This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Dynamic Client Registration v1.0.0
Dynamic client registration allows trusted third parties to register themselves with an Account Servicing Payment Service Provider (ASPSP) dynamically. The process is as follows:
- The Third Party Provider (TPP) sends a registration request. This is a POST request that includes a Software Statement Assertion (SSA) as a claim in the payload. The SSA is a signed JWT obtained from the Open Banking (OB) directory and contains the client metadata.
- The ASPSP validates the SSA according to the Open Banking OpenID Connect (OIDC) Dynamic Client Registration specification.
- The ASPSP registers the client application using the metadata sent in the SSA.
- The ASPSP returns a response (success, or an error if validation fails) as defined in the Open Banking UK specification.
The automated Dynamic Client Registration (DCR) process is carried out by calling a Synapse API in the gateway.
An example request sent to the DCR registration endpoint is shown below:
POST https://localhost:8243/register
Content-Type: application/jwt

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJJREFtYXpvbiIsImlhdCI6MTQ5OTgwNTg0OCwiZXhwIjoxNTMxMzQxODQ4LCJhdWQiOiJodHRwczovL2F1dGhuLmxsb3lkc2JhbmsuY29tIiwic3ViIjoiaHR0cHM6Ly9hdXRobi5sbG95ZHNiYW5rLmNvbSIsImNsaWVudF9pZCI6IklEQW1hem9uMSIsInNvZnR3YXJlX3N0YXRlbWVudCI6ImV5SjBlWEFpT2lKS1YxUWlMQ0poYkdjaU9pSklVekkxTmlKOS5leUpwYzNNaU9pSlBjR1Z1UW1GdWEybHVaeUlzSW1saGRDSTZNVFE1T1Rnd05UZzBPQ3dpWlhod0lqb3hOVE14TXpReE9EUTRMQ0poZFdRaU9pSkZlR0Z0Y0d4bElGUlFVQ0lzSW5OMVlpSTZJa1Y0WVcxd2JHVWdWRkJRSWl3aVQySlVVRkJKWkNJNklrbEVRVzFoZW05dUlpd2lUMkpVVUZCU2IyeGxJam9pVUVsVFVDSjkuUnJydEpYbmZmSzVjOHJJeEczUm93QXNRZWNlSDNvWlFXTWJwZ0hENzhPOCJ9.VRckIjwgB9ahNTPK6GcDzCfqbU9mkvoOu-B_2jHdKzs
The payload JWT must be in the format given below and must be signed with the signing certificate issued by the Open Banking directory. The kid parameter in the JWT header must match the kid of that signing certificate.
The TPP must be enrolled in the Open Banking directory and must upload a Certificate Signing Request (CSR) in order to obtain its public transport and signing certificates.
Include the following claims in the body of the request payload:
| Claim | Description | Source specification | Optional | Comments |
|---|---|---|---|---|
| iss | Request issuer (the TPP) | [RFC7519] | NO | |
| iat | Time of issuance of the request | [RFC7519] | NO | |
| exp | Request expiration time | [RFC7519] | NO | |
| aud | Request audience (the ASPSP) | [RFC7519] | NO | |
| jti | The JWT ID | [RFC7519] | NO | |
| redirect_uris | Registered URIs the TPP uses to interact with the ASPSP AS | [OIDC-R] | NO | Must match or be a subset of the software_redirect_uris claim in the SSA. |
| token_endpoint_auth_method | Specifies which token endpoint authentication method the TPP wants to use | [RFC7591] | NO | private_key_jwt: if requested, the OP should extract the TPP's JWKS location from the included software statement assertion. |
| grant_types | A JSON array specifying what the TPP can request to be supplied to the token endpoint in exchange for an access token | [RFC7591] | NO | |
| response_types | A JSON array specifying what the TPP can request to be returned from the ASPSP authorization endpoint | [RFC7591] | YES | ASPSPs may reject anything other than code. |
| software_id | The application name, given as software_client_id in the SSA | [RFC7591] | YES | If specified, the software_id in the request must match the software_id specified in the SSA. ASPSPs can choose to allow multiple registrations for a given software client name and may take the software_id from either the SSA or the TPP as a hint. |
| scope | The scopes requested by the client (if not specified, default scopes are assigned by the AS) | [RFC7591] | YES | Minimum scope should be openid plus whatever scopes are appropriate for the PSD2 role of the software. |
| software_statement | The SSA issued by the Open Banking directory | [RFC7519] | NO | |
| application_type | Specifies whether the application type is web or mobile | [OIDC-R] | NO | Must be web, if specified. |
| id_token_signed_response_alg | The algorithm with which the TPP expects the id_token to be signed, if an id_token is returned | [OIDC-R] | NO | Supported values must comply with [FAPI-RW] Section 8.6. |
| request_object_signing_alg | The algorithm with which the TPP expects to sign the request object, if a request object is part of the authorization request sent to the ASPSP | [OIDC-R] | NO | Supported values must comply with [FAPI-RW] Section 8.6. |
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "9yz0XwrEOkvFHil-t7KSXVhmR6s"
}
{
  "iss": "Amazon TPPID",
  "iat": 1492760444,
  "exp": 1624296449,
  "jti": "12345445",
  "aud": "https://authn.lloyds.co.uk",
  "scope": [ "openid", "payments" ],
  "token_endpoint_auth_method": "private_key_jwt",
  "grant_types": [ "authorization_code", "refresh_token" ],
  "response_types": [ "code", "id_token" ],
  "id_token_signed_response_alg": "ES256",
  "request_object_signing_alg": "ES256",
  "software_id": "3c8F2a7zpWaxnO5kFOZpyE",
  "application_type": "web",
  "redirect_uris": [ "https://www.amazon.com" ],
  "software_statement": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImpfT1BYZTh0Y2hXdWhRM2dWTi1TT09PVHlEWSIsInR5cCI6IkpXVCJ9.[payload elided].WwuTR8guWhZynapiivAmVLD62I4z-49b_kiNv-6Ae4hsOqY-mDZoxVPxY8HrQUDB1MDGnUzWzcj1gBpRDf-kN3fiLp42Qo3PUhmfsCBUGMRgeCIelYWB3Wm8kYdjlArJ6CpNkj9dUo8g48dt7Bj-r1Uxa7SUpe6D-P_peTdebxf82z2zX9obu-sGhGzTAiMpNilnftaWmUdkk4EMtFUr4Qbw8QbJz3-6TjSU7nUHU7QvJ0xFPreTkAq5MoJ_JvF-INEmUFZIRa7S1z54M1TPnSSRA19mdxhSs2IaVvr5rPGgTvMw30Q1ChidHyAQO4-FEkaIIbay-9YN2NxgelQOQQ"
}
- The TPP obtains the software statement from the Open Banking directory; it is a signed JWT issued by that directory.
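As an added example (not WSO2 code), the claim-level checks from the table above applied to a decoded request JWT and its decoded SSA. It assumes that the signatures and the kid have already been verified against the Open Banking directory certificates, and the ASPSP audience URL, the role-to-scope mapping and the placeholder software_statement value are assumptions of the example:

```python
import time

# Added example, not WSO2 code: claim checks an ASPSP applies to a decoded DCR request JWT
# and its decoded SSA once both signatures have been verified against the OB directory keys.
ALLOWED_AUTH_METHODS = {"private_key_jwt", "client_secret_basic"}  # as in open-banking.xml
ASPSP_AUDIENCE = "https://authn.lloyds.co.uk"                        # aud of the sample request
ROLE_SCOPES = {"AISP": "accounts", "PISP": "payments"}               # assumed role-to-scope map
REQUIRED = ("iss", "iat", "exp", "aud", "jti", "redirect_uris",
            "token_endpoint_auth_method", "grant_types", "software_statement")

def validate_dcr_claims(req, ssa, now=None):
    """Return the list of validation errors; an empty list means the request is acceptable."""
    now = int(time.time()) if now is None else now
    errors = [f"missing required claim: {c}" for c in REQUIRED if c not in req]
    if errors:
        return errors
    if req["aud"] != ASPSP_AUDIENCE:
        errors.append("aud does not identify this ASPSP")
    if not req["iat"] <= now < req["exp"]:
        errors.append("request JWT is expired or not yet valid")
    if not set(req["redirect_uris"]) <= set(ssa.get("software_redirect_uris", [])):
        errors.append("redirect_uris not a subset of SSA software_redirect_uris")
    if req["token_endpoint_auth_method"] not in ALLOWED_AUTH_METHODS:
        errors.append("unsupported token_endpoint_auth_method")
    if "code" not in req.get("response_types", ["code"]):  # optional, but code is required if given
        errors.append("response_types must include code")
    if req.get("application_type", "web") != "web":
        errors.append("application_type must be web")
    if "software_id" in req and req["software_id"] != ssa.get("software_id"):
        errors.append("software_id does not match the SSA")
    # scope: at least openid, plus only the scopes appropriate to the SSA's PSD2 roles
    scopes = set(req.get("scope", []))
    allowed = {"openid"} | {ROLE_SCOPES[r] for r in ssa.get("software_roles", []) if r in ROLE_SCOPES}
    if scopes and "openid" not in scopes:
        errors.append("scope must include openid")
    if scopes - allowed:
        errors.append("scopes not permitted by SSA roles: " + ", ".join(sorted(scopes - allowed)))
    return errors

# Constructed sample input, modelled on the request and SSA values shown on this page.
SAMPLE_REQUEST = {
    "iss": "Amazon TPPID", "iat": 1492760444, "exp": 1624296449, "jti": "12345445",
    "aud": ASPSP_AUDIENCE, "scope": ["openid", "payments"], "application_type": "web",
    "token_endpoint_auth_method": "private_key_jwt", "software_statement": "<signed SSA JWT>",
    "grant_types": ["authorization_code", "refresh_token"], "response_types": ["code", "id_token"],
    "software_id": "3c8F2a7zpWaxnO5kFOZpyE", "redirect_uris": ["https://www.amazon.com"]}
SAMPLE_SSA = {"software_id": "3c8F2a7zpWaxnO5kFOZpyE", "software_roles": ["AISP", "PISP"],
              "software_redirect_uris": ["https://www.amazon.com",
                                         "https://www.amazon.com/tt/webview/oobe/proposition"]}
```

Passing `now` explicitly makes the time checks reproducible; calling `validate_dcr_claims(SAMPLE_REQUEST, SAMPLE_SSA, now=1500000000)` returns an empty list.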
A sample response is given below:
HTTP/1.1 200 Ok
Content-Type: application/json

{
  "grant_types": [ "authorization_code", "refresh_token" ],
  "software_client_name": "Open Banking test",
  "supportedGrantTypes": [ "refresh_token", "client_credentials" ],
  "redirect_uris": [ "https://www.amazon.com", "https://www.amazon.com/tt/webview/oobe/proposition" ],
  "software_jwks_endpoint": "https://keystore.openbankingtest.org.uk/0015800001HQQrZAAX/3c8F2a7zpWaxnO5kFOZpyE.jwks",
  "token_endpoint_auth_method": "private_key_jwt",
  "consumerSecret": "DMcSUBmgi4tjKktagizDuDaiCAAa",
  "software_id": "3c8F2a7zpWaxnO5kFOZpyE",
  "software_logo_uri": "https://www.amazon.com/logo",
  "scope": [ "openid", "payments" ],
  "request_object_signing_alg": "ES256",
  "software_roles": [ "AISP", "PISP" ],
  "consumerKey": "kKcxI71dFnCtIHoM9zTZiG6U1GUa",
  "id_token_signed_response_alg": "ES256"
}
You need to get the latest product updates for the current version of WSO2 Open Banking. This fix is available as a product update from April 8, 2019 (04-08-2019) onwards. With the update, the sample response changes as follows (consumerKey and consumerSecret are returned as client_id and client_secret):
HTTP/1.1 200 Ok
Content-Type: application/json

{
  "grant_types": [ "authorization_code", "refresh_token" ],
  "software_client_name": "Open Banking test",
  "supportedGrantTypes": [ "refresh_token", "client_credentials" ],
  "redirect_uris": [ "https://www.amazon.com", "https://www.amazon.com/tt/webview/oobe/proposition" ],
  "software_jwks_endpoint": "https://keystore.openbankingtest.org.uk/0015800001HQQrZAAX/3c8F2a7zpWaxnO5kFOZpyE.jwks",
  "token_endpoint_auth_method": "private_key_jwt",
  "client_secret": "DMcSUBmgi4tjKktagizDuDaiCAAa",
  "software_id": "3c8F2a7zpWaxnO5kFOZpyE",
  "software_logo_uri": "https://www.amazon.com/logo",
  "scope": [ "openid", "payments" ],
  "request_object_signing_alg": "ES256",
  "software_roles": [ "AISP", "PISP" ],
  "client_id": "kKcxI71dFnCtIHoM9zTZiG6U1GUa",
  "id_token_signed_response_alg": "ES256"
}
Configure dynamic registration
Follow the steps below to configure dynamic registration.
Upload certificates to the client trust store
The ASPSP uploads the OB root and issuing certificates, available at the following locations, to the repository/resources/security/client-truststore.jks trust store of both the APIM and KM components.
In a sandbox environment, upload the certificates from https://openbanking.atlassian.net/wiki/spaces/DZ/pages/252018873/OB+Root+and+Issuing+Certificates+for+Sandbox.
In a production environment, upload the certificates from https://openbanking.atlassian.net/wiki/spaces/DZ/pages/80544075/OB+Root+and+Issuing+Certificates+for+Production.
Use the following commands to add the certificates to the client trust store:
keytool -import -alias tpproot -file <OB root cert> -keystore client-truststore.jks -storepass wso2carbon
keytool -import -alias tppissuer -file <OB issuing cert> -keystore client-truststore.jks -storepass wso2carbon
Edit the open-banking.xml file
In the <WSO2_OBAM_HOME>/repository/conf/finance folder, open the open-banking.xml file and add the following parameters:
<UK>
  <DCR>
    <TokenAuthentication>
      <Method>private_key_jwt</Method>
      <Method>client_secret_basic</Method>
    </TokenAuthentication>
    <ConnectionTimeout>0</ConnectionTimeout>
    <ReadTimeout>0</ReadTimeout>
    <EndPointURL>
      <ServiceProviderCreation>/client-registration/v0.14/register</ServiceProviderCreation>
      <Application>/api/am/store/v0.14/applications</Application>
      <Token>/token</Token>
      <KeyGeneration>/api/am/store/v0.14/applications/generate-keys</KeyGeneration>
      <ApiSearch>/api/am/store/v0.14/apis</ApiSearch>
      <ApiSubscribe>/api/am/store/v0.14/subscriptions/multiple</ApiSubscribe>
    </EndPointURL>
    <EnableURIValidation>false</EnableURIValidation>
    <EnableHostNameValidation>false</EnableHostNameValidation>
    <APISubscriptions>
      <PISP>
        <APIContext>/open-banking/v3.1/pisp</APIContext>
        <APIContext>/open-banking/v3.0/pisp</APIContext>
        <APIContext>/open-banking/v2.0/pisp</APIContext>
      </PISP>
      <AISP>
        <APIContext>/open-banking/v3.1/aisp</APIContext>
        <APIContext>/open-banking/v3.0/aisp</APIContext>
        <APIContext>/open-banking/v2.0/aisp</APIContext>
      </AISP>
    </APISubscriptions>
  </DCR>
</UK>
- The token endpoint authentication methods indicate the authentication methods supported by WSO2. Registration validation fails if the TPP requests a different authentication method.
- The ConnectionTimeout and ReadTimeout values are used when verifying the signatures of the request JWT and the software statement JWT. They default to 3000 and can be increased if signature validation fails with a time-out.
- The endpoint URLs are used to access the REST APIs of the API Manager in order to create the application and service provider, and to generate keys for the application.
Add the following configuration under <DCR> in <OB_APIM>/repository/conf/finance/open-banking.xml:
<UseSoftwareIdAsApplicationName>true</UseSoftwareIdAsApplicationName>
You need to get the latest product updates to use software_id as the application name in the current version of WSO2 Open Banking. This feature is available as a product update from June 7, 2019 (06-07-2019) onwards.
Edit the axis2.xml file
In the <WSO2_OBAM_HOME>/repository/conf/axis2 folder, open the axis2.xml file and add the following entries to its <messageFormatters> and <messageBuilders> elements to support the application/jwt content type:
<messageFormatters>
  <messageFormatter contentType="application/jwt" class="org.apache.axis2.format.PlainTextFormatter"/>
</messageFormatters>
<messageBuilders>
  <messageBuilder contentType="application/jwt" class="org.apache.axis2.format.PlainTextBuilder"/>
</messageBuilders>
Edit the api-manager.xml file
To store any properties retrieved from the SSA, add the server-level configuration below to the api-manager.xml file in the <OB_AM_HOME>/repository/conf folder. For example, to store the software_client_id retrieved from an SSA created in the sandbox environment, name the property software_client_id_sandbox; to store the software_client_id retrieved from an SSA created in the production environment, name it software_client_id_production. Add these attributes with required="false", as shown below.
In addition, include the software_jwks_endpoint from the SSA; it is needed to obtain an access token for the application.
<ApplicationConfiguration>
  <ApplicationAttributes>
    <Attribute required="false">
      <Name>software_id_sandbox</Name>
      <Description>Software ID of the sandbox</Description>
    </Attribute>
    <Attribute required="false">
      <Name>software_id_production</Name>
      <Description>Software ID of the production</Description>
    </Attribute>
    <Attribute required="false">
      <Name>software_roles_production</Name>
      <Description>Software roles of the production</Description>
    </Attribute>
    <Attribute required="false">
      <Name>software_roles_sandbox</Name>
      <Description>Software roles of the sandbox</Description>
    </Attribute>
    <Attribute required="false">
      <Name>software_jwks_endpoint_sandbox</Name>
      <Description>JWKS endpoint of sandbox</Description>
    </Attribute>
    <Attribute required="false">
      <Name>software_jwks_endpoint_production</Name>
      <Description>JWKS endpoint of production</Description>
    </Attribute>
  </ApplicationAttributes>
</ApplicationConfiguration>
Ensure that the following values are accurately configured in the api-manager.xml file so that the above-configured properties can be retrieved through the SOAP service.
<APIKeyValidator>
  <ServerURL><WSO2_OBIAM_HOST>${carbon.context}services/</ServerURL>
  <Username>${admin.username}</Username>
  <Password>${admin.password}</Password>
  ...
</APIKeyValidator>