This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Dynamic Client Registration v0.1

Owned by Former user (Deleted)
Last updated: Jul 05, 2022Version comment
10 min read

Before you begin:

Deploy the Dynamic Client Registration (DCR) API v0.1. 

 Click here to see how to deploy the DCR API

Data Recipient must be accredited and the associated software product must be configured within the CDR Register.

  1. Sign in to the API Publisher Portal (https://<WSO2_OB_APIM_HOST>:9443/publisher) with creator/publisher privileges.
  2. In the  APIs tab, select  CREATE NEW API > I Have an Existing REST API  
  3. Set the  Input Type  to  OpenAPI File
  4. Click  BROWSE FILE TO UPLOAD  and select the Swagger definition (.yaml file) from  <WSO2_OB_APIM_HOME>/repository/resources/finance/apis/consumerdatastandards.org.au/DynamicClientRegistration/0.1/au-dcr-swagger.yaml.
  5. Click  Next .

  6. Set the endpoint as follows: 

    https://<WSO2_OB_APIM_HOST>:9443/api/openbanking/dynamic-client-registration/common
  7. Set the business plan to Unlimited : Allows unlimited requests unless you want to limit the requests. 
  8. Click  Create  to create the API.
  9. Once you get the message that the API is successfully updated, go to Runtime Configurations using the left menu panel.
  10. Click the edit button under Request > Message Mediation.
  11. Now, select the Custom Policy option.
  12. Upload the <WSO2_OB_APIM_HOME>/repository/resources/finance/apis/consumerdatastandards.org.au/DynamicClientRegistration/0.1/au-dcr-insequence-0.1.xml file and click SELECT.
  13. Scroll down and click  SAVE.
  14. Now, go to Properties using the left menu panel.
  15. Click Add New Property.

  16. Add the following properties and click  the Add button to save the values.

    Property Name

    Property Value

    ob-specau
    ob-api-typedcr

  17. Click SAVE.
  18. Go back to Overview using the left menu panel.
  19. Click PUBLISH.
  20. The published DCR v0.1 API is available in the Developer Portal at https://<WSO2_OB_APIM_HOST>:9443/devportal.

CDR-registered software products of the Accredited Data Recipient (ADR) can be registered with one or more Data Holders. Thereby, the ADR can obtain client credentials and use it to retrieve consumer data. The Dynamic Client Registration (DCR) endpoint is capable of dynamically registering the ADRs with the Data Holders when the client sends a registration request with its metadata. This results in a registration response that includes a client identifier and the client metadata values registered for the client.

This document explains how to utilize DCR with WSO2 Open Banking.  

Configuring dynamic client registration

Follow the steps below to configure the DCR API v0.1 in WSO2 Open Banking.

Uploading certificate to the client trust store

Upload the OB root and issuer certificates found in the below-mentioned locations to the client trust store of both WSO2 Open Banking API Management (WSO2_OB_APIM) and Identity and Access Management (WSO2_OB_IAM) modules.

In sandbox environment, upload certificates from OB_Sandbox_Certs.zip.

The client trust stores are located in the following locations:

  • <WSO2_OB_APIM_HOME>/repository/resources/security/client-truststore.jks
  • <WSO2_OB_IAM_HOME>/repository/resources/security/client-truststore.jks

Use the following commands to add the certificate to the client trust store:

Add root certificate 
keytool -import -alias obroot -file <OB_ROOT_CERT> -keystore client-truststore.jks -storepass wso2carbon
Add issuer certificate
keytool -import -alias obissuer -file <OB_ISSUING_CERT> -keystore client-truststore.jks -storepass wso2carbon
Configuring deployment.toml 

Follow the steps below to configure the DCR API v0.1 in WSO2 Open Banking.

  1. Configuring the WSO2 Open Banking Identity and Access Management module:
    1. Open the <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml file. 

    2. To display the DCR endpoint in OpenID Connect Discovery (https://<WSO2_OB_IAM_HOST>:8243/.well-known/openid-configuration), update the value of the oauth2_dcr_url property: 

      [oauth.endpoints]
oauth2_dcr_url = "${carbon.protocol}://<WSO2_OB_APIM_HOST>:8243/open-banking/0.1/register"

    3. For Consumer Data Right of Australia, it is recommended only to sign the ID token with SHA256withPS. Therefore, open the <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml file and configure as follows:

      [oauth.oidc]
id_token.signature_algorithm = "SHA256withPS"
  2. Configuring the WSO2 Open Banking API Management module:
    1. Open the <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml file. 

    2. The following property is to validate the policy, client, terms of service, logo URIs. To validate these, set this to  true .

      [open_banking.dcr]
uri_validation.enable = false

    3. The following property is to validate the hostnames of policy, client, terms of service, logo URIs against the hostname of redirect URIs.  To validate these, set this to  true .

      [open_banking.dcr]
hostname_validation.enable = false

    4. The following property is to use SoftwareID in SSA as the name of the application. 

      [open_banking.dcr]
software_id_as_application_name.enable = true

      Make sure to keep the  software_id_as_application_name.enable  property always set to  true .

    5. Add the following configurations to validate the JTI claims in the JWT and the SSA in a DCR request:

      This is only available as a WSO2 Update from WSO2 Open Banking API Manager Level 2.0.0.85 and WSO2 Open Banking Identity Server  Level 2.0.0.93 onwards. For more information on updating WSO2 Open Banking, see Updating WSO2 Products.

      [open_banking.dcr]
request_jti_validation.enable = true
ssa_jti_validation.enable = true
jti_cache_expiry_time = 60

To reflect the configuration changes, restart the servers with the API Management and Identity and Access Management modules.

Registering an application  

If your application has one or more Callback URLs that exceed the default sizes, increase the column sizes of the CALLBACK_URL columns.

The Callback URLs are stored in the database as follows:

DatabaseTableColumnDefault Size
openbank_apimgtdbAM_APPLICATIONCALLBACK_URLvarchar 512
openbank_apimgtdbIDN_OAUTH_CONSUMER_APPSCALLBACK_URLvarchar 1024

The API allows the ADR to request the Data Holder to register a new client. The process is as follows:

  1. The ADR sends a registration request,

    1. This is a POST request including a Software Statement Assertion (SSA) as a claim in the payload.  If you want to change the request object, use the signing certificate and the private keys attached here for testing purposes:

      Note that the signature of the SSA is not currently validated due to the unavailability of the SSA verification JWKS URI of the Australian Competition and Consumer Commission (ACCC).

    2. When invoking this API, use the transport certificates available here.

    3. The automated DCR process is carried out by calling a synapse API in the gateway.

    An example request sent to the DCR registration endpoint is shown below:

    curl -X POST \https://<WSO2_OB_APIM_HOST>:8243/open-banking/0.1/register \
-H "accept: application/json" \
-H "Content-Type: application/jwt" \ 
-H "x-v: 0.1" \
--cert <TRANSPORT_PUBLIC_KEY_FILE_PATH> --key <TRANSPORT_PRIVATE_KEY_FILE_PATH> \
-d eyJ0eXAiOiJKV1QiLCJhbGciOiJQUzI1NiIsImtpZCI6IkR3TUtkV01tajdQV2ludm9xZlF5WFZ6eVo2USJ9.eyJpc3MiOiJNb2NrIENvbXBhbnkiLCJpYXQiOjE1NzIyMjUzMzYsImV4cCI6MTcwMzg0NzczMSwianRpIjoiMzc3NDdjZDEtYzEwNS00NTY5LTlmNzUtNGFkZjI4YjczZTMxIiwiYXVkIjoiaHR0cHM6Ly93d3cuaW5mb3NlYy5jZHIuZ292LmF1L3Rva2VuIiwicmVkaXJlY3RfdXJpcyI6WyJodHRwczovL3d3dy5nb29nbGUuY29tL3JlZGlyZWN0cy9yZWRpcmVjdDEiLCJodHRwczovL3d3dy5nb29nbGUuY29tL3JlZGlyZWN0cy9yZWRpcmVjdDIiXSwidG9rZW5fZW5kcG9pbnRfYXV0aF9zaWduaW5nX2FsZyI6IlBTMjU2IiwidG9rZW5fZW5kcG9pbnRfYXV0aF9tZXRob2QiOiJwcml2YXRlX2tleV9qd3QiLCJncmFudF90eXBlcyI6WyJhdXRob3JpemF0aW9uX2NvZGUiLCJyZWZyZXNoX3Rva2VuIiwidXJuOmlldGY6cGFyYW1zOm9hdXRoOmdyYW50LXR5cGU6and0LWJlYXJlciJdLCJyZXNwb25zZV90eXBlcyI6WyJjb2RlIGlkX3Rva2VuIl0sImFwcGxpY2F0aW9uX3R5cGUiOiJ3ZWIiLCJpZF90b2tlbl9zaWduZWRfcmVzcG9uc2VfYWxnIjoiUFMyNTYiLCJyZXF1ZXN0X29iamVjdF9zaWduaW5nX2FsZyI6IlBTMjU2Iiwic29mdHdhcmVfc3RhdGVtZW50IjoiZXlKaGJHY2lPaUpRVXpJMU5pSXNJbXRwWkNJNkltSTRabUZqWmpKbVpqTTVORFEwWmpjNE1XVXdZbVUxWkdJMFlqRTBaakUySWl3aWRIbHdJam9pU2xkVUluMC5leUpwYzNNaU9pSmpaSEl0Y21WbmFYTjBaWElpTENKcFlYUWlPakUxTnpFNE1EZ3hOamNzSW1WNGNDSTZNakUwTnpRNE16WTBOaXdpYW5ScElqb2lNMkpqTWpBMVlURmxZbU01TkRObVltSTJNalJpTVRSbVkySXlOREV4T1RZaUxDSnZjbWRmYVdRaU9pSXpRakJDTUVFM1FpMHpSVGRDTFRSQk1rTXRPVFE1TnkxRk16VTNRVGN4UkRBM1F6Z2lMQ0p2Y21kZmJtRnRaU0k2SWsxdlkyc2dRMjl0Y0dGdWVTQkpibU11SWl3aVkyeHBaVzUwWDI1aGJXVWlPaUpOYjJOcklGTnZablIzWVhKbElpd2lZMnhwWlc1MFgyUmxjMk55YVhCMGFXOXVJam9pUVNCdGIyTnJJSE52Wm5SM1lYSmxJSEJ5YjJSMVkzUWdabTl5SUhSbGMzUnBibWNnVTFOQklpd2lZMnhwWlc1MFgzVnlhU0k2SW1oMGRIQnpPaTh2ZDNkM0xtMXZZMnRqYjIxd1lXNTVMbU52YlM1aGRTSXNJbkpsWkdseVpXTjBYM1Z5YVhNaU9sc2lhSFIwY0hNNkx5OTNkM2N1WjI5dloyeGxMbU52YlM5eVpXUnBjbVZqZEhNdmNtVmthWEpsWTNReElpd2lhSFIwY0hNNkx5OTNkM2N1WjI5dloyeGxMbU52YlM5eVpXUnBjbVZqZEhNdmNtVmthWEpsWTNReUlsMHNJbXh2WjI5ZmRYSnBJam9pYUhSMGNITTZMeTkzZDNjdWJXOWphMk52YlhCaGJua3VZMjl0TG1GMUwyeHZaMjl6TDJ4dloyOHhMbkJ1WnlJc0luUnZjMTkxY21raU9pSm9kSFJ3Y3pvdkwzZDNkeTV0YjJOclkyOXRjR0Z1ZVM1amIyMHVZWFV2ZEc5ekxtaDBiV3dpTENKd2IyeHBZM2xmZFhKcElqb2lhSFIwY0hNNkx5OTNkM2N1Ylc5amEyTnZiWEJoYm5rdVkyOXRMbUYxTDNCdmJHbGplUzVvZEcxc0lpd2lhbmRyYzE5MWNta2lPaUpvZEhSd2N6b3ZMMnRsZVhOMGIzSmxMbTl3Wlc1aVlXNXJhVzVuZEdWemRDNXZjbWN1ZFdzdk1EQXhOVGd3TURBd01VaFJVWEphUVVGWUx6bGlOWFZ6UkhCaVRuUnRlRVJqVkhwek4wZDZTM0F1YW5kcmN5SXNJbkpsZG05allYUnBiMjVmZFhKcElqb2lhSFIwY0hNNkx5OW5hWE4wTG1kcGRHaDFZblZ6WlhKamIyNTBaVzUwTG1OdmJTOXBiV1Z6YURrMEx6TXhOekpsTW1VME5UYzFOMk5rWVRBNFpXTXlOekkzWmprd1lqY3lZMlZrTDNKaGR5OW1aakJrTTJWaFltVTBZMlJrWTJVME4yVmxZekF5TWpobU5Ua3lNVGMxTWpJelpHUTVNbUl5TDNkemJ6SXRZWFV0WkdOeUxXUmxiVzh1YW5kcmN5SXNJbk52Wm5SM1lYSmxYMmxrSWpvaU56UXdRek0yT0VZdFJVTkdPUzAwUkRJNUxVRXlSVUV0TURVeE5FRTJOa0l3UTBST0lpd2ljMjltZEhkaGNtVmZjbTlzWlhNaU9pSmtZWFJoTFhKbFkybHdhV1Z1ZEMxemIyWjBkMkZ5WlMxd2NtOWtkV04wSWl3aWMyTnZjR1VpT2lKaVlXNXJPbUZqWTI5MWJuUnpMbUpoYzJsak9uSmxZV1FnWW1GdWF6cGhZMk52ZFc1MGN5NWtaWFJoYVd3NmNtVmhaQ0JpWVc1ck9uUnlZVzV6WVdOMGFXOXVjenB5WldGa0lHSmhibXM2Y0dGNVpXVnpPbkpsWVdRZ1ltRnVhenB5WldkMWJHRnlYM0JoZVcxbGJuUnpPbkpsWVdRZ1kyOXRiVzl1T21OMWMzUnZiV1Z5TG1KaGMybGpPbkpsWVdRZ1kyOXRiVzl1T21OMWMzUnZiV1Z5TG1SbGRHRnBiRHB5WldGa0lHTmtjanB5WldkcGMzUnlZWFJwYjI0aWZRLk1ZSHBsRlduaG0wVkFoendCbkRjWS1MTmlGbk9ycnlvcmotbTNod1VHNVkyVkFFUm85Nms5Zjk5RHdTWWc1UTl6SmxYbllWQWZjMEJXNFZSYVBTREt4eUlQSWN5X3VDZFBBZjZHSm8zcHQxWHZyMU9uZUwySzFEVllTZGpfTENaQUE5ZzJPd2NNOGo5QjNxWEg3QUNvOF9fTjltVVV3TUI3eWFrUkdxMnAwV1VkTTllUGRyaHFwdmZJTHBDbnZwUGg1THNSZlhiZlNnXzJKOEpvcEFqNU5YZElCTGhSNV9FUzN5bC1JWXpHMklzZ2dSV3l1eHZPcFNkRVZVUmhSMkNuUnd2blRuYXpueWVvZWJVdkFrQkZKbVBEZXc3eGE2VVpiYU9ELU1JWjg4eEtnaFREaDhDUlJibFVzX3FhTFFPcEdleGFGd0prcHJVWUt1eGVaek9FdyJ9.JptM-xWqFpBAo_pZN-PtzAeizEJyeWFWdOunuPBNppCcePgJ9mnEg5WnAwwmIxsXcSUAM1axL25hVAtYid8GOSdWq8DKG0fQunRIwRw5KuHcniEhgFODwmHiVFwQYzW5IPjDCVZdbaaekCxtKI_7WSwzFBQOdXHjBXQLMOtleGMguhZJft2lk-VOdkNkalicqrBD3E0YT__xUFVnnL-nAkPrW8VpuL7jBA51AXsJTdXkWOkcySy2Sr1Yx3I--JlumQylJ9qGCX1qkvMpzYo7Vq7z4aXqteh4NsWgCAgiuT4QO048ahdAKeos2FaRfwDcb8s9HqcpmGGYi7z4Vo7HqA
     Click here to see the format of the JWT payload once decoded.
    {
  "typ": "JWT",
  "alg": "PS256",
  "kid": "DwMKdWMmj7PWinvoqfQyXVzyZ6Q"
}

{
  "iss": "Mock Company",
  "iat": 1572225336,
  "exp": 1703847731,
  "jti": "37747cd1-c105-4569-9f75-4adf28b73e31",
  "aud": "https://www.infosec.cdr.gov.au/token",
  "redirect_uris": [
    "https://www.google.com/redirects/redirect1",
    "https://www.google.com/redirects/redirect2"
  ],
  "token_endpoint_auth_signing_alg": "PS256",
  "token_endpoint_auth_method": "private_key_jwt",
  "grant_types": [
    "authorization_code",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:jwt-bearer"
  ],
  "response_types": [
    "code id_token"
  ],
  "application_type": "web",
  "id_token_signed_response_alg": "PS256",
  "request_object_signing_alg": "PS256",
  "software_statement": "eyJhbGciOiJQUzI1NiIsImtpZCI6ImI4ZmFjZjJmZjM5NDQ0Zjc4MWUwYmU1ZGI0YjE0ZjE2IiwidHlwIjoiSldUIn0.eyJpc3MiOiJjZHItcmVnaXN0ZXIiLCJpYXQiOjE1NzE4MDgxNjcsImV4cCI6MjE0NzQ4MzY0NiwianRpIjoiM2JjMjA1YTFlYmM5NDNmYmI2MjRiMTRmY2IyNDExOTYiLCJvcmdfaWQiOiIzQjBCMEE3Qi0zRTdCLTRBMkMtOTQ5Ny1FMzU3QTcxRDA3QzgiLCJvcmdfbmFtZSI6Ik1vY2sgQ29tcGFueSBJbmMuIiwiY2xpZW50X25hbWUiOiJNb2NrIFNvZnR3YXJlIiwiY2xpZW50X2Rlc2NyaXB0aW9uIjoiQSBtb2NrIHNvZnR3YXJlIHByb2R1Y3QgZm9yIHRlc3RpbmcgU1NBIiwiY2xpZW50X3VyaSI6Imh0dHBzOi8vd3d3Lm1vY2tjb21wYW55LmNvbS5hdSIsInJlZGlyZWN0X3VyaXMiOlsiaHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS9yZWRpcmVjdHMvcmVkaXJlY3QxIiwiaHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS9yZWRpcmVjdHMvcmVkaXJlY3QyIl0sImxvZ29fdXJpIjoiaHR0cHM6Ly93d3cubW9ja2NvbXBhbnkuY29tLmF1L2xvZ29zL2xvZ28xLnBuZyIsInRvc191cmkiOiJodHRwczovL3d3dy5tb2NrY29tcGFueS5jb20uYXUvdG9zLmh0bWwiLCJwb2xpY3lfdXJpIjoiaHR0cHM6Ly93d3cubW9ja2NvbXBhbnkuY29tLmF1L3BvbGljeS5odG1sIiwiandrc191cmkiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMUhRUXJaQUFYLzliNXVzRHBiTnRteERjVHpzN0d6S3AuandrcyIsInJldm9jYXRpb25fdXJpIjoiaHR0cHM6Ly9naXN0LmdpdGh1YnVzZXJjb250ZW50LmNvbS9pbWVzaDk0LzMxNzJlMmU0NTc1N2NkYTA4ZWMyNzI3ZjkwYjcyY2VkL3Jhdy9mZjBkM2VhYmU0Y2RkY2U0N2VlYzAyMjhmNTkyMTc1MjIzZGQ5MmIyL3dzbzItYXUtZGNyLWRlbW8uandrcyIsInNvZnR3YXJlX2lkIjoiNzQwQzM2OEYtRUNGOS00RDI5LUEyRUEtMDUxNEE2NkIwQ0ROIiwic29mdHdhcmVfcm9sZXMiOiJkYXRhLXJlY2lwaWVudC1zb2Z0d2FyZS1wcm9kdWN0Iiwic2NvcGUiOiJiYW5rOmFjY291bnRzLmJhc2ljOnJlYWQgYmFuazphY2NvdW50cy5kZXRhaWw6cmVhZCBiYW5rOnRyYW5zYWN0aW9uczpyZWFkIGJhbms6cGF5ZWVzOnJlYWQgYmFuazpyZWd1bGFyX3BheW1lbnRzOnJlYWQgY29tbW9uOmN1c3RvbWVyLmJhc2ljOnJlYWQgY29tbW9uOmN1c3RvbWVyLmRldGFpbDpyZWFkIGNkcjpyZWdpc3RyYXRpb24ifQ.MYHplFWnhm0VAhzwBnDcY-LNiFnOrryorj-m3hwUG5Y2VAERo96k9f99DwSYg5Q9zJlXnYVAfc0BW4VRaPSDKxyIPIcy_uCdPAf6GJo3pt1Xvr1OneL2K1DVYSdj_LCZAA9g2OwcM8j9B3qXH7ACo8__N9mUUwMB7yakRGq2p0WUdM9ePdrhqpvfILpCnvpPh5LsRfXbfSg_2J8JopAj5NXdIBLhR5_ES3yl-IYzG2IsggRWyuxvOpSdEVURhR2CnRwvnTnaznyeoebUvAkBFJmPDew7xa6UZbaOD-MIZ88xKghTDh8CRRblUs_qaLQOpGexaFwJkprUYKuxeZzOEw"
}

<signature>

    The claims in the request payload are as follows:

    ClaimDescriptionOptional
    issContains the identifier for the ADR Software Product as defined in the CDR RegisterNO
    iatIssued at time claimNO
    expExpiration Time claimNO
    audData Holder auth server URINO
    jtiJWT ID claim. A unique identifier for the token used to prevent reuse of the tokenNO
    redirect_urisAn array of redirection URI strings for use in redirect-based flows. Only required if overwrites a list of values in the software statement. If used, redirect_uris MUST match or be a subset of the redirect_uris as defined in the SSAYES
    token_endpoint_auth_methodThe requested authentication method for the token endpoint. The only supported method will be private_key_jwtNO
    grant_typesAn array of OAuth 2.0 grant type strings that the client can use at the token endpoint. Supported values: [client_credentials, authorization_code, refresh_token, urn:ietf:params:oauth:grant-type:jwtbearer]NO
    response_typesvalue: [code id_token]YES
    software_statementSoftware statement assertion issued by the CDR RegisterNO
    application_typeKind of the application. The only supported application type will be webYES
    id_token_signed_response_algThe algorithm which the ADR expects the id_token to be signed with, if an id_token is returned Supported values as constrained by FAPI-RWYES
    request_object_signing_algThe algorithm which the ADR expects to sign the request object if a request object will be part of the authorization request sent to the Data Holder
    Supported values as constrained by FAPI-RW    		YES

    The payload contains an SSA. Given below is a decoded SSA.

    {
  "alg": "PS256",
  "kid": "b8facf2ff39444f781e0be5db4b14f16",
  "typ": "JWT"
}
{
  "iss": "cdr-register",
  "iat": 1571808167,
  "exp": 2147483646,
  "jti": "3bc205a1ebc943fbb624b14fcb241196",
  "org_id": "3B0B0A7B-3E7B-4A2C-9497-E357A71D07C8",
  "org_name": "Mock Company Inc.",
  "client_name": "Mock Software",
  "client_description": "A mock software product for testing SSA",
  "client_uri": "https://www.mockcompany.com.au",
  "redirect_uris": [
    "https://www.google.com/redirects/redirect1",
    "https://www.google.com/redirects/redirect2"
  ],
  "logo_uri": "https://www.mockcompany.com.au/logos/logo1.png",
  "tos_uri": "https://www.mockcompany.com.au/tos.html",
  "policy_uri": "https://www.mockcompany.com.au/policy.html",
  "jwks_uri": "https://keystore.openbankingtest.org.uk/0015800001HQQrZAAX/9b5usDpbNtmxDcTzs7GzKp.jwks",
  "revocation_uri": "https://gist.githubusercontent.com/imesh94/3172e2e45757cda08ec2727f90b72ced/raw/ff0d3eabe4cddce47eec0228f592175223dd92b2/wso2-au-dcr-demo.jwks",
  "software_id": "740C368F-ECF9-4D29-A2EA-0514A66B0CDN",
  "software_roles": "data-recipient-software-product",
  "scope": "bank:accounts.basic:read bank:accounts.detail:read bank:transactions:read bank:payees:read bank:regular_payments:read common:customer.basic:read common:customer.detail:read cdr:registration"
}
<signature>
  2. The Data Holder validates the SSA based as specified in the Consumer Data Right (CDR) Dynamic Client Registration specification.

  3. The Data Holder registers the client application using the metadata sent in the SSA.

    • If client creation is successful, the Data Holder responds with a JSON payload that describes the client that was created. The ADR can then use the client to access resources on the Data Holder's resource server. 

    • If client creation is unsuccessful, the Data Holder responds with an error payload.

      A sample response is given below:

      {
   "client_id":"7aKJwMhgaI2unIuEhgnGwpgkSTca",
   "client_id_issued_at":1600421709,
   "redirect_uris":[
      "https://www.google.com/redirects/redirect1",
      "https://www.google.com/redirects/redirect2"
   ],
   "grant_types":[
      "authorization_code",
      "refresh_token",
      "urn:ietf:params:oauth:grant-type:jwt-bearer"
   ],
   "application_type":"web",
   "id_token_signed_response_alg":"PS256",
   "token_endpoint_auth_signing_alg":"PS256",
   "request_object_signing_alg":"PS256",
   "scope":"bank:accounts.basic:read bank:accounts.detail:read bank:transactions:read bank:payees:read bank:regular_payments:read common:customer.basic:read common:customer.detail:read cdr:registration",
   "software_id":"740C368F-ECF9-4D29-A2EA-0514A66B0CDN",
   "client_name":"Mock Software",
   "client_description":"A mock software product for testing SSA",
   "client_uri":"https://www.mockcompany.com.au",
   "org_id":"3B0B0A7B-3E7B-4A2C-9497-E357A71D07C8",
   "org_name":"Mock Company Inc.",
   "logo_uri":"https://www.mockcompany.com.au/logos/logo1.png",
   "tos_uri":"https://www.mockcompany.com.au/tos.html",
   "policy_uri":"https://www.mockcompany.com.au/policy.html",
   "jwks_uri":"https://keystore.openbankingtest.org.uk/0015800001HQQrZAAX/9b5usDpbNtmxDcTzs7GzKp.jwks",
   "revocation_uri":"https://gist.githubusercontent.com/imesh94/3172e2e45757cda08ec2727f90b72ced/raw/ff0d3eabe4cddce47eec0228f592175223dd92b2/wso2-au-dcr-demo.jwks",
   "software_roles":"data-recipient-software-product",
   "token_endpoint_auth_method":"private_key_jwt"
}

      Once you register the application, enable ID token encryption as follows:

      1. Log in to the Management Console of WSO2 Open Banking Identity and Access Management at https://<WSO2_OB_IAM_HOST>:9446/carbon.  

      2. Navigate to Service Provider → Lists on the left pane menu.

      3. Select Service Provider → Inbound Authentication Configuration and expand OAuth/OpenID Connect Configuration. Then, click Configure.

      4. Click Enable ID Token Encryption to enable id token encryption.

        Once you enable id_token encryption, two select boxes will be visible to choose your preferred encryption algorithm and encryption method.

        • Encryption Algorithm: Asymmetric encryption algorithm that is used to encrypt the Content Encryption Key (CEK), using the public key of the service provider.

        • Encryption Method: Symmetric encryption algorithm that is used to encrypt the JWT claims set using the CEK.

  4. Generate a Client Credentials grant access token for the application using the following command: 

     Click here to see how to generate the client assertion

    Generate the client assertion by signing the following JSON payload using the supported algorithms.  

    curl -X POST \
  https://<WSO2_OB_APIM_HOST>:8243/token \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --cert <TRANSPORT_PUBLIC_KEY_FILE_PATH> --key <TRANSPORT_PRIVATE_KEY_FILE_PATH> \
  -d 'grant_type=client_credentials&scope=openid bank:accounts.basic:read bank:transactions:read common:customer.detail:read&client_assertion=<CLIENT_ASSERTION_JWT>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&redirect_uri=<APPLICATION_CALLBACK_URL>'



Retrieving an application 

The API allows the ADR to retrieve the details for a client that has already been registered. The request consists of one path parameter named ClientId that the ADR wants to retrieve details for. When invoking this API, use the transport certificates available here.

  • If the request is successful and the identifier ( ClientId ) matches the client to whom the Client Credentials grant access token was issued, the Data Holder returns details of the requested client.
  • If the ClientId is unknown, the Data Holder responds with an Unauthorized status code.

You can find the sample request and response below:

Updating an application

The API allows the ADR to request the Data Holder to modify one or more attributes related to an existing client. The ADR submits ClientId as a path parameter and a JWS payload that describes the characteristics of the client to be modified. This must include all the claims, including the ones that will not be modified. When invoking this API, use the transport certificates available here.

  • If the client is successfully modified, the Data Holder responds with a JSON payload.

  • If the ClientId is unknown, the Data Holder responds with an Unauthorized status code.

  • If client modification is unsuccessful, the Data Holder responds with an error payload.

You can find the sample request and response below:

Deleting an application

The API allows the ADR to request the Data Holder to delete an existing client. The request consists of one path parameter namely ClientId of the ADR, which should be deleted. When invoking this API, use the transport certificates available here.

  • If the request is successful and the ClientId matches the client to whom the Client Credentials grant access token was issued, the Data Holder must delete the client and invalidate long-lived access tokens that were issued to the client.
  • If the ClientId is unknown, the Data Holder responds with an Unauthorized status code.

You can find the sample request and response below: