...

Open banking promotes greater financial transparency by allowing third parties to securely and rapidly build financial services with the use of open APIs that facilitate access to accounts (XS2A).

Payment Service Directives

...


WSO2 Open Banking lets you attach documentation to APIs. API documentation helps API subscribers understand what an API does, and helps API publishers market their APIs and stay competitive. By default, the visibility of an API's documentation is the same as the visibility of the API itself.

API Throttling


Throttling allows you to limit the number of successful hits to an API during a given period of time, typically in cases such as the following:

  • To protect your APIs from common types of security attacks such as denial of service (DoS)
  • To regulate traffic according to infrastructure availability
  • To make an API, application, or a resource available to a consumer at different levels of service, usually for monetization purposes

You can define throttling at the API, application, and resource levels. The final request limit granted to a given user for a given API is the consolidated result of all the throttling tiers that apply: a request is admitted only if every applicable tier still allows it. The throttling tiers are also referred to as service-level agreements (SLAs).
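The following is an added illustration of how tiers at the three levels combine; it is not WSO2 code and the tier names, limits, API name and application id are constructed for the example. Each tier is a fixed-window counter keyed by its own subject (the API, the application, or the API plus resource), and a request is admitted only when all applicable tiers have budget left, so the most restrictive tier is the one a caller actually experiences.

```python
"""Tiered throttling: a request is admitted only when every tier that applies
to it (API, application, resource) still has budget in its current window,
so the effective limit is the most restrictive of the applicable tiers."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Tier:
    """A throttling tier (SLA): at most `limit` admitted hits per `window` seconds."""
    name: str
    limit: int
    window: float


class TieredThrottler:
    """Fixed-window counters keyed by (tier name, subject).  The subject is the
    API name, the application id, or the API plus resource, depending on level."""

    def __init__(self) -> None:
        # (tier name, subject) -> [window start time, hits admitted in window]
        self._counters: Dict[Tuple[str, str], list] = defaultdict(lambda: [0.0, 0])

    def allow(self, api: str, resource: str, app_id: str,
              policies: Dict[str, Tier], now: float) -> Tuple[bool, Optional[str]]:
        """Return (admitted, name of the tier that rejected the request or None).
        Every tier is checked before any counter is incremented, so a request
        rejected by one tier does not consume budget in the others."""
        subjects = {"api": api, "application": app_id, "resource": f"{api}{resource}"}
        to_commit = []
        for level, tier in policies.items():
            slot = self._counters[(tier.name, subjects[level])]
            if now - slot[0] >= tier.window:        # window elapsed: start a new one
                slot[0], slot[1] = now, 0
            if slot[1] >= tier.limit:
                return False, tier.name
            to_commit.append(slot)
        for slot in to_commit:                       # count the hit in every tier
            slot[1] += 1
        return True, None


def simulate() -> List[Tuple[bool, Optional[str]]]:
    """Constructed scenario: one application calling a payments API.
    Tier names, limits and identifiers are made up for the example."""
    policies = {
        "api": Tier("Unlimited", 1000, 60.0),        # API-level tier shared by all callers
        "application": Tier("Bronze", 5, 60.0),      # application-level tier (5 hits/min)
        "resource": Tier("PaymentInit", 2, 60.0),    # resource-level tier on POST /payments
    }
    read_policies = {k: v for k, v in policies.items() if k != "resource"}
    throttler = TieredThrottler()
    outcomes = []
    for _ in range(3):   # third POST exceeds the resource tier
        outcomes.append(throttler.allow("PaymentsAPI", "/payments:POST", "app-tom", policies, now=0.0))
    for _ in range(4):   # fourth GET exceeds the application tier (2 POSTs + 3 GETs = 5)
        outcomes.append(throttler.allow("PaymentsAPI", "/accounts:GET", "app-tom", read_policies, now=1.0))
    # a minute later every window has rolled over and the caller is admitted again
    outcomes.append(throttler.allow("PaymentsAPI", "/accounts:GET", "app-tom", read_policies, now=61.0))
    return outcomes


if __name__ == "__main__":
    for admitted, rejected_by in simulate():
        print("admitted" if admitted else f"throttled by {rejected_by}")
```

The rejection carries the tier name so the gateway can report which SLA the caller exhausted. A production gateway would use sliding windows or token buckets and a shared counter store, but the combination rule is the same.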

...

OpenAPI Specification


OpenAPI (formerly known as Swagger) is a 100% open source, standard, language-agnostic specification and a complete framework for describing, producing, consuming, and visualizing RESTful APIs, without the need for a proxy or third-party services. OpenAPI allows consumers to understand the capabilities of a remote service without accessing its source code, and to interact with the service with a minimal amount of implementation logic. OpenAPI describes a service in the same way that interfaces describe lower-level programming code.

The Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS that dynamically generates documentation from an OpenAPI-compliant API. OpenAPI-compliant APIs give you interactive documentation, client SDK generation, and better discoverability. The Swagger UI edits the API definition as JSON, with code indentation, keyword highlighting, and syntax errors reported on the fly. You can add resource parameters, summaries, and descriptions to your APIs using the Swagger UI. The WSO2 Open Banking API management component has an integrated Swagger UI, which is part of the Swagger project. For more information, see the OpenAPI Specification version 2.0 (formerly known as the Swagger RESTful API Documentation Specification) and the OpenAPI Specification version 3.0.0.

...

Applications

...

Role-based access control (RBAC) is a type of access control that restricts access to authorized users based on their role.

Scopes

Scopes enable fine-grained access control to API resources based on user roles. When a user invokes the API, the user's OAuth2

...

bearer token cannot grant access to any API resource beyond its associated scopes.

To illustrate the functionality of scopes, let's assume the following:

  • There is an API with the following resources:
    • GET: This is attached to the payment_read scope.
    • POST: This is attached to the payment_write scope.
  • There are two user roles: Manager and Front Desk.
  • The Manager role is linked to both the payment_read and payment_write scopes, while the Front Desk role is only linked to the payment_read scope.
  • The Manager role is assigned only to John, while the Front Desk role is assigned to both Tom and John.

  • Tom requests a token through the Token API as grant_type=password&username=tom&password=xxxx&scope=payment_read payment_write. However, as Tom is not in the Manager role, he will only be granted a token bearing the payment_read scope.

    {"scope":"payment_read","token_type":"bearer","expires_in":3299,
     "refresh_token":"8579facb65d1d3eba74a395a2e78dd6",
     "access_token":"eb51eff0b4d85cda1eb1d312c5b6a3b8"}
  • Next, John requests a token as grant_type=password&username=john&password=john123&scope=payment_read payment_write. As John has both the roles assigned, the token will bear both requested scopes.

    {"scope":"payment_read payment_write","token_type":"bearer","expires_in":3299,
     "refresh_token":"4ca244fb321bd555bd3d555df39315",
     "access_token":"42a377a0101877d1d9e29c5f30857e"}
  • This means that Tom can only access the GET operation of the API, while John can access both as he is assigned to both the Manager and Front Desk user roles. If Tom tries to access the POST operation, there will be an HTTP 403 Forbidden error as follows:

    <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
      <ams:code>900910</ams:code>
      <ams:message>The access token does not allow you to access the requested resource</ams:message>
      <ams:description>Access failure for API: /orgnews, version: 1.0.0 with key: eb51eff0b4d85cda1eb1d312c5b6a3b8</ams:description>
    </ams:fault>

...

  • User Sign Up: The authorized entities of the RP/TPP register at the WSO2 Open Banking Developer Portal.
  • Application Registration: The TPPs register their open banking applications at the WSO2 Open Banking Developer Portal. This includes uploading the public certificate of the TPP.
  • Key Generation: The TPPs request the client key and client secret for the applications registered at the WSO2 Open Banking Developer Portal.
  • Application Access Token Generation: In this step, the TPPs obtain application access tokens from the Token Endpoint that is exposed via the Token API. First, the TPPs create client assertions, signed with the private key that corresponds to the certificate they uploaded at registration; the ASPSPs verify the assertion against that certificate, which is how the TPP is authenticated. The TPPs then generate the application access tokens using the preferred grant types.
  • Consent Initiation: The TPPs send the Account Initiation (AISP flow) or Payment Initiation (PISP flow) call to the Resource Endpoint, presenting the application access token, and the Resource Endpoint responds with a Consent ID. In WSO2 Open Banking, the Consent ID is represented as either the Account Consent ID (AISP flow) or the Payments ID (PISP flow).
  • Authorization Code Generation: The TPP application obtains authorization codes from the Authorization Endpoint that is exposed via the Authorize API. In this step, the Consent ID is placed in a JWT request object, which is then used to call the Authorize API. The Authorize API lets the PSUs approve the account access (AISP flow) or online payment (PISP flow).
  • User Access Token Generation: This involves exchanging the generated authorization code for an OAuth2 user access token. The TPP uses this user access token, on behalf of the PSU, to call the Account Information API (AISP flow) or the Payment API (PISP flow) and proceed.
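The checks an ASPSP token endpoint performs on the client assertion in the Application Access Token Generation step, as an added example that is not WSO2's implementation. The token endpoint URL, client id, `kid`, lifetime policy and jti values are assumptions. Signature verification is injected as a callable: in an open banking deployment the TPP signs with its private key and the ASPSP verifies with the certificate uploaded at registration; the runnable demo injects an HS256 (shared-secret) verifier purely so the block runs on the standard library, which is a stand-in and not the open banking signing profile.

```python
"""Validation of a JWT client assertion (RFC 7523, client_assertion_type
jwt-bearer) as a token endpoint does before issuing an application access token.

Signature verification is supplied by the caller.  The demo uses HS256 with a
shared secret only so the example runs without an RSA library; real ASPSPs
verify an asymmetric signature against the TPP's registered certificate."""
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, Set

TOKEN_ENDPOINT = "https://ob.example.test/token"   # hypothetical ASPSP token endpoint
MAX_LIFETIME = 300                                  # assumed policy: assertions valid at most 5 min
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


class InvalidAssertion(Exception):
    """Raised with the reason the assertion was refused."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def validate_client_assertion(assertion: str, client_id: str, now: float,
                              verify_sig: Callable[[str, bytes, bytes], bool],
                              seen_jti: Set[str]) -> Dict:
    """Return the claims if acceptable, else raise InvalidAssertion.
    verify_sig(alg, signing_input, signature) checks the signature."""
    try:
        h, c, s = assertion.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(c))
        signature = b64url_decode(s)
    except ValueError as exc:                     # wrong segment count, bad base64 or JSON
        raise InvalidAssertion("malformed JWT") from exc
    alg = str(header.get("alg", "none"))
    if alg.lower() == "none":
        raise InvalidAssertion("unsigned assertions are rejected")
    if not verify_sig(alg, f"{h}.{c}".encode("ascii"), signature):
        raise InvalidAssertion("signature does not verify")
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        raise InvalidAssertion("iss and sub must equal the client_id")
    aud = claims.get("aud")
    if TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidAssertion("aud must name this token endpoint")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise InvalidAssertion("assertion expired")
    if exp - now > MAX_LIFETIME:
        raise InvalidAssertion("assertion lifetime exceeds policy")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:                # one-time use: block replay of a captured assertion
        raise InvalidAssertion("missing or replayed jti")
    seen_jti.add(jti)
    return claims


def hs256_verifier(secret: bytes) -> Callable[[str, bytes, bytes], bool]:
    """Stand-in verifier (shared secret) so the demo runs on the standard library."""
    def verify(alg: str, signing_input: bytes, signature: bytes) -> bool:
        if alg != "HS256":
            return False
        return hmac.compare_digest(hmac.new(secret, signing_input, hashlib.sha256).digest(), signature)
    return verify


def make_assertion(client_id: str, now: float, jti: str, secret: bytes,
                   aud: str = TOKEN_ENDPOINT, alg: str = "HS256") -> str:
    """What the TPP sends; claims follow RFC 7523 section 3.  `kid` is hypothetical."""
    header = {"alg": alg, "typ": "JWT", "kid": "tpp-signing-key-1"}
    claims = {"iss": client_id, "sub": client_id, "aud": aud,
              "iat": int(now), "exp": int(now) + 120, "jti": jti}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{signing_input}.{b64url(sig)}"


def token_request(assertion: str) -> Dict[str, str]:
    """Form body of the application access token request (client_credentials grant)."""
    return {"grant_type": "client_credentials", "scope": "accounts payments",
            "client_assertion_type": JWT_BEARER, "client_assertion": assertion}


def demo() -> Dict[str, str]:
    """Constructed scenario: the outcome of each token-endpoint check."""
    secret, client_id, now = b"demo-shared-secret", "tpp-client-123", 1_700_000_000.0
    seen: Set[str] = set()
    verify = hs256_verifier(secret)
    cases = {
        "first": make_assertion(client_id, now, "jti-1", secret),
        "replay": make_assertion(client_id, now, "jti-1", secret),           # same jti again
        "wrong_aud": make_assertion(client_id, now, "jti-2", secret, aud="https://other.example.test/token"),
        "alg_none": make_assertion(client_id, now, "jti-3", secret, alg="none"),
        "expired": make_assertion(client_id, now - 600, "jti-4", secret),
        "other_client": make_assertion("tpp-client-999", now, "jti-5", secret),  # valid signature, wrong iss
    }
    results = {}
    for name, assertion in cases.items():
        try:
            validate_client_assertion(token_request(assertion)["client_assertion"], client_id, now, verify, seen)
            results[name] = "ok"
        except InvalidAssertion as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The jti cache is what turns a captured assertion into a one-shot credential; it only needs to remember values until their `exp`, which is why a short maximum lifetime is enforced alongside it.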


Transport-level Security

...

  • The right of transparency and modalities: All processing activities based on personal data must be transparent to individuals. It is the responsibility of the processing organizations to make these processing details available for individuals in a clear, concise, and intelligible manner. Additionally, this information must be easily accessible and should use plain language.
  • The right to be informed: Each individual should be given an adequate level of information about the data processing organization, including the name and contact details of the organization, the purpose of the data processing, the legal basis for the processing, the intended period of personal data storage, whether an automated decision-making system is in place, other recipients of the data including third parties, and the rights of individuals such as the right to access their data at any time, the right to withdraw previous consent, and the right to lodge a complaint. These details need to be provided when collecting personal data from individuals directly or indirectly.
  • The right of access: GDPR allows individuals to request information about data processing from a processing organization by sending a Subject Access Request (SAR). This information includes what personal data has been processed, the purpose of the processing, and what data is stored within the system. Processing organizations must respond to SARs within one month of receipt at the latest. If processing the SAR is complex, organizations can extend this period by a further two months, subject to notifying the individual about the extension.
  • The right to rectification: An individual should have the right to require that the processing organization correct any errors in personal data processed without any delays.
  • The right to be forgotten: An individual should have the right to request that processing organizations erase personal data without undue delay. When a processing organization has made personal data public, the individual can also request the erasure of any links to, copies of, or replications of that personal data.
  • The right to restrict processing: The individuals can request a processing organization to restrict their personal data processing. In such cases, the processing organization may continue to store the data, but the purposes for which the data can be processed are strictly limited.
  • The right for notification obligation: The processing organization should notify the individual in the event of rectification, erasure or restriction of the individual's personal data in a concise manner.
  • The right to data portability: An individual has the right to obtain the personal data stored by a processing organization in a structured, commonly used, and machine-readable format, so that the data can be transmitted easily to another organization. If technically feasible, an individual can request that his/her personal data be transferred directly from one processing organization to another.
  • The right to object: An individual can object to the processing of the individual's personal data at any time. In such cases, the processing organization should stop processing the affected data unless it can demonstrate legitimate grounds for continuing to process it.
  • Rights in relation to automated decision making and profiling: An individual has the right not to be subject to decisions based solely on automated processing that significantly affect the individual. Examples of solely automated processing include online credit application, e-recruiting or e-evaluation of performance without any human intervention. 

Data Protection Officer (DPO)

The Data Protection Officer (DPO) provides the necessary advice to processing organizations and acts as the point of contact for individuals and supervisory authorities. The DPO can be a staff member or an external contractor, and must possess the professional qualifications and expert knowledge needed to perform the tasks associated with the role.

...