OBIE Directory Integration - A Technical Deep Dive
0 likes592 views
The document provides a detailed technical overview of the Open Banking OpenID dynamic client registration specification, including both automated and manual client registration processes. It discusses the software statement assertion (SSA), client registration endpoints, and necessary configurations for WSO2 Open Banking. Additionally, it outlines the changes introduced in dynamic client registration versions 3.1 and 3.2, including the roles of various actors and authentication methods.
![Client Registration Endpoint
• If an ASPSP supports automated client registration, the ASPSP MUST
operate an [RFC7591] compliant registration endpoint.
• The client registration endpoint MUST be protected by transport-layer
security](https://image.slidesharecdn.com/obiedirectoryintegration-atechnicaldeepdive-190621062242/85/OBIE-Directory-Integration-A-Technical-Deep-Dive-8-320.jpg)
OBIE Directory Integration - A Technical Deep Dive
- 1. OBIE Directory Integration A Technical Deep Dive Ashirwada Dayarathne Software Engineer WSO2 Open Banking 1
- 2. Agenda • The OpenBanking OpenID Dynamic Client Registration Specification - v1.0.0-rc2 • Software Statement Assertion (SSA) • Automated Client Registration • Manual Client Registration • Dynamic Client Registration v3.1
- 3. The OpenBanking OpenID Dynamic Client Registration Specification - v1.0.0-rc2 Automated Client Registration Manual Client Registration Dynamic Client Registration
- 4. Open Banking Client Registration TPP Primary technical Contact(PTC) OpenBanking Directory Developer Portal TPP Client Option A: Dynamic Client Registration Endpoint Option B: Developer Web Portal Open Banking Client Registration Overview(Option A, B) 1 Login 2 Download SSA 3A. Automated Client Registration 4A. OAuth Client Registration request w/SSA 5A. Response with Client Credentials 5B. SSO Response 4B. SSO Request6B. Download Client Credentials 3B. Manual Client Registration(Login to Portal) ASPSP
- 5. Software Statement Assertion (SSA) The SSA is a JSON Web Token (JWT) containing client metadata about an instance of TPP client software. The JWT is issued and signed by the OpenBanking Directory. Sample SSA https://docs.google.com/document/d/1jNkJFixqciZKwx3SAPbwUVMXZdlR3Zt4zHbY4tB9pPQ/edit
- 7. Automated Client Registration OBIE Directory TPP PTC TPP Client Dynamic Client Registration Endpoint Download the SSA Login to OBIE Directory Onboard through automated flow ASPSP Validate SSA and onboard TPP Client Registration request with SSA Client credentials Client credentials
- 8. Client Registration Endpoint • If an ASPSP supports automated client registration, the ASPSP MUST operate an [RFC7591] compliant registration endpoint. • The client registration endpoint MUST be protected by transport-layer security
- 9. Flow of Automated Client Registration with WSO2 Open Banking :TPP :APIM :OB Directory Validate Request Create Application Subscribe API Generate Keys Register SSA Register Credentials
- 10. Configurations • Upload the Open Banking directory root and issuing certificates to the client truststore in both API Manager and Identity Server. • A new message formatter and message builder should be added to the axis2 xml config file in <AM_HOME>/repository/conf/axis2 folder. This is to support the content type application/jwt. • To store any of the properties coming from SSA, need to add the server level configuration to api-manager.xml which resides in <AM_HOME>/repository/conf in folder 10
- 11. Configurations • Following parameters need to be added to the open banking.xml file in the <AM_HOME>/repository/conf/finance folder • Supported authentication methods for the token endpoint • The connection and read timeout values for retrieving the remote jwks to validate the ssa and request jwt signatures during tpp registration • The endpoint urls are to access the rest APIs of API manager in order to create the application, service provider and generate keys for the application. • Enable validations for the policy,client,terms of service,logo uris • Enable validations for the hostnames of policy,client,terms of service, logo uris match with the hostname of redirect uri • APIs that need to be subscribed 11
- 12. DCR Sample Request & Response https://docs.google.com/document/d/1nRMQi4QRGfC1-aKpLfJ6472WbomMHHDXDvLV LOihDpY/edit?usp=sharing
- 13. Manual Client Registration v1.0.0-rc2 Integration with OBIE flow
- 14. Manual Client Registration • In this mechanism, TPP uses OB directory as a federated Identity Provider to log in to the API store using Single Sign On (SSO). • The TPP need to be registered with OB Directory as an AISP or PISP for a successful login • The authorization code grant is used in OIDC flow when using the federated IDP
- 15. Manual Client Registration OBIE Directory TPP PTC Developer Web Portal of the ASPSP Download the SSA Login to OBIE Directory Login to developer portal ASPSP SSO Request Login details Client credentials SSO Response Download client credentials
- 16. Flow of Manual Client Registration with WSO2 Open Banking • User login to APIM store • User get redirected to OB directory login • User logs in using OB credentials • Second factor authentication using PING ID mobile app • User gets logged in to the APIM store • User pastes a valid SSA and clicks on add to create the application
- 17. Configurations ● Create an IDP with the configurations for OB directory ● Create a service provider ● Update config changes in site.json which resides in <OB_APIM_HOME>/repository/deployment/server/jaggeryapps/store/site/conf folder. ● Include the attributes which need to be stored in api manager xml ● Update the key store with OB root and issuer certificates
- 19. Dynamic Client Registration v3.1/v3.2 ● DCR v3.1 & v3.2 are a supersede of the Open Banking OpenID Connect (OIDC) Dynamic Client Registration Profile. ● Dynamic Client Registration v3.1 Specification https://openbanking.atlassian.net/wiki/spaces/DZ/pages/937066600/Dynamic+Client+Registrati on+-+v3.1 ● Dynamic Client Registration v3.2 Specification https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1078034771/Dynamic+Client+Registra tion+-+v3.2
- 20. Changes compared to v1.0.0-rc2 1. Software Statement A Software Statement may be issued by any actor that is trusted by the authorization server. According to the spec these actors can be but is not limited to: • The TPP itself • The Directory solution provided by OBIE • Another Directory service provider 2. Authentication Authentication section have two parts for authentication of different types of requests. • POST operation - TLS Mutual Authentication • GET, PUT and DELETE operations - client credentials grant
- 21. Changes Compared to v1.0.0-rc2 3. Endpoints HTTP Operation Endpoint Mandatory ? Grant Type POST POST /register Conditional NA GET GET /register/{ClientId} Optional Client Credentials PUT PUT /register/{ClientId} Optional Client Credentials DELETE DELETE /register/{ClientId} Optional Client Credentials
- 22. DCR v3.1 with WSO2 Open Banking ● For DCR v3.1, a separate API is written to expose via APIM ● All the APIs invoked are routed to the internal API which is written in APIM through the insequence in gateway level.
- 23. Architecture for DCR v3.1 in WSO2 Open Banking Gateway Insequence API Service DAO IS DB APIM POST GET PUT DELETE Generate Access Token Calls to APIM 1 - Request Admin Credentials 2 - Create Admin Stub 3 - Create User 4 - Get all Applications 5 - Create Application 6 - Generate Keys
- 24. Release Details for DCR v3.1 • Will be available before the september deadline
- 25. WSO2 Documentation for TPP Onboarding • For more information refer the WSO2 documentation TPP Onboarding