This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 231 Next »

Let's take a look at the key concepts and terminology related to WSO2 Open Banking.


Open Banking

Open banking promotes greater financial transparency by allowing third parties to securely and rapidly build financial services with the use of open APIs that facilitate access to accounts (XS2A).

Payment Service Directives

The Payment Services Directives, also known as PSD and PSD2, are two pieces of legislation (European Union directives) administered by the European Commission (Directorate General Internal Market) to regulate payment services and payment service providers throughout the European Union and European Economic Area (EEA).

PSD2

PSD2 is the revised Payment Service Directive, which was mandated in 2016. It stems from PSD1, which was mandated in 2009. PSD2  requires Europe's banks to give regulated third-party providers (TPPs) access to customers' account information and payment initiation with the customers' permission and consent.

Some of the benefits of PSD2 include:

  • The customers can manage their finances using third-party applications, e.g., pay your bills using social media accounts. 
  • More consumer choices and better online and mobile payment methods.
  • More opportunities for the financial technology companies to introduce new and innovative banking services.
  • Enhanced payment security.
  • Ability to standardize the payment systems and impose limits on transaction fees to ensure lower costs for the consumers.

PSP/TPP

A PSP (Payment Service Provider), also called as TPP (Third-Party Provider), is an authorized third-party that allows merchants to accept a wide variety of payments through a single channel/third-party application and manage the entire transaction process from start to finish. This means the TPP is responsible for the transaction flow starting from the moment a customer inputs the credit card details to the moment the funds appear in the merchant's bank account. In this process, the bank continues to be the gatekeeper of the customer's information and requires the third-party to produce a security token in order to access the customer's bank details.

A TTP can be categorized into two types as AISP and PISP. The customer's bank too can offer AISP and PISP services. 

PISP

A Payment Initiation Service Provider (PISP) initiates credit transfers on behalf of a bank's customer.

The following diagram depicts a generic PISP flow:

To view a live demo of the PISP flow of events, see PISP demo.

AISP

An Account Information Service Provider (AISP) provides an aggregated view of all the accounts and past transactions that a customer has with different banks. To provide this view to the customer, the AISP should have authorization from the customer to view the corresponding transaction and balance information of all the payment accounts. The AISPs can also provide the facility to analyze the customer's spending patterns, expenses, and financial needs. Unlike a PISP, an AISP cannot transfer funds from a payment account. 

The following diagram depicts a generic AISP flow:

To view a live demo of the AISP flow of events, see AISP demo.

PSU

A PSU (Payment Service User) is a person who makes use of a payment service in the capacity of either a payer, payee, or both. 

ASPSP

An Account Servicing Payment Service Provider (ASPSP) is a PSP that provides and maintains a payment account for a payer. Examples of ASPSPs are banks and credit card issuers. The ASPSPs are obligated to grant access to the account and transaction data on their customers’ payment accounts through APIs. 

Fintech

Fintech is another name for financial technology and is used to refer to a business that offers new and innovative financial services using software and modern technology.

Fintechs thrive to offer various financial services like money transfers, payments, and lending in fast and easy ways to keep up with the requirements of the modern-day, tech-savvy, digitally advanced customers. Due to this reason, Fintechs have become quite a competitive challenge to banks that have more rigid, process-oriented structures.


Open Data

Open data is data that is freely available and can be used, reused, and distributed freely by any party. Just like movements such as open source, there is no copyright, patent, or any other methods of control over open data. At most, the user is required to attribute and/or adhere to share-alike licensing. 


WSO2 Open Banking

Components

WSO2 Open Banking is geared with the following core functionality:

  • API Management: This supports securely exposing data to third parties with the ability to complying to open banking specifications.

     Click here for more information.

    The API management component comprises the following:

    • API Publisher: This is the API publishing portal (UI) used by API creators and API publishers to create, publish, govern APIs.
    • API Store: This is the developer portal (UI) used by API consumers/ subscribers to access the published and prototyped APIs.
    • Admin Portal: This is the UI used by admins for administrative purposes.
    • Management Console: This is the UI used by super admins to manage the solution. 
    • API Gateway: This a proxy that secures, protects, manages, and scales API calls. It intercepts API requests, applies policies, e.g. throttling, and manages API statistics. Upon validation of a policy, the API Gateway passes web service calls to the actual backend. If the service call is a token request, the API Gateway passes it directly to the Key Manager.
    • Key Manager: This component manages all the access token related operations.
    • Traffic Manager: This helps users to regulate API traffic, make APIs and applications available to consumers at different service levels, and secure APIs against security attacks, e.g. DoS attacks.
    • Analytics: This component provides a host of statistical graphs, an alerting mechanism for predetermined events, and log analysis. 
    • This component provides a host of statistical graphs, an alerting mechanism for pre-determined events and a log analysis. 

  • Identity and Access Management (IAM): This enables compliance with the Regulatory Techincal Standards (RTS) of the PSD2 regulations, including SCA and user consent management.
  • Analytics: This enables monitoring and recording of API-level usage through statistical visualizations. 
  • Integration: This provides required integration points to integrate with core banking systems and other related third-party systems.

User Types

Following are the user types/roles that are available in WSO2 Open Banking:

  • Super Admin: This is the WSO2 Open Banking provider that hosts and manages the overall functional aspects of the WSO2 Open Banking system, e.g., Bank infra/IT. A super admin is responsible for creating user roles in the system, assign them to users, managing databases, security, etc. 
  • Admin: An Admin manages the overall functional aspects of WSO2 Open Banking, e.g., Bank IT Manager. 
  • Manager: They are typically bank's decision makers and bank infrastructure (BI) staff.

  • API Creator: This is a technical role capable of understanding the technical aspects of the APIs, e.g., interfaces, documentation, and versions, and provisioning APIs. The API creators use the API Store to consult ratings and feedback provided by API users. An API creator can add APIs to the API Store, but cannot manage their lifecycles.

  • API Publisher: An API publisher manages a set of APIs across the enterprise or business unit and controls the API lifecycle, subscriptions, and monetization aspects, i.e., Bank API Publisher, Bank API Product Manager. The API publisher is also interested in usage patterns for APIs and has access to all API statistics. 
  • API Consumer: This is an API subscriber that uses the API Store to discover APIs, read the documentation and forums, rate/comment on the APIs, subscribes to APIs, obtain access tokens, and invoke the APIs, i.e., PISP App Developer, AISP App Developer, Fintech App Developer).
  • End User: These are typically retail and corporate PSUs. 
  • Observer: These are typically regulators interested in performance and/or compliance aspects. 
  • App Admin: These are TPP decision makers, AISPs, and  PISPs.

TPP Onboarding

Third-Party Providers (TPPs) can create third-party applications to facilitate banking services exposed via Bank APIs. 

Before getting TPPs connected with the Banks and onboard, they are subjected to a thorough verification. This verification includes a comprehensive sign-up process at the API Store, the developer portal of WSO2 Open Banking. For a TPP to start providing open banking services, it has to be registered under a Competent Authority, which is a regulatory body that authorizes and supervises the open banking services delivered by the TPP.

Consent Management

Consent management ensures that the following takes places with the consent of the respective PSU:

  • Accessing PSU's account and transaction data by AISPs
  • Processing online payments on behalf of PSUs by PISPs


APIs

An Application Programming Interfaces (API) is a mechanism that enables exposing software functionality without revealing its implementation. APIs enable software applications to interact with each other and exchange data. WSO2 Open Banking supports REST, SOAP, and WebSocket APIs. 

API Resources

An API is made up of one more resources, each of which handles a particular type of request. A resource is defined with a URL pattern and a set of methods that operate on it.

ComponentDescription
URL Pattern

The URL pattern can be written in either of the following forms:

  • A URL mapping, e.g., /state/town/*
  • A URI template, e.g., /{state}/{town}

The URL mapping performs a one-to-one mapping with the request URL where as the URI template performs a pattern matching.

When an API is published, an XML definition gets created in the API Gateway. This XML file has a dedicated section for defining resources.

<resource methods="POST GET" url-mapping="/state/town/*">
<resource methods="POST GET" uri-template="/{state}/{town}">

You can parameterize the API resource URL to map the incoming requests to the defined resource template based on the message content and the request URI. Once a URI template is matched, the parameters in the template are populated appropriately. As per the above example, a request made to the http://host:port/api/v1/texas/houston sets the value of state to texas and the value of town to houston

Methods

A method is analogous to a method of a function and a resource is analogous to an object instance or a class in the object-oriented programming language.

There are a few standard methods that are defined for a resource corresponding to the standard HTTP GET, POST, PUT, and DELETE  methods.
Example:

The PhoneVerifier API has the CheckphoneNumber resource with the GET, POST, PUT, and DELETE methods. 

 

------------------

------------------

------------------

API Lifecycle

APIs have their own lifecycles that are independent of the backend services they rely on. An API lifecycle is exposed in the API publisher and is managed by the API publisher role.

The following stages are available in the default API lifecycle: 

  • CREATED: In this stage, the API metadata are added to the API Store but the API is not deployed in the API Gateway. Therefore, the API is not visible in the API Store to subscribers.
  • PROTOTYPED: The APIs in this stage are deployed and published in the API Store as prototypes. A prototype API is usually a mock implementation made public in order to get feedback about its usability. Users can invoke the API without a subscription.
  • PUBLISHED: These APIs are visible in the API Store and available for subscription.
  • DEPRECATED: Deprecated APIs are not available for subscription. But these APIs are still deployed in the API Gateway and are available at runtime to existing subscribers. Existing subscribers can continue to use it as usual until the API is retired.
  • RETIRED: These APIs are unpublished from the API Gateway and deleted from the API Store.
  • BLOCKED: Access to the API is temporarily blocked. Runtime calls are blocked and the API is not shown in the API Store anymore.

API Visibility

Visibility settings prevent certain user roles from viewing and modifying APIs created by another user role.

  • Public: These APIs are visible to all anonymous (users who use APIs without signing in) and registered users, and can be advertised in multiple stores, i.e., central and non-WSO2 API Stores.
  • Restricted by Roles: These APIs are only visible to user roles that you specify. 

The API visibility levels apply to users in different roles in the following manner:

  • API Creator/API Publisher: These users can see all the APIs in the API Store even if you restrict access to them. This is because these roles have permission to view and edit all the APIs in the API Publisher.
  • Anonymous: These users can only see public APIs.
  • Registered: These users can see all the public APIs as well as the APIs accessible to their user roles.

API Documentation

WSO2 Open Banking facilitates adding documentation to APIs.  API documentation helps API subscribers to understand the functionality of the API and API publishers to market their APIs better and sustain the competition. By default, the visibility of an API documentation is as same as its API visibility.

API Throttling 

Throttling allows you to limit the number of successful hits to an API during a given period of time, typically in cases such as the following:

  • To protect your APIs from common types of security attacks such as denial of service (DoS)
  • To regulate traffic according to infrastructure availability
  • To make an API, application, or a resource available to a consumer at different levels of service, usually for monetization purpose 

You can define throttling at the API, application, and resource levels. The final request limit granted to a given user for a given API is ultimately defined by the consolidated output of all the applicable throttling tiers.  The throttling tiers are also referred to as Service-level agreements (SLAs). 

OpenAPI Specification

OpenAPI (formerly known as Swagger) is a 100% open source, standard, language-agnostic specification and a complete framework for describing, producing, consuming, and visualizing RESTful APIs, without the need of a proxy or third-party services. OpenAPI allows consumers to understand the capabilities of a remote service without accessing its source code and interact with the service with a minimal amount of implementation logic. OpenAPI describes a service in the same way that interfaces describe lower-level programming code. 

The Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS that dynamically generates documentation from an OpenAPI-compliant API. OpenAPI-compliant APIs give you interactive documentation, client SDK generation, and more discoverability. The Swagger UI has JSON code, and its UI facilitates easier code indentation, keyword highlighting and shows syntax errors on the fly. You can add resource parameters, summaries and descriptions to your APIs using the Swagger UI. The WSO2 Open Banking API management component has an integrated Swagger UI. For more information, see OpenAPI Specification version 2.0 (formerly known as Swagger RESTful API Documentation Specification) and OpenAPI Specification version 3.0.0.


Applications

An application is an intermediary that sits between an API and its consumer. API consumers use applications to subscribe to APIs and consume them.

An API consumer can subscribe to multiple APIs using a single Application. Thus, it acts as a logical collection of API subscriptions and decouples the API consumer from the APIs. Each Application can be associated with different Service Level Agreement (SLA) levels. This is enabled by attaching an Application with throttling tiers that determine the maximum number of API calls allowed during a given duration.

Applications therefore enable:

  • Generating and using a single key for multiple APIs
  • Subscribing to the same API multiple times with different tiers/Service Level Agreement (SLA) levels

WSO2 Open Banking comes with a pre-created default application, which allows unlimited access by default. You can also create your own applications. 


Security

Security refers to the means through which computer systems are protected from damage and disruption without being compromised to risks and vulnerabilities. WSO2 Open Banking implements security at the application level and transport level.

Application-level Security

Application-level security refers to the security requirements at the application level. Following is a list of concepts related to application-level security:

Encryption

Encryption is the process of translating/encoding data/messages (plaintext) using an algorithm (cipher) into a secret code (ciphertext) that can only be accessed by authorized entities with a secret key or a password.

Authentication 

Authentication is the process used to distinctly identify a certain entity using the following factors:

  • Knowledge factor: This is something the user knows, e.g., password, PIN, and security question.

  • Ownership factor: This is something the user has, e.g., ATM card, identity card, mobile phone, and security token.
  • Inherence factor: This is something the user is/does, i.e., biometrics.  

Authentication is implemented in either of the following forms:

  • Single-factor Authentication: This mechanism utilizes a single factor to authenticate an entity. 

  • Multi-factor Authentication: Multi-factor authentication (MFA) utilizes two or more factors to authenticate an entity.
  • Two-factor Authentication: Two-factor authentication (2FA) is a subset of MFA. It utilizes two factors to authenticate an entity.
  • Strong Customer Authentication: Strong customer authentication (SCA) is another name for 2FA and MFA. It simply means that two or more elements are used to authenticate a user. These elements are based on the same categories used in MFA: customer's knowledge, possession, and inherence. The idea is that these elements are independent so that the breach of one does not compromise the others.
  • Federated Authentication: Federated authentication provides a user with access to multiple systems across different enterprises. Subscribers can use the same identification data to gain access to all enterprises in a group at once. 
  • Out-of-band Authentication:  Out-of-band authentication (OOB) is an anti-fraud measure that is popular among financial institutions. It triggers an alert through a channel such as a mobile device to the customer when a transaction occurs in his/her account. This alert is typically done through a phone call or a message.
Authorization

Authorization is the process via which an entity is granted permission to access to another entity, e.g., data, resources, and system. In general, authorization takes place subsequent to authentication. WSO2 Open Banking uses role-based access control (RBAC) and scopes to implement authorization.

Role-based Access Control

Role-based access control (RBAC) is a type of access control that restricts access to authorized users based on their role.

Scopes

Scopes enable fine-grained access control to API resources based on user roles. When a user invokes the API, the user's OAuth2 bearer token cannot grant access to any API resource beyond its associated scopes.

To illustrate the functionality of scopes, let's assume the following:

  • There is an API with the following resources:
    • GET: This is attached to the payment_read scope.
    • POST: This is attached to the payment_write scope.
  • There are two user roles: Manager and Front Desk.
  • The Manager role is linked to both the payment_read and payment_write scopes, while the Front Desk role is only linked to the payment_read scope.
  • The Manager role is assigned only to John, while the Front Desk role is assigned to both Tom and John.

  • Tom requests a token through the Token API as grant_type=password&username=tom&password=xxxx&scope=payment_read payment_write. However, as Tom is not in the Manager role, he will only be granted a token bearing the payment_read scope.

    "scope":"payment_read","token_type":"bearer","expires_in":3299, "refresh_token":"8579facb65d1d3eba74a395a2e78dd6", "access_token":"eb51eff0b4d85cda1eb1d312c5b6a3b8"
  • Next, John requests a token as grant_type=password&username=john&password=john123&scope=payment_read payment_write. As John has both the roles assigned, the token will bear both requested scopes.

    "scope":"payment_read payment_write", "token_type":"bearer", "expires_in":3299, "refresh_token":"4ca244fb321bd555bd3d555df39315", "access_token":"42a377a0101877d1d9e29c5f30857e"
  • This means that Tom can only access the GET operation of the API, while John can access both as he is assigned to both the Manager and Front Desk user roles. If Tom tries to access the POST operation, there will be an HTTP 403 Forbidden error as follows:

    <ams:faultxmlns:ams="http://wso2.org/apimanager/security"> <ams:code>900910</ams:code> <ams:message>The access token does not allow you to access the requested resource</ams:message> <ams:description>Access failure for API: /orgnews, version: 1.0.0 with key: eb51eff0b4d85cda1eb1d312c5b6a3b8 </ams:description> </ams:fault>
Access Tokens

An access token is a simple string that is passed as an HTTP header of a request, e.g., "Authorization: Bearer NtBQkXoKElu0H1a1fQ0DWfo6IX4a". WSO2 Open Banking supports two types of access tokens for authentication to ensure better security, e.g., preventing DoS attacks:

  • Application access tokens: These tokens identify and authenticate an entire application. Thus, you can invoke all the APIs associated with an application using a single application access token.
  • User access tokens: These tokens identify the end user of an application, e.g., the end user of a mobile application deployed on a different device.

Access tokens authenticate API users and applications, and ensure better security, e.g., preventing DoS attacks. If a token that is passed with a request is invalid, the request is discarded in the first stage of processing. Access tokens work equally well for SOAP and REST calls. 

Grant Types

Access tokens grant access to protected API resources. The level of access granted by each access token is determined by the method (known as grant type) used to generate the access token. There are several grant types used in WSO2 Open Banking:

  • Authorization Code Grant:  

    • The client initiates the flow by directing the resource owner's user-agent to the authorization endpoint (you can use the /authorize endpoint for the authorization code grant type of OAuth 2.0). It includes the client identifier, response_type, requested scope, and a redirection URI to which the authorization server sends the user-agent back after granting access. The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource owner granted or denied the client's access request. Assuming the resource owner grants access, the authorization server then redirects the user-agent back to the client using the redirection URI provided earlier. The redirection URI includes an authorization code. 

    • The client then requests an access token from the authorization server's token endpoint by including the authorization code received in the previous step. When making the request, the client authenticates with the authorization server. It then includes the redirection URI used to obtain the authorization code for verification. The authorization server authenticates the client, validates the authorization code, and ensures that the redirection URI matches the URI used to redirect the client from the authorize endpoint in the previous response. If valid, the authorization server responds back with an access token and, optionally, a refresh token.

    • Instead of requesting authorization directly from the resource owner (resource owner's credentials), in this grant type, the client directs the resource owner to an authorization server. The authorization server works as an intermediary between the client and resource owner to issues an authorization code, authenticate the resource owner and obtain authorization. As this is a redirection-based flow, the client must be capable of interacting with the resource owner's user-agent (typically a Web browser) and receiving incoming requests (via redirection) from the authorization server.

  • NTLM Grant: NTLM is the successor of the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product, and attempts to provide backward compatibility with LANMAN. You can obtain an access token to your API in a WSO2 Open Banking instance running on Windows by providing a valid NTLM token as an authorization grant. 
  • Password Grant: You can obtain an access token by providing the resource owner's username and password as an authorization grant. It requires the base64 encoded string of the consumer-key:consumer-secret combination. 
  • SAML Extension Grant: SAML 2.0 is an XML-based protocol. It uses security tokens containing assertions to pass information about an end-user between a SAML authority and a SAML consumer. A SAML authority is an identity provider (IdP) and a SAML consumer is a service provider (SP). Enterprise applications that have SAML2 based SSO infrastructures sometimes need to consume OAuth-protected resources through APIs. However, these apps prefer to use the existing trust relationship with the IdP, even if the OAuth authorization server is entirely different from the IdP. WSO2 Open Banking leverages this trust relationship by exchanging the SAML2.0 token to an OAuth token with the authorization server. It acts as the OAuth authorization server. 
  • Client Credentials Grant: Client credentials can be used when the authorization scope is limited to the protected resources belonging to the client. Client credentials are used as an authorization grant when the client requests access to protected resources based on an authorization previously arranged with the authorization server. The client application requests an access token from the authorization server, authenticating the request with its client key and client secret. If the client is successfully authenticated, an access token is returned. 
  • Kerberos OAuth2 Grant: Kerberos is a security protocol that has support built into various operating systems and open-source distributions, e.g., Ubuntu, Windows, RedHat, and Open Solaris. In addition, a majority of browsers support some Kerberos functions as well. As WSO2 Open Banking uses the OAuth 2.0 protocol, the Kerberos OAuth2 grant type allows organizations to exchange a Kerberos ticket for an OAuth 2.0 token. Thereby, allowing organizations to re-use their existing Kerberos infrastructure, while easier adopting OAuth 2.0 within these organizations. 
  • Refresh Token Grant: After an access token is generated, sometimes you might have to renew the old token due to expiration or security concerns. You can renew an access token using a refresh token, by issuing a REST call to the Token API with the following parameters. With this grant type, the refresh token acts as credentials that are issued to the client by the authorization server. Issuing a refresh token is optional. If the authorization server issues a refresh token, it is included when issuing an access token. Refresh tokens are issued for all other grant types other than the implicit grant as recommended by the OAuth 2.0 specification.  
Certificates

A certificate (also known as an SSL certificate or digital certificate) is an encryption tool issued by a trusted certification authority (CA) that encrypts data transmitted between a client and a server. Certificates are used for public-key encryption in Public Key Infrastructure (PKI). In WSO2 Open Banking a TPP must forward a certificate to the ASPSP so that when the TPP sends an application access token request, the ASPSP can verify the authenticity of the request using the shared certificate. A keystore is a repository that contains multiple certificates. 

OIDC

OpenID Connect (OIDC) is an identity layer that functions on top of the OAuth2 protocol. It enables the Client/TPP applications to verify the end users/PSUs, and obtain the basic PSU profile information via claims. OIDC utilizes the OAuth2 Authorization Code Grant and revolves around three types of actors. 

OIDC ActorOAuth2 NomenclatureDescriptionExample
End UserResource OwnerThis is the PSU who gets authenticated.Bank Customer
Relying Party (RP)ClientThis is the client application, e.g., TPP application that requires to authenticate the PSU and obtain the claims regarding the PSU.An application developed by an AISP
OpenID Provider (OP)Authorization ServerThis is an identity provider (IDP) that authenticates the PSU and provides claims regarding the PSU to the Relying Party.WSO2 Open Banking IAM component

The OP of the ASPSP generates an identity token named ID Token to represent the PSU's identity. The ID Tokens are created in JSON Web Token (JWT) format and signed using the JSON Web Signature (JWS) to accomplish integrity and non-repudiation.

There are four types of endpoints, i.e., HTTP resources in OIDC:

  • Authorization Endpoint: This is the OP endpoint that authenticates the PSU. When a PSU attempts to access the account details or initiate a payment via an RP application, the PSU gets directed to the Authorization Endpoint. The Authorization Endpoint authenticates the PSU and generates an authorization code to grant permission for the RP application. 
  • Token Endpoint: This endpoint generates ID Tokens and access tokens using the authorization code generated at the Authorization Endpoint for ROs.
  • UserInfo Endpoint: This endpoint provides claims related to a PSU upon receiving a valid access token
  • Redirect Endpoint: This endpoint redirects the PSU's browser back to the RO application. 

Ther are three types of OIDC flows that RPs can use to request OPs to authenticate PSUs.

Authorization FlowDescriptionResponse Type
Authorization Code Flow

In this flow, first an authorization code is generated at the Authorization Endpoint after which access token and ID Token are generated at the Token Endpoint.

This flow is more sutiable for the RPs that can share a client secret with the OP.

  • code: This is to generate the authorization code.
Implicit Flow

In this flow, an authorization code is not generated at the Authorization Endpoint.

Even the access token and ID Token are generated at the Authorization Endpoint, not in the Token Endpoint.

This flow is more suitable for the browser-based RP applications.

  • id_token: This is to generate the ID Token.
  • id_token token: This is to generate the ID token and access token.
Hybrid Flow

This flow is a combination of both the Authorization Code Flow and Implicit Flow.

In this flow, authorization code, ID Token, and access token are generated at the Authorization Endpoint.

  • code token: This is to generate the authorization code and ID Token.
  • code id_token: This is to generate the authorization code and ID Token.

WSO2 Open Banking utilizes the Hybrid Flow to authenticate the PSUs. Following are the high-level steps that are involved in this flow:

  • User Sign Up: The authorized entities of the RP/TPP registers at the WSO2 Open Banking Developer Portal.
  • Application Registration: The TPPs register their open banking applications at the WSO2 Open Banking Developer Portal. This includes the uploading of the public certificate of the TPP. 
  • Key Generation: The TPPs request the client key and client secret for the applications registered at the WSO2 Open Banking Developer Portal.
  • Application Access Token Generation: In this step, the TPPs obtain the application access tokens from the Token Endpoint that is exposed via the Token API. First, the TPPs create the client assertions by utilizing their public certificates. This enables the ASPSPs to authenticate the TPPs. Subsequently, the TPPs generate the application access tokens using the preferred grant types. 
  • Consent Initiation: The TPPs send the Account Initiation (AISP flow) or Payment Initiation (PISP flow) call to the Resource Endpoint. The Resource Endpoint responds with a Consent ID by utilizing the application access token. In WSO2 Open Banking, the Consent ID is represented as either the Account Consent ID (AISP flow) or Payments ID (PISP flow). 
  • Authorization Code Generation: This involves the TPP application obtaining the authorization codes from the Authorization Endpoint that is exposed via the Authorize API. In this step, the Consent ID is utilized to create a request object in JWT that is in turn utilized to call the Authorize API. The Authorize API facilitates the PSUs to approve the account access (AISP flow) or online payment (PISP flow). 
  • User Access Token Generation: This involves obtaining an OAuth2 token for the generated authorization code. The PSUs can utilize this user access token to call the Account Information API (AISP flow) and Payment API (PISP flow) and proceed.  

Transport-level Security

Transport-level security (TLS) is a mechanism that secures internet and intranet communications. WSO2 Open Banking uses certificates, and keystores to implement transport-level security. 

CORS

Cross-Origin Resource Sharing (CORS) is a mechanism that allows accessing restricted resources, i.e., fonts, images, scripts, videos, and iframes from domains outside the domain from which the requesting resource originated. By default, web browsers apply the same-origin policy to avoid interactions between different origins. CORS defines a way in which a browser and a server can interact to determine whether or not it is safe to allow the cross-origin requests.

GDPR

The General Data Protection Regulation (GDPR) is a new legal framework formalized in the European Union (EU) in 2016 and comes into effect from 28, May 2018. GDPR effectively replaces the previously used EU Data Protection Directive (DPD). 

GDPR is applicable to any individual living in the EU and considers the following two aspects:

  1. Processing of personal data belonging to an individual living in the EU
  2. Free movement of personal data belonging to an individual living in the EU within the region

If you are new to GDPR, we recommend that you take a look at our tutorial series on Creating a Winning GDPR Strategy.

For more resources on GDPR, see the white papers, case studies, solution briefs, webinars, and talks published on our WSO2 GDPR homepage. You can also find the original GDPR legal text here.

Personal Data

Personal data or Personally Identifiable Information (PII) is any information that identifies a natural person, e.g., username, email address, IRC username, cookie, IP address, Radio Frequency Identification (RFID) tags, and biometric.

Processing

Data processing involves the following:

  • Collecting personal data
  • Recording personal data
  • Organizing, cataloging, and structuring personal data
  • Storing personal data
  • Adapting or altering personal data
  • Retrieving personal data 
  • Consultation based on personal data
  • Personal data disclosure by transmission
  • Disseminating or making available the personal data
  • Alignment or combining personal data
  • Restricting personal data
  • Erasure or destruction of personal data

Processing or movement of data belonging to a non-human such as a legal entity, business organization, an animal, and personal data belonging to a deceased individual are not covered under the GDPR regulations.

Controller and Processor

The controller is a natural or legal person, public authority, agency or any other body that alone or jointly with others, determines the purposes and means of the processing of personal data. A processor is a natural or legal person, public authority, agency or any other body that processes personal data on behalf of the controller.

The Rights of Individuals

GDPR defines a very strong set of rights for individuals. It is important for both individuals and personal data processing organizations to understand these rights:

  • The right of transparency and modalities: All processing activities based on personal data must be transparent to individuals. It is the responsibility of the processing organizations to make these processing details available for individuals in a clear, concise, and intelligible manner. Additionally, this information must be easily accessible and should use plain language.
  • The right to be informed: Each individual should be given an adequate level of information regarding the data processing organization including the name and contact details of the organization, purpose of data processing, legal basis for the processing, intended period of personal data storage, whether an automated decision-making system is in place, other recipients of data including third parties, and rights of individuals such as right to access their data at anytime, right to withdraw previous consent, and right to lodge a complaint. These details need to be provided when collecting personal data from individuals directly or indirectly. 
  • The right of access: GDPR facilitates individuals to request information about data processing from a processing organization by sending a Subject Access Request (SAR). This information includes what personal data has been processed, the purpose of processing, and what data is stored within the system. It is mandatory for processing organizations to respond to SARs at latest within one month of receipt. If the processing of SAR is complex, organizations can further extend this period by another two months, subject to notifying the individual about the extension.
  • The right to rectification: An individual should have the right to require that the processing organization correct any errors in personal data processed without any delays.
  • The right to be forgotten: An individual should have the right to request the processing organizations to erase personal data without any delays. When a processing organization makes personal data public, the individual can request to erase any links to copying and/or replication of personal data.
  • The right to restrict processing: The individuals can request a processing organization to restrict their personal data processing. In such cases, the processing organization may continue to store the data, but the purposes for which the data can be processed are strictly limited.
  • The right for notification obligation: The processing organization should notify the individual in the event of rectification, erasure or restriction of the individual's personal data in a concise manner.
  • The right to data portability: An individual has the right to obtain the personal data stored in a processing organization in a structured, commonly used, and machine-readable format. This facilitates easy transmission of the data obtained by another organization. If technically feasible, an individual can request to transfer his/her personal data from one processing organization to another directly.
  • The right to object: An individual can object the processing of the individual's personal data at any time. In such cases, the processing organization should stop the processing of affected data unless they can demonstrate legitimate grounds for continuing with the processing of the affected data.
  • Rights in relation to automated decision making and profiling: An individual has the right not to be subject to decisions based solely on automated processing that significantly affect the individual. Examples of solely automated processing include online credit application, e-recruiting or e-evaluation of performance without any human intervention. 

Data Protection Officer (DPO)

The Data Protection Officer (DPO) provides necessary advice to processing organizations and act as the point of contact for individuals and supervisory authorities. DPO can be a staff member or an external contractor and must possess professional qualifications and expert knowledge to perform tasks associated with the role.





  • No labels