This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Adding Custom Authenticators

Several authenticators and connectors are already implemented for WSO2 Open Banking Key Manager. See the Identity Server (IS) Connectors documentation for the complete list of authenticators and connectors and their deployment guides. If the authenticator or connector you are looking for is not available, you can implement one that caters to your requirement.

The WSO2 Open Banking solution allows admin users to add local and outbound authenticators that are used during the SCA flow. This gives Account Servicing Payment Service Providers (ASPSPs) the flexibility to choose any number of preferred authenticators in the SCA flow.

This section explains how to add a custom authenticator to Open Banking Key Manager (WSO2 OB KM).

Step 1. Selecting a suitable authenticator
  • Custom Local Authenticator

If a user needs to be authenticated against the user store and authorized based on a specific assigned role, you can write a custom Local Authenticator. See Writing a Custom Local Authenticator for instructions on writing your own custom local authenticator.

  • Custom Federated Authenticator

The responsibility of a federated authenticator is to authenticate the user with an external system. This can be Facebook, Google, Yahoo, LinkedIn, Twitter, Salesforce or any other identity provider. The Writing a Custom Federated Authenticator documentation guides you through writing a Custom Federated Authenticator.

Step 2. Copying the authenticator components to the WSO2 Open Banking Key Manager server
  • An authenticator consists of two components.
    • Authenticator logic in a .jar file
    • Web application packed in a .war file (only for local authenticators)
  • Copy the .jar file of the authenticator to the <WSO2_OB_KM_HOME>/repository/components/dropins directory and restart the WSO2 OB KM server.
  • If you are using a local authenticator, copy the .war file of the authenticator to the <WSO2_OB_KM_HOME>/repository/deployment/server/webapps directory. Refer to the server logs and make sure the web application is successfully deployed in WSO2 OB KM.

    You can find the WSO2 OB KM logs in the <WSO2_OB_KM_HOME>/repository/logs/wso2carbon.log file.

Step 3. Adding authenticator configs to the application-authentication.xml file

A sample AuthenticatorConfig for the FacebookAuthenticator is given below:

<AuthenticatorConfig name="FacebookAuthenticator" enabled="true">
    <Parameter name="AuthTokenEndpoint">https://graph.facebook.com/oauth/access_token</Parameter>
    <Parameter name="AuthnEndpoint">http://www.facebook.com/dialog/oauth</Parameter>
    <Parameter name="UserInfoEndpoint">https://graph.facebook.com/me</Parameter>
    <!--<Parameter name="ClaimDialectUri">http://wso2.org/facebook/claims</Parameter>-->
</AuthenticatorConfig>
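
The following Python check is an added example, not part of the WSO2 documentation or product code. It parses AuthenticatorConfig entries in the format shown above and reports enabled authenticators whose endpoint parameters are empty or not HTTPS, as is the case for AuthnEndpoint in the sample. The wrapper elements, the SampleCustomAuthenticator entry, the function names and the rule that only parameters whose name ends in "Endpoint" are checked are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the FacebookAuthenticator block from this page plus a
# hypothetical disabled authenticator, inside assumed wrapper elements.
SAMPLE = """\
<ApplicationAuthentication>
  <AuthenticatorConfigs>
    <AuthenticatorConfig name="FacebookAuthenticator" enabled="true">
      <Parameter name="AuthTokenEndpoint">https://graph.facebook.com/oauth/access_token</Parameter>
      <Parameter name="AuthnEndpoint">http://www.facebook.com/dialog/oauth</Parameter>
      <Parameter name="UserInfoEndpoint">https://graph.facebook.com/me</Parameter>
      <!--<Parameter name="ClaimDialectUri">http://wso2.org/facebook/claims</Parameter>-->
    </AuthenticatorConfig>
    <AuthenticatorConfig name="SampleCustomAuthenticator" enabled="false">
      <Parameter name="LoginEndpoint">http://idp.example.test/login</Parameter>
    </AuthenticatorConfig>
  </AuthenticatorConfigs>
</ApplicationAuthentication>
"""

def local(tag):
    """Strip an XML namespace so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return (authenticator, parameter, issue) tuples for enabled configs."""
    findings = []
    for cfg in ET.fromstring(xml_text).iter():
        if local(cfg.tag) != "AuthenticatorConfig":
            continue
        if cfg.get("enabled", "").strip().lower() != "true":
            continue  # skip configs that are not marked enabled
        name = cfg.get("name", "<unnamed>")
        for param in cfg:
            pname = param.get("name", "")
            # Assumption: only *Endpoint parameters carry URLs that are fetched
            # or redirected to; identifiers such as ClaimDialectUri are skipped.
            if local(param.tag) != "Parameter" or not pname.endswith("Endpoint"):
                continue
            value = (param.text or "").strip()
            if not value:
                findings.append((name, pname, "empty value"))
            elif urlparse(value).scheme.lower() != "https":
                findings.append((name, pname, "endpoint is not HTTPS"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s / %s: %s" % finding)
```

Running the same check against the server's application-authentication.xml before a restart highlights authenticators that would send authentication traffic to a cleartext endpoint.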

If you want to configure a Federated Authenticator, you need to configure an identity provider. Follow the instructions below to add a new identity provider.

  • Sign in to WSO2 OB KM. Enter your username and password to log on to the Management Console.

  • Navigate to the Main menu to access the Identity menu. Click Add under Identity Providers.

  • Fill in the details in the Basic Information section.

  • Expand the Federated Authenticators section.

  • You will see a configuration section added for the new authenticator. See the example from the Facebook authenticator below.


  • Expand the configuration section and fill in the property values. These values are defined during the implementation of the authenticator.

  • Click Register to add the Identity Provider.

Step 4. Verifying the authenticator

  • Sign in to the WSO2 OB KM. Enter your username and password to log in to the Management Console.

  • Try adding a new service provider or editing an existing one.

  • Expand Local & Outbound Authentication Configuration.

  • Depending on the type of the authenticator (Local Authenticator / Federated Authenticator), you will see the newly added custom authenticator in the drop-down list.