
OBIE Directory Integration - A Technical Deep Dive

This deck will cover the OpenBanking OpenID Dynamic Client Registration Specification - v1.0.0-rc2, software statement assertion (SSA), automated client registration, manual client registration, and dynamic client registration v3.1

Published in: Technology
  1. OBIE Directory Integration: A Technical Deep Dive. Ashirwada Dayarathne, Software Engineer, WSO2 Open Banking
  2. Agenda
     • The OpenBanking OpenID Dynamic Client Registration Specification - v1.0.0-rc2
     • Software Statement Assertion (SSA)
     • Automated Client Registration
     • Manual Client Registration
     • Dynamic Client Registration v3.1
  3. The OpenBanking OpenID Dynamic Client Registration Specification - v1.0.0-rc2 covers three mechanisms: Automated Client Registration, Manual Client Registration and Dynamic Client Registration.
  4. Open Banking Client Registration Overview (Option A, B). Actors: the TPP's Primary Technical Contact (PTC), the OpenBanking Directory, the TPP client and the ASPSP, which offers either Option A (a Dynamic Client Registration endpoint) or Option B (a Developer Web Portal).
     1. The PTC logs in to the OpenBanking Directory.
     2. The PTC downloads the SSA.
     Option A, Automated Client Registration: 3A. the TPP client starts automated registration; 4A. it sends an OAuth client registration request carrying the SSA to the ASPSP's registration endpoint; 5A. the ASPSP responds with client credentials.
     Option B, Manual Client Registration: 3B. the PTC logs in to the ASPSP's developer portal; 4B. the portal sends an SSO request to the Directory; 5B. the Directory returns the SSO response; 6B. the PTC downloads the client credentials.
  5. Software Statement Assertion (SSA). The SSA is a JSON Web Token (JWT) containing client metadata about an instance of TPP client software. The JWT is issued and signed by the OpenBanking Directory, so an ASPSP must verify that signature against the Directory's published keys before trusting any claim in it. Sample SSA: https://docs.google.com/document/d/1jNkJFixqciZKwx3SAPbwUVMXZdlR3Zt4zHbY4tB9pPQ/edit
  6. Dynamic Client Registration v1.0.0-rc2: Automated Flow
  7. Automated Client Registration. Actors: OBIE Directory, TPP PTC, TPP client, ASPSP Dynamic Client Registration endpoint. The PTC logs in to the OBIE Directory and downloads the SSA, then onboards through the automated flow: the TPP client sends a client registration request carrying the SSA to the ASPSP, the ASPSP validates the SSA and onboards the TPP, and the client credentials are returned to the TPP client and passed on to the PTC.
  8. Client Registration Endpoint
     • If an ASPSP supports automated client registration, the ASPSP MUST operate an [RFC7591] compliant registration endpoint.
     • The client registration endpoint MUST be protected by transport-layer security.
  9. Flow of Automated Client Registration with WSO2 Open Banking (sequence between :TPP, :APIM and :OB Directory): Validate Request, Create Application, Subscribe API, Generate Keys, Register SSA, Register Credentials.
  10. Configurations
     • Upload the Open Banking Directory root and issuing certificates to the client truststore in both API Manager and Identity Server.
     • Add a new message formatter and message builder to the axis2 XML config file in the <AM_HOME>/repository/conf/axis2 folder, to support the content type application/jwt.
     • To store any of the properties coming from the SSA, add the server-level configuration to api-manager.xml, which resides in the <AM_HOME>/repository/conf folder.
  11. Configurations. The following parameters need to be added to the open banking.xml file in the <AM_HOME>/repository/conf/finance folder:
     • Supported authentication methods for the token endpoint.
     • Connection and read timeout values for retrieving the remote JWKS used to validate the SSA and request JWT signatures during TPP registration.
     • Endpoint URLs of the API Manager REST APIs used to create the application and service provider and to generate keys for the application.
     • Enable validation of the policy, client, terms-of-service and logo URIs.
     • Enable validation that the hostnames of the policy, client, terms-of-service and logo URIs match the hostname of the redirect URI.
     • APIs that need to be subscribed.
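The validation that slides 5, 7 and 11 describe (verify the SSA's signature against the Directory's JWKS, then check its claims, including that the policy, client, terms-of-service and logo URI hosts match the redirect URI host) is shown below as an added example; it is not WSO2 code and not the Directory's. The same checks apply to an SSA pasted into the developer portal in the manual flow. Everything is constructed inline so it runs offline: the Directory key pair is a demo-sized 512-bit RSA key generated at import time, the signer is a hand-rolled PKCS#1 v1.5 implementation standing in for a vetted JWT library, the kid, the claim values and the error strings are the example's own, and the issuer string "OpenBanking Ltd" and the claim names (software_roles, software_redirect_uris, software_*_uri) are assumed to follow the OBIE SSA format.

```python
# Added example, not WSO2 code: the checks an ASPSP runs on an SSA before onboarding
# a TPP. The Directory key pair, its JWKS and the SSA claims are constructed here so
# the script runs offline; a demo-sized 512-bit RSA key and a hand-rolled PKCS#1 v1.5
# signer stand in for the Directory's real keys and a vetted JWT library.
import base64, hashlib, json, random, time
from urllib.parse import urlparse

def b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _is_probable_prime(n, rounds=16):        # Miller-Rabin; fine for a demo key
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def _random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c
def make_rsa_key(bits=512):                  # real Directory keys are 2048 bits or more
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, e, phi = p * q, 65537, (p - 1) * (q - 1)
        if p != q and phi % e:               # e is prime, so this means gcd(e, phi) == 1
            return {"n": n, "e": e, "d": pow(e, -1, phi), "k": (n.bit_length() + 7) // 8}

_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")
def _emsa_pkcs1_v15(msg, k):                 # EM = 00 01 FF..FF 00 DigestInfo || SHA-256(msg)
    t = _DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")
def rs256_sign(key, msg):
    return pow(_emsa_pkcs1_v15(msg, key["k"]), key["d"], key["n"]).to_bytes(key["k"], "big")
def rs256_verify(n, e, msg, sig):
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa_pkcs1_v15(msg, k)
def jwk_from_key(key, kid):                  # public half, as the Directory publishes it in its JWKS
    enc = lambda i: b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": enc(key["n"]), "e": enc(key["e"])}
def sign_jwt(key, kid, claims):              # what the Directory does when it issues an SSA
    h = b64u(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    p = b64u(json.dumps(claims).encode())
    return h + "." + p + "." + b64u(rs256_sign(key, (h + "." + p).encode()))

def validate_ssa(ssa, jwks, trusted_iss, now=None):
    """Return the SSA claims if every check passes; raise ValueError otherwise."""
    now = time.time() if now is None else now
    h64, p64, s64 = ssa.split(".")           # ValueError if it is not a compact JWS
    header = json.loads(b64u_dec(h64))
    if header.get("alg") != "RS256":         # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    key = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid") and j.get("kty") == "RSA"), None)
    if key is None:
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(b64u_dec(key[x]), "big") for x in ("n", "e"))
    if not rs256_verify(n, e, (h64 + "." + p64).encode(), b64u_dec(s64)):
        raise ValueError("bad signature")    # checked before any claim is looked at
    c = json.loads(b64u_dec(p64))
    if c.get("iss") != trusted_iss:
        raise ValueError("untrusted issuer")
    if c.get("exp", 0) <= now:
        raise ValueError("SSA expired")
    if not set(c.get("software_roles", [])) & {"AISP", "PISP"}:
        raise ValueError("no AISP/PISP role")
    redirects = c.get("software_redirect_uris") or []
    if not redirects or any(urlparse(u).scheme != "https" for u in redirects):
        raise ValueError("redirect URIs must be https")
    hosts = {urlparse(u).hostname for u in redirects}
    for claim in ("software_policy_uri", "software_client_uri", "software_tos_uri", "software_logo_uri"):
        if c.get(claim) and urlparse(c[claim]).hostname not in hosts:
            raise ValueError(claim + " host does not match redirect URI host")
    return c

# Constructed fixtures: a stand-in Directory key, its JWKS and an SSA-style claim set.
DIRECTORY_KEY, KID, NOW = make_rsa_key(), "ob-dir-demo-1", 1_560_000_000
JWKS = {"keys": [jwk_from_key(DIRECTORY_KEY, KID)]}
CLAIMS = {"iss": "OpenBanking Ltd", "exp": NOW + 3600, "software_client_id": "constructed-client",
          "software_roles": ["AISP", "PISP"], "software_redirect_uris": ["https://tpp.example/callback"],
          "software_policy_uri": "https://tpp.example/policy", "software_logo_uri": "https://tpp.example/logo.png"}

def check(ssa):                              # "ok" or the name of the first failing check
    try:
        return validate_ssa(ssa, JWKS, "OpenBanking Ltd", now=NOW) and "ok"
    except ValueError as err:
        return str(err)
def good_ssa():
    return sign_jwt(DIRECTORY_KEY, KID, CLAIMS)
def tampered_ssa():                          # Directory signature kept, payload edited by the TPP
    h, _, s = good_ssa().split(".")
    return h + "." + b64u(json.dumps({**CLAIMS, "software_roles": ["AISP", "PISP", "CBPII"]}).encode()) + "." + s
```

Two design points matter more than the crypto plumbing: the algorithm and the key are chosen by the verifier (pinned `alg`, `kid` looked up in a JWKS the ASPSP fetched itself), never by the token, and the signature is verified before a single claim is read, so an SSA a TPP edited after download fails with "bad signature" rather than being partly trusted. The hostname rule is the one from slide 11: every policy, client, terms-of-service and logo URI must share a host with a registered redirect URI.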
  12. DCR Sample Request & Response: https://docs.google.com/document/d/1nRMQi4QRGfC1-aKpLfJ6472WbomMHHDXDvLVLOihDpY/edit?usp=sharing
  13. Manual Client Registration v1.0.0-rc2: Integration with OBIE flow
  14. Manual Client Registration
     • In this mechanism, the TPP uses the OB Directory as a federated Identity Provider to log in to the API store using Single Sign-On (SSO).
     • The TPP needs to be registered with the OB Directory as an AISP or PISP for a successful login.
     • The authorization code grant is used in the OIDC flow with the federated IdP.
  15. Manual Client Registration. Actors: OBIE Directory, TPP PTC, Developer Web Portal of the ASPSP. The PTC logs in to the OBIE Directory and downloads the SSA, then logs in to the developer portal; the portal sends an SSO request to the Directory, the PTC supplies login details, and the Directory returns the SSO response; the ASPSP issues client credentials, which the PTC downloads.
  16. Flow of Manual Client Registration with WSO2 Open Banking
     • The user logs in to the APIM store.
     • The user is redirected to the OB Directory login.
     • The user logs in with OB credentials.
     • Second-factor authentication is done with the PingID mobile app.
     • The user is logged in to the APIM store.
     • The user pastes a valid SSA and clicks Add to create the application.
  17. Configurations
     ● Create an IdP with the configurations for the OB Directory.
     ● Create a service provider.
     ● Update the config changes in site.json, which resides in the <OB_APIM_HOME>/repository/deployment/server/jaggeryapps/store/site/conf folder.
     ● Include the attributes that need to be stored in api-manager.xml.
     ● Update the key store with the OB root and issuing certificates.
  18. Dynamic Client Registration v3.1/v3.2
  19. Dynamic Client Registration v3.1/v3.2
     ● DCR v3.1 and v3.2 supersede the Open Banking OpenID Connect (OIDC) Dynamic Client Registration Profile.
     ● Dynamic Client Registration v3.1 Specification: https://openbanking.atlassian.net/wiki/spaces/DZ/pages/937066600/Dynamic+Client+Registration+-+v3.1
     ● Dynamic Client Registration v3.2 Specification: https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1078034771/Dynamic+Client+Registration+-+v3.2
  20. Changes compared to v1.0.0-rc2
     1. Software Statement. A Software Statement may be issued by any actor that is trusted by the authorization server, so the ASPSP decides which issuers and signing keys it accepts rather than trusting whatever issuer a statement names. According to the spec these actors can be, but are not limited to:
        • the TPP itself
        • the Directory solution provided by OBIE
        • another Directory service provider
     2. Authentication. The authentication section has two parts, for the two kinds of request:
        • POST operation: TLS mutual authentication
        • GET, PUT and DELETE operations: client credentials grant
  21. Changes compared to v1.0.0-rc2
     3. Endpoints
        HTTP operation  Endpoint              Mandatory?   Grant type
        POST            /register             Conditional  NA
        GET             /register/{ClientId}  Optional     Client Credentials
        PUT             /register/{ClientId}  Optional     Client Credentials
        DELETE          /register/{ClientId}  Optional     Client Credentials
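The per-operation authentication rules in the two slides above, as an added example that is not WSO2 code: POST on /register is accepted only behind TLS mutual authentication (modelled here as a client-certificate subject the gateway has already verified), and GET, PUT and DELETE on /register/{ClientId} require an access token from the client credentials grant. The additional rule that the token's client_id must equal the {ClientId} in the path is this example's own hardening and is not taken from the slides. The Request class, the token dictionary (an introspection-style dict with a constructed grant_type field) and the status strings are all constructed for the example.

```python
# Added example, not WSO2 code: route-level auth policy for a DCR v3.1 /register endpoint.
import re

ROUTE = re.compile(r"^/register(?:/(?P<client_id>[A-Za-z0-9._-]+))?$")

class Request:
    """Constructed request shape: what a gateway hands the registration API."""
    def __init__(self, method, path, mtls_subject=None, token=None, body=""):
        self.method, self.path = method, path
        self.mtls_subject = mtls_subject   # subject of the verified TPP transport cert, or None
        self.token = token                 # introspection-style dict for the bearer token, or None
        self.body = body                   # signed registration request JWT; validated elsewhere

def authorise(req):
    """Return (status, reason) for the endpoint's authentication policy."""
    m = ROUTE.match(req.path)
    if not m:
        return 404, "not found"
    client_id = m.group("client_id")
    if req.method == "POST":
        if client_id is not None:
            return 405, "POST is only defined on /register"
        if not req.mtls_subject:                         # slide: POST uses TLS mutual authentication
            return 401, "TLS mutual authentication required"
        if not req.body:
            return 400, "registration request body required"
        return 201, "registration request accepted for SSA validation"
    if req.method in ("GET", "PUT", "DELETE"):
        if client_id is None:
            return 405, req.method + " requires /register/{ClientId}"
        tok = req.token
        if not tok or not tok.get("active"):             # slide: these use the client credentials grant
            return 401, "access token required"
        if tok.get("grant_type") != "client_credentials":  # constructed field; assumed introspection shape
            return 401, "token must come from the client_credentials grant"
        if tok.get("client_id") != client_id:            # example's own rule: only your own registration
            return 403, "token is not bound to this ClientId"
        return 200, req.method + " allowed for " + client_id
    return 405, "method not allowed"

# Constructed sample traffic, one line per outcome.
SAMPLES = [
    Request("POST", "/register", mtls_subject="CN=tpp-transport", body="<signed request JWT>"),
    Request("POST", "/register", body="<signed request JWT>"),                       # no client cert
    Request("GET", "/register/abc", token={"active": True, "client_id": "abc", "grant_type": "client_credentials"}),
    Request("DELETE", "/register/abc", token={"active": True, "client_id": "xyz", "grant_type": "client_credentials"}),
]

def run_samples():
    return [authorise(r)[0] for r in SAMPLES]          # [201, 401, 200, 403]
```

The check that distinguishes this from a plain routing table is the last one: a valid client_credentials token proves which TPP is calling, so it must only be allowed to read, update or delete the registration whose ClientId matches that token, otherwise any registered TPP could enumerate or remove other TPPs' registrations.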
  22. DCR v3.1 with WSO2 Open Banking
     ● For DCR v3.1, a separate API is written and exposed via APIM.
     ● All invoked APIs are routed, through the insequence at the gateway level, to the internal API written in APIM.
  23. Architecture for DCR v3.1 in WSO2 Open Banking. Components: the APIM Gateway with its insequence, the API service, a DAO, the database (DB) and the Identity Server (IS). The gateway accepts POST, GET, PUT and DELETE on the registration API. Calls to APIM: generate an access token, then 1. request admin credentials, 2. create the admin stub, 3. create the user, 4. get all applications, 5. create the application, 6. generate keys.
  24. Release Details for DCR v3.1: will be available before the September deadline.
  25. WSO2 Documentation for TPP Onboarding: for more information, refer to the WSO2 documentation on TPP Onboarding.
  26. THANK YOU. wso2.com
