This documentation is for WSO2 Open Banking version 1.2.0 of UK. View documentation for the latest release.
Manual Registration - WSO2 Open Banking 1.2.0 UK - WSO2 Documentation

This page describes how to configure and use the manual registration flow, as specified by the Open Banking UK specification.

Configure manual registration

Do the following configurations in order to support the manual registration flow.

  1. Add an identity provider with OAuth2-OpenID Connect to the Key Manager. 
  2. Fill in the relevant values, based on the values you received from the Open Banking directory when you registered for their identity provider service.

    Callback URL: https://<keymanager_host>:<keymanager_port>/commonauth (this URL should be provided as the redirect URI when creating the SSA (Software Statement Assertion))
    OpenID Connect User ID Location: User ID found among claims
    Additional Query Parameters: scope=openid email profile&prompt=login (this is to retrieve user information from WSO2 Open Banking)

    Make sure you select the Enable HTTP Basic auth for client authentication check box, as it is expected that the client ID and client secret are sent in the header.

  3. Expand the Claim Configuration section of the identity provider and add the following claim configurations.
  4. Expand the Just-in-Time Provisioning section, select Always provision to User Store Domain and select Provision Silently.
  5. Add a service provider for the Key Manager. For the inbound authentication, configure OAuth/OpenID Connect. For the Callback URL, provide https://{ob_apim_host}:{ob_apim_port}/store/jagg/jaggery_oidc_acs_ob.jag as the URL.

  6. Make a note of the client ID and client secret, which are needed later when configuring the Developer Portal.
  7. For the Local & Outbound Authentication Configuration of the service provider, select Federated Authentication and select the identity provider that you just added.
  8. For the claim configurations, add email and tpp_associated as the requested claims as specified below.
  9. Add tpp_associated to the OIDC claim dialect and map it to the local claim http://wso2.org/claims/active, as explained here.
  10. As explained here, update the openid scope with the tpp_associated claim that you just added.
  11. Open the site.json file, which resides in the <OB_APIM_HOME>/repository/deployment/server/jaggeryapps/store/site/conf folder, and modify the OIDC configuration section as follows:

    "oidcConfiguration" : {
      "enabled" : "true",
      "issuer" : "API_STORE",
      "identityProviderURI" : "https://<OB_APIM_HOST>:<OB_APIM_NIO_PORT>/token",
      "authorizationEndpointURI" : "https://<OB_KM_HOST>:<OB_KM_PORT>/oauth2/authorize",
      "tokenEndpointURI" : "https://<OB_KM_HOST>:<OB_KM_PORT>/oauth2/token",
      "userInfoURI" : "https://<OB_KM_HOST>:<OB_KM_PORT>/oauth2/userinfo",
      "jwksURI" : "https://<OB_KM_HOST>:<OB_KM_PORT>/oauth2/jwks",
      "logoutEndpointURI" : "https://<OB_KM_HOST>:<OB_KM_PORT>/oidc/logout",
      "authHttpMethod" : "POST",
      "usernameClaim" : "email",
      "roleParameter" : "tpp_associated",
      "role" : "Internal/subscriber",
      "clientConfiguration" : {
        "clientId" : "<Client_ID of the Service Provider created above>",
        "clientSecret" : "<Client_Secret of the Service Provider created above>",
        "responseType" : "code",
        "authorizationType" : "authorization_code",
        "scope" : "phone email address openid profile api_store",
        "redirectURI" : "https://<OB_APIM_HOST>:<OB_APIM_PORT>/store/jagg/jaggery_oidc_acs_ob.jag",
        "postLogoutRedirectURI" : "https://<OB_APIM_HOST>:<OB_APIM_PORT>/store/",
        "clientAlgorithm" : "RS256"
      }
    }

    Make sure you add the following parameters, which set the Developer Portal username from the email claim and grant the Internal/subscriber role based on the tpp_associated claim:

      "usernameClaim" : "email",
      "roleParameter" : "tpp_associated",
      "role" : "Internal/subscriber",

    Add the following if you want to specify the scope parameter explicitly:

      "scope" : "phone email address openid profile api_store",
  12. Add "OBDirectoryIntegrated" : true to the site.json file, which resides in the <OB_APIM_HOME>/repository/deployment/server/jaggeryapps/store/site/conf folder.
  13. To store any of the properties retrieved from the SSA, make sure you add the server level configuration to the api-manager.xml file in the <OB_AM_HOME>/repository/conf folder, as explained here.

    For example, if you want to store the software_client_id that is retrieved from the SSA created in the sandbox environment, the property name should look like software_client_id_sandbox.

    Similarly, to store the software_client_id retrieved from the SSA created in a production environment, the property name should be software_client_id_production. Make sure you add these attributes as optional, i.e. with required="false".

    <ApplicationConfiguration>
        <ApplicationAttributes>
            <Attribute required="false">
                <Name>software_id_sandbox</Name>
                <Description>Software ID of the sandbox</Description>
            </Attribute>
            <Attribute required="false">
                <Name>software_id_production</Name>
                <Description>Software ID of the production</Description>
            </Attribute>
            <Attribute required="false">
                <Name>software_roles_production</Name>
                <Description>Software roles of the production</Description>
            </Attribute>
            <Attribute required="false">
                <Name>software_roles_sandbox</Name>
                <Description>Software roles of the sandbox</Description>
            </Attribute>
            <Attribute required="false">
                <Name>software_jwks_endpoint_sandbox</Name>
                <Description>JWKS endpoint of sandbox</Description>
            </Attribute>
            <Attribute required="false">
                <Name>software_jwks_endpoint_production</Name>
                <Description>JWKS endpoint of production</Description>
            </Attribute>
        </ApplicationAttributes>
    </ApplicationConfiguration>

    The software JWKS endpoints are needed to verify that the client certificate presented during mutual TLS matches the certificate published for the SSA. Therefore, make sure you add the two optional application attributes software_jwks_endpoint_sandbox and software_jwks_endpoint_production.

    To make sure that only an application whose SSA carries the roles named in an API's software_role property can subscribe to that API, make sure you add the attributes software_roles_production and software_roles_sandbox.

    To restrict an API to a particular role, add the software_role property with the relevant value (i.e. AISP or PISP) under the API properties section when creating the API, as explained here.

    Make sure you import the public certificates of https://keystore.openbanking.org.uk/keystore/openbanking.jwks and https://keystore.openbanking.org.uk/ into the client trust store of OB_APIM.
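The following is an added example, not WSO2 code, that models what the site.json keys in step 11 and the per-environment SSA attributes in step 13 are configured to do: map ID-token claims to a Developer Portal login, store SSA properties under <name>_<environment> attribute names, and gate an API subscription on the application's software_roles. It assumes the SSA claims have already been signature-verified against the Open Banking directory keys, and that an API without a software_role property is unrestricted.

```python
"""Added example (not WSO2 code): claim and attribute handling behind this page's configuration."""

# Constructed sample: the oidcConfiguration keys the page tells you to add to site.json.
OIDC_CONFIG = {"usernameClaim": "email", "roleParameter": "tpp_associated", "role": "Internal/subscriber"}

# Attribute names declared in api-manager.xml on this page, each stored once per environment.
SSA_ATTRIBUTES = ("software_id", "software_roles", "software_jwks_endpoint")
ENVIRONMENTS = ("sandbox", "production")


def resolve_portal_user(cfg: dict, claims: dict) -> tuple:
    """Map ID-token claims to a Developer Portal login the way the site.json keys describe:
    the username comes from usernameClaim, and `role` is granted only when roleParameter is true."""
    username = claims.get(cfg["usernameClaim"])
    if not username:
        raise ValueError("ID token lacks the %s claim" % cfg["usernameClaim"])
    # tpp_associated is mapped to the local 'active' claim, which arrives as a bool or "true"/"false".
    flag = claims.get(cfg["roleParameter"])
    roles = [cfg["role"]] if str(flag).lower() == "true" else []
    return username, roles


def ssa_application_attributes(ssa_claims: dict, env: str) -> dict:
    """Build the <env>-suffixed application attributes (software_id_sandbox, ...) from an SSA
    whose signature has already been verified (assumption: verification happens elsewhere)."""
    if env not in ENVIRONMENTS:
        raise ValueError("env must be one of %s" % (ENVIRONMENTS,))
    attrs = {}
    for name in SSA_ATTRIBUTES:
        if name in ssa_claims:
            value = ssa_claims[name]
            # software_roles is a JSON array in the SSA; store it as a comma-separated attribute value.
            attrs["%s_%s" % (name, env)] = ",".join(value) if isinstance(value, list) else str(value)
    return attrs


def can_subscribe(app_attrs: dict, env: str, api_properties: dict) -> bool:
    """Allow a subscription only if the API's software_role property is among the roles the
    application's SSA carries for that environment (software_roles_<env>)."""
    required = api_properties.get("software_role")
    if required is None:
        return True  # assumption: an API without software_role does not restrict by role
    granted = app_attrs.get("software_roles_%s" % env, "")
    return required in [r.strip() for r in granted.split(",") if r.strip()]
```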
