This documentation is for WSO2 Open Banking version 1.4.0. View documentation for the latest release.

Comment: APISecurity for consent mgt apis

...

  1. Update the identity.xml file in <WSO2_OB_KM_HOME>/repository/conf/identity with the following configurations.

      1. Define the Open Banking specific Request Object Validator under <OpenIDConnect> as follows:

         ```xml
         <RequestObjectValidator>com.wso2.finance.request.object.validator.OBRequestObjectValidatorImpl</RequestObjectValidator>
         ```

      2. Update the following configurations under the <OAuth> property with the hostname of the Open Banking API Manager Gateway.

         ```xml
         <OAuth2AuthzEPUrl>${carbon.protocol}://<WSO2_OB_APIM_HOST>:8243/authorize</OAuth2AuthzEPUrl>
         <OAuth2TokenEPUrl>${carbon.protocol}://<WSO2_OB_APIM_HOST>:8243/token</OAuth2TokenEPUrl>
         <OAuth2UserInfoEPUrl>${carbon.protocol}://<WSO2_OB_APIM_HOST>:8243/userinfo</OAuth2UserInfoEPUrl>
         <OAuth2DCREPUrl>${carbon.protocol}://<WSO2_OB_APIM_HOST>:8243/register</OAuth2DCREPUrl>
         <IDTokenIssuerID>https://<WSO2_OB_APIM_HOST>:8243/token</IDTokenIssuerID>
         ```

      3. Make sure the RenewRefreshTokenForRefreshGrant value is set to false. With this configuration, the refresh token received through the refresh token grant type is not renewed, which is used to enforce consent re-authorization.

         ```xml
         <RenewRefreshTokenForRefreshGrant>false</RenewRefreshTokenForRefreshGrant>
         ```

      4. Configure the ReceiverURL of the <EventPublisher> under <AdaptiveAuth> with the hostname of the Open Banking Business Intelligence Server. By default, the relevant Siddhi Apps are configured to listen on port 8006.

         ```xml
         <ReceiverURL>http://<WSO2_OB_BI_HOST>:8006/</ReceiverURL>
         ```

      5. Make sure the following Open Banking specific response type handlers are added under <SupportedResponseTypes>.

         ```xml
         <SupportedResponseType>
             <ResponseTypeName>code</ResponseTypeName>
             <ResponseTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.response.type.handlers.OBCodeResponseTypeHandler</ResponseTypeHandlerImplClass>
         </SupportedResponseType>
         <SupportedResponseType>
             <ResponseTypeName>code id_token</ResponseTypeName>
             <ResponseTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.response.type.handlers.OBHybridResponseTypeHandler</ResponseTypeHandlerImplClass>
         </SupportedResponseType>
         ```

      6. The following Open Banking specific grant types must be present under the <SupportedGrantTypes> property.

         ```xml
         <SupportedGrantType>
             <GrantTypeName>authorization_code</GrantTypeName>
             <GrantTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.grant.type.handlers.OBAuthorizationCodeGrantHandler</GrantTypeHandlerImplClass>
         </SupportedGrantType>
         <SupportedGrantType>
             <GrantTypeName>client_credentials</GrantTypeName>
             <GrantTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.grant.type.handlers.OBClientCredentialsGrantHandler</GrantTypeHandlerImplClass>
             <IsRefreshTokenAllowed>false</IsRefreshTokenAllowed>
             <IdTokenAllowed>false</IdTokenAllowed>
         </SupportedGrantType>
         ```

      7. The cache configurations are available in <CacheConfig> under the <CacheManager> element. You can update them according to your requirements.

      8. The ID Token Builder is org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder. Make sure the <IDTokenBuilder> configuration is as follows:

         ```xml
         <OpenIDConnect>
             <IDTokenBuilder>org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder</IDTokenBuilder>
         </OpenIDConnect>
         ```
      9. By default, the Consent Management APIs are secured with basic authentication.

         1. Each API resource is configured using a <Resource> element under <ResourceAccessControl>.

         2. Update the <Permissions> element with the role assigned to the user that is configured under <APISecurity> in open-banking.xml.

            To configure a user for APISecurity in open-banking.xml:

            1. Use the default admin user or create a new user using the WSO2 Open Banking Key Manager Management Console.
            2. Note down the role assigned to the user.
            3. Open the <WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml file.
            4. Update the credentials under <APISecurity> <Global> with the created user details. By default, this is set to the username and password of the super admin.

               ```xml
               <APISecurity>
                   <Global>
                       <Username>[email protected]</Username>
                       <Password>wso2123</Password>
                   </Global>
               </APISecurity>
               ```

         3. The default configuration secures each consent management API context as follows:

            ```xml
            <ResourceAccessControl>
                <!--
                    Configuration for protecting consent management APIs.
                    If not required, set secured to false. The credentials of the basic auth are
                    from the registered user role with the permission as specified in the Permission tag.
                -->
                <Resource context="(.*)/berlin110/(.*)" http-method="all" secured="true" allowed-auth-handlers="BasicAuthentication">
                    <Permissions>/permission/admin</Permissions>
                </Resource>
                <Resource context="(.*)/berlin130/(.*)" http-method="all" secured="true" allowed-auth-handlers="BasicAuthentication">
                    <Permissions>/permission/admin</Permissions>
                </Resource>
                <Resource context="(.*)/stet140/(.*)" http-method="all" secured="true" allowed-auth-handlers="BasicAuthentication">
                    <Permissions>/permission/admin</Permissions>
                </Resource>
                <Resource context="(.*)/uk110/(.*)" http-method="all" secured="true" allowed-auth-handlers="BasicAuthentication">
                    <Permissions>/permission/admin</Permissions>
                </Resource>
                <Resource context="(.*)/uk200/(.*)" http-method="all" secured="true" allowed-auth-handlers="BasicAuthentication">
                    <Permissions>/permission/admin</Permissions>
                </Resource>
                <Resource context="(.*)/uk300/(.*)" http-method="all" secured="true" allowed-auth-handlers="BasicAuthentication">
                    <Permissions>/permission/admin</Permissions>
                </Resource>
                <!-- END OF Configuration for protecting consent management APIs -->
            </ResourceAccessControl>
            ```

            To disable basic authentication for a resource, set the secured property to false in the corresponding <Resource> element. For example, to disable basic authentication for uk300 resources, update the configuration as follows:

            ```xml
            <ResourceAccessControl>
                <Resource context="(.*)/uk300/(.*)" http-method="all" secured="false" allowed-auth-handlers="BasicAuthentication">
                    <Permissions>/permission/admin</Permissions>
                </Resource>
                <!--
                    END OF Configuration for protecting consent management APIs
                -->
            </ResourceAccessControl>
            ```
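As an added check, not code from the page or from WSO2, the script below parses a constructed identity.xml fragment and verifies the settings that steps 1 to 8 ask for: one gateway host on port 8243 for all OAuth endpoints, IDTokenIssuerID matching the token endpoint, RenewRefreshTokenForRefreshGrant set to false, the Open Banking request object validator, and Open Banking grant handlers with no refresh token for client_credentials. The hostnames, the lint function and the use of https in place of ${carbon.protocol} are assumptions.

```python
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Constructed identity.xml fragment with the page's values (https stands in for
# ${carbon.protocol}) and two planted mistakes: the userinfo endpoint still
# points at a Key Manager host, and client_credentials allows refresh tokens.
SAMPLE = """<Server><OAuth>
 <OAuth2AuthzEPUrl>https://apim.example.com:8243/authorize</OAuth2AuthzEPUrl>
 <OAuth2TokenEPUrl>https://apim.example.com:8243/token</OAuth2TokenEPUrl>
 <OAuth2UserInfoEPUrl>https://km.example.com:9446/userinfo</OAuth2UserInfoEPUrl>
 <OAuth2DCREPUrl>https://apim.example.com:8243/register</OAuth2DCREPUrl>
 <IDTokenIssuerID>https://apim.example.com:8243/token</IDTokenIssuerID>
 <RenewRefreshTokenForRefreshGrant>false</RenewRefreshTokenForRefreshGrant>
 <SupportedGrantTypes><SupportedGrantType>
  <GrantTypeName>client_credentials</GrantTypeName>
  <GrantTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.grant.type.handlers.OBClientCredentialsGrantHandler</GrantTypeHandlerImplClass>
  <IsRefreshTokenAllowed>true</IsRefreshTokenAllowed>
 </SupportedGrantType></SupportedGrantTypes>
</OAuth><OpenIDConnect>
 <RequestObjectValidator>com.wso2.finance.request.object.validator.OBRequestObjectValidatorImpl</RequestObjectValidator>
</OpenIDConnect></Server>"""

EP_TAGS = ("OAuth2AuthzEPUrl", "OAuth2TokenEPUrl", "OAuth2UserInfoEPUrl", "OAuth2DCREPUrl")
OB_PREFIX = "com.wso2.finance."

def lint(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    oauth, oidc, findings = root.find("OAuth"), root.find("OpenIDConnect"), []
    # Step 2: every OAuth endpoint sits on one host, the gateway port 8243.
    hosts = {urlsplit(oauth.findtext(t, "")).netloc for t in EP_TAGS}
    if len(hosts) != 1 or not next(iter(hosts)).endswith(":8243"):
        findings.append("OAuth endpoints do not all point at <WSO2_OB_APIM_HOST>:8243")
    if oauth.findtext("IDTokenIssuerID") != oauth.findtext("OAuth2TokenEPUrl"):
        findings.append("IDTokenIssuerID differs from OAuth2TokenEPUrl")
    # Step 3: refresh tokens are not renewed, so consent re-authorization holds.
    if oauth.findtext("RenewRefreshTokenForRefreshGrant", "").lower() != "false":
        findings.append("RenewRefreshTokenForRefreshGrant is not false")
    # Step 1: the Open Banking request object validator is in place.
    if not (oidc.findtext("RequestObjectValidator") or "").startswith(OB_PREFIX):
        findings.append("RequestObjectValidator is not the Open Banking implementation")
    # Step 6: grant types use the OB handlers; client_credentials issues no refresh token.
    for gt in oauth.iter("SupportedGrantType"):
        name = gt.findtext("GrantTypeName", "")
        if not (gt.findtext("GrantTypeHandlerImplClass") or "").startswith(OB_PREFIX):
            findings.append(f"{name}: handler is not the Open Banking implementation")
        if name == "client_credentials" and gt.findtext("IsRefreshTokenAllowed") != "false":
            findings.append("client_credentials: IsRefreshTokenAllowed must be false")
    return findings
```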
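As an added example, not code from the page or from WSO2, the script below parses a <ResourceAccessControl> section like the one in step 9, lists the contexts left with secured="false", and resolves constructed request paths to the rule they would hit. It assumes first-match-wins and full-path regex matching, which the page does not document; the sample rules and the helper names are mine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: two of the page's consent management API rules,
# with the uk300 context switched to secured="false" as in the example.
SAMPLE_XML = """<ResourceAccessControl>
  <Resource context="(.*)/berlin130/(.*)" http-method="all" secured="true"
            allowed-auth-handlers="BasicAuthentication">
    <Permissions>/permission/admin</Permissions>
  </Resource>
  <Resource context="(.*)/uk300/(.*)" http-method="all" secured="false"
            allowed-auth-handlers="BasicAuthentication">
    <Permissions>/permission/admin</Permissions>
  </Resource>
</ResourceAccessControl>"""

def parse_rules(xml_text):
    """Return one dict per <Resource> element, attributes normalised."""
    rules = []
    for res in ET.fromstring(xml_text).findall("Resource"):
        rules.append({
            "context": res.get("context", ""),
            "method": res.get("http-method", "all").lower(),
            "secured": res.get("secured", "true").lower() == "true",
            "handlers": res.get("allowed-auth-handlers", "").split(","),
            "permission": res.findtext("Permissions", default="").strip(),
        })
    return rules

def unsecured_contexts(rules):
    """Context patterns whose rule turns authentication off entirely."""
    return [r["context"] for r in rules if not r["secured"]]

def match_rule(rules, path, method="GET"):
    """First rule whose context regex matches the whole path and the method.
    Assumption: first match wins and the regex must cover the full path; the
    page does not document the product's own matching order."""
    for r in rules:
        if r["method"] in ("all", method.lower()) and re.fullmatch(r["context"], path):
            return r
    return None

def audit(xml_text, paths):
    """Map each request path to (secured, permission), or None if unmatched."""
    rules = parse_rules(xml_text)
    out = {}
    for p in paths:
        r = match_rule(rules, p)
        out[p] = None if r is None else (r["secured"], r["permission"])
    return out
```

Run the audit over the real open-banking.xml after editing it: any context reported by unsecured_contexts is reachable without basic authentication.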