This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, go to https://wso2.com/documentation/.

API Security for Australia

Owned by Former user (Deleted)
Last updated: Oct 04, 2022
4 min read

The information security profile is based on the Financial-grade API Read Write Profile (FAPI-RW) and other standards relating to Open ID Connect 1.0 (OIDC). This is the security profile that the Consumer Data Standards (CDS) recommends to ensure API security. It consists of the standards for grant types, authentication, and authorisation flows. For more information, see CDS - Security Profile.

The API Security features are not applicable to Phase 1 - Product APIs. 

Let’s see how WSO2 Open Banking supports the security profile:

Transport layer security

Mutual Transport Layer Security (MTLS)

WSO2 Open Banking uses MTLS to check if the message context contains the transport certificate using the following handlers. This is to make sure that the MTLS handshake is successful at the gateway.

HandlerDescription
  • MTLSValidationHandler

Ensures that the communication is initiated within a mutually authenticated Transport Layer Security (TLS) session by checking if the transport certificate is available as a property in the Axis2 message context.

  • MTLSCertValidationHandler

This handler is used to populate the transport certificate into a message context that can be used in the application-level validations.

The MTLSCertValidationHandler handler ensures that the transport certificate that is sent is valid, by validating the signature of the certificate. The signature of the certificate is validated using the public issuer certificate that is available in the client trust store.

In WSO2 Open Banking, the gateway expects Data Recipient's certificate as ssl.client.auth.cert.X509 in the transport header. In case an external load balancer terminates the TLS session and passes the transport certificate attached in a header, you need to make sure that the transport header is configurable. 

  • Add the following configuration to the <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml file:
[open_banking.cert_mgt.client_transport_cert_as_header]
enable = true

Currently, the client transport certificate in the header is simply parsed. However, when the server is fronted with a load balancer, it is possible to parse this certificate as a header. There are situations that the load balancer does not send the header in the format expected by the solution. For example, additional spaces or newlines, the client does not send the header and the load balancer send a null value as the header. These situations generate exceptions in the WSO2 Open Banking certificate parser.

To cater for such situations, the solution lets you write your own customised client transport certificate parsers by extending the default certificate parsing logic.

 Click here to see how to develop and configure a custom parser...

  1. Extend the following interface:

    com.wso2.finance.open.banking.common.parser.ClientTransportCertParser

  2. Implement the following method:

    method parse()

  3. Open the <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml file. 

  4. Add the client_transport_cert_parser_impl configuration under the [open_banking.cert_mgt] tag.

    • Add the fully qualified class name (FQN) of the customised client transport certificate parser.

    • For example, if the FQN of your parser is com.wso2.finance.open.banking.common.parser.ClientTransportCertParserImpl, the configurations are as follows:

      [open_banking.cert_mgt]
client_transport_cert_parser_impl = "com.wso2.finance.open.banking.common.parser.ClientTransportCertParserImpl"
  5. Restart the API Manager server. 

Enable MTLS for Userinfo, PAR and Introspection Endpoints

According to the Consumer Data Standards, the UserInfo endpoint, Introspection endpoint, and the Pushed Authorization endpoint following endpoints need to be secured with MTLS.  To enable MTLS for these endpoints follow the instructions given below:

  1. To proxy these aforementioned endpoints through the gateway, copy the following synapse config files from the <WSO2_OB_APIM_HOME>/repository/resources/finance/synapse-configs/au directory to the <WSO2_OB_APIM_HOME>/repository/deployment/server/synapse-configs/default/api directory:

    • _IntrospectAPI_.xml

    • _PARAPI_.xml

    • _UserInfoAPI_.xml

  2. To enable MTLS certificate validation, make sure the MTLS Certificate Validator is available in the <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml file under the [server] tag as follows: 

    globally_engaged_modules = ["mtlscertvalidator"]

  3. Add the MTLS Enforcement Filter to the <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml file: 

    [[tomcat.filter]]
name = "MTLSEnforcementFilter"
class = "com.wso2.finance.open.banking.identity.extensions.filter.MTLSEnforcementFilter"

  4. To enable MTLS for the UserInfo endpoint, add the following filter mapping to the <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml file: 

    [[tomcat.filter_mapping]]
name = "MTLSEnforcementFilter"
url_pattern = "/userinfo/*"

  5. To enable MTLS for the PAR endpoint, add the following filter mapping to the <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml file:  

    [[tomcat.filter_mapping]]
name = "MTLSEnforcementFilter"
url_pattern = "/par/*"

  6. To enable MTLS for the Introspect endpoint, add the following filter mapping to the <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml file:  

    [[tomcat.filter_mapping]]
name = "MTLSEnforcementFilter"
url_pattern = "/introspect/*"

Token endpoint security

WSO2 Open Banking uses the Authorization Code grant type to ensure token endpoint security. When a Data Recipient attempts to access a CDS resource; WSO2 Open Banking requests the bank customer to authorise the Data Recipient by granting the consent for the Data Recipient to access that account information. Once the user grants the consent, the user is redirected to the redirect URL of the Data Recipient with the authorization code. Using the generated authorisation code, the Data Recipient can generate the user access token as follows:

Run the following authorisation URL in a browser to prompt the invocation of the authorize API. Make sure you update the placeholders with the relevant values:

Once you run the authorisation URL, you are directed to a login page.

  1. Log in with the credentials of a user that has a Subscriber role.
  2. If a secondary factor is required. For example, SMS OTP, provide the relevant values.
  3. Upon successful authentication, the user is redirected to a page where the user needs to select the accounts that need to be authorised.
  4. Then confirm or deny the access to displayed details in the selected account(s).

  5. Upon agreement, the consumer is redirected to the callback URL of the ADR with the authorization code. For example:

    https://www.google.com/redirects/redirect1#code=2c8a03f7-af33-326f-839a-63a4eebfe3f5&id_token=eyJraWQiOiJEd01LZFdNbWo3UFdpbnZvcWZReVhWenlaNlEiLCJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiUlNBMV81In0.KaRhQA63F2Sm72zSZrkoRucIiz4IC0pzqApjTzSOJSyV_J6fYBwHuIAjLn4MZA36ZfVCmm3-KzqJcGAv9W9sDWBi7aI80CVKLFVJ2rh9l_9bMnANjm5fCsZ-pE_F4eW5BnqiU7xOoel31W2WF2brEWf9l5dibILU5E7inYKkQ9qPCS3Ei7uo9LTYQMWR4RQSglAsb5TsnijOPtGBvQgyuwOeI9vWBIcm7Y64NXuWKiv1iManbTepggpKhCSj9qPPizVV4v7Vv1IgHbvViRCE0uIvomLsL9qTxkBVK2s_h3welM9-9CE0WvoGkbYgsDc3nBQEx7Vj4hBiYJ0nD2_dWw.zslxDgOETvBaMOTQ.XAPYdrt5HXhvF53llXp40YkRHWBSrosYDc0UVLnqwJkAcNs3CQo8vWKSNqfc8l6CezvFPinul4LEp-eRrOqrpnhzAMf-W4O-s0jjF0dPsa3NII_qdi5bmCQhwxTVzo31SBiKn1aCBu8lQXSLUAz7z3UF6JyH1OkCXU3Ld8puF45QTRoTRPru8oNy8W8ZbchDj11IhEzrT9RPmWznCDQ3rs8M16R636-TuULXdSqJUGtXB3wteXu8lcgGpIMno1T6Bq2rI8Ncg_rCe6RgepAlEjlC0J0hpgMOk-EiXFDXN5N0NfEo6VSv9-M1v5THSJBThZIlcZrL-njz4G2NiDa30PSrQFqLgusYpZNpL1bHGsUbz_Xqvwlpjq-A5TcrqjxwWHkK383pY-tE064FKQuk93HnOee1gp4iRc9GLiqOK4vawSKStaSWe1oWxeFkDDuY85H3rFL1U8JzAC-vbPpozju82q7mONQto0q1fnCa80jtl5rDVsxzXLkEDbfwrvE-_13MKTLGc9io-PbEy6UgD9bAz5qvoOtNLWh0rcAbT5yhnZnruecB9l3yBsnbo60HQC_83mMzPWjGQaTm-ujO-hockrUSkezEO2JhNKrMWI5V-2aBNin_0UcSShMQnFy4P9baFKcyvrt2r3LNOvqfl_mK9qh57AOQw4vjhJRRaPVVacB8h5WCoiq8ut8wnHq3L2MvF9HId9T0Ug9FaPP76ofLziM.u19pyEql02PpVrFrki3RWA&state=af0ifjsldkj&session_state=c57cc0825bf8838fd2b6f14597ed34b5d9404493b216092e9daa766749cdac40.-1D9AEiTjPN-3hzlRFN97Q
  6. The authorization code from the above URL is in the code parameter (code=4489572f-83c9-3589-b403-c4ecf8fb77f4).


See Authorisation endpoint security that discusses security enhancements for Authorisation Code grant type.

The Token Introspection Endpoint and Token Revocation Endpoints are protected with Private Key JWT Client Authentication and therefore it is mandatory to have the client-id parameter in these request bodies.

Mandate PAR

This is only available as a WSO2 Update from WSO2 Open Banking API Manager Level 2.0.0.191 and WSO2 Open Banking Identity Server  Level 2.0.0.184 onwards. For more information on updating WSO2 Open Banking, see Updating WSO2 Products.

With the Decision Proposal 209 - Transition to FAPI 1.0 Advanced Profile, the Data Recipient software products must send authorisation requests only using PAR. To enable this mandate,

  1. Add the following configurations to the <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml file: 

    [open_banking.au.push_authorisation]
is_mandatory = true

  2. Furthermore, Data Recipients must use PKCE  in accordance with FAPI-1.0-Advanced. In order to mandate PKCE for already registered ADRs, run the relevant migration script in the following directory against the openbank_apimgtdb:

    <WSO2_OB_IAM_HOME>/dbscripts/finance/apimgt/cds_decision_209_phase02_migration 

Refresh tokens

Refresh tokens are used to get a new user access token from the authentication server in order to access a specific resource. The most common use case is generating a refresh token when the user access token is expired. 

curl -X POST \
 https://<WSO2_OB_APIM_HOST>:8243/token \
 -H 'Content-Type: application/x-www-form-urlencoded' \
 -H 'cache-control: no-cache' \
 -k --cert <PUBLIC_KEY_FILE_PATH> --key <PRIVATE_KEY_FILE_PATH> \
 -d 'grant_type=refresh_token&refresh_token=<REFRESH_TOKEN>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<CLIENT_ASSERTION>'

WSO2 Open Banking supports Private Key JWT to secure the token endpoint that is used by Data Recipients to obtain the application and access tokens. Private Key JWT is the default token endpoint authenticator used in WSO2 Open Banking. 

Holder of Key (HoK) validation

Holder of Key validation ensures that the user access token bounds with the Data Recepient's transport certificate, which was presented during the token request. For this, the user access token needs to be bound with the MTLS certificate.

Mutual Transport Layer Security (MTLS) certificate bound access token

  1. Add the following handler to the <WSO2_OB_APIM_HOME>/repository/deployment/server/synapse-configs/default/api/_TokenAPI_.xml file. 

    <handler class="com.wso2.finance.open.banking.mtls.validator.handler.GatewayClientAuthenticationHandler"/>

Authorisation endpoint security

WSO2 Open Banking enhances the security of the authorisation code grant type in authorisation endpoint security with request object and response type attributes.

Once decoded, the request object that is used to get the Data Recipient's information looks as follows:

{
  "kid": "<Certificate fingerprint>",
  "typ": "JWT",
  "alg": "<Supported algorithm>"
}
{
  "iss": "<Application ID>",
  "aud": "<Audience the ID Token is intended for. For example,https://<WSO2_OB_APIM_HOST>:8243/token>",
  "response_type": "<code:Retrieves authorize code, code id_token: Retrieves authorize token and ID token>",
  "exp": <A JSON number representing the number of seconds from 1970-01-01T00:00:00Z to the UTC expiry time>,
  "client_id": "<Application ID>",
  "redirect_uri": "<Redirect URL of the client application>",
  "scope": "<Available scopes are bank:accounts.basic:read, bank:accounts.detail:read, bank:transactions:read, bank:payees:read, bank:regular_payments:read, common:customer.basic:read, and common:customer.detail:read >",
  "state": "af0ifjsldkj",
  "nonce": "<Prevents replay attacks>",
  "claims": {
    "sharing_duration": "<Requested duration for sharing, in seconds>",
    "id_token": {
      "acr": {
        "values": ["urn:cds.au:cdr:3"]
      }
    }
  }
}
<signature>

The sharing_duration claim in the request object defines the validity period of the refresh token. This is to limit the validity of the consent to the defined period.

The sample redirect URL for the bank customer to authorise the CDR Arrangement ID looks as follows:

https://<WSO2_OB_APIM_HOST>:8243/authorize?prompt=login&response_type=code id_token&client_id=<APPLICATION_ID>&redirect_uri=<APPLICATION_REDIRECT_URI>&scope=<AUTHORISATION_SCOPE_AS_PER_REQUEST_OBJECT>&nonce=n-0S6_WzA2Mj
&state=af0ifjsldkj HTTP/1.1&request=<REQUEST_OBJECT>