ID Repository contains the records of identity of an individual, and provides API based mechanism to store, retrieve and update identity details by other MOSIP modules. ID Repository is used by Registration Processor, ID Authentication and Resident Services.
ID Repository module consists of the following components:
Identity service
VID service
Credential service
Credential Request Generator service
Credential Feeder
Salt generator
Identity service stores, updates and retrieves identity information. It also retrieves and updates UIN status.
Identity service uses Biometric SDK (server) to extract templates from provided biometric data.
The entity relationship diagram for the Identity service is shown above. NOTE: The numbers do not signify the sequence of operations or control flow; arrows indicate data flow.
Key Manager encrypts/decrypts data.
Credential request generator issues credentials for new/updated UIN data.
Object Store stores/retrieves biometrics and demographic documents.
All demographic data of a UIN, and references to the biometric and demographic files stored in the object store, are stored in mosip_idrepo DB.
Partner management service retrieves online verification partners to issue credentials.
Audit logs are logged into Audit Manager.
Biometric SDK extracts the templates for input biometric data.
Auth Adapter integrates with KeyCloak for authentication.
Masterdata service retrieves the Identity schema based on the input schema version.
WebSub publishes events related to UIN updation and auth type status updates.
Kernel ID generator generates UIN.
VID service fetches the list of VIDs associated with a UIN, to issue credentials when the UIN is updated and to create and activate draft VIDs.
VID Service provides functionality to create/update Virtual IDs mapped against a UIN. It also provides the facility to update the status of a VID. VIDs are created based on the VID policy defined in the configuration.
Key Manager encrypts/decrypts data.
Credential request generator issues credentials for new/updated UIN data.
All VID related data is stored in mosip_idmap DB.
Partner management service retrieves online verification partners to issue credentials.
Audit logs are logged into Audit Manager.
Auth Adapter integrates with KeyCloak for authentication.
WebSub publishes events related to VID updation.
Kernel ID generator generates VID.
Identity service checks the status of UIN to create VID.
Key Manager encrypts/decrypts data and is also used to sign data.
WebSub subscribes to get notifications related to credential status from IDA.
DataShare creates datashare url for sharable attributes.
Identity service retrieves identity data for UIN/VID.
Partner management service retrieves policies related to credential type and also retrieves policy for bio-extraction.
Auth Adapter integrates with KeyCloak for authentication.
A credential can be defined as any document, object, or data structure that vouches for the identity of a person through some method of trust and authentication. Simply put, a credential is the thing that a person presents—in person or remotely—to say "this is who I am." The types of credentials issued in an ID system vary along multiple dimensions, depending on whether they are physical (i.e., they must be physically carried by a person in order to use them), or digital (i.e., they are machine readable and therefore can be used in a digital environment).
A credential type essentially maps to partner and data share policy.
Default credential types provided as part of sandbox deployment are given below:
auth: Represents an individual's data shared with Online Verification Partners (further used for Authentication and eKYC).
qrcode: Used by qrcode partners to issue qrcode related credential data.
euin: Used to issue credential data to partners who wish to download the euin card using the euin policy.
reprint: Used for issuing credential information to reprint partners.
vercred: Used to issue verifiable credentials to partners.
These types are defined in the partner_policy_credential_type table of the mosip_pms database.
New credential types may be defined as per needs of a country.
This service creates request for credential issuance.
Key Manager encrypts/decrypts data.
Auth Adapter integrates with KeyCloak for authentication.
This job feeds the existing UIN/VID identity information to a newly deployed IDA instance.
This is a one-time job that populates the salts used to hash and encrypt data for the Identity and VID services. It must be executed before deploying these services. The following tables are populated:
uin_hash_salt in mosip_idrepo DB.
uin_encrypt_salt in mosip_idmap DB.
In MOSIP sandbox, the job is run here.
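The page does not describe how the salts are selected or applied, so the following is an added illustration (not MOSIP's own code) of the pattern such a one-time job serves: a fixed table of random salts is generated once, each UIN is mapped to one row, and the value stored for lookup is computed with that row's salt. The table size, the modulo selection rule, the salt length and SHA-256 are all assumptions made for this example. The point it shows is that the table must exist, and must never change, before any identity is hashed, because every later lookup recomputes the same hash with the same salt.

```python
import hashlib
import secrets

# Assumed table size for the example: the job populates this many rows once.
SALT_TABLE_SIZE = 1000


def generate_salt_table(size: int = SALT_TABLE_SIZE, salt_bytes: int = 16) -> dict:
    """One-time job: produce {row_id: salt_hex} for rows 0..size-1 with a CSPRNG.
    Stands in for populating a table such as uin_hash_salt (assumed layout)."""
    return {i: secrets.token_hex(salt_bytes) for i in range(size)}


def salt_id_for(uin: str, size: int = SALT_TABLE_SIZE) -> int:
    """Assumed selection rule: choose the salt row by the numeric UIN modulo the
    table size, so the same UIN always maps to the same row."""
    return int(uin) % size


def hash_uin(uin: str, salt_table: dict) -> str:
    """Assumed hashing scheme: SHA-256 over (salt || UIN). This is the value a
    service would store and later recompute to look an identity up without
    keeping the UIN in clear text in the lookup column."""
    salt = salt_table[salt_id_for(uin, len(salt_table))]
    return hashlib.sha256((salt + uin).encode("utf-8")).hexdigest()


def lookup_ready(salt_table: dict, size: int = SALT_TABLE_SIZE) -> bool:
    """Deployment check: every row id the selection rule can produce must exist,
    otherwise some UINs would fail to hash once the services start."""
    return all(i in salt_table for i in range(size))


if __name__ == "__main__":
    table = generate_salt_table()
    uin = "1234567890"  # constructed sample UIN
    print("ready:", lookup_ready(table))
    print("row:", salt_id_for(uin), "hash:", hash_uin(uin, table))
```

Running the job twice would produce a different table; any hash computed against the first table would then fail to match, which is why the page insists the job is run once, before the services are deployed.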
To know more about the developer setups, read:
Refer API Documentation.
UIN / VID are system-generated unique identifiers provided to Residents. Residents are allowed to authenticate themselves using either UIN / VID.
What if residents are given the flexibility to create their handle (username) and use their unique handle to authenticate?
Handles can include resident's phone number, e-mail ID, or any linked functional ID / sectoral ID.
The handle can also be a custom username created through the resident portal.
Countries that have an established user base can now register users onto a relying portal using distinctive identifiers referred to as handles. These handles are tailored to the specific requirements of each country, enabling users to easily access digital services and receive prompt benefits from both the government and the private sector. This approach eliminates the need for users to remember new or system-generated IDs.
The implementation of custom handles involves the steps below:
Mark the fields that can be used as user handles. A new attribute, handle, which accepts a boolean value, is introduced in the identity schema. More than one field in the identity schema can be marked as a handle.
With phone as an example (note the handle attribute set to true):
{"fieldCategory": "phone number", "format": "none", "type": "string", "fieldType": "default", "requiredOn" : "", "handle" : true},
When the user registers, the collected user data should contain selectedHandles: since more than one field can be marked as a handle, the user can choose which of the handle fields to use, or choose all of them. Client UIs collecting user data during registration can decide whether to offer this choice to the user, or can set selectedHandles to default values decided by the country. selectedHandles is also a field in the identity schema:
"selectedHandles" : {"fieldCategory": "none","format": "none","type": "array","items" : { "type" : "string" },"fieldType": "default" }
When the collected identity object is sent to the ID repository, it validates the data and accepts the handle provided it is unique amongst the registered handles.
Note: If a handle is duplicated, the request to register the user is rejected.
Once the identity is successfully processed and stored in the ID repository, identity credentials are issued to IDA to store user credentials for each ID (UIN and VID) as well as for each selected handle.
The ID repository can be configured to disable issuance of user credentials to IDA for UIN- or VID-based requests using properties such as the one below (UIN shown):
mosip.idrepo.identity.disable-uin-based-credential-request=true
If the system is configured to use more than one functional ID as a handle, and two different functional ID systems follow the same format/pattern to generate an ID, handle collisions may occur.
A collision between two different functional IDs results in denying the creation/update of a handle for a resident.
Solution: Every handle stored is postfixed with a handle type, and the handle type is chosen based on the handle's field ID in the identity schema. On every authentication request, IDA expects the handle postfixed with its handle type as input.
The property below is introduced in the ID repository to postfix the handle type on every creation of an identity.
mosip.identity.fieldid.handle-postfix.mapping={'phone':'@phone'}
The property below is introduced in the Id-authentication-default.properties file to validate the handle value based on the postfix provided in the individualId input.
mosip.ida.handle-types.regex={ '@phone' : '^\\+91[1-9][0-9]{7,9}@phone$' }
Implementing custom handles provides a user-friendly approach to user authentication without burdening end users with the need to remember additional or system generated complex IDs.
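The handle flow described above, as an added example that is not part of the MOSIP code base: the two property values are taken verbatim from this page, the identity-schema fragment is constructed for the example (the email field is an assumed second handle field with no postfix configured, to show what happens then), the registry of already registered handles is an in-memory set standing in for the ID repository's uniqueness check, and parse_spel_map is an assumed helper for reading the map-literal property syntax. The repository side derives the postfixed handles from selectedHandles and rejects the whole request on a duplicate; the IDA side checks a postfixed individualId against the regex configured for its handle type.

```python
import json
import re


def parse_spel_map(value: str) -> dict:
    """Assumed helper: read a property value written as a map literal such as
    {'phone':'@phone'} by swapping single quotes for double quotes and parsing
    it as JSON (MOSIP itself reads these through Spring)."""
    return json.loads(value.replace("'", '"'))


# Property values exactly as they appear on the page. The \\+ in the regex is
# properties-file escaping and becomes \+ once parsed.
HANDLE_POSTFIX_MAPPING = parse_spel_map("{'phone':'@phone'}")
HANDLE_TYPES_REGEX = parse_spel_map(r"{ '@phone' : '^\\+91[1-9][0-9]{7,9}@phone$' }")

# Constructed identity-schema fragment (not the real MOSIP schema): two fields
# flagged with "handle": true, plus the selectedHandles array from the page.
IDENTITY_SCHEMA = {
    "phone": {"fieldCategory": "phone number", "format": "none", "type": "string",
              "fieldType": "default", "requiredOn": "", "handle": True},
    "email": {"fieldCategory": "none", "format": "none", "type": "string",
              "fieldType": "default", "requiredOn": "", "handle": True},
    "fullName": {"fieldCategory": "none", "format": "none", "type": "string",
                 "fieldType": "default", "requiredOn": ""},
    "selectedHandles": {"fieldCategory": "none", "format": "none", "type": "array",
                        "items": {"type": "string"}, "fieldType": "default"},
}


def handle_fields(schema: dict) -> set:
    """Field ids the identity schema marks with "handle": true."""
    return {fid for fid, spec in schema.items() if spec.get("handle") is True}


def derive_handles(identity: dict, schema: dict, postfix_mapping: dict) -> dict:
    """Return {field_id: stored_handle} for every field listed in selectedHandles.
    The stored handle is the raw value plus the postfix configured for that
    field id, which is what keeps two functional IDs with the same pattern
    from colliding. Unflagged fields, fields without a postfix and empty
    values are all rejected."""
    allowed = handle_fields(schema)
    stored = {}
    for fid in identity.get("selectedHandles", []):
        if fid not in allowed:
            raise ValueError(f"{fid} is not marked as a handle in the schema")
        if fid not in postfix_mapping:
            raise ValueError(f"no handle postfix configured for {fid}")
        value = identity.get(fid)
        if not value:
            raise ValueError(f"selected handle {fid} has no value")
        stored[fid] = f"{value}{postfix_mapping[fid]}"
    return stored


def register_identity(identity: dict, schema: dict, postfix_mapping: dict,
                      registry: set) -> dict:
    """ID-repository side: accept the identity only if every derived handle is
    unique amongst already registered handles; otherwise reject the whole
    request without registering anything."""
    handles = derive_handles(identity, schema, postfix_mapping)
    duplicates = [h for h in handles.values() if h in registry]
    if duplicates:
        raise ValueError(f"duplicate handle(s): {duplicates}")
    registry.update(handles.values())
    return handles


def handle_type_of(individual_id: str, regex_map: dict):
    """IDA side: find which configured postfix the individualId carries and
    check the whole value against that type's regex. Returns the handle type
    (e.g. '@phone') on success, None for an unknown postfix or a mismatch."""
    for postfix, pattern in regex_map.items():
        if individual_id.endswith(postfix):
            return postfix if re.fullmatch(pattern, individual_id) else None
    return None


if __name__ == "__main__":
    registry = set()
    alice = {"fullName": "Alice", "phone": "+919876543210",  # constructed data
             "selectedHandles": ["phone"]}
    print("stored:", register_identity(alice, IDENTITY_SCHEMA, HANDLE_POSTFIX_MAPPING, registry))
    print("auth type:", handle_type_of("+919876543210@phone", HANDLE_TYPES_REGEX))
```

Because the postfix is matched before the regex, a value such as +919876543210 sent without @phone is not accepted as a handle at all, and a mapping entry with no matching regex entry on the IDA side (the assumed email field here) is caught at registration rather than at authentication time.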
Identity Service stores, updates and retrieves identity information. It also retrieves and updates UIN status.
The documentation here will guide you through the prerequisites required for the developer setup.
Below is a list of tools required for the ID Repository Services (Identity Service) setup:
JDK 11
Any IDE (like Eclipse, IntelliJ IDEA)
Apache Maven (zip folder)
pgAdmin
Postman
Git
Notepad++ (optional)
lombok.jar (file)
settings.xml (document)
Follow the steps below to set up ID Repository - Identity Services on your local system:
1. Download lombok.jar and settings.xml from here.
2. Unzip Apache Maven and move the unzipped folder to C:\Program Files, and move settings.xml to the "conf" folder C:\Program Files\apache-maven-3.8.4\conf.
3. Install Eclipse, open the lombok.jar file, wait until it completes the scan for the Eclipse IDE and then click Install/Update.
4. Check the Eclipse installation folder C:\Users\userName\eclipse\jee-2021-12\eclipse to see if lombok.jar has been added. With this, you don't have to add the lombok dependency to your pom.xml file separately, as it is auto-configured by Eclipse.
5. Configure the JDK (Standard VM) in Eclipse via Preferences → Java → Installed JREs.
For the code setup, clone the repository and follow the guidelines mentioned in the Code Contributions.
Open the project folder where pom.xml is present.
Open a command prompt from the same folder.
Run the command mvn clean install -Dgpg.skip=true to build the project and wait for the build to complete successfully.
After building the project, open Eclipse and select Import Projects → Maven → Existing Maven Projects → Next → Browse to project directory → Finish.
After successfully importing the project, update it by right-clicking on Project → Maven → Update Project.
1. For the environment setup, you need an external JAR that is available here in different versions (e.g. you can download kernel-auth-adapter.jar and add it to the project via Libraries → Classpath → Add External JARs → Select Downloaded JAR → Add → Apply and Close).
2. Clone the mosip-config repository.
3. Create an empty folder named sandbox-local inside mosip-config, then copy and paste all config files into the sandbox-local folder except .gitignore, README and LICENSE.
4. As ID Repository uses two properties files, id-repository-default and application-default, you will have to configure them according to your environment. The same files are available here for reference.
Properties to be updated:
application-default.properties
mosip.mosip.resident.client.secret = <current_password>
db.dbuser.password=<password>
mosip.kernel.xsdstorage-uri=file:///home/user/Desktop/tspl/mosip-config/sandbox-local/ (i.e. the sandbox-local folder location).
Comment out auth.server.admin.issuer.internal.uri in the application-default.properties file: auth.server.admin.issuer.uri is already set, so auth.server.admin.issuer.internal.uri is not needed.
mosip.identity.mapping-file=<Path_to_identity_mapping_json_file> (for example: file:///home/user/Desktop/tspl/mosip-config/sandbox-local/identity-mapping.json)
id-repository-default.properties
mosip.idrepo.db.url
mosip.idrepo.db.port
Comment out all the lines containing mosip.biometric.sdk.providers.finger, mosip.biometric.sdk.providers.face and mosip.biometric.sdk.providers.iris.
Comment out the property mosip.kernel.idobjectvalidator.referenceValidator.
mosip.idrepo.mosip-config-url=file:///home/user/Desktop/tspl/mosip-config/sandbox-local/ (i.e. the sandbox-local folder location).
5. To run the config server, two files are required: kernel-config-server.jar and config-server-start.bat.
6. Put both files in the same folder, change the location attribute in the config-server-start.bat file to the sandbox-local folder, and check the version of kernel-config-server.jar towards the end of the command.
Example:
java -jar -Dspring.profiles.active=native -Dspring.cloud.config.server.native.search-locations=file:C:\Users\myDell\mosipProject\mosip-config\sandbox-local -Dspring.cloud.config.server.accept-empty=true -Dspring.cloud.config.server.git.force-pull=false -Dspring.cloud.config.server.git.cloneOnStart=false -Dspring.cloud.config.server.git.refreshRate=0 kernel-config-server-1.2.0-20201016.134941-57.jar
7. Run the server by opening the config-server-start.bat file.
The server should now be up and running.
Below are the configurations to be done in Eclipse:
1. Open Eclipse and run the project once as a Java application, so that a Java application entry appears in the debug configurations; then change its name (e.g. project name with environment: "Identity-Service-dev").
2. Open the arguments and pass -Ddomain.url=dev.mosip.net -Dapplication.base.url=http://localhost:8090 -Dspring.profiles.active=default -Dspring.cloud.config.uri=http://localhost:51000/config -Dspring.cloud.config.label=master in VM arguments.
3. Here, the domain URL represents the environment you are working on (e.g. dev2.mosip.net or qa3.mosip.net).
4. Click Apply and then debug it (starts running).
For API documentation, refer here.
The APIs can be tested with the help of Swagger-UI.
Swagger is an interface description language for describing RESTful APIs expressed using JSON. You can access the Swagger-UI of identity-services on localhost at http://localhost:8090/idrepository/v1/identity/swagger-ui/index.html?configUrl=/idrepository/v1/identity/v3/api-docs/swagger-config#/
This service creates request for credential issuance.
Keymanager encrypts/decrypts data.
Auth Adapter integrates with Keycloak for authentication.
The documentation here will guide you through the prerequisites required for the developer setup.
Below is a list of tools required for the ID Repository (Credential Request Generator Service) setup:
JDK 11
Any IDE (like Eclipse, IntelliJ IDEA)
Apache Maven (zip folder)
pgAdmin
Postman
Git
Notepad++ (optional)
lombok.jar (file)
settings.xml (document)
Follow the steps below to set up ID Repository Services on your local system:
1. Download lombok.jar and settings.xml from here.
2. Unzip Apache Maven and move the unzipped folder to C:\Program Files, and move settings.xml to the "conf" folder C:\Program Files\apache-maven-3.8.4\conf.