Invalid_grant and aud claim is not valid during OpenID4VCI issuance

I’m running a local INJI PoC with docker-compose to integrate Inji with a local Keycloak instance. I’m using these images in the docker-compose:

  • image: mosipid/inji-certify-with-plugins:0.11.0
  • image: mosipid/mimoto:0.17.0
  • image: mosipid/inji-web:0.12.0

And in another container I’m running a Keycloak instance.

I have two blockers/errors:

  1. Mimoto → Keycloak token exchange: invalid_grant: Code not valid.
    I aligned everything to http://localhost:3001/redirect (INJI-Web, issuer redirect, Keycloak Valid Redirect URIs). Still happens intermittently.

  2. Mimoto → Certify: Certify rejects the access token with “aud claim is not valid”.
    Token aud = ["http://localhost:8091", "<realm>/protocol/openid-connect/token", "account"].
    Certify allowed-audiences currently includes the first two. Should account be added, or should we remove it from the token? Is Certify’s check strict-subset or “contains any”?

I’m attaching the config files, the docker-compose and a file with the docker logs for clarification.

version: '3.8'

services:
  database:
    image: 'postgres:latest'
    environment:
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=postgres
    volumes:
      - ./certify_init.sql:/docker-entrypoint-initdb.d/certify_init.sql
    networks:
      - network
    ports:
      - "5433:5432"

  certify:
    image: mosipid/inji-certify-with-plugins:0.11.0
    user: root
    ports:
      - 8090:8090
    extra_hosts:
      - "keycloak.local:host-gateway"
    environment:
      - container_user=mosip
      - active_profile_env=default, csvdp-farmer
      - SPRING_CONFIG_NAME=certify
      - SPRING_CONFIG_LOCATION=/home/mosip/config/
      - enable_certify_artifactory=false
      - download_hsm_client=false
      - mosipbox_public_url=http://certify-nginx:80
    volumes:
      - ./config/certify-default.properties:/home/mosip/config/certify-default.properties
      - ./config/certify-csvdp-farmer.properties:/home/mosip/config/certify-csvdp-farmer.properties
      - ./config/certify-mock-mdl.properties:/home/mosip/config/certify-mock-mdl.properties
      - ./data/CERTIFY_PKCS12:/home/mosip/CERTIFY_PKCS12
      # This can be disabled if one uses plugins included in inji-certify-with-plugins docker image.
      - ./loader_path/certify/:/home/mosip/additional_jars/
      # modify the below file to change the identity fields in the VC
      - ./config/farmer_identity_data.csv:/home/mosip/config/farmer_identity_data.csv
    networks:
      - network
    depends_on:
      - database

  certify-nginx:
    image: nginx:stable
    ports:
      - 8091:80
    volumes:
      - ./certify-nginx.conf:/etc/nginx/conf.d/default.conf
    networks:
      - network
    depends_on:
      - certify


  mimoto-service:
    container_name: 'Mimoto-Service'
    image: mosipid/mimoto:0.17.0
    user: root
    ports:
      - '8099:8099'
    extra_hosts:
      - "keycloak.local:host-gateway"
    environment:
      - container_user=mosip
      - active_profile_env=default
      - SPRING_CONFIG_NAME=mimoto
      - SPRING_CONFIG_LOCATION=/home/mosip/
    networks:
      - network
    volumes:
      - ./config/mimoto-default.properties:/home/mosip/mimoto-default.properties
      - ./config/mimoto-issuers-config.json:/home/mosip/mimoto-issuers-config.json
      - ./config/mimoto-trusted-verifiers.json:/home/mosip/mimoto-trusted-verifiers.json
      - ./certs/oidckeystore.p12:/home/mosip/certs/oidckeystore.p12

  inji-web:
    container_name: 'inji-web'
    image: mosipid/inji-web:0.12.0
    ports:
      - '3001:3004'
    environment:
      - DEFAULT_LANG=en
      - MIMOTO_HOST=http://localhost:3001/v1/mimoto
    volumes:
      - ./config/mimoto-default.properties:/home/mosip/mimoto-default.properties
      - ./config/mimoto-issuers-config.json:/home/mosip/mimoto-issuers-config.json
      - ./config/mimoto-trusted-verifiers.json:/home/mosip/mimoto-trusted-verifiers.json
      - ./config/credential-template.html:/home/mosip/credential-template.html
      - ./nginx.conf:/etc/nginx/conf.d/default.conf
    depends_on:
      - mimoto-service
    networks:
      - network

networks:
  network:
    name: mosip_network
    external: true

volumes:
  cache:
    driver: local

certify logs:

{"@timestamp":"2025-09-11T01:40:51.185Z","@version":"1","message":"Access token validation failed","logger_name":"io.mosip.certify.filter.AccessTokenValidationFilter","thread_name":"http-nio-8090-exec-2","level":"ERROR","level_value":40000,"stack_trace":"org.springframework.security.oauth2.jwt.JwtValidationException: An error occurred while attempting to decode the Jwt: The aud claim is not valid\n\tat org.springframework.security.oauth2.jwt.NimbusJwtDecoder.validateJwt(NimbusJwtDecoder.java:193)\n\tat org.springframework.security.oauth2.jwt.NimbusJwtDecoder.decode(NimbusJwtDecoder.java:139)\n\tat io.mosip.certify.filter.AccessTokenValidationFilter.doFilterInternal(AccessTokenValidationFilter.java:89)\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)\n\tat org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:108)\n\tat org.springframework.security.web.FilterChainProxy.lambda$doFilterInternal$3(FilterChainProxy.java:231)\n\tat org.springframework.security.web.ObservationFilterChainDecorator$FilterObservation$SimpleFilterObservation.lambda$wrap$1(ObservationFilterChainDecorator.java:479)\n\tat org.springframework.security.web.ObservationFilterChainDecorator$AroundFilterObservation$SimpleAroundFilterObservation.lambda$wrap$1(ObservationFilterChainDecorator.java:340)\n\tat org.springframework.security.web.ObservationFilterChainDecorator.lambda$wrapSecured$0(ObservationFilterChainDecorator.java:82)\n\tat org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:128)\n\tat org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:100)\n\tat org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)\n\tat org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)\n\tat org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)\n\tat org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)\n\tat org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)\n\tat 
mimoto logs:

2025-09-11T02:01:55.102Z ERROR 1 --- [mimoto] [nio-8099-exec-9] [68c22d928667936429ba930b597533f0-34b77903c2198ef8] io.mosip.mimoto.util.RestApiClient       : RestApiClient::postApi()::error uri: http://certify-nginx:80/v1/certify/issuance/credential 401 : "{"error":"invalid_token","error_description":"invalid_token"}" {}

org.springframework.web.client.HttpClientErrorException$Unauthorized: 401 : "{"error":"invalid_token","error_description":"invalid_token"}"
	at org.springframework.web.client.HttpClientErrorException.create(HttpClientErrorException.java:106) ~[spring-web-6.1.4.jar!/:6.1.4]
	at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:183) ~[spring-web-6.1.4.jar!/:6.1.4]
	at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:137) ~[spring-web-6.1.4.jar!/:6.1.4]
	at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63) ~[spring-web-6.1.4.jar!/:6.1.4]
	at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:942) ~[spring-web-6.1.4.jar!/:6.1.4]
	at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:891) ~[spring-web-6.1.4.jar!/:6.1.4]
	at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:790) ~[spring-web-6.1.4.jar!/:6.1.4]
	at org.springframework.web.client.RestTemplate.postForObject(RestTemplate.java:507) ~[spring-web-6.1.4.jar!/:6.1.4]
	at io.mosip.mimoto.util.RestApiClient.postApi(RestApiClient.java:185) ~[!/:0.17.0]
	at io.mosip.mimoto.service.impl.CredentialServiceImpl.downloadCredential(CredentialServiceImpl.java:143) ~[!/:0.17.0]
	at io.mosip.mimoto.service.impl.CredentialServiceImpl.downloadCredentialAsPDF(CredentialServiceImpl.java:132) ~[!/:0.17.0]
	at io.mosip.mimoto.controller.CredentialsController.downloadCredentialAsPDF(CredentialsController.java:65) ~[!/:0.17.0]
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source) ~[na:na]
	at java.base/java.lang.reflect.Method.invoke(Unknown Source) ~[na:na]

mimoto-issuers-config.json

{
  "issuers": [
    {
      "credential_issuer": "Farmer",
      "issuer_id": "Farmer",
      "protocol": "OpenId4VCI",
      "display": [
        {
          "name": "Agriculture Department",
          "logo": {
            "url": "https://mosip.github.io/inji-config/logos/agro-vertias-logo.png",
            "alt_text": "agri-logo"
          },
          "title": "Agriculture Department",
          "description": "Download Farmers Credentials",
          "language": "en"
        }
      ],
      "client_id": "wallet-demo",
      "redirect_uri": "http://localhost:3001/redirect",
      "token_endpoint": "http://localhost:8099/v1/mimoto/get-token/Farmer",
      "authorization_audience": "http://keycloak.local:8080/realms/inji-poc-2/protocol/openid-connect/token",
      "proxy_token_endpoint": "http://keycloak.local:8080/realms/inji-poc-2/protocol/openid-connect/token",
      "client_alias": "wallet-demo-client",
      "qr_code_type": "EmbeddedVC",
      "enabled": "true",
      "wellknown_endpoint": "http://certify-nginx:80/.well-known/openid-credential-issuer",
      "credential_issuer_host": "http://certify-nginx:80/v1/certify/issuance"
    },
    {
      "issuer_id": "MockMdl",
      "credential_issuer": "MockMdl",
      "protocol": "OpenId4VCI",
      "display": [
        {
          "name": "Transport Department",
          "logo": {
            "url": "https://api.collab.mosip.net/inji/mosip-logo.png",
            "alt_text": "mosip-logo"
          },
          "title": "Transport Department",
          "description": "Download Mobile Driving License",
          "language": "en"
        }
      ],
      "client_id": "wallet-demo",
      "redirect_uri": "io.mosip.residentapp.inji://oauthredirect",
      "token_endpoint": "http://localhost:8099/v1/mimoto/get-token/MockMdl",
      "authorization_audience": "http://keycloak.local:8080/realms/inji-poc-2/protocol/openid-connect/token",
      "proxy_token_endpoint": "http://keycloak.local:8080/realms/inji-poc-2/protocol/openid-connect/token",
      "client_alias": "wallet-demo-client",
      "qr_code_type": "EmbeddedVC",
      "enabled": "true",
      "wellknown_endpoint": "http://certify-nginx:80/.well-known/openid-credential-issuer",
      "credential_issuer_host": "http://certify-nginx:80/v1/certify/issuance"
    }    
  ]
}

mimoto-default.properties

server.port=8099
server.servlet.context-path=/v1/mimoto
health.config.enabled=false
mosip.service.end-points=/**/*

mosipbox.public.url=http://localhost:${server.port}
mosip.api.public.url=http://localhost:${server.port}
mosip.resident.url=https://api.collab.mosip.net/v1/resident
# mosip.esignet.host=https://esignet.collab.mosip.net
mosip.esignet.host=http://keycloak.local:8080/realms/inji-poc-2
keycloak.external.url=https://iam.collab.mosip.net/
mosip.kernel.authmanager.url=http://authmanager.kernel/
mosip.websub.url=http://websub.websub/

# START inji-default.properties

mosip.inji.allowedAuthType=demo,otp,bio-Finger,bio-Iris,bio-Face
mosip.inji.allowedEkycAuthType=demo,otp,bio-Finger,bio-Iris,bio-Face
mosip.inji.allowedInternalAuthType=otp,bio-Finger,bio-Iris,bio-Face
mosip.inji.faceSdkModelUrl=https://api.collab.mosip.net/inji
# maximum number of retry for downloading vc
mosip.inji.vcDownloadMaxRetry=10
# pool interval in milli seconds
mosip.inji.vcDownloadPoolInterval=6000
# validate binding audience url to be sent in token
mosip.inji.audience=ida-binding
# issuer to be sent in token
mosip.inji.issuer=residentapp
# warning screen domain name
mosip.inji.warningDomainName=${mosip.api.public.url}
#timeout for vc download api via openid4vci flow in milliseconds
mosip.inji.openId4VCIDownloadVCTimeout=30000
# inji documentation url
mosip.inji.aboutInjiUrl=https://docs.mosip.io/inji/inji-mobile-wallet/overview
# minimum storage space required for making audit entry in MB
mosip.inji.minStorageRequiredForAuditEntry=2
# minimum storage space required for downloading / receiving vc in MB
mosip.inji.minStorageRequired=2

# END inji-default.properties


# START bootstrap.properties

spring.cloud.config.uri=http://inji-web:3004/
spring.cloud.config.name=mimoto,inji
spring.application.name=mimoto
config.server.file.storage.uri=http://inji-web:3004/

management.endpoint.health.show-details=always
management.endpoints.web.exposure.include=info,health,refresh

openapi.info.title=${spring.application.name}
openapi.info.description=${spring.application.name}
openapi.info.version=1.0
openapi.info.license.name=Mosip
openapi.info.license.url=https://docs.mosip.io/platform/license
openapi.service.servers[0].url=${mosip.api.public.url}${server.servlet.context-path}
openapi.service.servers[0].description=${spring.application.name}
openapi.group.name=${openapi.info.title}
openapi.group.paths[0]=/**
springdoc.swagger-ui.disable-swagger-default-url=true
springdoc.swagger-ui.tagsSorter=alpha
springdoc.swagger-ui.operationsSorter=alpha

# END bootstrap.properties

# MOSIP

public.url=${mosip.api.public.url}/v1/mimoto
mosip.resident.base.url=${mosip.resident.url}/resident/v1
idp.binding.base.url=https://${mosip.esignet.host}/v1/esignet/binding
mosip.iam.adapter.disable-self-token-rest-template=true

RESIDENT_OTP=${mosip.resident.base.url}/req/otp
RESIDENT_CREDENTIAL_REQUEST=${mosip.resident.base.url}/req/credential
RESIDENT_CREDENTIAL_REQUEST_STATUS=${RESIDENT_CREDENTIAL_REQUEST}/status
RESIDENT_VID=${mosip.resident.base.url}/vid
RESIDENT_AUTH_LOCK=${mosip.resident.base.url}/req/auth-lock
RESIDENT_AUTH_UNLOCK=${mosip.resident.base.url}/req/auth-unlock
RESIDENT_INDIVIDUALID_OTP=${mosip.resident.base.url}/individualId/otp
RESIDENT_AID_GET_INDIVIDUALID=${mosip.resident.base.url}/aid/status
BINDING_OTP=${idp.binding.base.url}/binding-otp
WALLET_BINDING=${idp.binding.base.url}/wallet-binding


# Resident App
credential.template=template.json
credential.sample=sample_credential.json
credential.data.path=data
safetynet.api.key=
safetynet.api.url=https://www.googleapis.com/androidcheck/v1/attestations/verify?key=${safetynet.api.key}

registration.processor.print.textfile=registration-processor-print-text-file.json

# Websub
mosip.event.hubUrl=${mosip.websub.url}/hub/
mosip.event.hub.subUrl=${mosip.event.hubUrl}
mosip.event.hub.pubUrl=${mosip.event.hubUrl}


# MOSIP partner
mosip.partner.id=mpartner-default-mobile
mosip.event.callBackUrl=${public.url}/credentialshare/callback/notify
mosip.event.topic=${mosip.partner.id}/CREDENTIAL_ISSUED
mosip.event.secret=Kslk30SNF2AChs2


mosip.partner.crypto.p12.filename=keystore.p12
mosip.partner.crypto.p12.password=1234cryptopwd
mosip.partner.crypto.p12.alias=partner
mosip.partner.encryption.key=${mosip.partner.crypto.p12.password}
mosip.partner.prependThumbprint=true


mosip.datashare.partner.id=mpartner-default-resident
mosip.datashare.policy.id=mpolicy-default-resident


csrf.disabled=true
# Delayed websub subscription. Default is 5 seconds in ms.
mosip.event.delay-millisecs=5000
# Websub re-subscription workaround for losing subscribed topic when MOSIP websub update or restart. Default is 5 minutes in ms.
websub-resubscription-delay-millisecs=86400000

#-------------TOKEN GENERATION----------------
#Token generation request id
token.request.id=io.mosip.registration.processor
#Token generation app id
token.request.appid=regproc
#Token generation username
token.request.username=registrationprocessor
#Token generation password
token.request.password=abc123
#Token generation version
token.request.version=1.0
#Token generation Client Id
token.request.clientId=mosip-regproc-client
#Token generation secret key
token.request.secretKey=abc123
#Token generation issuer url
token.request.issuerUrl=${keycloak.internal.url}/auth/realms/mosip

#Audit Service
AUDIT=${mosip.kernel.auditmanager.url}/v1/auditmanager/audits
AUDIT_URL=${mosip.kernel.auditmanager.url}/v1/auditmanager/audits
KEYBASEDTOKENAPI=${mosip.kernel.authmanager.url}/v1/authmanager/authenticate/clientidsecretkey

#Master Data Services
# MASTER=http://kernel-masterdata-service/v1/masterdata
MASTER=${mosip.kernel.masterdata.url}/v1/masterdata
TEMPLATES=${MASTER}/templates

#Packet receiver application version
mosip.print.application.version=1.0
#Request Date Time format
mosip.print.datetime.pattern=yyyy-MM-dd'T'HH:mm:ss.SSS'Z'


#-------------Printing Service--------------------
mosip.print.service.id=mosip.print

#Audit request id
mosip.print.audit.id=mosip.applicanttype.getApplicantType
mosip.country.code=MOR

#Kernel Crypto signature
registration.processor.signature.isEnabled=true

# Language Supported By Platform - ISO
mosip.supported-languages=eng,ara,fra

mosip.template-language=eng
mosip.optional-languages=fra,ara
mosip.mandatory-languages=eng

# mosip.primary-language=eng
# mosip.secondary-language=ara

#----------------------- CBEFF Util--------------------------------------------------
# Cbeff URL where the files will be stored in git, change it accordingly in case of change of storage location.
# mosip.kernel.xsdstorage-uri=${spring.cloud.config.uri}/${spring.application.name}/${spring.profiles.active}/${spring.cloud.config.label}/
mosip.kernel.xsdstorage-uri=https://raw.githubusercontent.com/mosip/mosip-config/develop/
# Cbeff XSD file name in config server
mosip.kernel.xsdfile=mosip-cbeff.xsd

#----------------------------- Applicant Type --------------------------------------------------
mosip.kernel.applicant.type.age.limit = 5

#----------------------------- Static PIN --------------------------------------------------
mosip.kernel.pin.length=6

#-----------------------------TOKEN-ID Properties---------------------------------
#length of the token id
mosip.kernel.tokenid.length=36

# log level
logging.level.root=WARN
logging.level.io.mosip=INFO
# logging.level.io.mosip.kernel.auth.defaultadapter.filter=INFO
logging.level.io.mosip.kernel.auth.defaultadapter=DEBUG
logging.level.org.springframework.http.client=DEBUG
logging.level.io.mosip.residentapp=INFO
logging.level.reactor.netty.http.client=INFO
# tomcat access logs
server.tomcat.accesslog.enabled=true
server.tomcat.accesslog.directory=/dev
server.tomcat.accesslog.prefix=stdout
server.tomcat.accesslog.buffered=false
server.tomcat.accesslog.suffix=
server.tomcat.accesslog.file-date-format=
server.tomcat.accesslog.pattern={"@timestamp":"%{yyyy-MM-dd'T'HH:mm:ss.SSS'Z'}t","level":"ACCESS","level_value":70000,"traceId":"%{X-B3-TraceId}i","statusCode":%s,"req.requestURI":"%U","bytesSent":%b,"timeTaken":%T,"appName":"${spring.application.name}"}
server.tomcat.accesslog.className=io.mosip.kernel.core.logger.config.SleuthValve
registration.processor.unMaskedUin.length=5

IDSchema.Version=1.0
registration.processor.identityjson=identity-mapping.json
registration.processor.demographic.identity=identity
CREATEDATASHARE=${mosip.datashare.url}/v1/datashare/create
DECRYPTPINBASSED=${mosip.kernel.keymanager.url}/v1/keymanager/decryptWithPin


#Auth Adapter rest template authentication configs
mosip.iam.adapter.appid=partner
mosip.iam.adapter.clientid=mpartner-default-mobile
mosip.iam.adapter.clientsecret=1234secret
auth.server.admin.issuer.uri=${keycloak.external.url}/auth/realms/

mosip.iam.adapter.issuerURL=${keycloak.internal.url}/auth/realms/mosip
mosip.authmanager.base-url=${mosip.kernel.authmanager.url}/v1/authmanager
mosip.authmanager.client-token-endpoint=${mosip.authmanager.base-url}/authenticate/clientidsecretkey
auth.server.admin.validate.url=${mosip.kernel.authmanager.url}/v1/authmanager/authorize/admin/validateToken


# in minutes
mosip.iam.adapter.validate-expiry-check-rate=1440

# in minutes
mosip.iam.adapter.renewal-before-expiry-interval=1440

#this should be false if you don't use this restTemplate, true if you do

mosip.iam.adapter.self-token-renewal-enable=true
mosip.auth.filter_disable=true
mosip.auth.adapter.impl.basepackage=io.mosip.kernel.auth.defaultadapter
mosip.kernel.auth.appids.realm.map={prereg:'mosip',ida:'mosip',registrationclient:'mosip',regproc:'mosip',partner:'mosip',resident:'mosip',admin:'mosip',crereq:'mosip',creser:'mosip',datsha:'mosip',idrepo:'mosip'}

vercred.type.vid=VID
mosip.idp.partner.id=mpartner-default-mobile
mosip.idp.partner.encryption.key=Aci9jg28B8mO_LDfDXo3ZTp5_HKgEMun2tYyHCa1e8k
wallet.binding.partner.id=mpartner-default-mimotokeybinding
wallet.binding.partner.api.key=1234walletbindingkey

#mosip notification otp channel config
mosip.notificationtype=SMS|EMAIL|PHONE

# Configurations related to openid4vc
mosip.openid.issuers=mimoto-issuers-config.json
mosip.openid.htmlTemplate=credential-template.html
mosip.oidc.client.assertion.type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
mosip.oidc.p12.filename=oidckeystore.p12
mosip.oidc.p12.password=xy4gh6swa2i
mosip.oidc.p12.path=certs/


#OpenId4VP related Configuration START

#File name for the mimoto trusted verifiers
mosip.openid.verifiers=mimoto-trusted-verifiers.json

#Inji Web Config
mosip.inji.web.url=http://localhost:3001
mosip.inji.web.redirect.url=http://localhost:3001/redirect
mosip.inji.qr.data.size.limit=10000
mosip.inji.qr.code.height=650
mosip.inji.qr.code.width=650

#OVP Config
mosip.inji.ovp.qrdata.pattern=INJI_OVP://https://injiweb.collab.mosip.net/authorize?response_type=vp_token&resource=%s&presentation_definition=%s
mosip.inji.ovp.redirect.url.pattern=%s#vp_token=%s&presentation_submission=%s
mosip.inji.ovp.error.redirect.url.pattern=%s?error=%s&error_description=%s

#DataShare Config
mosip.data.share.url=https://datashare-inji.collab.mosip.net
mosip.data.share.create.url=https://datashare-inji.collab.mosip.net/v1/datashare/create/static-policyid/static-subscriberid
mosip.data.share.create.retry.count=3
mosip.data.share.get.url.pattern=https://datashare-inji.collab.mosip.net/v1/datashare/get/static-policyid/static-subscriberid/*

#OpenId4VP related Configuration END

certify-default.properties

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at https://mozilla.org/MPL/2.0/.

## Application Name
spring.application.name=certify
spring.cloud.config.uri=http://localhost:8888

server.port=8090
server.servlet.path=/v1/certify

openapi.info.title=Certify Service
openapi.info.description=Rest Endpoints for operations related to certify
openapi.info.version=1.0
openapi.info.license.name=Mosip
openapi.info.license.url=https://docs.mosip.io/platform/license
mosipbox.public.url=http://certify:${server.port}
openapi.service.server.url=${mosipbox.public.url}${server.servlet.path}
openapi.service.server.description=Certify Service
springdoc.swagger-ui.disable-swagger-default-url=true
spring.mvc.servlet.path=${server.servlet.path}

spring.messages.basename=messages
spring.messages.encoding=UTF-8

spring.main.allow-bean-definition-overriding=true
spring.mvc.pathmatch.matching-strategy=ANT_PATH_MATCHER



## -------------------------------------- Authentication & Authorization -----------------------------------------------

mosip.certify.security.auth.post-urls={}
mosip.certify.security.auth.put-urls={}
mosip.certify.security.auth.get-urls={}

mosip.certify.security.ignore-csrf-urls=**/actuator/**,/favicon.ico,**/error,\
  **/swagger-ui/**,**/v3/api-docs/**,\
  **/issuance/**

mosip.certify.security.ignore-auth-urls=**/actuator/**,**/error,**/swagger-ui/**,\
  **/v3/api-docs/**, **/issuance/**,**/rendering-template/**, **/system-info/**


## ------------------------------------------ Discovery openid-configuration -------------------------------------------
mosip.certify.discovery.issuer-id=${mosipbox.public.url}${server.servlet.path}
mosip.certify.authorization.url=http://keycloak.local:8080/realms/inji-poc-2

##--------------change this later---------------------------------
mosip.certify.supported.jwt-proof-alg={'RS256','PS256', 'ES256'}
mosip.certify.plugin-mode=DataProvider


##----- These are reference to the oauth resource server providing jwk----------------------------------##
mosip.certify.cnonce-expire-seconds=40

mosip.certify.identifier=http://localhost:8091
mosip.certify.authn.filter-urls={ '${server.servlet.path}/issuance/credential', '${server.servlet.path}/issuance/vd11/credential', '${server.servlet.path}/issuance/vd12/credential' }
mosip.certify.authn.issuer-uri=http://keycloak.local:8080/realms/inji-poc-2
mosip.certify.authn.jwk-set-uri=http://keycloak.local:8080/realms/inji-poc-2/protocol/openid-connect/certs
# mosip.certify.authn.allowed-audiences={ '${mosipbox.public.url}${server.servlet.path}/issuance/credential', '${mosip.certify.authorization.url}/v1/esignet/vci/credential' }
mosip.certify.authn.allowed-audiences={ '${mosip.certify.identifier}', 'http://keycloak.local:8080/realms/inji-poc-2/protocol/openid-connect/token' }


#------------------------------------ Key-manager specific properties --------------------------------------------------
#Crypto asymmetric algorithm name
mosip.kernel.crypto.asymmetric-algorithm-name=RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING
#Crypto symmetric algorithm name
mosip.kernel.crypto.symmetric-algorithm-name=AES/GCM/NoPadding
#Keygenerator asymmetric algorithm name
mosip.kernel.keygenerator.asymmetric-algorithm-name=RSA
#Keygenerator symmetric algorithm name
mosip.kernel.keygenerator.symmetric-algorithm-name=AES
#Asymmetric algorithm key length
mosip.kernel.keygenerator.asymmetric-key-length=2048
#Symmetric algorithm key length
mosip.kernel.keygenerator.symmetric-key-length=256
#Encrypted data and encrypted symmetric key separator
mosip.kernel.data-key-splitter=#KEY_SPLITTER#
#GCM tag length
mosip.kernel.crypto.gcm-tag-length=128
#Hash algo name
mosip.kernel.crypto.hash-algorithm-name=PBKDF2WithHmacSHA512
#Symmtric key length used in hash
mosip.kernel.crypto.hash-symmetric-key-length=256
#No of iterations in hash
mosip.kernel.crypto.hash-iteration=100000
#Sign algo name
mosip.kernel.crypto.sign-algorithm-name=RS256
#Certificate Sign algo name
mosip.kernel.certificate.sign.algorithm=SHA256withRSA

mosip.kernel.keymanager.hsm.config-path=CERTIFY_PKCS12/local.p12
mosip.kernel.keymanager.hsm.keystore-type=PKCS12
mosip.kernel.keymanager.hsm.keystore-pass=local

#Type of keystore, Supported Types: PKCS11, PKCS12, Offline, JCE
#mosip.kernel.keymanager.hsm.keystore-type=PKCS11
# For PKCS11 provide Path of config file.
# For PKCS12 keystore type provide the p12/pfx file path. P12 file will be created internally so provide only file path & file name.
# For Offline & JCE property can be left blank, specified value will be ignored.
#mosip.kernel.keymanager.hsm.config-path=/config/softhsm-application.conf
# Passkey of keystore for PKCS11, PKCS12
# For Offline & JCE proer can be left blank. JCE password use other JCE specific properties.
#mosip.kernel.keymanager.hsm.keystore-pass=${softhsm.certify.mock.security.pin}


mosip.kernel.keymanager.certificate.default.common-name=www.example.com
mosip.kernel.keymanager.certificate.default.organizational-unit=EXAMPLE-CENTER
mosip.kernel.keymanager.certificate.default.organization=IIITB
mosip.kernel.keymanager.certificate.default.location=BANGALORE
mosip.kernel.keymanager.certificate.default.state=KA
mosip.kernel.keymanager.certificate.default.country=IN

mosip.kernel.keymanager.softhsm.certificate.common-name=www.example.com
mosip.kernel.keymanager.softhsm.certificate.organizational-unit=Example Unit
mosip.kernel.keymanager.softhsm.certificate.organization=IIITB
mosip.kernel.keymanager.softhsm.certificate.country=IN

# Application Id for PMS master key.
mosip.kernel.partner.sign.masterkey.application.id=PMS
mosip.kernel.partner.allowed.domains=DEVICE

mosip.kernel.keymanager-service-validate-url=https://${mosip.hostname}/keymanager/validate
mosip.kernel.keymanager.jwtsign.validate.json=false
mosip.keymanager.dao.enabled=false
crypto.PrependThumbprint.enable=true

mosip.kernel.keymgr.hsm.health.check.enabled=true
mosip.kernel.keymgr.hsm.health.key.app-id=CERTIFY_SERVICE
mosip.kernel.keymgr.hsm.healthkey.ref-id=TRANSACTION_CACHE

mosip.kernel.keymgr.hsm.health.check.encrypt=true

mosip.certify.cache.security.secretkey.reference-id=TRANSACTION_CACHE

##----------------------------------------- Database properties --------------------------------------------------------

mosip.certify.database.hostname=database
mosip.certify.database.port=5432
spring.datasource.url=jdbc:postgresql://${mosip.certify.database.hostname}:${mosip.certify.database.port}/inji_certify?currentSchema=certify
spring.datasource.username=postgres
spring.datasource.password=postgres

spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
spring.jpa.show-sql=false
spring.jpa.hibernate.ddl-auto=none
spring.jpa.properties.hibernate.jdbc.lob.non_contextual_creation=true

## ---------------------------------------- Cache configuration --------------------------------------------------------
spring.cache.type=simple
spring.data.redis.host=cache
spring.data.redis.port=6379
spring.data.redis.password=redis

#spring.cache.type=simple
spring.cache.cache-names=${mosip.certify.cache.names}

management.health.redis.enabled=false

mosip.certify.access-token-expire-seconds=86400

mosip.certify.cache.names=userinfo,vcissuance
# Cache size setup is applicable only for 'simple' cache type.
# Cache size configuration will not be considered with 'Redis' cache type
mosip.certify.cache.size={'userinfo': 200, 'vcissuance' : 2000 }


# Cache expire in seconds is applicable for both 'simple' and 'Redis' cache type
mosip.certify.cache.expire-in-seconds={'userinfo': ${mosip.certify.access-token-expire-seconds}, 'vcissuance': ${mosip.certify.access-token-expire-seconds}}

certify-csvdp-farmer.properties

## ------------------------------------------- Mock ID Integration properties ------------------------------------------------------------
mosip.certify.integration.scan-base-package=io.mosip.certify.mock.integration
mosip.certify.integration.audit-plugin=LoggerAuditService
mosip.certify.integration.vci-plugin=MockVCIssuancePlugin

## ------------------------------------------- Mock ID plugin related properties ------------------------------------------------------------
mosip.certify.mock.vciplugin.verification-method=${mosip.certify.authn.jwk-set-uri}
mosip.certify.mock.authenticator.get-identity-url=http://mock-identity-system:8082/v1/mock-identity-system/identity
mosip.certify.cache.security.algorithm-name=AES/ECB/PKCS5Padding
mosip.certify.cache.secure.individual-id=false
mosip.certify.cache.store.individual-id=true
mosip.certify.identifier=http://localhost:8091

#to be updated to GitHub pages url when one is running locally, otherwise it can be replaced with the certify service did url
mosip.certify.data-provider-plugin.issuer-uri=did:web:andresbu93.github.io:inji-farmer-poc:did
mosip.certify.data-provider-plugin.issuer-public-key-uri=did:web:andresbu93.github.io:inji-farmer-poc:did#key-0

mosip.certify.plugin-mode=DataProvider
mosip.certify.data-provider-plugin.id-field-prefix-uri=https://mosip.io/credential/
mosip.certify.integration.data-provider-plugin=MockCSVDataProviderPlugin
mosip.certify.data-provider-plugin.issuer.vc-sign-algo=Ed25519Signature2020
## CSV specific config
mosip.certify.mock.data-provider.csv.identifier-column=id
mosip.certify.mock.data-provider.csv.data-columns=id,fullName,mobileNumber,dateOfBirth,gender,state,district,villageOrTown,postalCode,landArea,landOwnershipType,primaryCropType,secondaryCropType,face,farmerID
mosip.certify.mock.data-provider.csv-registry-uri=/home/mosip/config/farmer_identity_data.csv
mosip.certify.data-provider-plugin.rendering-template-id=
mosip.certify.key-values={\
  'latest' : {\
              'credential_issuer': '${mosip.certify.identifier}',   \
              'authorization_servers': {'${mosip.certify.authorization.url}'}, \
              'credential_endpoint': '${mosipbox.public.url}${server.servlet.path}/issuance/credential', \
              'display': {{'name': 'Agricultural Department', 'locale': 'en'}},\
              'credential_configurations_supported' : { \
                 'FarmerProfileCredential' : {\
                    'format': 'ldp_vc',\
                    'scope' : 'mock_identity_vc_ldp',\
                    'cryptographic_binding_methods_supported': {'did:jwk'},\
                    'credential_signing_alg_values_supported': {'Ed25519Signature2020'},\
                    'proof_types_supported': {'jwt': {'proof_signing_alg_values_supported': {'RS256', 'PS256'}}},\
                    'credential_definition': {\
                    'type': {'VerifiableCredential','FarmerCredential'},\
                    'context': {'https://www.w3.org/2018/credentials/v1','https://mosip.github.io/inji-config/contexts/farmer.json'},\
                      'credentialSubject': {\
                            'fullName': {'display': {{'name': 'Full Name','locale': 'en'}}}, \
                            'mobileNumber': {'display': {{'name': 'Phone Number','locale': 'en'}}},\
                            'dateOfBirth': {'display': {{'name': 'Date of Birth','locale': 'en'}}},\
                            'gender': {'display': {{'name': 'Gender','locale': 'en'}}},\
                            'state': {'display': {{'name': 'State','locale': 'en'}}},\
                            'district': {'display': {{'name': 'District','locale': 'en'}}},\
                            'villageOrTown': {'display': {{'name': 'Village or Town','locale': 'en'}}},\
                            'postalCode': {'display': {{'name': 'Postal Code','locale': 'en'}}},\
                            'landArea': {'display': {{'name': 'Land Area','locale': 'en'}}},\
                            'landOwnershipType': {'display': {{'name': 'Land Ownership Type','locale': 'en'}}},\
                            'primaryCropType': {'display': {{'name': 'Primary Crop Name','locale': 'en'}}},\
                            'secondaryCropType': {'display': {{'name': 'Secondary Crop type','locale': 'en'}}},\
                            'farmerID': {'display': {{'name': 'Farmer ID','locale': 'en'}}}\
                     }},\
                    'display': {{'name': 'Farmer Profile Verifiable Credential', \
                                  'locale': 'en', \
                                  'logo': {'url': 'https://mosip.github.io/inji-config/logos/agro-vertias-logo.png','alt_text': 'a square logo of a Sunbird'},\
                                  'background_color': '#FDFAF9',\
                                  'background_image': { 'uri': 'https://mosip.github.io/inji-config/logos/agro-vertias-logo.png' }, \
                                  'text_color': '#7C4616'}},\
                    'order' : {'farmerID','fullName','mobileNumber','dateOfBirth','gender','state','district','villageOrTown','postalCode','landArea','landOwnershipType','primaryCropType','secondaryCropType'}\
  }}}}

Hi @Andres_Bello

Thank you for reaching out to us.

We are checking on your query and will revert back to you as soon as possible.

Regards,

Likhitha R L
Team MOSIP


Hi @Andres_Bello, actually in the 0.11.0 release of certify, it expects all the things that are in the token to be present in the aud also. Can you try adding the missing value in aud or removing it from the token?

I set up this value in mimoto-issuers-config:

mosip.certify.authn.allowed-audiences={ 'http://localhost:8091', 'http://keycloak.local:8080/realms/inji-poc-2/protocol/openid-connect/token', 'account' }

exactly matching the aud value that is present in the token. But I didn't configure anything about the audience in the Certify config files. Should I?

This config is already present in certify-default properties. You can try updating there. It is not needed in any file related to mimoto.

Hi @Andres_Bello, you can check certify-default.properties in the docker-compose/docker-compose-injistack/config folder of certify. There you will find this property:
mosip.certify.authn.allowed-audiences. It already has the value as:

mosip.certify.authn.allowed-audiences={ '${mosip.certify.domain.url}${server.servlet.path}/issuance/credential', '${mosip.certify.authorization.url}/v1/esignet/vci/credential' }

You will need to update this property.

Also there is a similar usecase where keycloak is configured as the auth server. You can refer to those properties:
mosip.certify.authorization.url=
mosip.certify.authn.issuer-uri=${mosip.certify.authorization.url}
mosip.certify.authn.jwk-set-uri=${mosip.certify.authorization.url}/protocol/openid-connect/certs

And in the above mosip.certify.authn.allowed-audiences property, you can add those values which are required.
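To see why the token in this thread is rejected, the following added example (not code from Certify or MOSIP) decodes a constructed JWT payload with the same three aud values, parses an allowed-audiences value in the same SpEL set style as the property above, and compares the two under the strict rule described in the thread (every aud in the token must be allowed) and under a "contains any" rule. The sample token, its issuer URL and the lack of signature verification are assumptions for illustration.

```python
import base64
import json
import re


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample payload mirroring the aud values reported in the thread.
# Not a real token: the signature segment is a placeholder and is never checked here.
SAMPLE_PAYLOAD = {
    "iss": "http://keycloak.local:8080/realms/inji-poc-2",
    "aud": ["http://localhost:8091",
            "http://keycloak.local:8080/realms/inji-poc-2/protocol/openid-connect/token",
            "account"],
    "scope": "mock_identity_vc_ldp",
}
SAMPLE_JWT = ".".join([_b64url(b'{"alg":"RS256","typ":"JWT"}'),
                       _b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
                       "placeholder-signature"])


def parse_allowed_audiences(prop_value: str) -> set:
    """Turn a SpEL-style set literal such as "{ 'a', 'b' }" into a set of strings."""
    return set(re.findall(r"'([^']*)'", prop_value))


def token_audiences(jwt: str) -> set:
    """Decode the JWT payload (no signature check; diagnostic only) and return aud as a set.
    RFC 7519 allows aud to be a single string or a list of strings."""
    seg = jwt.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    aud = payload.get("aud", [])
    return {aud} if isinstance(aud, str) else set(aud)


def missing_audiences(jwt: str, allowed: set) -> set:
    """Values present in the token's aud but absent from allowed-audiences."""
    return token_audiences(jwt) - allowed


def audience_check(jwt: str, allowed: set, strict: bool = True) -> bool:
    """strict=True: every aud value must be allowed (the rule described for Certify 0.11.0).
    strict=False: accept when at least one aud value is allowed ("contains any")."""
    auds = token_audiences(jwt)
    if not auds:
        return False  # a token with no audience is never accepted
    return auds <= allowed if strict else bool(auds & allowed)
```

Running `missing_audiences` against the property value from earlier in the thread reports `account` as the only missing value, which is exactly what the strict rule trips over.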
