Page History
...
Define the Open Banking specific Request Object Validator under the <
OpenIDConnect>
as follows:Code Block language xml <RequestObjectValidator>com.wso2.finance.request.object.validator.OBRequestObjectValidatorImpl</RequestObjectValidator>
Update the following configurations under the
<OAuth>
property with the hostname of the Open Banking API Manager Gateway.Code Block language xml <OAuth2AuthzEPUrl>${carbon.protocol}://<WSO2_OB_APIM_HOST>:8243/authorize</OAuth2AuthzEPUrl> <OAuth2TokenEPUrl>${carbon.protocol}://<WSO2_OB_APIM_HOST>:8243/token</OAuth2TokenEPUrl> <OAuth2UserInfoEPUrl>${carbon.protocol}://<WSO2_OB_APIM_HOST>:8243/userinfo</OAuth2UserInfoEPUrl> <OAuth2DCREPUrl>${carbon.protocol}://<WSO2_OB_APIM_HOST>:8243/register</OAuth2DCREPUrl>
Update the following configuration under the
<OpenIDConnect>
tag with the hostname of the Open Banking API Manager server.Code Block language xml <IDTokenIssuerID>https://<WSO2_OB_APIM_HOST>:8243/token</IDTokenIssuerID>
Make sure the
RenewRefreshTokenForRefreshGrant
value set to false. With this configuration, the refresh token that is received by the refresh token grant type is not renewed. This is used to enforce consent re-authorization.Code Block language xml <RenewRefreshTokenForRefreshGrant>false</RenewRefreshTokenForRefreshGrant>
Configure the ReceiverURL of the
<EventPublisher>
under<AdaptiveAuth>
with the hostname of the Open Banking Business Intelligence Server. By default, the relevant Siddhi Apps are configured to listen to port 8006.Code Block language xml <ReceiverURL>http://<WSO2_OB_BI_HOST>:8006/</ReceiverURL>
Make sure the following Open Banking specific response type handlers are added under the
<SupportedResponseTypes>.
Code Block language xml <SupportedResponseType> <ResponseTypeName>code</ResponseTypeName> <ResponseTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.response.type.handlers.OBCodeResponseTypeHandler</ResponseTypeHandlerImplClass> </SupportedResponseType> <SupportedResponseType> <ResponseTypeName>code id_token</ResponseTypeName> <ResponseTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.response.type.handlers.OBHybridResponseTypeHandler</ResponseTypeHandlerImplClass> </SupportedResponseType>
Note In order to bind the MTLS certificate of the TPP that is sent in the requests to the user access token, update the
<GrantTypeHandlerImplClass>
parameter under<GrantTypeName>authorization_code</GrantTypeName>
as follows:Code Block <GrantTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.grant.type.handlers.MTLSTokenBindingAuthorizationCodeGrantHandler</GrantTypeHandlerImplClass>
Add the following event listener under
<EventListeners>
and enable it as follows:Code Block <EventListener enable="true" name="com.wso2.finance.open.banking.identity.extensions.listeners.OBIntrospectionResponseInterceptor" orderId="27" type="org.wso2.carbon.identity.core.handler.AbstractIdentityHandler"/>
The following Open Banking specific grant types should be there under <
SupportedGrantTypes>
property.Code Block language xml <SupportedGrantType> <GrantTypeName>authorization_code</GrantTypeName> <GrantTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.grant.type.handlers.OBAuthorizationCodeGrantHandler</GrantTypeHandlerImplClass> </SupportedGrantType> <SupportedGrantType> <GrantTypeName>client_credentials</GrantTypeName> <GrantTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.grant.type.handlers.OBClientCredentialsGrantHandler</GrantTypeHandlerImplClass> <IsRefreshTokenAllowed>false</IsRefreshTokenAllowed> <IdTokenAllowed>false</IdTokenAllowed> </SupportedGrantType>
The cache configurations are available in
<CacheConfig>
under<CacheManager>
element. You can update the configurations according to your requirements.The ID Token Builder and the algorithm that signs the ID Token Builder are configurable.
By default,
<IDTokenBuilder>
is set toorg.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder
. For example, to sign the <IDTokenBuilder>
with theSHA256withPS
algorithm the configurations are as follows:Code Block language xml <OpenIDConnect> <IDTokenBuilder>org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder</IDTokenBuilder> <SignatureAlgorithm>SHA256withPS</SignatureAlgorithm> </OpenIDConnect>
Anchor BasicAuthConsentMgt BasicAuthConsentMgt By default, the Consent Management APIs are secured with basic authentication.
Each API resource is secured using a
<Resource>
element under<ResourceAccessControl>
.- Use the default user or create a new user in the Key Manager Management Console to access the Consent Management APIs.
- Update the
<Permissions>
element under<Resource>
with the permissions. Thesepermissions
are used to restrict access to the APIs. For more information, see Configuring Roles and Permissions. Update the credentials in Open Banking API Manager with the created user details.
Expand title Click here to see how it is done - Open the
<WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml
file. Update the credentials under
<APISecurity><Global>
with the created user details.By default, this is set to the username and password of the super admin.
Code Block language xml <APISecurity> <Global> <Username>[email protected]</Username> <Password>wso2123</Password> </Global> </APISecurity>
- Open the
To disable basic authentication for an API, set the
secured
property tofalse
in the corresponding<Resource>
element. For example, to disable basic authentication foruk300
resources, update the configurations in the<WSO2_OB_KM_HOME>/repository/conf/identity/identity.xml
file as follows:Code Block language xml <ResourceAccessControl> <!-- Configuration for protecting consent management APIs. If not required, set secured to false. The credentials of the basic auth are from the registered user role with the permission as specified in the Permission tag. --> <Resource context="(.*)/uk300/(.*)" http-method="all" secured="false" allowed-auth-handlers="BasicAuthentication"> <Permissions>/permission/admin</Permissions> </Resource> <!-- END OF Configuration for protecting consent management APIs --> </ResourceAccessControl>
Disabling weak ciphers
A cipher is an algorithm for performing encryption or decryption. When you set the sslprotocol of your server to TLS, the TLS and the default ciphers get enabled without considering the strength of the ciphers. This is a security risk as weak ciphers, also known as EXPORT ciphers, can make your system vulnerable to attacks. To prevent these types of security attacks, it is encouraged to disable the weak ciphers.
Refer to Disabling weak ciphers in the WSO2 Administration Guide and disable weak ciphers.