4. Open Banking Client Registration
Open Banking Client Registration Overview (Options A and B)
Actors: TPP Primary Technical Contact (PTC), OpenBanking Directory, TPP Client, ASPSP (Option A: Dynamic Client Registration Endpoint; Option B: Developer Web Portal)
1. The PTC logs in to the OpenBanking Directory
2. The PTC downloads the SSA
Option A (automated client registration):
3A. Automated client registration by the TPP client
4A. OAuth client registration request with the SSA to the ASPSP's Dynamic Client Registration Endpoint
5A. Response with client credentials
Option B (manual client registration):
3B. Manual client registration (login to the ASPSP's Developer Web Portal)
4B. SSO request to the OpenBanking Directory
5B. SSO response
6B. Download client credentials from the portal
5. Software Statement Assertion (SSA)
The SSA is a JSON Web Token (JWT) containing client metadata about an
instance of TPP client software. The JWT is issued and signed by the
OpenBanking Directory.
Sample SSA
https://docs.google.com/document/d/1jNkJFixqciZKwx3SAPbwUVMXZdlR3Zt4zHbY4tB9pPQ/edit
7. Automated Client Registration
Participants: OBIE Directory, TPP PTC, TPP Client, ASPSP (Dynamic Client Registration Endpoint)
• The TPP PTC logs in to the OBIE Directory and downloads the SSA
• The TPP client onboards through the automated flow: a client registration request carrying the SSA is sent to the ASPSP's Dynamic Client Registration Endpoint
• The ASPSP validates the SSA and onboards the TPP
• The ASPSP responds with client credentials, which are returned to the TPP
8. Client Registration Endpoint
• If an ASPSP supports automated client registration, the ASPSP MUST operate an [RFC7591] compliant registration endpoint.
• The client registration endpoint MUST be protected by transport-layer security.
9. Flow of Automated Client Registration with WSO2 Open Banking
Participants: TPP, APIM, OB Directory
• The TPP sends the registration request with the SSA to APIM
• APIM validates the request (the SSA is checked against the OB Directory)
• APIM creates the application, subscribes it to the APIs and generates keys
• APIM completes the registration and returns the client credentials to the TPP
10. Configurations
• Upload the Open Banking Directory root and issuing certificates to the client truststore in both API Manager and Identity Server.
• A new message formatter and message builder should be added to the axis2 XML config file in the <AM_HOME>/repository/conf/axis2 folder. This is to support the content type application/jwt.
• To store any of the properties coming from the SSA, the server-level configuration needs to be added to api-manager.xml, which resides in the <AM_HOME>/repository/conf folder.
11. Configurations
• The following parameters need to be added to the open-banking.xml file in the <AM_HOME>/repository/conf/finance folder:
• Supported authentication methods for the token endpoint
• The connection and read timeout values for retrieving the remote JWKS used to validate the SSA and request JWT signatures during TPP registration
• The endpoint URLs used to access the REST APIs of API Manager in order to create the application and service provider and to generate keys for the application
• Enable validations for the policy, client, terms of service and logo URIs
• Enable validations that the hostnames of the policy, client, terms of service and logo URIs match the hostname of the redirect URI
• APIs that need to be subscribed
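The checks an ASPSP runs on the SSA before onboarding (slides 5, 7 and 8) and the URI hostname validations listed above, as an added example that is not WSO2 code. A real SSA is RS256-signed by the Directory and verified against its JWKS; here an HMAC secret, the issuer string and the sample claims are constructed stand-ins so the block runs offline.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlparse

# Constructed stand-ins: a real SSA is RS256-signed by the OB Directory and
# verified against its JWKS; an HMAC secret keeps this block runnable offline.
DIRECTORY_SECRET = b"constructed-demo-secret-not-a-real-key"
DIRECTORY_ISSUER = "OpenBanking Ltd"
HOST_CHECKED = ("software_policy_uri", "software_client_uri", "software_tos_uri", "software_logo_uri")

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_ssa(claims: dict, secret: bytes = DIRECTORY_SECRET) -> str:
    """Mimics the Directory issuing an SSA (HS256 stands in for RS256)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def validate_ssa(token: str, secret: bytes = DIRECTORY_SECRET, now=None) -> dict:
    """ASPSP-side checks before onboarding: alg, signature, issuer, expiry and
    the hostname match between the redirect URIs and the other software URIs."""
    head, body, sig = token.split(".")
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("SSA signature invalid")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != DIRECTORY_ISSUER:
        raise ValueError("SSA not issued by the trusted Directory")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("SSA expired")
    redirect_hosts = {urlparse(u).hostname for u in claims["software_redirect_uris"]}
    for key in HOST_CHECKED:
        parsed = urlparse(claims.get(key, ""))
        if parsed.scheme != "https" or parsed.hostname not in redirect_hosts:
            raise ValueError(f"{key} host does not match a redirect URI host")
    return claims

# Constructed sample claims for one TPP (claim names follow the OB DCR profile).
SAMPLE_CLAIMS = {
    "iss": DIRECTORY_ISSUER, "iat": 1_600_000_000, "exp": 1_600_003_600,
    "software_id": "constructed-software-id", "software_roles": ["AISP", "PISP"],
    "software_redirect_uris": ["https://tpp.example.com/callback"],
    "software_policy_uri": "https://tpp.example.com/policy", "software_client_uri": "https://tpp.example.com",
    "software_tos_uri": "https://tpp.example.com/tos", "software_logo_uri": "https://tpp.example.com/logo.png",
}
```

The JWKS connection and read timeouts from the configuration above are where the signature step would fetch the Directory key in a real deployment.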
14. Manual Client Registration
• In this mechanism, the TPP uses the OB Directory as a federated Identity Provider to log in to the API store using Single Sign-On (SSO).
• The TPP needs to be registered with the OB Directory as an AISP or PISP for a successful login.
• The authorization code grant is used in the OIDC flow when using the federated IdP.
15. Manual Client Registration
Participants: OBIE Directory, TPP PTC, Developer Web Portal of the ASPSP, ASPSP
• The TPP PTC logs in to the OBIE Directory and downloads the SSA
• The TPP PTC logs in to the developer portal: SSO request to the OBIE Directory, login details, SSO response
• The TPP PTC downloads the client credentials from the portal
16. Flow of Manual Client Registration with WSO2 Open Banking
• The user logs in to the APIM store
• The user is redirected to the OB Directory login
• The user logs in using OB credentials
• Second-factor authentication using the PingID mobile app
• The user is logged in to the APIM store
• The user pastes a valid SSA and clicks Add to create the application
17. Configurations
● Create an IdP with the configurations for the OB Directory
● Create a service provider
● Update the config changes in site.json, which resides in the <OB_APIM_HOME>/repository/deployment/server/jaggeryapps/store/site/conf folder
● Include the attributes that need to be stored in api-manager.xml
● Update the key store with the OB root and issuer certificates
19. Dynamic Client Registration v3.1/v3.2
● DCR v3.1 and v3.2 supersede the Open Banking OpenID Connect (OIDC) Dynamic Client Registration Profile.
● Dynamic Client Registration v3.1 Specification: https://openbanking.atlassian.net/wiki/spaces/DZ/pages/937066600/Dynamic+Client+Registration+-+v3.1
● Dynamic Client Registration v3.2 Specification: https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1078034771/Dynamic+Client+Registration+-+v3.2
20. Changes compared to v1.0.0-rc2
1. Software Statement
A Software Statement may be issued by any actor that is trusted by the authorization server. According to the spec, these actors can be, but are not limited to:
• The TPP itself
• The Directory solution provided by OBIE
• Another Directory service provider
2. Authentication
The authentication section has two parts, covering the authentication of different types of requests:
• POST operation: TLS mutual authentication
• GET, PUT and DELETE operations: client credentials grant
21. Changes Compared to v1.0.0-rc2
3. Endpoints
HTTP Operation   Endpoint                     Mandatory?    Grant Type
POST             POST /register               Conditional   NA
GET              GET /register/{ClientId}     Optional      Client Credentials
PUT              PUT /register/{ClientId}     Optional      Client Credentials
DELETE           DELETE /register/{ClientId}  Optional      Client Credentials
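The endpoint and authentication tables above turned into one gateway-side authorization check, as an added example that is not WSO2 code. The request fields (mTLS subject, client_id bound to a client-credentials token) are constructed inputs, and the rule that the token's client_id must equal the {ClientId} in the path is an added check beyond what the table states.

```python
import re

# Authentication required per HTTP operation (DCR v3.1 table above).
DCR_AUTH = {"POST": "mtls", "GET": "client_credentials",
            "PUT": "client_credentials", "DELETE": "client_credentials"}
REGISTER_PATH = re.compile(r"^/register(?:/(?P<client_id>[^/]+))?$")

def authorize_dcr_request(method: str, path: str, mtls_subject=None, token_client_id=None):
    """Return the ClientId the request may act on (None for POST /register),
    or raise PermissionError / LookupError.
    mtls_subject: subject of the TPP transport certificate verified at the TLS layer
                  (constructed input; None if no client certificate was presented).
    token_client_id: client_id bound to a client-credentials access token
                  (constructed input; None if no valid bearer token was presented)."""
    match = REGISTER_PATH.match(path)
    if match is None or method not in DCR_AUTH:
        raise LookupError("not a DCR v3.1 endpoint")
    client_id = match.group("client_id")
    if DCR_AUTH[method] == "mtls":
        if client_id is not None:
            raise LookupError("POST takes no ClientId in the path")
        if not mtls_subject:
            raise PermissionError("POST /register requires TLS mutual authentication")
        return None
    if client_id is None:
        raise LookupError(f"{method} requires /register/{{ClientId}}")
    if token_client_id is None:
        raise PermissionError("client credentials grant token required")
    # A token issued to one TPP must not read, update or delete another TPP's registration.
    if token_client_id != client_id:
        raise PermissionError("token is not bound to the requested ClientId")
    return client_id
```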
22. DCR v3.1 with WSO2 Open Banking
● For DCR v3.1, a separate API is written and exposed via APIM.
● All the APIs invoked are routed to the internal API written in APIM through the insequence at the gateway level.
23. Architecture for DCR v3.1 in WSO2 Open Banking
Components: Gateway (insequence), API / Service / DAO layers in APIM, IS, DB
POST, GET, PUT and DELETE requests enter through the gateway insequence and are routed to the internal API; the service layer generates an access token and then calls APIM:
1 - Request admin credentials
2 - Create admin stub
3 - Create user
4 - Get all applications
5 - Create application
6 - Generate keys
24. Release Details for DCR v3.1
• Will be available before the September deadline
25. WSO2 Documentation for TPP Onboarding
• For more information, refer to the WSO2 documentation: TPP Onboarding