This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Dynamic Client Registration v1.0.0

Dynamic client registration allows trusted third-parties to register themselves with the Account Services Payment Services Providers (ASPSP) dynamically. The process is as follows:

  1. The Third Party Provider (TPP) sends a registration request,

    1. This is a POST request including an SSA (Software Statement Assertion) as a claim in the payload.

    2. The SSA is sent as a signed JWT, which is obtained from the Open Banking (OB) directory. This contains the client metadata.

  2. The ASPSP validates the SSA based on the specifications provided in the Open Banking OpenID Dynamic Client (OIDC) Registration specification.

  3. The ASPSP registers the client application using the metadata sent in the SSA.

  4. The ASPSP returns the response (success or error if the validation fails) based on the open banking UK specification.

  5. The automated Dynamic Client Registration (DCR) process is carried out by calling a synapse API in the gateway.
    An example request sent to the DCR registration endpoint is shown below:

    POST https://localhost:8243/register
    Content-Type: application/jwt
    eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJJREFtYXpvbiIsImlhdCI6MTQ5OTgwNTg0OCwiZXhwIjoxNTMxMzQxODQ4LCJhdWQiOiJodHRwczovL2F1dGhuLmxsb3lkc2JhbmsuY29tIiwic3ViIjoiaHR0cHM6Ly9hdXRobi5sbG95ZHNiYW5rLmNvbSIsImNsaWVudF9pZCI6IklEQW1hem9uMSIsInNvZnR3YXJlX3N0YXRlbWVudCI6ImV5SjBlWEFpT2lKS1YxUWlMQ0poYkdjaU9pSklVekkxTmlKOS5leUpwYzNNaU9pSlBjR1Z1UW1GdWEybHVaeUlzSW1saGRDSTZNVFE1T1Rnd05UZzBPQ3dpWlhod0lqb3hOVE14TXpReE9EUTRMQ0poZFdRaU9pSkZlR0Z0Y0d4bElGUlFVQ0lzSW5OMVlpSTZJa1Y0WVcxd2JHVWdWRkJRSWl3aVQySlVVRkJKWkNJNklrbEVRVzFoZW05dUlpd2lUMkpVVUZCU2IyeGxJam9pVUVsVFVDSjkuUnJydEpYbmZmSzVjOHJJeEczUm93QXNRZWNlSDNvWlFXTWJwZ0hENzhPOCJ9.VRckIjwgB9ahNTPK6GcDzCfqbU9mkvoOu-B_2jHdKzs
  6. The payload JWT should be in the format given below and must be signed using the signing certificate issued by the Open Banking directory. The kid parameter of the header should match the values in the kid of the signing certificate provided by the Open banking directory.

  7. The TPP should be enrolled in the Open Banking directory and should upload the Certificate Signing Request (CSR) in order to obtain the public transport and signing certificates.

  8. Include the following claims in the body of the request payload;

    ClaimDescriptionSource SpecificationOptionalComments
    issRequest issuer (the TPP)[RFC7519]NO
    iatTime of issuance of request[RFC7519]NO
    expRequest expiration time[RFC7519]NO
    audRequest audience (the ASPSP)[RFC7519]NO
    jtiThe JWT ID[RFC7519]NO
    redirect_urisRegistered URIs the TPP uses to interact with the ASPSP AS[OIDC-R]NOMust match or be a subset of the software_redirect_uris claim in the SSA.
    token_endpoint_auth_methodSpecifies which token endpoint authentication method the TPP wants to use[RFC7591]NOprivate_key_jwt: If requested, the OP should extract the TPPs JWKS location from the included software statement assertion.
    grant_typesA JSON array specifying what the TPP can request to be supplied to the token endpoint as exchange for an access token[RFC7591]NO
    response_typesA JSON array specifying what the TPP can request to be returned from the ASPSP authorization endpoint[RFC7591]YESASPSPs may reject anything other than code.
    software_idThe application name that is mentioned as software_client_id in the SSA.[RFC7591]YESIf specified, the software_id in the request must match the software_id specfied in the SSA. ASPSPs can choose to allow multiple registrations for a given software client name and may take the software_id from either the SSA or the TPP as a hint.
    scopeThe scopes requested by the client (if not specificed, default scopes are assigned by the AS)[RFC7591]YESMinimum scope should be openid + whatever scopes are appropriate for the PSD2 role of the software.
    software_statementThe SSA issued by Open Banking identifier[RFC7519]NO
    application_typeSpecifies whether the application type is web or mobile[OIDC-R]NOMust be web, if specified.
    id_token_signed_response_algThe algorithm with which the TPP expects to sign the id_token if an id_token is returned[OIDC-R]NOSupported values must comply with [FAPI-RW] Section 8.6.
    request_object_signing_algThe algorithm with which the TPP expects to sign the request object if a request object is part of the authorization request sent to the ASPSP.[OIDC-R]NOSupported values must comply with [FAPI-RW] Section 8.6.
    {
      "typ": "JWT",
      "alg": "RS256",
      "kid": "9yz0XwrEOkvFHil-t7KSXVhmR6s"
    }
    {
      "iss": "Amazon TPPID",
      "iat": 1492760444,
      "exp": 1624296449,
      "jti": "12345445",
      "aud": "https://authn.lloyds.co.uk",
      "scope": [
        "openid",
        "payments"
      ],
      "token_endpoint_auth_method": "private_key_jwt",
      "grant_types": [
        "authorization_code",
        "refresh_token"
      ],
      "response_types": [
        "code",
        "id_token"
      ],
      "id_token_signed_response_alg": "ES256",
      "request_object_signing_alg": "ES256",
      "software_id": "3c8F2a7zpWaxnO5kFOZpyE",
      "application_type": "web",
      "redirect_uris": [
        "https://www.amazon.com"
      ],
      "software_statement": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImpfT1BYZTh0Y2hXdWhRM2dWTi1TT09PVHlEWSIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1Mzg5MjY0MzAsImlzcyI6Ik9wZW5CYW5raW5nIEx0ZCIsImp0aSI6IjVqSTE0djJEZDN3WnZiaG1QT2UyTHUiLCJvYl9yZWdpc3RyeV90b3MiOiJodHRwczovL3JlZ2lzdHJ5Lm9wZW5iYW5raW5ndGVzdC5vcmcudWsvdG9zLmh0bWwiLCJvcmdfY29udGFjdHMiOlt7ImVtYWlsIjoic2FjaGluaXNAd3NvMi5jb20iLCJuYW1lIjoiVGVjaG5pY2FsIiwicGhvbmUiOiIrOTQ3NzQyNzQzNzQiLCJ0eXBlIjoiVGVjaG5pY2FsIn0seyJlbWFpbCI6InNhY2hpbmlzQHdzbzIuY29tIiwibmFtZSI6IkJ1c2luZXNzIiwicGhvbmUiOiIrOTQ3NzQyNzQzNzQiLCJ0eXBlIjoiQnVzaW5lc3MifV0sIm9yZ19pZCI6IjAwMTU4MDAwMDFIUVFyWkFBWCIsIm9yZ19qd2tzX2VuZHBvaW50IjoiaHR0cHM6Ly9rZXlzdG9yZS5vcGVuYmFua2luZ3Rlc3Qub3JnLnVrLzAwMTU4MDAwMDFIUVFyWkFBWC8wMDE1ODAwMDAxSFFRclpBQVguandrcyIsIm9yZ19qd2tzX3Jldm9rZWRfZW5kcG9pbnQiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMUhRUXJaQUFYL3Jldm9rZWQvMDAxNTgwMDAwMUhRUXJaQUFYLmp3a3MiLCJvcmdfbmFtZSI6IldTTzIgKFVLKSBMSU1JVEVEIiwib3JnX3N0YXR1cyI6IkFjdGl2ZSIsIm9yZ2FuaXNhdGlvbl9jb21wZXRlbnRfYXV0aG9yaXR5X2NsYWltcyI6eyJhdXRob3Jpc2F0aW9ucyI6W3sibWVtYmVyX3N0YXRlIjoiR0IiLCJyb2xlcyI6WyJBSVNQIiwiUElTUCJdfV0sImF1dGhvcml0eV9pZCI6Ik9CR0JSIiwicmVnaXN0cmF0aW9uX2lkIjoiVW5rbm93bjAwMTU4MDAwMDFIUVFyWkFBWCIsInN0YXR1cyI6IkFjdGl2ZSJ9LCJzb2Z0d2FyZV9jbGllbnRfZGVzY3JpcHRpb24iOiJ0ZXN0aW5nIHB1cnBvc2UiLCJzb2Z0d2FyZV9jbGllbnRfaWQiOiIzYzhGMmE3enBXYXhuTzVrRk9acHlFIiwic29mdHdhcmVfY2xpZW50X25hbWUiOiJPcGVuIEJhbmtpbmcgdGVzdCIsInNvZnR3YXJlX2NsaWVudF91cmkiOiJodHRwczovL3d3dy5hbWF6b24uY29tL2NsaWVudCIsInNvZnR3YXJlX2Vudmlyb25tZW50Ijoic2FuZGJveCIsInNvZnR3YXJlX2lkIjoiM2M4RjJhN3pwV2F4bk81a0ZPWnB5RSIsInNvZnR3YXJlX2p3a3NfZW5kcG9pbnQiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMUhRUXJaQUFYLzNjOEYyYTd6cFdheG5PNWtGT1pweUUuandrcyIsInNvZnR3YXJlX2p3a3NfcmV2b2tlZF9lbmRwb2ludCI6Imh0dHBzOi8va2V5c3RvcmUub3BlbmJhbmtpbmd0ZXN0Lm9yZy51ay8wMDE1ODAwMDAxSFFRclpBQVgvcmV2b2tlZC8zYzhGMmE3enBXYXhuTzVrRk9acHlFLmp3a3MiLCJzb2Z0d2FyZV9sb2dvX3VyaSI6Imh0dHBzOi8vd3d3LmFtYXpvbi5jb20vbG9nbyIsInNvZnR3YXJlX21vZGUiOiJMaXZlIiwic29mdHdhcmVfb25fYmVoYWxmX29mX29yZyI6IlRoaXJkIHBhcnR5IHByb3ZpZGVycyIsInNvZnR3YXJlX3BvbGljeV91cmkiOiJodHRwczovL3d3dy5hbWF6b24uY29tL3BvbGljeSIsInNvZnR3YXJlX3JlZGlyZWN0X3VyaXMiOlsiaHR0cHM6Ly93d3cuYW1hem9uLmNvbSIsImh0dHBzOi8vd3d3LmFtYXpvbi5jb20vdHQvd2Vidmlldy9vb2JlL3Byb3Bvc2l0aW9uIl0sInNvZnR3YXJlX3JvbGVzIjpbIkFJU1AiLCJQSVNQIl0sInNvZnR3YXJlX3Rvc191cmkiOiJodHRwczovL3d3dy5hbWF6b24uY29tL3RvcyIsInNvZnR3YXJlX3ZlcnNpb24iOjEuMX0.WwuTR8guWhZynapiivAmVLD62I4z-49b_kiNv-6Ae4hsOqY-mDZoxVPxY8HrQUDB1MDGnUzWzcj1gBpRDf-kN3fiLp42Qo3PUhmfsCBUGMRgeCIelYWB3Wm8kYdjlArJ6CpNkj9dUo8g48dt7Bj-r1Uxa7SUpe6D-P_peTdebxf82z2zX9obu-sGhGzTAiMpNilnftaWmUdkk4EMtFUr4Qbw8QbJz3-6TjSU7nUHU7QvJ0xFPreTkAq5MoJ_JvF-INEmUFZIRa7S1z54M1TPnSSRA19mdxhSs2IaVvr5rPGgTvMw30Q1Ch
    
    idHyAQO4-FEkaIIbay-9YN2NxgelQOQQ"
    }
  9. The software statement should be obtained from the Open Banking directory by the TPP. This is a signed JWT issued by the Open Banking directory.
  10. A sample response is given below:

    HTTP/1.1 200 Ok
         Content-Type: application/json
      {
        "grant_types": [
            "authorization_code",
            "refresh_token"
        ],
        "software_client_name": "Open Banking test",
        "supportedGrantTypes": [
            "refresh_token",
            "client_credentials"
        ],
        "redirect_uris": [
            "https://www.amazon.com",
            "https://www.amazon.com/tt/webview/oobe/proposition"
        ],
        "software_jwks_endpoint": "https://keystore.openbankingtest.org.uk/0015800001HQQrZAAX/3c8F2a7zpWaxnO5kFOZpyE.jwks",
        "token_endpoint_auth_method": "private_key_jwt",
        "consumerSecret": "DMcSUBmgi4tjKktagizDuDaiCAAa",
        "software_id": "3c8F2a7zpWaxnO5kFOZpyE",
        "software_logo_uri": "https://www.amazon.com/logo",
        "scope": [
            "openid",
            "payments"
        ],
        "request_object_signing_alg": "ES256",
        "software_roles": [
            "AISP",
            "PISP"
        ],
        "consumerKey": "kKcxI71dFnCtIHoM9zTZiG6U1GUa",
        "id_token_signed_response_alg": "ES256"
    }

    You need to get the latest product updates for the current version of WSO2 Open Banking. This fix is available as a product update from April 8, 2019 (04-08-2019) onwards. Changes affects to the sample response as follows.

    HTTP/1.1 200 Ok
         Content-Type: application/json
      {
        "grant_types": [
            "authorization_code",
            "refresh_token"
        ],
        "software_client_name": "Open Banking test",
        "supportedGrantTypes": [
            "refresh_token",
            "client_credentials"
        ],
        "redirect_uris": [
            "https://www.amazon.com",
            "https://www.amazon.com/tt/webview/oobe/proposition"
        ],
        "software_jwks_endpoint": "https://keystore.openbankingtest.org.uk/0015800001HQQrZAAX/3c8F2a7zpWaxnO5kFOZpyE.jwks",
        "token_endpoint_auth_method": "private_key_jwt",
        "client_secret": "DMcSUBmgi4tjKktagizDuDaiCAAa",
        "software_id": "3c8F2a7zpWaxnO5kFOZpyE",
        "software_logo_uri": "https://www.amazon.com/logo",
        "scope": [
            "openid",
            "payments"
        ],
        "request_object_signing_alg": "ES256",
        "software_roles": [
            "AISP",
            "PISP"
        ],
        "client_id": "kKcxI71dFnCtIHoM9zTZiG6U1GUa",
        "id_token_signed_response_alg": "ES256"
    }

Configure dynamic registration

Follow the steps below to configure dynamic registration.

Upload certificate to the client trust store

The ASPSP can upload the OB root and issuer certificates found from the following locations to the repository/resources/security/client trust store of both APIM and KM components.

Use the commands to add the certificate to the client trust store as follows:

Add root certificate
keytool -import -alias tpproot -file <OB root cert> -keystore client-truststore.jks -storepass wso2carbon
Add issuer certificate
keytool -import -alias tppissuer -file <OB issuing cert> -keystore client-truststore.jks -storepass wso2carbon


Edit the open-banking.xml file

  1. In the <WSO2_OBAM_HOME>/repository/conf/finance folder, open the open-banking.xml file and add the following parameters:

    <UK>
        <DCR>
            <TokenAuthentication>
                <Method>private_key_jwt</Method>
                <Method>client_secret_basic</Method>
            </TokenAuthentication>
            <ConnectionTimeout>0</ConnectionTimeout>
            <ReadTimeout>0</ReadTimeout>
            <EndPointURL>
                <ServiceProviderCreation>/client-registration/v0.14/register</ServiceProviderCreation>
                <Application>/api/am/store/v0.14/applications</Application>
                <Token>/token</Token>
                <KeyGeneration>/api/am/store/v0.14/applications/generate-keys</KeyGeneration>
                <ApiSearch>/api/am/store/v0.14/apis</ApiSearch>
                <ApiSubscribe>/api/am/store/v0.14/subscriptions/multiple</ApiSubscribe>
            </EndPointURL>
            <EnableURIValidation>false</EnableURIValidation>
    		<EnableHostNameValidation>false</EnableHostNameValidation>
            <APISubscriptions>
                <PISP>
                    <APIContext>/open-banking/v3.1/pisp</APIContext>
                    <APIContext>/open-banking/v3.0/pisp</APIContext>
                    <APIContext>/open-banking/v2.0/pisp</APIContext>
                </PISP>
                <AISP>
                    <APIContext>/open-banking/v3.1/aisp</APIContext>
                    <APIContext>/open-banking/v3.0/aisp</APIContext>
                    <APIContext>/open-banking/v2.0/aisp</APIContext>
                </AISP>
            </APISubscriptions>
        </DCR>
    </UK>
    • The token endpoint authentication methods indicate the authentication methods supported by WSO2. The registration validation will fail if the TPP requests a different authentication method.
    • The ConnectionTimeout and ReadTimeout values are needed when verifying the signatures for the request JWT and software statement JWT.
    • The ConnectionTimeout and ReadTimeout values are set to a default value of 3000.
    • The values can be increased in case the signature validation fails with a time-out.
    • The endpoint URLs are used to access the REST APIs of the API Manager in order to create the application and service provider, and to generate keys for the application.
  2. Add the following configuration under <DCR> in the <OB_APIM>/repository/conf/finance/open-banking.xml.

     <UseSoftwareIdAsApplicationName>true</UseSoftwareIdAsApplicationName>

    You need to get the latest product updates to use software_id as the application name in the current version of WSO2 Open Banking. This feature is available as a product update from June 7, 2019 (06-07-2019) onwards.

Edit the axis2.xml file

In the <WSO2_OBAM_HOME>/repository/conf/axis2 folder, open the axis2.xml file and add the following configurations to support the application/JWT content type:

Add a new message formatter
<messageFormatters>
<messageFormatter contentType="application/jwt"class="org.apache.axis2.format.PlainTextFormatter"/>
</messageFormatters>
Add a new message builder
<messageBuilders>
<messageBuilder contentType="application/jwt class="org.apache.axis2.format.PlainTextBuilder"/>
</messageBuilders>

Edit the api-manager.xml file

To store any properties retrieved from the SSA, make sure you add the server level configuration to the api-manager.xml file in the <OB_AM_HOME>/repository/conf folder as explained here. For example, if you want to store the software_client_id retrieved from the SSA created in the sandbox environment, the property name should look like: software_client_id_sandbox. Similarly, to store the software_client_id retrieved from the SSA created in a production environment, the property name should be: software_client_id_production. Make sure you add these properties as false, as required.

In addition to these, make sure you include the software_jwks_endpoint included in the SSA. This is necessary in order to obtain an access token for the application.

<ApplicationConfiguration>
    <ApplicationAttributes>
        <Attribute required="false">
            <Name>software_id_sandbox</Name>
            <Description>Software ID of the sandbox</Description>
        </Attribute>
        <Attribute required="false">
            <Name>software_id_production</Name>
            <Description>Software ID of the production</Description>
        </Attribute>
       <Attribute required="false">
            <Name>software_roles_production</Name>
            <Description>Software roles of the production</Description>
        </Attribute>
       <Attribute required="false">
            <Name>software_roles_sandbox</Name>
            <Description>Software roles of the sandbox</Description>
        </Attribute>
        <Attribute required="false">
            <Name>software_jwks_endpoint_sandbox</Name>
            <Description>JWKS endpoint of sandbox</Description>
        </Attribute>
        <Attribute required="false">
            <Name>software_jwks_endpoint_production</Name>
            <Description>JWKS endpoint of production</Description>
        </Attribute>
    </ApplicationAttributes>
</ApplicationConfiguration>

Ensure that the following values are accurately configured in the api-manager.xml file in order to retrieve the above-configured properties through a soap service.

<APIKeyValidator>
	<ServerURL><WSO2_OBIAM_HOST>${carbon.context}services/</ServerURL>
    <Username>${admin.username}</Username>
    <Password>${admin.password}</Password>
	...
</APIKeyValidator>