This documentation is for WSO2 Open Banking version 1.3.0.

...

  1. Add an identity provider with OAuth2-OpenID Connect to the Key Manager (KM).

    Fill in the fields using the values you received from the Open Banking (OB) directory when registering for its identity provider service.

    Field: Callback URL
      Value: https://<keymanager_host>:<keymanager_port>/commonauth
      Description: This URL should be provided as the redirect URI when creating the SSA (Software Statement Assertion).

    Field: OpenID Connect User ID Location
      Value: User ID found among claims

    Field: Additional Query Parameters
      Value: scope=openid email profile&prompt=login
      Description: These parameters are used to retrieve user information from WSO2 Open Banking.

    Field: Client Id
      Description: The client id issued by the OB directory to the ASPSP.

    Field: Client Secret
      Description: The client secret issued by the OB directory to the ASPSP.
    Tip

    Make sure you select the Enable HTTP Basic auth for client authentication checkbox as it is expected that the client ID and client secret are sent in the header.

  2. Expand the Claim Configuration section of the identity provider and add the following claim mappings.

    Identity Provider Claim URI: tpp_associated
      Local Claim URI: http://wso2.org/claims/active
    Identity Provider Claim URI: email
      Local Claim URI: https://wso2.org/claims/emailaddress
    User ID Claim URI: email
  3. Expand the Just-in-Time Provisioning section, select the Always provision to User Store Domain option and then the Provision Silently option.
  4. Add a service provider for the Key Manager. In the Inbound Authentication Configuration section, configure OAuth/OpenID Connect. For the Callback URL, provide https://{WSO2_OB_APIM_HOST}:{ob_apim_port}/store/jagg/jaggery_oidc_acs_ob.jag.

  5. Make a note of the client ID and client secret.
  6. For the Local & Outbound Authentication Configuration of the service provider, select Federated Authentication and select the identity provider that you just added.
  7. For the claim configurations, add email and tpp_associated as the requested claims as specified below.
  8. In the Claims tab, click Add and select External Claim URI. Add tpp_associated to the OpenID Connect (OIDC) claim dialect and map it to the local claim http://wso2.org/claims/active.
  9. In the OIDC scopes tab, click on Add and select Add claims for the openid scope. Update the openid scope with the tpp_associated claim that you just added.
  10. Open the <WSO2_OB_APIM_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json file and modify the OIDC configuration section as follows:

    Code Block
    "oidcConfiguration" : {
     "enabled" : "true",
     "issuer" : "API_STORE",
     "identityProviderURI" : "https://<WSO2_OB_APIM_HOST>:<WSO2_OB_APIM_NIO_PORT>/token",
     "authorizationEndpointURI" : "https://<WSO2_OB_KM_HOST>:<WSO2_OB_KM_PORT>/oauth2/authorize",
     "tokenEndpointURI" : "https://<WSO2_OB_KM_HOST>:<WSO2_OB_KM_PORT>/oauth2/token",
     "userInfoURI" : "https://<WSO2_OB_KM_HOST>:<WSO2_OB_KM_PORT>/oauth2/userinfo",
     "jwksURI" : "https://<WSO2_OB_KM_HOST>:<WSO2_OB_KM_PORT>/oauth2/jwks",
     "logoutEndpointURI" : "https://<WSO2_OB_KM_HOST>:<WSO2_OB_KM_PORT>/oidc/logout",
     "authHttpMethod": "POST",
     "usernameClaim":"email",
     "roleParameter":"tpp_associated",
     "role" :"Internal/subscriber",
     "clientConfiguration" : {
       "clientId" : "<Client_ID of the Service Provider created above>",
       "clientSecret" : "<Client_Secret of the Service Provider created above>",
       "responseType" : "code",
       "authorizationType" : "authorization_code",
       "scope" : "phone email address openid profile api_store",
       "redirectURI" : "https://<WSO2_OB_APIM_HOST>:<OB_APIM_PORT>/store/jagg/jaggery_oidc_acs_ob.jag",
       "postLogoutRedirectURI" : "https://<WSO2_OB_APIM_HOST>:<OB_APIM_PORT>/store/",
       "clientAlgorithm" : "PS256"
     }
    }
    Tip

    Make sure you use the same algorithm in the following configurations:

    1. The allowed signature algorithm for the TPP requests, configured in <WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml

      Code Block (XML)
      <UK>
          <AllowedInboundSignatureAlgorithms>
              <Algorithm>PS256</Algorithm>
          </AllowedInboundSignatureAlgorithms>
      </UK>
    2. The clientAlgorithm property in the site.json file.

    Make sure you add the following parameters.

    Code Block
     "usernameClaim":"email",
     "roleParameter":"tpp_associated",
     "role" :"Internal/subscriber",

    Add the following if you want to add a parameter for a scope.

    Code Block
    "scope" : "phone email address openid profile api_store",
  11. In the <WSO2_OB_APIM_HOST>/repository/deployment/server/jaggeryapps/store/site/conf/site.json file, set the OBDirectoryIntegrated configuration to true.
  12. In the <WSO2_OB_APIM_HOST>/repository/deployment/server/jaggeryapps/store/site/conf/site.json file, set the UseSoftwareIdAsApplicationName configuration to true.

    Info

    The UseSoftwareIdAsApplicationName configuration is available only as a WUM update and is effective from June 07, 2019 (06-07-2019). For more information on updating WSO2 Open Banking, see Updating WSO2 Products.

  13. To store any of the properties retrieved from the SSA, add the server-level configuration to the <WSO2_OB_APIM_HOST>/repository/conf/api-manager.xml file, as explained here.

    The property name carries the environment as a suffix. For example, to store the software_client_id retrieved from the SSA created in the sandbox environment, the property name should be software_client_id_sandbox.

    Similarly, to store the software_client_id retrieved from the SSA created in a production environment, the property name should be software_client_id_production. Add these properties with required set to false, as shown below.

    Code Block (XML)
    <ApplicationConfiguration>
        <ApplicationAttributes>
            <Attribute required="false">
                <Name>software_id_sandbox</Name>
                <Description>Software ID of the sandbox</Description>
            </Attribute>
            <Attribute required="false">
                <Name>software_id_production</Name>
                <Description>Software ID of the production</Description>
            </Attribute>
            <Attribute required="false">
                <Name>software_roles_production</Name>
                <Description>Software roles of the production</Description>
            </Attribute>
            <Attribute required="false">
                <Name>software_roles_sandbox</Name>
                <Description>Software roles of the sandbox</Description>
            </Attribute>
            <Attribute required="false">
                <Name>software_jwks_endpoint_sandbox</Name>
                <Description>JWKS endpoint of sandbox</Description>
            </Attribute>
            <Attribute required="false">
                <Name>software_jwks_endpoint_production</Name>
                <Description>JWKS endpoint of production</Description>
            </Attribute>
        </ApplicationAttributes>
    </ApplicationConfiguration>
    Tip

    The software JWKS endpoints are needed to verify that the client certificate presented during mutual TLS matches the certificate published for the SSA. Therefore, add the two optional application attributes software_jwks_endpoint_sandbox and software_jwks_endpoint_production.

    To ensure that an application can subscribe only to APIs whose software_role matches the roles in its SSA, add the software_roles_production and software_roles_sandbox attributes.

    To restrict an API to a particular role, add a software_role property with the relevant value (e.g. AISP or PISP) under the API properties section when creating the API, as explained here.


    Info

    This is available only as a WUM update and is effective from November 13, 2019 (11-13-2019). For more information on updating WSO2 Open Banking, see Updating WSO2 Products.

    • To enable viewing both softwareClientName and softwareClientID in the API Store when UseSoftwareIdAsApplicationName is enabled, add the following configurations to the <WSO2_OB_APIM_HOME>/repository/conf/api-manager.xml file under <ApplicationConfiguration> within the <APIManager> element:

      Code Block
      <Attribute required="false">
      	<Name>software_client_name_sandbox</Name>
      	<Description>Software Client Name of the sandbox</Description>
      </Attribute>
      <Attribute required="false">
      	<Name>software_client_name_production</Name>
      	<Description>Software Client Name of the production</Description>
      </Attribute>
    • To resolve the string mapping of the new column, add "ID": "ID" key-value pair in the following files:
    1. <WSO2_OB_KM_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/locales/jaggery/locale_default.json
    2. <WSO2_OB_KM_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/locales/jaggery/locale_en.json

    Once you follow the above instructions, notice the additional column Name under the Applications tab of the API Store, which displays softwareClientName.

    Creating an application
  14. Navigate to the API Store using the following URL: https://<WSO2_OB_APIM_HOST>:9443/store.

  15. Click Sign In. You are redirected to the OB login page.

  16. Log in using the OB directory credentials and provide the second-factor authentication.

  17. After a successful login, you are redirected back to the API Store. Click the Applications tab and click Add Application.
  18. Provide a valid SSA. The application name is picked up from the software_client_name of the SSA.
  19. Click Add to add the application. If application creation is successful, the relevant application page is shown.