OBIE Directory Integration
A Technical Deep Dive
Ashirwada Dayarathne
Software Engineer
WSO2 Open Banking
Agenda
• The OpenBanking OpenID Dynamic Client Registration Specification - v1.0.0-rc2
• Software Statement Assertion (SSA)
• Automated Client Registration
• Manual Client Registration
• Dynamic Client Registration v3.1
The OpenBanking OpenID Dynamic Client Registration Specification - v1.0.0-rc2
• Automated Client Registration
• Manual Client Registration
• Dynamic Client Registration
Open Banking Client Registration
[Diagram: Open Banking Client Registration Overview (Options A and B). Actors: the TPP Primary Technical Contact (PTC), the OpenBanking Directory, the TPP Client, and the ASPSP with its Developer Portal. Option A: Dynamic Client Registration Endpoint. Option B: Developer Web Portal.]
1. Login
2. Download SSA
Option A:
3A. Automated Client Registration
4A. OAuth Client Registration request with SSA
5A. Response with Client Credentials
Option B:
3B. Manual Client Registration (Login to Portal)
4B. SSO Request
5B. SSO Response
6B. Download Client Credentials
Software Statement Assertion (SSA)
The SSA is a JSON Web Token (JWT) containing client metadata about an
instance of TPP client software. The JWT is issued and signed by the
OpenBanking Directory.
Sample SSA
https://docs.google.com/document/d/1jNkJFixqciZKwx3SAPbwUVMXZdlR3Zt4zHbY4tB9pPQ/edit
Dynamic Client Registration v1.0.0-rc2: Automated Flow
Automated Client Registration
[Diagram: actors are the OBIE Directory, the TPP PTC, the TPP Client and the ASPSP's Dynamic Client Registration Endpoint. Steps shown: Login to OBIE Directory; Download the SSA; Onboard through automated flow; Client Registration request with SSA; Validate SSA and onboard TPP; Client credentials returned to the TPP Client.]
• If an ASPSP supports automated client registration, the ASPSP MUST operate an [RFC7591] compliant registration endpoint.
• The client registration endpoint MUST be protected by transport-layer security.
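The "Validate SSA and onboard TPP" step that the registration endpoint performs, written out as an added Go example; it is not code from the slides or from WSO2 Open Banking. It mints a PS256-signed, SSA-shaped JWT with a freshly generated key (standing in for the directory's signing key and the JWKS it publishes) and then verifies it the way an ASPSP should: the algorithm is pinned, the key is looked up by `kid`, the signature is checked before the payload is trusted, and only then are the issuer and `iat` examined. The claim names follow the OBIE SSA layout; the issuer string, `kid`, key and claim values are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ssaClaims is the subset of SSA claims checked here (claim names follow the OBIE SSA layout).
type ssaClaims struct {
	Iss        string `json:"iss"`
	Iat        int64  `json:"iat"`
	SoftwareID string `json:"software_id"`
}

var b64, pssOpts = base64.RawURLEncoding, &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash} // JWS PS256

// newDirectoryKey stands in for the directory's signing key (generated here; not a real directory key).
func newDirectoryKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// signSSA mints a PS256 JWT the way the directory would, so the verifier can be exercised offline.
func signSSA(priv *rsa.PrivateKey, kid string, c ssaClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "PS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pssOpts)
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// decodeSegment base64url-decodes one JWS segment and parses it as JSON.
func decodeSegment(seg string, v interface{}) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// verifySSA runs the checks an ASPSP performs on an SSA before onboarding a TPP: pinned JWS
// algorithm, kid resolving to a trusted directory key (keys stands in for the JWKS fetched from
// the directory), valid PS256 signature, trusted issuer, and an iat that is not in the future.
func verifySSA(token string, keys map[string]*rsa.PublicKey, trustedIss string, now time.Time) (*ssaClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("ssa: malformed JWS")
	}
	var hdr struct{ Alg, Kid string }
	if decodeSegment(parts[0], &hdr) != nil {
		return nil, errors.New("ssa: unreadable header")
	}
	if hdr.Alg != "PS256" { // never let the token choose the algorithm ("none", HS256, ...)
		return nil, fmt.Errorf("ssa: unexpected alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("ssa: unknown kid %q", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOpts) != nil {
		return nil, errors.New("ssa: signature verification failed")
	}
	var c ssaClaims // the payload is decoded only after the signature holds
	if decodeSegment(parts[1], &c) != nil {
		return nil, errors.New("ssa: unreadable payload")
	}
	if c.Iss != trustedIss {
		return nil, fmt.Errorf("ssa: untrusted issuer %q", c.Iss)
	}
	if c.Iat > now.Unix()+60 { // allow a little clock skew
		return nil, errors.New("ssa: iat is in the future")
	}
	return &c, nil
}

// sampleSSA returns constructed claims for a fictitious TPP issued at the given instant.
func sampleSSA(now time.Time) ssaClaims {
	return ssaClaims{Iss: "OpenBanking Ltd", Iat: now.Unix(), SoftwareID: "constructed-software-id"}
}

func main() {
	priv, _ := newDirectoryKey()
	now := time.Now()
	tok, _ := signSSA(priv, "dir-key-1", sampleSSA(now))
	_, err := verifySSA(tok, map[string]*rsa.PublicKey{"dir-key-1": &priv.PublicKey}, "OpenBanking Ltd", now)
	fmt.Println("SSA accepted:", err == nil)
}
```

In a deployment the `keys` map is populated from the directory's JWKS endpoint, fetched over TLS with the connection and read timeouts the configuration slides mention and with the directory's root and issuing certificates in the truststore; the order of checks (algorithm, key, signature, then claims) is what keeps a forged or re-signed statement from ever reaching the onboarding logic.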
Flow of Automated Client Registration with WSO2 Open Banking
[Sequence diagram with participants :TPP, :APIM and :OB Directory. Messages shown: Register (SSA), Validate Request, Create Application, Subscribe API, Generate Keys, Register (Credentials).]
Configurations
• Upload the Open Banking directory root and issuing certificates to the client truststore in both API Manager and Identity Server.
• A new message formatter and message builder should be added to the axis2 XML config file in the <AM_HOME>/repository/conf/axis2 folder, to support the content type application/jwt.
• To store any of the properties coming from the SSA, add a server-level configuration to api-manager.xml, which resides in the <AM_HOME>/repository/conf folder.
Configurations
• The following parameters need to be added to the open banking.xml file in the <AM_HOME>/repository/conf/finance folder:
  • Supported authentication methods for the token endpoint
  • The connection and read timeout values for retrieving the remote JWKS used to validate the SSA and request JWT signatures during TPP registration
  • The endpoint URLs used to access the REST APIs of API Manager in order to create the application and service provider and to generate keys for the application
  • Enable validations for the policy, client, terms of service and logo URIs
  • Enable validations that the hostnames of the policy, client, terms of service and logo URIs match the hostname of the redirect URI
  • APIs that need to be subscribed
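The two URI validations from this slide (the URIs must be valid, and their hostnames must match a redirect URI's hostname), implemented as an added Go example that is not WSO2 code. The field names mirror the `software_*` SSA claims; the sample URIs and hosts are constructed. It compares parsed hostnames rather than string prefixes, so a URI on a look-alike domain that merely starts with the TPP's hostname, or one that smuggles the expected host into the userinfo part, is rejected.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// softwareURIs holds the URI-bearing SSA fields covered by the validations on this slide.
type softwareURIs struct {
	RedirectURIs []string // software_redirect_uris
	ClientURI    string   // software_client_uri
	PolicyURI    string   // software_policy_uri
	TOSURI       string   // software_tos_uri
	LogoURI      string   // software_logo_uri
}

// httpsHost returns the lower-cased hostname of an absolute https URI, or "" for anything else
// (relative paths, other schemes, unparsable input). The parser, not a prefix test, decides what
// the host is, so userinfo or path tricks cannot impersonate a redirect URI host.
func httpsHost(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// validateSoftwareURIs applies both checks: each client/policy/TOS/logo URI must be a
// well-formed absolute https URI, and its hostname must equal the hostname of a redirect URI.
func validateSoftwareURIs(s softwareURIs) error {
	allowed := map[string]bool{}
	for _, r := range s.RedirectURIs {
		h := httpsHost(r)
		if h == "" {
			return fmt.Errorf("redirect uri %q is not an absolute https uri", r)
		}
		allowed[h] = true
	}
	if len(allowed) == 0 {
		return fmt.Errorf("software statement carries no redirect uris")
	}
	checks := []struct{ name, uri string }{
		{"client", s.ClientURI}, {"policy", s.PolicyURI}, {"tos", s.TOSURI}, {"logo", s.LogoURI},
	}
	for _, c := range checks {
		h := httpsHost(c.uri)
		if h == "" {
			return fmt.Errorf("%s uri %q is not an absolute https uri", c.name, c.uri)
		}
		if !allowed[h] {
			return fmt.Errorf("%s uri host %q does not match any redirect uri host", c.name, h)
		}
	}
	return nil
}

// sampleURIs is a constructed statement for a fictitious TPP (example-tpp.test is not a real host).
var sampleURIs = softwareURIs{
	RedirectURIs: []string{"https://app.example-tpp.test/callback"},
	ClientURI:    "https://app.example-tpp.test",
	PolicyURI:    "https://app.example-tpp.test/policy",
	TOSURI:       "https://app.example-tpp.test/tos",
	LogoURI:      "https://app.example-tpp.test/logo.png",
}

func main() {
	fmt.Println("consistent statement:", validateSoftwareURIs(sampleURIs))
	mismatched := sampleURIs
	mismatched.LogoURI = "https://cdn.example-other.test/logo.png"
	fmt.Println("logo on another host:", validateSoftwareURIs(mismatched))
}
```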
DCR Sample Request & Response
https://docs.google.com/document/d/1nRMQi4QRGfC1-aKpLfJ6472WbomMHHDXDvLVLOihDpY/edit?usp=sharing
Manual Client Registration v1.0.0-rc2: Integration with OBIE flow
Manual Client Registration
• In this mechanism, the TPP uses the OB Directory as a federated Identity Provider to log in to the API store using Single Sign-On (SSO).
• The TPP needs to be registered with the OB Directory as an AISP or PISP for a successful login.
• The authorization code grant is used in the OIDC flow when using the federated IdP.
Manual Client Registration
[Diagram: actors are the OBIE Directory, the TPP PTC, the ASPSP and its Developer Web Portal. Steps shown: Login to OBIE Directory; Download the SSA; Login to developer portal; SSO Request; Login details; SSO Response; Client credentials; Download client credentials.]
Flow of Manual Client Registration with WSO2 Open Banking
• User logs in to the APIM store
• User gets redirected to the OB Directory login
• User logs in using OB credentials
• Second-factor authentication using the PING ID mobile app
• User gets logged in to the APIM store
• User pastes a valid SSA and clicks Add to create the application
Configurations
● Create an IdP with the configurations for the OB Directory
● Create a service provider
● Update config changes in site.json, which resides in the <OB_APIM_HOME>/repository/deployment/server/jaggeryapps/store/site/conf folder
● Include the attributes which need to be stored in api-manager.xml
● Update the keystore with the OB root and issuer certificates
Dynamic Client Registration v3.1/v3.2
● DCR v3.1 and v3.2 supersede the Open Banking OpenID Connect (OIDC) Dynamic Client Registration Profile.
● Dynamic Client Registration v3.1 Specification
https://openbanking.atlassian.net/wiki/spaces/DZ/pages/937066600/Dynamic+Client+Registration+-+v3.1
● Dynamic Client Registration v3.2 Specification
https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1078034771/Dynamic+Client+Registration+-+v3.2
Changes compared to v1.0.0-rc2
1. Software Statement
A Software Statement may be issued by any actor that is trusted by the authorization server. According to the spec these actors can be, but are not limited to:
• The TPP itself
• The Directory solution provided by OBIE
• Another Directory service provider
2. Authentication
The authentication section has two parts, covering the authentication of different types of requests:
• POST operation - TLS Mutual Authentication
• GET, PUT and DELETE operations - client credentials grant
Changes Compared to v1.0.0-rc2
3. Endpoints
HTTP Operation   Endpoint                      Mandatory?    Grant Type
POST             POST /register                Conditional   NA
GET              GET /register/{ClientId}      Optional      Client Credentials
PUT              PUT /register/{ClientId}      Optional      Client Credentials
DELETE           DELETE /register/{ClientId}   Optional      Client Credentials
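The per-operation authentication model from points 2 and 3, as an added Go example that is not from the slides or from WSO2 Open Banking. `registrationPrincipal` decides, for one incoming request, whether it is authenticated the way the endpoint table requires: POST /register must arrive over a mutually authenticated TLS connection, while GET, PUT and DELETE on /register/{ClientId} must carry a bearer token obtained through the client credentials grant. The `introspectFn` hook, the sample token map, the host name and the rule that the token's client_id must equal the ClientId in the path are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// introspectFn maps a bearer token to the client_id it was issued to under the client
// credentials grant (ok=false for unknown or expired tokens). The real lookup lives in the
// authorization server; the fixtures below plug in a constructed map.
type introspectFn func(token string) (clientID string, ok bool)

// registrationPrincipal applies the DCR v3.1/v3.2 authentication model to one request:
//   POST /register                      -> TLS mutual authentication (a presented client cert)
//   GET/PUT/DELETE /register/{ClientId} -> bearer token from the client credentials grant,
//                                          which must belong to that ClientId (assumption)
// It returns the authenticated principal (certificate subject or client_id) or an error.
func registrationPrincipal(r *http.Request, introspect introspectFn) (string, error) {
	switch {
	case r.Method == http.MethodPost && r.URL.Path == "/register":
		// With tls.Config{ClientAuth: tls.RequireAndVerifyClientCert} the TLS stack has already
		// validated the chain against ClientCAs; here we only require that a cert was presented.
		if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
			return "", errors.New("POST /register requires TLS mutual authentication")
		}
		return r.TLS.PeerCertificates[0].Subject.String(), nil
	case strings.HasPrefix(r.URL.Path, "/register/"):
		clientID := strings.TrimPrefix(r.URL.Path, "/register/")
		if clientID == "" || strings.Contains(clientID, "/") {
			return "", errors.New("malformed client id in path")
		}
		switch r.Method {
		case http.MethodGet, http.MethodPut, http.MethodDelete:
		default:
			return "", fmt.Errorf("method %s not allowed on /register/{ClientId}", r.Method)
		}
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") {
			return "", errors.New("bearer token from the client credentials grant required")
		}
		tokenClient, ok := introspect(strings.TrimPrefix(auth, "Bearer "))
		if !ok {
			return "", errors.New("invalid access token")
		}
		if tokenClient != clientID { // a TPP may only read, update or delete its own registration
			return "", errors.New("token was not issued to the client named in the path")
		}
		return clientID, nil
	}
	return "", errors.New("unknown registration endpoint")
}

// Constructed fixtures: one issued token and a request builder used by main and the tests.
var sampleTokens = map[string]string{"tok-abc": "client-123"}

func sampleIntrospect(tok string) (string, bool) { c, ok := sampleTokens[tok]; return c, ok }

func sampleRequest(method, path, bearer string, withCert bool) *http.Request {
	r, _ := http.NewRequest(method, "https://aspsp.example.test"+path, nil)
	if bearer != "" {
		r.Header.Set("Authorization", "Bearer "+bearer)
	}
	if withCert { // stands in for a certificate that the TLS handshake has already verified
		r.TLS = &tls.ConnectionState{PeerCertificates: []*x509.Certificate{{Subject: pkix.Name{CommonName: "constructed-tpp"}}}}
	}
	return r
}

func main() {
	for _, r := range []*http.Request{
		sampleRequest("POST", "/register", "", true),
		sampleRequest("POST", "/register", "tok-abc", false),
		sampleRequest("GET", "/register/client-123", "tok-abc", false),
		sampleRequest("DELETE", "/register/client-999", "tok-abc", false),
	} {
		p, err := registrationPrincipal(r, sampleIntrospect)
		fmt.Printf("%s %s -> principal=%q err=%v\n", r.Method, r.URL.Path, p, err)
	}
}
```

Chain validation of the client certificate belongs in the server's `tls.Config` (`ClientAuth: tls.RequireAndVerifyClientCert`, with the Open Banking directory root and issuing certificates in `ClientCAs`, the same trust material the configuration slide loads into the truststore); the handler only consumes the outcome. Note that a certificate alone does not satisfy GET, PUT or DELETE, and a token alone does not satisfy POST: each operation gets exactly the credential the specification assigns to it.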
DCR v3.1 with WSO2 Open Banking
● For DCR v3.1, a separate API is written and exposed via APIM
● All invoked APIs are routed, through the in-sequence at the gateway level, to the internal API written in APIM
Architecture for DCR v3.1 in WSO2 Open Banking
[Diagram: POST, GET, PUT and DELETE requests enter the APIM Gateway, whose in-sequence routes them to the API Service; the service uses a DAO backed by the DB, generates an access token via the IS, and makes calls to APIM.]
Calls to APIM:
1 - Request Admin Credentials
2 - Create Admin Stub
3 - Create User
4 - Get all Applications
5 - Create Application
6 - Generate Keys
Release Details for DCR v3.1
• Will be available before the September deadline
WSO2 Documentation for TPP Onboarding
• For more information, refer to the WSO2 documentation: TPP Onboarding
THANK YOU
wso2.com