Dynamic Client Registration v1.0.0

Dynamic client registration allows trusted third-parties to register themselves with the Account Services Payment Services Providers (ASPSP) dynamically. The process is as follows:

The Third Party Provider (TPP) sends a registration request,
1. This is a POST request including an SSA (Software Statement Assertion) as a claim in the payload.
2. The SSA is sent as a signed JWT, which is obtained from the Open Banking (OB) directory. This contains the client metadata.
The ASPSP validates the SSA based on the specifications provided in the Open Banking OpenID Dynamic Client (OIDC) Registration specification.
The ASPSP registers the client application using the metadata sent in the SSA.
The ASPSP returns the response (success or error if the validation fails) based on the open banking UK specification.

The automated Dynamic Client Registration (DCR) process is carried out by calling a synapse API in the gateway.
An example request sent to the DCR registration endpoint is shown below:

POST https://localhost:8243/register
Content-Type: application/jwt
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJJREFtYXpvbiIsImlhdCI6MTQ5OTgwNTg0OCwiZXhwIjoxNTMxMzQxODQ4LCJhdWQiOiJodHRwczovL2F1dGhuLmxsb3lkc2JhbmsuY29tIiwic3ViIjoiaHR0cHM6Ly9hdXRobi5sbG95ZHNiYW5rLmNvbSIsImNsaWVudF9pZCI6IklEQW1hem9uMSIsInNvZnR3YXJlX3N0YXRlbWVudCI6ImV5SjBlWEFpT2lKS1YxUWlMQ0poYkdjaU9pSklVekkxTmlKOS5leUpwYzNNaU9pSlBjR1Z1UW1GdWEybHVaeUlzSW1saGRDSTZNVFE1T1Rnd05UZzBPQ3dpWlhod0lqb3hOVE14TXpReE9EUTRMQ0poZFdRaU9pSkZlR0Z0Y0d4bElGUlFVQ0lzSW5OMVlpSTZJa1Y0WVcxd2JHVWdWRkJRSWl3aVQySlVVRkJKWkNJNklrbEVRVzFoZW05dUlpd2lUMkpVVUZCU2IyeGxJam9pVUVsVFVDSjkuUnJydEpYbmZmSzVjOHJJeEczUm93QXNRZWNlSDNvWlFXTWJwZ0hENzhPOCJ9.VRckIjwgB9ahNTPK6GcDzCfqbU9mkvoOu-B_2jHdKzs

The payload JWT should be in the format given below and must be signed using the signing certificate issued by the Open Banking directory. The kid parameter of the header should match the values in the kid of the signing certificate provided by the Open banking directory.
The TPP should be enrolled in the Open Banking directory and should upload the Certificate Signing Request (CSR) in order to obtain the public transport and signing certificates.

Include the following claims in the body of the request payload;

Claim	Description	Source Specification	Optional	Comments
iss	Request issuer (the TPP)	[RFC7519]	NO
iat	Time of issuance of request	[RFC7519]	NO
exp	Request expiration time	[RFC7519]	NO
aud	Request audience (the ASPSP)	[RFC7519]	NO
jti	The JWT ID	[RFC7519]	NO
redirect_uris	Registered URIs the TPP uses to interact with the ASPSP AS	[OIDC-R]	NO	Must match or be a subset of the software_redirect_uris claim in the SSA.
token_endpoint_auth_method	Specifies which token endpoint authentication method the TPP wants to use	[RFC7591]	NO	private_key_jwt: If requested, the OP should extract the TPPs JWKS location from the included software statement assertion.
grant_types	A JSON array specifying what the TPP can request to be supplied to the token endpoint as exchange for an access token	[RFC7591]	NO
response_types	A JSON array specifying what the TPP can request to be returned from the ASPSP authorization endpoint	[RFC7591]	YES	ASPSPs may reject anything other than code.
software_id	The application name that is mentioned as `software_client_id` in the SSA.	[RFC7591]	YES	If specified, the software_id in the request must match the software_id specfied in the SSA. ASPSPs can choose to allow multiple registrations for a given software client name and may take the software_id from either the SSA or the TPP as a hint.
scope	The scopes requested by the client (if not specificed, default scopes are assigned by the AS)	[RFC7591]	YES	Minimum scope should be openid + whatever scopes are appropriate for the PSD2 role of the software.
software_statement	The SSA issued by Open Banking identifier	[RFC7519]	NO
application_type	Specifies whether the application type is web or mobile	[OIDC-R]	NO	Must be web, if specified.
id_token_signed_response_alg	The algorithm with which the TPP expects to sign the id_token if an id_token is returned	[OIDC-R]	NO	Supported values must comply with [FAPI-RW] Section 8.6.
request_object_signing_alg	The algorithm with which the TPP expects to sign the request object if a request object is part of the authorization request sent to the ASPSP.	[OIDC-R]	NO	Supported values must comply with [FAPI-RW] Section 8.6.

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "9yz0XwrEOkvFHil-t7KSXVhmR6s"
}
{
  "iss": "Amazon TPPID",
  "iat": 1492760444,
  "exp": 1624296449,
  "jti": "12345445",
  "aud": "https://authn.lloyds.co.uk",
  "scope": [
    "openid",
    "payments"
  ],
  "token_endpoint_auth_method": "private_key_jwt",
  "grant_types": [
    "authorization_code",
    "refresh_token"
  ],
  "response_types": [
    "code",
    "id_token"
  ],
  "id_token_signed_response_alg": "ES256",
  "request_object_signing_alg": "ES256",
  "software_id": "3c8F2a7zpWaxnO5kFOZpyE",
  "application_type": "web",
  "redirect_uris": [
    "https://www.amazon.com"
  ],
  "software_statement": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImpfT1BYZTh0Y2hXdWhRM2dWTi1TT09PVHlEWSIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1Mzg5MjY0MzAsImlzcyI6Ik9wZW5CYW5raW5nIEx0ZCIsImp0aSI6IjVqSTE0djJEZDN3WnZiaG1QT2UyTHUiLCJvYl9yZWdpc3RyeV90b3MiOiJodHRwczovL3JlZ2lzdHJ5Lm9wZW5iYW5raW5ndGVzdC5vcmcudWsvdG9zLmh0bWwiLCJvcmdfY29udGFjdHMiOlt7ImVtYWlsIjoic2FjaGluaXNAd3NvMi5jb20iLCJuYW1lIjoiVGVjaG5pY2FsIiwicGhvbmUiOiIrOTQ3NzQyNzQzNzQiLCJ0eXBlIjoiVGVjaG5pY2FsIn0seyJlbWFpbCI6InNhY2hpbmlzQHdzbzIuY29tIiwibmFtZSI6IkJ1c2luZXNzIiwicGhvbmUiOiIrOTQ3NzQyNzQzNzQiLCJ0eXBlIjoiQnVzaW5lc3MifV0sIm9yZ19pZCI6IjAwMTU4MDAwMDFIUVFyWkFBWCIsIm9yZ19qd2tzX2VuZHBvaW50IjoiaHR0cHM6Ly9rZXlzdG9yZS5vcGVuYmFua2luZ3Rlc3Qub3JnLnVrLzAwMTU4MDAwMDFIUVFyWkFBWC8wMDE1ODAwMDAxSFFRclpBQVguandrcyIsIm9yZ19qd2tzX3Jldm9rZWRfZW5kcG9pbnQiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMUhRUXJaQUFYL3Jldm9rZWQvMDAxNTgwMDAwMUhRUXJaQUFYLmp3a3MiLCJvcmdfbmFtZSI6IldTTzIgKFVLKSBMSU1JVEVEIiwib3JnX3N0YXR1cyI6IkFjdGl2ZSIsIm9yZ2FuaXNhdGlvbl9jb21wZXRlbnRfYXV0aG9yaXR5X2NsYWltcyI6eyJhdXRob3Jpc2F0aW9ucyI6W3sibWVtYmVyX3N0YXRlIjoiR0IiLCJyb2xlcyI6WyJBSVNQIiwiUElTUCJdfV0sImF1dGhvcml0eV9pZCI6Ik9CR0JSIiwicmVnaXN0cmF0aW9uX2lkIjoiVW5rbm93bjAwMTU4MDAwMDFIUVFyWkFBWCIsInN0YXR1cyI6IkFjdGl2ZSJ9LCJzb2Z0d2FyZV9jbGllbnRfZGVzY3JpcHRpb24iOiJ0ZXN0aW5nIHB1cnBvc2UiLCJzb2Z0d2FyZV9jbGllbnRfaWQiOiIzYzhGMmE3enBXYXhuTzVrRk9acHlFIiwic29mdHdhcmVfY2xpZW50X25hbWUiOiJPcGVuIEJhbmtpbmcgdGVzdCIsInNvZnR3YXJlX2NsaWVudF91cmkiOiJodHRwczovL3d3dy5hbWF6b24uY29tL2NsaWVudCIsInNvZnR3YXJlX2Vudmlyb25tZW50Ijoic2FuZGJveCIsInNvZnR3YXJlX2lkIjoiM2M4RjJhN3pwV2F4bk81a0ZPWnB5RSIsInNvZnR3YXJlX2p3a3NfZW5kcG9pbnQiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMUhRUXJaQUFYLzNjOEYyYTd6cFdheG5PNWtGT1pweUUuandrcyIsInNvZnR3YXJlX2p3a3NfcmV2b2tlZF9lbmRwb2ludCI6Imh0dHBzOi8va2V5c3RvcmUub3BlbmJhbmtpbmd0ZXN0Lm9yZy51ay8wMDE1ODAwMDAxSFFRclpBQVgvcmV2b2tlZC8zYzhGMmE3enBXYXhuTzVrRk9acHlFLmp3a3MiLCJzb2Z0d2FyZV9sb2dvX3VyaSI6Imh0dHBzOi8vd3d3LmFtYXpvbi5jb20vbG9nbyIsInNvZnR3YXJlX21vZGUiOiJMaXZlIiwic29mdHdhcmVfb25fYmVoYWxmX29mX29yZyI6IlRoaXJkIHBhcnR5IHByb3ZpZGVycyIsInNvZnR3YXJlX3BvbGljeV91cmkiOiJodHRwczovL3d3dy5hbWF6b24uY29tL3BvbGljeSIsInNvZnR3YXJlX3JlZGlyZWN0X3VyaXMiOlsiaHR0cHM6Ly93d3cuYW1hem9uLmNvbSIsImh0dHBzOi8vd3d3LmFtYXpvbi5jb20vdHQvd2Vidmlldy9vb2JlL3Byb3Bvc2l0aW9uIl0sInNvZnR3YXJlX3JvbGVzIjpbIkFJU1AiLCJQSVNQIl0sInNvZnR3YXJlX3Rvc191cmkiOiJodHRwczovL3d3dy5hbWF6b24uY29tL3RvcyIsInNvZnR3YXJlX3ZlcnNpb24iOjEuMX0.WwuTR8guWhZynapiivAmVLD62I4z-49b_kiNv-6Ae4hsOqY-mDZoxVPxY8HrQUDB1MDGnUzWzcj1gBpRDf-kN3fiLp42Qo3PUhmfsCBUGMRgeCIelYWB3Wm8kYdjlArJ6CpNkj9dUo8g48dt7Bj-r1Uxa7SUpe6D-P_peTdebxf82z2zX9obu-sGhGzTAiMpNilnftaWmUdkk4EMtFUr4Qbw8QbJz3-6TjSU7nUHU7QvJ0xFPreTkAq5MoJ_JvF-INEmUFZIRa7S1z54M1TPnSSRA19mdxhSs2IaVvr5rPGgTvMw30Q1Ch

idHyAQO4-FEkaIIbay-9YN2NxgelQOQQ"
}

The software statement should be obtained from the Open Banking directory by the TPP. This is a signed JWT issued by the Open Banking directory.

A sample response is given below:

HTTP/1.1 200 Ok
     Content-Type: application/json
  {
    "grant_types": [
        "authorization_code",
        "refresh_token"
    ],
    "software_client_name": "Open Banking test",
    "supportedGrantTypes": [
        "refresh_token",
        "client_credentials"
    ],
    "redirect_uris": [
        "https://www.amazon.com",
        "https://www.amazon.com/tt/webview/oobe/proposition"
    ],
    "software_jwks_endpoint": "https://keystore.openbankingtest.org.uk/0015800001HQQrZAAX/3c8F2a7zpWaxnO5kFOZpyE.jwks",
    "token_endpoint_auth_method": "private_key_jwt",
    "consumerSecret": "DMcSUBmgi4tjKktagizDuDaiCAAa",
    "software_id": "3c8F2a7zpWaxnO5kFOZpyE",
    "software_logo_uri": "https://www.amazon.com/logo",
    "scope": [
        "openid",
        "payments"
    ],
    "request_object_signing_alg": "ES256",
    "software_roles": [
        "AISP",
        "PISP"
    ],
    "consumerKey": "kKcxI71dFnCtIHoM9zTZiG6U1GUa",
    "id_token_signed_response_alg": "ES256"
}

You need to get the latest product updates for the current version of WSO2 Open Banking. This fix is available as a product update from April 8, 2019 (04-08-2019) onwards. Changes affects to the sample response as follows.

HTTP/1.1 200 Ok
     Content-Type: application/json
  {
    "grant_types": [
        "authorization_code",
        "refresh_token"
    ],
    "software_client_name": "Open Banking test",
    "supportedGrantTypes": [
        "refresh_token",
        "client_credentials"
    ],
    "redirect_uris": [
        "https://www.amazon.com",
        "https://www.amazon.com/tt/webview/oobe/proposition"
    ],
    "software_jwks_endpoint": "https://keystore.openbankingtest.org.uk/0015800001HQQrZAAX/3c8F2a7zpWaxnO5kFOZpyE.jwks",
    "token_endpoint_auth_method": "private_key_jwt",
    "client_secret": "DMcSUBmgi4tjKktagizDuDaiCAAa",
    "software_id": "3c8F2a7zpWaxnO5kFOZpyE",
    "software_logo_uri": "https://www.amazon.com/logo",
    "scope": [
        "openid",
        "payments"
    ],
    "request_object_signing_alg": "ES256",
    "software_roles": [
        "AISP",
        "PISP"
    ],
    "client_id": "kKcxI71dFnCtIHoM9zTZiG6U1GUa",
    "id_token_signed_response_alg": "ES256"
}

Configure dynamic registration

Follow the steps below to configure dynamic registration.

Upload certificate to the client trust store

The ASPSP can upload the OB root and issuer certificates found from the following locations to the repository/resources/security/client trust store of both APIM and KM components.

In sandbox environment, upload certificates from https://openbanking.atlassian.net/wiki/spaces/DZ/pages/252018873/OB+Root+and+Issuing+Certificates+for+Sandbox.

In production environment, upload certificates from https://openbanking.atlassian.net/wiki/spaces/DZ/pages/80544075/OB+Root+and+Issuing+Certificates+for+Production

Use the commands to add the certificate to the client trust store as follows:

Add root certificate

keytool -import -alias tpproot -file <OB root cert> -keystore client-truststore.jks -storepass wso2carbon

Add issuer certificate

keytool -import -alias tppissuer -file <OB issuing cert> -keystore client-truststore.jks -storepass wso2carbon

Edit the open-banking.xml file

In the <WSO2_OBAM_HOME>/repository/conf/finance folder, open the open-banking.xml file and add the following parameters:

<UK>
    <DCR>
        <TokenAuthentication>
            <Method>private_key_jwt</Method>
            <Method>client_secret_basic</Method>
        </TokenAuthentication>
        <ConnectionTimeout>0</ConnectionTimeout>
        <ReadTimeout>0</ReadTimeout>
        <EndPointURL>
            <ServiceProviderCreation>/client-registration/v0.14/register</ServiceProviderCreation>
            <Application>/api/am/store/v0.14/applications</Application>
            <Token>/token</Token>
            <KeyGeneration>/api/am/store/v0.14/applications/generate-keys</KeyGeneration>
            <ApiSearch>/api/am/store/v0.14/apis</ApiSearch>
            <ApiSubscribe>/api/am/store/v0.14/subscriptions/multiple</ApiSubscribe>
        </EndPointURL>
        <EnableURIValidation>false</EnableURIValidation>
		<EnableHostNameValidation>false</EnableHostNameValidation>
        <APISubscriptions>
            <PISP>
                <APIContext>/open-banking/v3.1/pisp</APIContext>
                <APIContext>/open-banking/v3.0/pisp</APIContext>
                <APIContext>/open-banking/v2.0/pisp</APIContext>
            </PISP>
            <AISP>
                <APIContext>/open-banking/v3.1/aisp</APIContext>
                <APIContext>/open-banking/v3.0/aisp</APIContext>
                <APIContext>/open-banking/v2.0/aisp</APIContext>
            </AISP>
        </APISubscriptions>
    </DCR>
</UK>

The token endpoint authentication methods indicate the authentication methods supported by WSO2. The registration validation will fail if the TPP requests a different authentication method.
The ConnectionTimeout and ReadTimeout values are needed when verifying the signatures for the request JWT and software statement JWT.
The ConnectionTimeout and ReadTimeout values are set to a default value of 3000.
The values can be increased in case the signature validation fails with a time-out.
The endpoint URLs are used to access the REST APIs of the API Manager in order to create the application and service provider, and to generate keys for the application.

Add the following configuration under <DCR> in the <OB_APIM>/repository/conf/finance/open-banking.xml.
```
 <UseSoftwareIdAsApplicationName>true</UseSoftwareIdAsApplicationName>
```
You need to get the latest product updates to use software_id as the application name in the current version of WSO2 Open Banking. This feature is available as a product update from June 7, 2019 (06-07-2019) onwards.

Edit the axis2.xml file

In the <WSO2_OBAM_HOME>/repository/conf/axis2 folder, open the axis2.xml file and add the following configurations to support the application/JWT content type:

Add a new message formatter

<messageFormatters>
<messageFormatter contentType="application/jwt"class="org.apache.axis2.format.PlainTextFormatter"/>
</messageFormatters>

Add a new message builder

<messageBuilders>
<messageBuilder contentType="application/jwt class="org.apache.axis2.format.PlainTextBuilder"/>
</messageBuilders>

Edit the api-manager.xml file

To store any properties retrieved from the SSA, make sure you add the server level configuration to the api-manager.xml file in the <OB_AM_HOME>/repository/conf folder as explained here. For example, if you want to store the software_client_id retrieved from the SSA created in the sandbox environment, the property name should look like: software_client_id_sandbox. Similarly, to store the software_client_id retrieved from the SSA created in a production environment, the property name should be: software_client_id_production. Make sure you add these properties as false, as required.

In addition to these, make sure you include the software_jwks_endpoint included in the SSA. This is necessary in order to obtain an access token for the application.

<ApplicationConfiguration>
    <ApplicationAttributes>
        <Attribute required="false">
            <Name>software_id_sandbox</Name>
            <Description>Software ID of the sandbox</Description>
        </Attribute>
        <Attribute required="false">
            <Name>software_id_production</Name>
            <Description>Software ID of the production</Description>
        </Attribute>
       <Attribute required="false">
            <Name>software_roles_production</Name>
            <Description>Software roles of the production</Description>
        </Attribute>
       <Attribute required="false">
            <Name>software_roles_sandbox</Name>
            <Description>Software roles of the sandbox</Description>
        </Attribute>
        <Attribute required="false">
            <Name>software_jwks_endpoint_sandbox</Name>
            <Description>JWKS endpoint of sandbox</Description>
        </Attribute>
        <Attribute required="false">
            <Name>software_jwks_endpoint_production</Name>
            <Description>JWKS endpoint of production</Description>
        </Attribute>
    </ApplicationAttributes>
</ApplicationConfiguration>

Ensure that the following values are accurately configured in the api-manager.xml file in order to retrieve the above-configured properties through a soap service.

<APIKeyValidator>
	<ServerURL><WSO2_OBIAM_HOST>${carbon.context}services/</ServerURL>
    <Username>${admin.username}</Username>
    <Password>${admin.password}</Password>
	...
</APIKeyValidator>