This documentation is for WSO2 Open Banking version 1.2.0 of UK. View documentation for the latest release.
Dynamic Client Registration - WSO2 Open Banking 1.2.0 UK - WSO2 Documentation
Skip to end of metadata
Go to start of metadata

Dynamic client registration allows trusted third-parties to register themselves with the ASPSP (Account Services Payment Services Providers) dynamically. The process is as follows:

  1. The TPP sends a registration request,

    1. This is a POST request including an SSA (Software Statement Assertion) as a claim in the payload.

    2. The SSA is sent as a signed JWT, which is obtained from the Open Banking directory. This contains the client metadata.

  2. The ASPSP validates the SSA based on the specifications provided in theOpen Banking OpenID Dynamic Client Registration specification.

  3. The ASPSP registers the client application using the metadata sent in the SSA.

  4. The ASPSP returns the response (success or error if the validation fails) based on the open banking UK specification.

  5. The automated DCR (Dynamic Client Registration) process is carried out by calling a synapse API in the gateway.
    An example request sent to the DCR registration endpoint is shown below:

    POST https://localhost:8243/register
    Content-Type: application/jwt
    eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJJREFtYXpvbiIsImlhdCI6MTQ5OTgwNTg0OCwiZXhwIjoxNTMxMzQxODQ4LCJhdWQiOiJodHRwczovL2F1dGhuLmxsb3lkc2JhbmsuY29tIiwic3ViIjoiaHR0cHM6Ly9hdXRobi5sbG95ZHNiYW5rLmNvbSIsImNsaWVudF9pZCI6IklEQW1hem9uMSIsInNvZnR3YXJlX3N0YXRlbWVudCI6ImV5SjBlWEFpT2lKS1YxUWlMQ0poYkdjaU9pSklVekkxTmlKOS5leUpwYzNNaU9pSlBjR1Z1UW1GdWEybHVaeUlzSW1saGRDSTZNVFE1T1Rnd05UZzBPQ3dpWlhod0lqb3hOVE14TXpReE9EUTRMQ0poZFdRaU9pSkZlR0Z0Y0d4bElGUlFVQ0lzSW5OMVlpSTZJa1Y0WVcxd2JHVWdWRkJRSWl3aVQySlVVRkJKWkNJNklrbEVRVzFoZW05dUlpd2lUMkpVVUZCU2IyeGxJam9pVUVsVFVDSjkuUnJydEpYbmZmSzVjOHJJeEczUm93QXNRZWNlSDNvWlFXTWJwZ0hENzhPOCJ9.VRckIjwgB9ahNTPK6GcDzCfqbU9mkvoOu-B_2jHdKzs
  6. The payload JWT should be in the format given below and must be signed using the signing certificate issued by the Open Banking directory. The kid parameter of the header should match the values in the kid of the signing certificate provided by the Open banking directory.

  7. The TPP should be enrolled in the Open Banking directory and should upload the CSR in order to obtain the public transport and signing certificates.

  8. Include the following claims in the body of the request payload;

    ClaimDescriptionSource SpecificationOptionalComments
    issRequest issuer (the TPP)[RFC7519]NO
    iatTime of issuance of request[RFC7519]NO
    expRequest expiration time[RFC7519]NO
    audRequest audience (the ASPSP)[RFC7519]NO
    jtiThe JWT ID[RFC7519]NO
    redirect_urisRegistered URIs the TPP uses to interact with the ASPSP AS[OIDC-R]NOMust match or be a subset of the software_redirect_uris claim in the SSA.
    token_endpoint_auth_methodSpecifies which token endpoint authentication method the TPP wants to use[RFC7591]NOprivate_key_jwt: If requested, the OP should extract the TPPs JWKS location from the included software statement assertion.
    grant_typesA JSON array specifying what the TPP can request to be supplied to the token endpoint as exchange for an access token[RFC7591]NO
    response_typesA JSON array specifying what the TPP can request to be returned from the ASPSP authorization endpoint[RFC7591]YESASPSPs may reject anything other than code.
    software_idThe OB organization ID[RFC7591]YESIf specified, the software_id in the request must match the software_id specfied in the SSA. ASPSPs can choose to allow multiple registrations for a given software client name and may take the software_id from either the SSA or the TPP as a hint.
    scopeThe scopes requested by the client (if not specificed, default scopes are assigned by the AS)[RFC7591]YESMinimum scope should be openid + whatever scopes are appropriate for the PSD2 role of the software.
    software_statementThe SSA issued by Open Banking identifier[RFC7519]NO
    application_typeSpecifies whether the application type is web or mobile[OIDC-R]NOMust be web, if specified.
    id_token_signed_response_algThe algorithm with which the TPP expects to sign the id_token if an id_token is returned[OIDC-R]NOSupported values must comply with [FAPI-RW] Section 8.6.
    request_object_signing_algThe algorithm with which the TPP expects to sign the request object if a request object is part of the authorization request sent to the ASPSP.[OIDC-R]NOSupported values must comply with [FAPI-RW] Section 8.6.
    {
      "typ": "JWT",
      "alg": "RS256",
      "kid": "9yz0XwrEOkvFHil-t7KSXVhmR6s"
    }
    {
      "iss": "Amazon TPPID",
      "iat": 1492760444,
      "exp": 1624296449,
      "jti": "12345445",
      "aud": "https://authn.lloyds.co.uk",
      "scope": [
        "openid",
        "payments"
      ],
      "token_endpoint_auth_method": "private_key_jwt",
      "grant_types": [
        "authorization_code",
        "refresh_token"
      ],
      "response_types": [
        "code",
        "id_token"
      ],
      "id_token_signed_response_alg": "ES256",
      "request_object_signing_alg": "ES256",
      "software_id": "3c8F2a7zpWaxnO5kFOZpyE",
      "application_type": "web",
      "redirect_uris": [
        "https://www.amazon.com"
      ],
      "software_statement": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImpfT1BYZTh0Y2hXdWhRM2dWTi1TT09PVHlEWSIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1Mzg5MjY0MzAsImlzcyI6Ik9wZW5CYW5raW5nIEx0ZCIsImp0aSI6IjVqSTE0djJEZDN3WnZiaG1QT2UyTHUiLCJvYl9yZWdpc3RyeV90b3MiOiJodHRwczovL3JlZ2lzdHJ5Lm9wZW5iYW5raW5ndGVzdC5vcmcudWsvdG9zLmh0bWwiLCJvcmdfY29udGFjdHMiOlt7ImVtYWlsIjoic2FjaGluaXNAd3NvMi5jb20iLCJuYW1lIjoiVGVjaG5pY2FsIiwicGhvbmUiOiIrOTQ3NzQyNzQzNzQiLCJ0eXBlIjoiVGVjaG5pY2FsIn0seyJlbWFpbCI6InNhY2hpbmlzQHdzbzIuY29tIiwibmFtZSI6IkJ1c2luZXNzIiwicGhvbmUiOiIrOTQ3NzQyNzQzNzQiLCJ0eXBlIjoiQnVzaW5lc3MifV0sIm9yZ19pZCI6IjAwMTU4MDAwMDFIUVFyWkFBWCIsIm9yZ19qd2tzX2VuZHBvaW50IjoiaHR0cHM6Ly9rZXlzdG9yZS5vcGVuYmFua2luZ3Rlc3Qub3JnLnVrLzAwMTU4MDAwMDFIUVFyWkFBWC8wMDE1ODAwMDAxSFFRclpBQVguandrcyIsIm9yZ19qd2tzX3Jldm9rZWRfZW5kcG9pbnQiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMUhRUXJaQUFYL3Jldm9rZWQvMDAxNTgwMDAwMUhRUXJaQUFYLmp3a3MiLCJvcmdfbmFtZSI6IldTTzIgKFVLKSBMSU1JVEVEIiwib3JnX3N0YXR1cyI6IkFjdGl2ZSIsIm9yZ2FuaXNhdGlvbl9jb21wZXRlbnRfYXV0aG9yaXR5X2NsYWltcyI6eyJhdXRob3Jpc2F0aW9ucyI6W3sibWVtYmVyX3N0YXRlIjoiR0IiLCJyb2xlcyI6WyJBSVNQIiwiUElTUCJdfV0sImF1dGhvcml0eV9pZCI6Ik9CR0JSIiwicmVnaXN0cmF0aW9uX2lkIjoiVW5rbm93bjAwMTU4MDAwMDFIUVFyWkFBWCIsInN0YXR1cyI6IkFjdGl2ZSJ9LCJzb2Z0d2FyZV9jbGllbnRfZGVzY3JpcHRpb24iOiJ0ZXN0aW5nIHB1cnBvc2UiLCJzb2Z0d2FyZV9jbGllbnRfaWQiOiIzYzhGMmE3enBXYXhuTzVrRk9acHlFIiwic29mdHdhcmVfY2xpZW50X25hbWUiOiJPcGVuIEJhbmtpbmcgdGVzdCIsInNvZnR3YXJlX2NsaWVudF91cmkiOiJodHRwczovL3d3dy5hbWF6b24uY29tL2NsaWVudCIsInNvZnR3YXJlX2Vudmlyb25tZW50Ijoic2FuZGJveCIsInNvZnR3YXJlX2lkIjoiM2M4RjJhN3pwV2F4bk81a0ZPWnB5RSIsInNvZnR3YXJlX2p3a3NfZW5kcG9pbnQiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMUhRUXJaQUFYLzNjOEYyYTd6cFdheG5PNWtGT1pweUUuandrcyIsInNvZnR3YXJlX2p3a3NfcmV2b2tlZF9lbmRwb2ludCI6Imh0dHBzOi8va2V5c3RvcmUub3BlbmJhbmtpbmd0ZXN0Lm9yZy51ay8wMDE1ODAwMDAxSFFRclpBQVgvcmV2b2tlZC8zYzhGMmE3enBXYXhuTzVrRk9acHlFLmp3a3MiLCJzb2Z0d2FyZV9sb2dvX3VyaSI6Imh0dHBzOi8vd3d3LmFtYXpvbi5jb20vbG9nbyIsInNvZnR3YXJlX21vZGUiOiJMaXZlIiwic29mdHdhcmVfb25fYmVoYWxmX29mX29yZyI6IlRoaXJkIHBhcnR5IHByb3ZpZGVycyIsInNvZnR3YXJlX3BvbGljeV91cmkiOiJodHRwczovL3d3dy5hbWF6b24uY29tL3BvbGljeSIsInNvZnR3YXJlX3JlZGlyZWN0X3VyaXMiOlsiaHR0cHM6Ly93d3cuYW1hem9uLmNvbSIsImh0dHBzOi8vd3d3LmFtYXpvbi5jb20vdHQvd2Vidmlldy9vb2JlL3Byb3Bvc2l0aW9uIl0sInNvZnR3YXJlX3JvbGVzIjpbIkFJU1AiLCJQSVNQIl0sInNvZnR3YXJlX3Rvc191cmkiOiJodHRwczovL3d3dy5hbWF6b24uY29tL3RvcyIsInNvZnR3YXJlX3ZlcnNpb24iOjEuMX0.WwuTR8guWhZynapiivAmVLD62I4z-49b_kiNv-6Ae4hsOqY-mDZoxVPxY8HrQUDB1MDGnUzWzcj1gBpRDf-kN3fiLp42Qo3PUhmfsCBUGMRgeCIelYWB3Wm8kYdjlArJ6CpNkj9dUo8g48dt7Bj-r1Uxa7SUpe6D-P_peTdebxf82z2zX9obu-sGhGzTAiMpNilnftaWmUdkk4EMtFUr4Qbw8QbJz3-6TjSU7nUHU7QvJ0xFPreTkAq5MoJ_JvF-INEmUFZIRa7S1z54M1TPnSSRA19mdxhSs2IaVvr5rPGgTvMw30Q1Ch
    
    idHyAQO4-FEkaIIbay-9YN2NxgelQOQQ"
    }
  9. The software statement should be obtained from the Open Banking directory by the TPP. This is a signed JWT issued by the Open Banking directory.
  10. A sample response is given below:

    HTTP/1.1 200 Ok
         Content-Type: application/json
      {
        "grant_types": [
            "authorization_code",
            "refresh_token"
        ],
        "software_client_name": "Open Banking test",
        "supportedGrantTypes": [
            "refresh_token",
            "client_credentials"
        ],
        "redirect_uris": [
            "https://www.amazon.com",
            "https://www.amazon.com/tt/webview/oobe/proposition"
        ],
        "software_jwks_endpoint": "https://keystore.openbankingtest.org.uk/0015800001HQQrZAAX/3c8F2a7zpWaxnO5kFOZpyE.jwks",
        "token_endpoint_auth_method": "private_key_jwt",
        "consumerSecret": "DMcSUBmgi4tjKktagizDuDaiCAAa",
        "software_id": "3c8F2a7zpWaxnO5kFOZpyE",
        "software_logo_uri": "https://www.amazon.com/logo",
        "scope": [
            "openid",
            "payments"
        ],
        "request_object_signing_alg": "ES256",
        "software_roles": [
            "AISP",
            "PISP"
        ],
        "consumerKey": "kKcxI71dFnCtIHoM9zTZiG6U1GUa",
        "id_token_signed_response_alg": "ES256"
    }

Configure dynamic registration

Follow the steps below to confgure dynamic registration.

Upload certificate to the trust store

The TPP can upload the Open Banking directory root and issuing certificates to the client truststore in both the API Manager and Identity Server using the following commands:

keytool -import -alias tpproot -file <OB root cert> -keystore client-truststore.jks -storepass wso2carbon

keytool -import -alias tpproot -file <OB issuing cert> -keystore client-truststore.jks -storepass wso2carbon


Edit the OpenBanking.xml file

In the <financialOB>/wso2ob-am-2.6.0/repository/conf/finance folder, open the OpenBanking.xml file and add the following parameters:

<UK>
<DCR>
        <TokenAuthentication>
            <Method>private_key_jwt</Method>
            <Method>tls_client_auth</Method>
            <Method>client_secret_basic</Method>
        </TokenAuthentication>
        <ConnectionTimeout>0</ConnectionTimeout>
        <ReadTimeout>0</ReadTimeout>
            <EndPointURL>
              <ServiceProviderCreation>/client-registration/v0.14/register</ServiceProviderCreation>
               <Application>/api/am/store/v0.14/applications</Application>
               <Token>/token</Token>
               <KeyGeneration>/api/am/store/v0.14/applications/generate-keys</KeyGeneration>
            </EndPointURL>
</DCR>
</UK>
  • The token endpoint authentication methods indicate the authentication methods supported by WSO2. The registration validation will fail if the TPP requests a different authentication method.
  • The ConnectionTimeout and ReadTimeout values are needed when verifying the signatures for the request JWT and software statement JWT.
  • The ConnectionTimeout and ReadTimeout values are set to a default value of 3000.
  • The values can be increased in case the signature validation fails with a timeout.
  • The endpoint URLs are used to access the REST APIs of the API Manager in order to create the application and service provider, and to generate keys for the application.

Edit the axis2.xml file

In the <OB_HOME>/wso2-ob-solution-1.2.0/wso2ob-am-2.6.0/repository/conf/axis2 folder, open the axis2.xml file and add the following configurations to support the application/JWT content type:

Add a new message formatter
 <messageFormatters>
<messageFormatter contentType="application/jwt"class="org.apache.axis2.format.PlainTextFormatter"/>
</messageFormatters>
Add a new message builder
<messageBuilders>
<messageBuilder contentType="application/jwt class="org.apache.axis2.format.PlainTextBuilder"/>
</messageBuilders>

Edit the api-manager.xml file

To store any properties retrieved from the SSA, make sure you add the server level configuration to the api-manager.xml file in the <OB_AM_HOME>/repository/conf folder as explained here.

For example, if you want to store the software_client_id retrieved from the SSA created in the sandbox environment, the property name should look like: software_client_id_sandbox.

Similarly, to store the software_client_id retrieved from the SSA created in a production environment, the property name should be: software_client_id_production. Make sure you add these properties as false, as required.

In addition to these, make sure you include the software_jwks_endpoint included in the SSA. This is necessary in order to obtain an access token for the application.

<ApplicationConfiguration>
    <ApplicationAttributes>
        <Attribute required="false">
            <Name>software_id_sandbox</Name>
            <Description>Software ID of the sandbox</Description>
        </Attribute>
        <Attribute required="false">
            <Name>software_id_production</Name>
            <Description>Software ID of the production</Description>
        </Attribute>
       <Attribute required="false">
            <Name>software_roles_production</Name>
            <Description>Software roles of the production</Description>
        </Attribute>
       <Attribute required="false">
            <Name>software_roles_sandbox</Name>
            <Description>Software roles of the sandbox</Description>
        </Attribute>
        <Attribute required="false">
            <Name>software_jwks_endpoint_sandbox</Name>
            <Description>JWKS endpoint of sandbox</Description>
        </Attribute>
        <Attribute required="false">
            <Name>software_jwks_endpoint_production</Name>
            <Description>JWKS endpoint of production</Description>
        </Attribute>
    </ApplicationAttributes>
</ApplicationConfiguration>
  • No labels