This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Manual Client Registration
In manual client registration, the Primary Technical Contact (PTC) uses a portal that is managed by the Account Servicing Payment Service Provider (ASPSP). When using web single sign-on, the PTC must log in with the credentials that were issued when registering with the Open Banking Directory. This page describes how to configure and use the manual registration flow as specified by the Open Banking Implementation Entity (OBIE).
Configure manual registration
Upload certificate to client-trust store
The ASPSP can upload the OB root and issuer certificates, found at the links below, to the following trust stores:
- <WSO2_OB_KM_HOME>/repository/resources/security/client-truststore.jks
- <WSO2_OB_APIM_HOME>/repository/resources/security/client-truststore.jks
Obtain the certificates for the relevant environment:
- In the sandbox environment, upload the certificates from https://openbanking.atlassian.net/wiki/spaces/DZ/pages/252018873/OB+Root+and+Issuing+Certificates+for+Sandbox.
- In the production environment, upload the certificates from https://openbanking.atlassian.net/wiki/spaces/DZ/pages/80544075/OB+Root+and+Issuing+Certificates+for+Production.
Use the following commands to add the certificates to the client trust store:
    keytool -import -alias tpproot -file <OB root cert> -keystore client-truststore.jks -storepass wso2carbon
    keytool -import -alias tppissuer -file <OB issuing cert> -keystore client-truststore.jks -storepass wso2carbon
Do the following configurations to support the manual registration flow.
- Make sure that code is listed as a SupportedResponseType. Open the <WSO2_OB_KM_HOME>/repository/conf/identity/identity.xml file and, under the <SupportedResponseTypes> tag, make sure the following configuration is available:
    <SupportedResponseTypes>
        <SupportedResponseType>
            <ResponseTypeName>code</ResponseTypeName>
            <ResponseTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.response.type.handlers.OBCodeResponseTypeHandler</ResponseTypeHandlerImplClass>
            <ResponseTypeValidatorImplClass>com.wso2.finance.open.banking.identity.extensions.response.type.validators.OBCodeTokenResponseValidator</ResponseTypeValidatorImplClass>
        </SupportedResponseType>
    </SupportedResponseTypes>
- Add an identity provider with OAuth2-OpenID Connect to the Key Manager (KM). Fill in the relevant values based on the values you received from the Open Banking (OB) directory when registering for their identity provider service:
  - Callback URL: https://<keymanager_host>:<keymanager_port>/commonauth. Provide this URL as the redirect URI when creating the SSA (Software Statement Assertion).
  - OpenID Connect User ID Location: User ID found among claims.
  - Additional Query Parameters: scope=openid email profile&prompt=login. These parameters are used to retrieve user information from WSO2 Open Banking.
  - Client Id: the client ID issued by the OB directory to the ASPSP.
  - Client Secret: the client secret issued by the OB directory to the ASPSP.
  Make sure you select the Enable HTTP Basic auth for client authentication checkbox, as the client ID and client secret are expected to be sent in the header.
- Expand the Claim Configuration section of the identity provider and add the following claim configurations:
  - Identity Provider Claim URI tpp_associated, mapped to Local Claim URI http://wso2.org/claims/active
  - Identity Provider Claim URI email, mapped to Local Claim URI https://wso2.org/claims/emailaddress
  - User ID Claim URI: email
- Expand the Just-in-Time Provisioning section, select the Always provision to User Store Domain option and then the Provision Silently option.
- Add a service provider for the Key Manager. In the Inbound Authentication Configuration section, configure OAuth/OpenID Connect. For the Callback URL, provide https://{WSO2_OB_APIM_HOST}:{ob_apim_port}/store/jagg/jaggery_oidc_acs_ob.jag.
- Make a note of the client ID and client secret.
- For the Local & Outbound Authentication Configuration of the service provider, select Federated Authentication and select the identity provider that you just added.
- For the claim configurations, add email and tpp_associated as the requested claims, as specified below.
- In the Claims tab, click Add and select External Claim URI. Add tpp_associated to the OpenID Connect (OIDC) claim dialect and map it to the local claim http://wso2.org/claims/active.
- In the OIDC scopes tab, click Add and select Add claims for the openid scope. Update the openid scope with the tpp_associated claim that you just added.
- In the <WSO2_OB_APIM_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json file, modify the OIDC configuration section as follows:
    "oidcConfiguration" : {
        "enabled" : "true",
        "issuer" : "API_STORE",
        "identityProviderURI" : "https://<WSO2_OB_APIM_HOST>:<WSO2_OB_APIM_NIO_PORT>/token",
        "authorizationEndpointURI" : "https://<WSO2_OB_KM_HOST>:<WSO2_OB_KM_PORT>/oauth2/authorize",
        "tokenEndpointURI" : "https://<WSO2_OB_KM_HOST>:<WSO2_OB_KM_PORT>/oauth2/token",
        "userInfoURI" : "https://<WSO2_OB_KM_HOST>:<WSO2_OB_KM_PORT>/oauth2/userinfo",
        "jwksURI" : "https://<WSO2_OB_KM_HOST>:<WSO2_OB_KM_PORT>/oauth2/jwks",
        "logoutEndpointURI" : "https://<WSO2_OB_KM_HOST>:<WSO2_OB_KM_PORT>/oidc/logout",
        "authHttpMethod" : "POST",
        "usernameClaim" : "email",
        "roleParameter" : "tpp_associated",
        "role" : "Internal/subscriber",
        "clientConfiguration" : {
            "clientId" : "<Client_ID of the Service Provider created above>",
            "clientSecret" : "<Client_Secret of the Service Provider created above>",
            "responseType" : "code",
            "authorizationType" : "authorization_code",
            "scope" : "phone email address openid profile api_store",
            "redirectURI" : "https://<WSO2_OB_APIM_HOST>:<OB_APIM_PORT>/store/jagg/jaggery_oidc_acs_ob.jag",
            "postLogoutRedirectURI" : "https://<WSO2_OB_APIM_HOST>:<OB_APIM_PORT>/store/",
            "clientAlgorithm" : "PS256"
        }
    }
  Make sure you use the same algorithm in the following two configurations:
  - The allowed signature algorithm for TPP requests, configured in <WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml:
        <UK>
            <AllowedInboundSignatureAlgorithms>
                <Algorithm>PS256</Algorithm>
            </AllowedInboundSignatureAlgorithms>
        </UK>
  - The clientAlgorithm property in the site.json file.
  Make sure you add the following parameters:
    "usernameClaim" : "email",
    "roleParameter" : "tpp_associated",
    "role" : "Internal/subscriber",
  Add the following if you want to specify the scopes to request:
    "scope" : "phone email address openid profile api_store",
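A quick consistency check for the two files above, written as an added example that is not part of WSO2's code: it parses a constructed site.json fragment and a constructed open-banking.xml fragment (both stand-ins with example hosts) and reports when clientAlgorithm is not among the AllowedInboundSignatureAlgorithms, when responseType is not code, when the redirectURI does not end in jaggery_oidc_acs_ob.jag, or when usernameClaim, roleParameter or role is missing.

```python
import json
import xml.etree.ElementTree as ET

# Constructed site.json fragment standing in for the OIDC section above.
SITE_JSON = """{
  "oidcConfiguration": {
    "enabled": "true",
    "usernameClaim": "email",
    "roleParameter": "tpp_associated",
    "role": "Internal/subscriber",
    "clientConfiguration": {
      "responseType": "code",
      "redirectURI": "https://apim.example:8243/store/jagg/jaggery_oidc_acs_ob.jag",
      "clientAlgorithm": "PS256"
    }
  }
}"""

# Constructed open-banking.xml fragment containing the <UK> block above.
OB_XML = """<Server><UK><AllowedInboundSignatureAlgorithms>
<Algorithm>PS256</Algorithm>
</AllowedInboundSignatureAlgorithms></UK></Server>"""

REQUIRED_OIDC_KEYS = ("usernameClaim", "roleParameter", "role")


def allowed_algorithms(xml_text):
    """Return the algorithms listed under UK/AllowedInboundSignatureAlgorithms."""
    root = ET.fromstring(xml_text)
    return {a.text.strip() for a in root.iter("Algorithm") if a.text}


def check_oidc_config(site_json_text, ob_xml_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    oidc = json.loads(site_json_text)["oidcConfiguration"]
    client = oidc.get("clientConfiguration", {})
    for key in REQUIRED_OIDC_KEYS:
        if key not in oidc:
            findings.append(f"missing oidcConfiguration.{key}")
    if client.get("responseType") != "code":
        findings.append("responseType must be 'code'")
    if not client.get("redirectURI", "").endswith("/store/jagg/jaggery_oidc_acs_ob.jag"):
        findings.append("redirectURI does not point at jaggery_oidc_acs_ob.jag")
    alg = client.get("clientAlgorithm")
    if alg not in allowed_algorithms(ob_xml_text):
        findings.append(f"clientAlgorithm {alg!r} is not in AllowedInboundSignatureAlgorithms")
    return findings
```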
- In the <WSO2_OB_APIM_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json file, add the OBDirectoryIntegrated configuration and set it to true.
- In the <WSO2_OB_APIM_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json file, add the UseSoftwareIdAsApplicationName configuration and set it to true.
To store any of the properties retrieved from the SSA, add the corresponding attributes at Server level in the <WSO2_OB_APIM_HOME>/repository/conf/api-manager.xml file, as explained here. The property name is the SSA property name suffixed with the environment. For example, to store the software_client_id retrieved from an SSA created in the sandbox environment, name the property software_client_id_sandbox; to store the software_client_id retrieved from an SSA created in the production environment, name it software_client_id_production. Add these attributes with required="false", as shown below:
    <ApplicationConfiguration>
        <ApplicationAttributes>
            <Attribute required="false">
                <Name>software_id_sandbox</Name>
                <Description>Software ID of the sandbox</Description>
            </Attribute>
            <Attribute required="false">
                <Name>software_id_production</Name>
                <Description>Software ID of the production</Description>
            </Attribute>
            <Attribute required="false">
                <Name>software_roles_production</Name>
                <Description>Software roles of the production</Description>
            </Attribute>
            <Attribute required="false">
                <Name>software_roles_sandbox</Name>
                <Description>Software roles of the sandbox</Description>
            </Attribute>
            <Attribute required="false">
                <Name>software_jwks_endpoint_sandbox</Name>
                <Description>JWKS endpoint of sandbox</Description>
            </Attribute>
            <Attribute required="false">
                <Name>software_jwks_endpoint_production</Name>
                <Description>JWKS endpoint of production</Description>
            </Attribute>
        </ApplicationAttributes>
    </ApplicationConfiguration>
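The software_jwks_endpoint_<environment> attribute is what lets the gateway check that the client certificate presented by the TPP is one published in the SSA's JWKS. The following added example (not WSO2 Open Banking code) shows that comparison using the x5t#S256 thumbprint, with opaque byte strings standing in for DER certificates and a constructed JWKS document; fetching the JWKS and validating the SSA signature are assumed to happen elsewhere.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWK thumbprint values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def cert_thumbprint(der: bytes) -> str:
    """x5t#S256 value for a DER certificate: base64url(SHA-256(DER))."""
    return b64url(hashlib.sha256(der).digest())


def jwks_thumbprints(jwks_text: str) -> set:
    """Collect x5t#S256 thumbprints from a JWKS, computing them from x5c when absent."""
    found = set()
    for key in json.loads(jwks_text).get("keys", []):
        if "x5t#S256" in key:
            found.add(key["x5t#S256"])
        for chain_cert in key.get("x5c", []):
            # x5c entries are standard base64 DER (RFC 7517 section 4.7)
            found.add(cert_thumbprint(base64.b64decode(chain_cert)))
    return found


def client_cert_matches_ssa(presented_der: bytes, jwks_text: str) -> bool:
    """True when the presented client certificate appears in the software's JWKS."""
    return cert_thumbprint(presented_der) in jwks_thumbprints(jwks_text)


# Constructed stand-ins: opaque byte strings play the role of DER certificates.
TPP_CERT_DER = b"constructed-der-for-tpp-transport-cert"
OTHER_CERT_DER = b"constructed-der-for-some-other-cert"

# Constructed JWKS, as the software_jwks_endpoint_<environment> URL would return it.
SSA_JWKS = json.dumps({"keys": [
    {"kid": "tpp-transport", "use": "tls",
     "x5c": [base64.b64encode(TPP_CERT_DER).decode()]},
    {"kid": "tpp-signing", "use": "sig",
     "x5t#S256": cert_thumbprint(b"constructed-der-for-tpp-signing-cert")},
]})
```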
Software JWKS endpoints are needed to verify that the mutually authenticated client certificate matches the certificate published for the SSA. Therefore, make sure you add the two optional application attributes software_jwks_endpoint_sandbox and software_jwks_endpoint_production.
To ensure that only this application can subscribe to the APIs whose software_role matches the roles in the SSA, make sure you add the attributes software_roles_production and software_roles_sandbox.
To add a particular role to an API, add software_role with the relevant value (that is, AISP or PISP) under the API properties section when creating the API, as explained here.
Create an application
- Navigate to the API Store using the following URL: https://<WSO2_OB_APIM_HOST>:9443/store.
- Click Sign In. You are redirected to the OB login page.
- Log in using the OB directory credentials and complete the second-factor authentication.
- After a successful login, you are redirected back to the API Store. Click the Applications tab and click Add Application.
- Provide a valid SSA. The application name is picked up from the software_client_name of the SSA. Click Add to add the application. If the application is created successfully, the relevant application page is shown.
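How the SSA claims map onto the application created in the store, as an added example that is not WSO2's code: a constructed SSA payload is decoded (signature verification by the OB directory key is assumed to have happened upstream), its software_id, software_roles and software_jwks_endpoint values are stored under the environment-suffixed attribute names defined earlier in api-manager.xml, the application name is taken from software_client_name, and an API's software_role property is checked against the stored roles before a subscription is allowed.

```python
import base64
import json

STORED_CLAIMS = ("software_id", "software_roles", "software_jwks_endpoint")
ENVIRONMENTS = ("sandbox", "production")


def _b64url_json(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed SSA claims; a real SSA is a JWT signed by the OB directory.
SSA_PAYLOAD = {
    "software_id": "constructed-software-id",
    "software_client_id": "constructed-client-id",
    "software_client_name": "Constructed TPP App",
    "software_roles": ["AISP"],
    "software_jwks_endpoint": "https://keystore.example/constructed/application.jwks",
}
# Constructed compact JWT with a placeholder signature segment, for offline use only.
SSA_JWT = ".".join([_b64url_json({"alg": "PS256", "typ": "JWT"}),
                    _b64url_json(SSA_PAYLOAD), "constructed-signature"])


def decode_ssa_payload(jwt_text: str) -> dict:
    """Decode the payload segment of a compact JWT; the signature check is assumed upstream."""
    payload_b64 = jwt_text.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def application_attributes(ssa: dict, environment: str) -> dict:
    """Map SSA claims onto the <environment>-suffixed attributes from api-manager.xml."""
    if environment not in ENVIRONMENTS:
        raise ValueError(f"unknown environment {environment!r}")
    attrs = {}
    for claim in STORED_CLAIMS:
        if claim in ssa:
            value = ssa[claim]
            attrs[f"{claim}_{environment}"] = ",".join(value) if isinstance(value, list) else value
    return attrs


def application_name(ssa: dict) -> str:
    """The store names the application after the SSA's software_client_name."""
    return ssa["software_client_name"]


def may_subscribe(attrs: dict, environment: str, api_software_role=None) -> bool:
    """An API with a software_role property may be subscribed to only when the
    application's stored roles for that environment include that role."""
    if api_software_role is None:
        return True  # the API carries no software_role restriction
    roles = attrs.get(f"software_roles_{environment}", "").split(",")
    return api_software_role in roles
```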