The information security profile is built upon the foundations of the Financial-grade API Read Write Profile (FAPI-RW) and other standards relating to Open ID Connect 1.0 (OIDC). This is the security profile that the Consumer Data Standards (CDS) recommends to ensure API security. It consists of the standards for grant types, authentication and authorisation flows. For more information, see CDS - Security Profile.
The API Security features are not applicable to Phase 1 - Product APIs.
Let’s see how WSO2 Open Banking supports the security profile:
Transport layer security
Mutual Transport Layer Security (MTLS)
WSO2 Open Banking uses MTLS to check if the message context contains the transport certificate using the following handlers. This is to make sure that the MTLS handshake is successful at the gateway.
|Ensures that mutual TLS has taken place by checking if the transport certificate is available as a property in the Axis2 message context.|
This handler is applicable if MTLS is terminated at the load balancer level.
If Mutual Transport Layer Security (MTLS) is terminated before the request reaches the Gateway, retrieve the Data Recipient's certificate from the MTLS session and include as a transport certificate header. By default, the gateway expects
Click here to see how to enable MLTS...
The load balancer should not allow the Data Recipient to send its certificate as a transport certificate header that is configured in the
If such header was found in the Data Recipient’s request, it is mandatory to remove that header from the request. This is applicable even when the MTLS session is not terminated at the load balancer.
Token endpoint security
To manage the Data Recipient interaction with the resources exposed via the banks’ APIs, WSO2 Open Banking uses:
- Client credentials grant type
- Authorisation code grant type
WSO2 Open Banking uses Client credentials grant type when generating access tokens for the Dynamic Client Registration API. For example:
The grant type used to generate an application access token.
The above example is for an application access token generated using Client Credentials grant type. For more information, see Dynamic Client Registration v0.1.
Limit of access for the application access token/clientId.
The value of the client assertion, generated using the following format:
The type used to pass the client assertion. WSO2 uses the self-signed JSON Web Token (JWT).
The above cURL request results in an access token along with a refresh token and an encrypted id token.
WSO2 Open Banking also uses the Authorization Code grant type to ensure token endpoint security. When a Data Recipient attempts to access a CDS resource; WSO2 Open Banking requests the bank customer to authorise the Data Recipient by granting the consent for the Data Recipient to access that account information. Once the user grants the consent, the user is redirected to the redirect URL of the Data Recipient with the authorization code. Using the generated authorisation code, the Data Recipient can generate the user access token. For instructions on generating a user access token, see Generate user access token.
See Authorisation endpoint security that discusses security enhancements for Authorisation code grant type.
Refresh tokens are used to get a new user access token from the authentication server in order to access a specific resource. The most common use case is generating a refresh token when the user access token is expired.
WSO2 Open Banking supports Private Key JWT to secure the token endpoint that is used by Data Recipients to obtain the application and access tokens. Private Key JWT is the default token endpoint authenticator used in WSO2 Open Banking.
Holder of Key (HoK) validation
HolderOfKeyValidationHandler in the API Manager performs this validation to verify that the scope parameter in the access token contains the thumbprint of the TLS certificate sent in the request. For this, the access token needs to be bound with the MTLS certificate.
Mutual Transport Layer Security (MTLS) certificate bound access token
<WSO2_OB_KM_HOME>/repository/conf/finance/open-banking.xml file and do the following:
- Open the
<WSO2_OB_KM_HOME>/repository/conf/finance/open-banking.xmlfile and do the following:
Update the following configuration under
<APISecurity><EnableMTLSTokenBinding>to enable this feature.
Configure the client certificate header name using the
<CertificateManagement><ClientAuthenticationHeader>property as follows:
Add the following handler to the
Authorisation endpoint security
WSO2 Open Banking enhances the security of the authorisation code grant type in authorisation endpoint security with request object and response type attributes.
Once decoded, the request object that is used to get the Data Recipient's information looks as follows:
sharing_duration claim in the request object defines the validity period of the refresh token. This is to limit the validity of the consent to the defined period.
The sample redirect URL for the bank customer to authorise the payment consent looks as follows: