BY_LOCATION_TYPE_AND_SEARCH_TEXT_PAGINATED_URL=${MASTER}/registrationcenters/page/{langcode}/{hierarchylevel}/{name}
COORDINATE_SPECIFIC_REGISTRATION_CENTERS_URL=${MASTER}/getcoordinatespecificregistrationcenters/{langcode}/{longitude}/{latitude}/{proximitydistance}
APPLICANT_VALID_DOCUMENT_URL=${MASTER}/applicanttype/{applicantId}/languages
WORKING_DAYS_BY_REGISTRATION_ID=${MASTER}/workingdays/{registrationCenterID}/{langCode}
LATEST_ID_SCHEMA_URL =${MASTER}/idschema/latest
TEMPLATES_BY_LANGCODE_AND_TEMPLATETYPECODE_URL=${MASTER}/templates/{langcode}/{templatetypecode}
DYNAMIC_FIELD_BASED_ON_LANG_CODE_AND_FIELD_NAME=${MASTER}/dynamicfields/{fieldName}/{langcode}
DYNAMIC_FIELD_BASED_ON_FIELD_NAME=${MASTER}/dynamicfields/{fieldName}
DOCUMENT_TYPE_BY_DOCUMENT_CATEGORY_AND_LANG_CODE=${MASTER}/documenttypes/{documentcategorycode}/{langcode}

Notification service

SMSNOTIFIER=${mosip.kernel.notification.url}/v1/notifier/sms/send
EMAILNOTIFIER=${mosip.kernel.notification.url}/v1/notifier/email/send
[email protected]
resident.notification.message=Notification has been sent to the provided contact detail(s)

Partner manager service URLs

PMS_PARTNER_MANAGER=${mosip.pms.partnermanager.url}/v1/partnermanager
POLICY_REQ_URL=${PMS_PARTNER_MANAGER}/partners/{partnerId}/credentialtype/{credentialType}/policies
PARTNER_API_URL=${PMS_PARTNER_MANAGER}/partners
PARTNER_DETAILS_NEW_URL=${PMS_PARTNER_MANAGER}/partners/v2
mosip.pms.pmp.partner.rest.uri=${PMS_PARTNER_MANAGER}/partners?partnerType=${mosip.ida.partner.type}

Reg-proc service calls

REGPROCPRINT=http://regproc-group7.regproc/registrationprocessor/v1/print/uincard
SYNCSERVICE=${mosip.regproc.status.service.url}/registrationprocessor/v1/registrationstatus/sync
PACKETRECEIVER=${mosip.packet.receiver.url}/registrationprocessor/v1/packetreceiver/registrationpackets
GET_RID_STATUS=${mosip.regproc.transaction.service.url}/registrationprocessor/v1/registrationtransaction/search/{rid}
REGISTRATIONSTATUSSEARCH=${mosip.regproc.status.service.url}/registrationprocessor/v1/registrationstatus/externalstatus/search

Resident API calls

mosip.service-context=${server.servlet.context-path}
RESIDENT_SERVICE=${mosip.resident.url}${mosip.service-context}
RESIDENT_REQ_CREDENTIAL_URL=${RESIDENT_SERVICE}/req/credential/status/
GET_ORDER_STATUS_URL=${RESIDENT_SERVICE}/mock/print-partner/check-order-status
mosip.resident.download-card.url=${mosip.api.public.url}${mosip.service-context}/download-card/event/{eventId}
mosip.resident.grievance.url=${mosip.api.public.url}${mosip.service-context}/mock/external/grievance/redressel?name={name}&emailId={email}&phoneNo={phone}&eventId={eventId}

Other service calls

MIDSCHEMAURL=${mosip.kernel.syncdata.url}/v1/syncdata/latestidschema
DIGITAL_CARD_STATUS_URL=${mosip.digitalcard.service.url}/v1/digitalcard/
RIDGENERATION=${mosip.kernel.ridgenerator.url}/v1/ridgenerator/generate/rid
otp-generate.rest.uri=${mosip.kernel.otpmanager.url}/v1/otpmanager/otp/generate
mosip.resident.service.mock.pdf.url=https://uidai.gov.in/images/New_eAadhaar1.pdf
mosip.kernel.masterdata.audit-url=${mosip.kernel.auditmanager.url}/v1/auditmanager/audits

Identity Mapping json

Below config is used to get identity mapping and get remaining update count for the Identity Attributes .

This is used in Resident in Update UIN feature to show remaining update count for the Identity Attribute.

{
	"identity": {
		"IDSchemaVersion": {
			"value": "IDSchemaVersion"
		},
		"selectedHandles" : {
			"value" : "selectedHandles"
		},
		"name": {
			"value": "fullName"
		},
		"gender": {
			"value": "gender"
		},
		"dob": {
			"value": "dateOfBirth"
		},
		"age": {
			"value": "age"
		},
		"introducerRID": {
			"value": "introducerRID"
		},
		"introducerUIN": {
			"value": "introducerUIN"
		},
		"introducerVID": {
			"value": "introducerVID"
		},
		"introducerName": {
			"value": "introducerName"
		},
		"phone": {
			"value": "phone"
		},
		"phoneNumber": {
			"value": "phone"
		},
		"email": {
			"value": "email"
		},
		"emailId": {
			"value": "email"
		},
		"uin": {
			"value": "UIN"
		},
		"vid": {
			"value": "VID"
		},
		"individualBiometrics": {
			"value": "individualBiometrics"
		},
		"introducerBiometrics": {
			"value": "introducerBiometrics"
		},
		"individualAuthBiometrics": {
			"value": "individualAuthBiometrics"
		},
		"officerBiometricFileName": {
			"value": "officerBiometricFileName"
		},
		"supervisorBiometricFileName": {
			"value": "supervisorBiometricFileName"
		},
		"residenceStatus": {
			"value": "residenceStatus"
		},
		"preferredLanguage": {
			"value": "preferredLang"
		},
		"locationHierarchyForProfiling": {
			"value": "zone,postalCode"
		},
		"addressLine1": {
			"value": "addressLine1"
		},
		"addressLine2": {
			"value": "addressLine2"
		},
		"addressLine3": {
			"value": "addressLine3"
		},
		"location1": {
			"value": "city"
		},
		"location2": {
			"value": "region"
		},
		"location3": {
			"value": "province"
		},
		"postalCode": {
			"value": "postalCode"
		},
		"location4": {
			"value": "zone"
		},
		"fullAddress": {
			"value": "addressLine1,addressLine2,addressLine3,city,region,province,postalCode"
		},
		"bestTwoFingers": {
			"value": "bestTwoFingers"
		},
		"birthdate": {
			"value": "dateOfBirth"
		},
		"picture": {
			"value": "face"
		},
		"phone_number": {
			"value": "phone"
		},
		"address": {
			"value": "addressLine1,addressLine2,addressLine3,city,region,province,postalCode"
		},

		"individual_id": {
			"value": "individual_id"
		},
		"attributes": {
		   "value": "fln,ad1,ad2,ad3,cit,reg,pro,poc,cph,em,ph,gen,dob"
		},  
		"street_address": {
			"value": "addressLine1,addressLine2,addressLine3"
		},
		"locality": {
			"value": "city"
		},
		"region": {
			"value": "region"
		},
		"postal_code": {
			"value": "postalCode"
		},
		"country": {
			"value": "province"
		},
		"password": {
			"value": "password"
		}
	},
	"metaInfo": {
		"value": "metaInfo"
	},
	"audits": {
		"value": "audits"
	},
	"documents": {
		"poa": {
			"value": "proofOfAddress"
		},
		"poi": {
			"value": "proofOfIdentity"
		},
		"por": {
			"value": "proofOfRelationship"
		},
		"pob": {
			"value": "proofOfDateOfBirth"
		},
		"poe": {
			"value": "proofOfException"
		}
	},
	"attributeUpdateCountLimit": {
		"fullName": 2,
		"gender": 4,
		"dateOfBirth": 3
	}
}

Mvel File config

This file contains Mvel method definitions for masking attributes, getting passwords, and formatting attributes.

This is used in Resident for downloading PDF cards and for masking attributes in the share credential feature and personalize card feature.

MOSIP Docs 1.2.0

MOSIP

Welcome !🌍

What is MOSIP?

Our Mission & Objectives

Why MOSIP?

Explore Key Areas

Overview

What is a Foundational Identity?

What is MOSIP?

Privacy and Security

MOSIP Modules

MOSIP Ecosystem

MOSIP's Offerings

Building a National ID System Using MOSIP

License

Principles

Inclusion

Privacy and Security

Security by design

Privacy by intent

Security

MOSIP Security Practices

Internal Practices

Platform Design

Development and Release Practices

Operational Practices

Data Protection

Registration data flow

Datashare

Zero-knowledge encryption

Encryption and sharing by Credential Service

Decryption by IDA

ID authentication flow

Technology

Architecture

Architecture Overview

High Level Functional Architecture

Digital ID DPI Framework

Sandbox Details

Collab

Synergy

Standards & Specifications

1. Why Standards Matters?

2. Our Adherence to Global Standards

1. Biometric Standards for Secure Identity Verification

2. Security & Cryptography Standards for Data Protection

3. Open Standards for Seamless Interoperability

4. MOSIP Standards

MOSIP Standards

Inji

About Inji

eSignet

ID Lifecycle Management

Overview

Identity Issuance

Pre-registration

Overview

Introduction

Pre-registration process

Create an application

Book an appointment

Receiving acknowledgement notifications

Download of pre-registration data at registration centers

Pre-registration module

Services

Pre-registration portal

Build and deploy

Configurations

Developer Guide

API

Source code

Develop

UI Specifications

Overview

Test

Pre-registration Collab Guide

Overview

Pre-requisites

Step-by-Step Process