This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, go to https://wso2.com/documentation/.

API Security for Berlin

Owned by Former user (Deleted)
Last updated: Jun 15, 2021 by Former user (Deleted)Version comment
7 min read

OAuth 2.0 is the underlying framework that Berlin NextGen PSD2 XS2A framework uses to ensure both the Account Servicing Payment Service Providers (ASPSPs) and Third Party Providers (TPPs) have correctly configured client and server instances in their open banking implementation. It consists of the standards for grant types, authentication, and authorisation flows. Additionally, Berlin NextGen PSD2 XS2A Framework recommends Electronic Identification, Authentication & Trust Services (eIDAS) Regulation to verify the certificates used in the transport and application layers. For more information on eIDAS, see eIDAS Implementation for PSD2 Compliance.

API Security in WSO2 Open Banking explains how Regulatory Technical Standards (RTS) have elaborated with PSD2. It enhances consumer protection, promotes innovation and improves the security of payment services across the European Union. Let’s see how WSO2 Open Banking supports the FAPI security profile:

Transport layer security

Mutual Transport Layer Security (MTLS)

WSO2 Open Banking uses MTLS to check if:

  • the message context contains the transport certificate to make sure that the MTLS handshake is successful at the gateway
  • the transport certificate bounds with the application when invoking the APIs

through the following handlers:

HandlerDescription
  • MTLSValidationHandler

MTLSValidationHandler in the <WSO2_OB_APIM_HOME>/repository/resources/api_templates/velocity_template.xml ensures that the communication is initiated within a mutually authenticated Transport Layer Security (TLS) session by checking if the transport certificate is available as a property in the Axis2 message context. 

<handler class="com.wso2.finance.open.banking.mtls.validator.handler.MTLSValidationHandler"/>
  • MTLSClientTokenValidationHandler

MTLSClientTokenValidationHandler in the <WSO2_OB_APIM_HOME>/repository/resources/api_templates/velocity_template.xml validates the subject domain name of the certificate during API invocations with the certificate information gathered during the registration.

<handler class="com.wso2.finance.open.banking.mtls.validator.handler.MTLSClientTokenValidationHandler"/>

In addition, this handler is able to validate the TPP role according to eIDAS. If you need to enable the TPP role validation, uncomment the following properties under the handler. Under the "value" parameter, set the scope that you give in the WSO2 Open Banking API Publisher when publishing the relevant API:

 <handler class="com.wso2.finance.open.banking.mtls.validator.handler.MTLSClientTokenValidationHandler">
        <property name="pspRoleValidationEnabled" value="true"/>
        <property name="paymentInitiationScopes" value="payments"/>
        <property name="accountInformationScopes" value="accounts"/>
        <property name="cardBasedPaymentInstrumentsScopes" value="fundsconfirmations"/>
</handler>
  • MTLSCertValidationHandler

MTLSCertValidationHandler handler in the <WSO2_OB_APIM_HOME>/repository/conf/axis2/axis2.xml is used to populate the transport certificate into a message context that can be used in the application-level validations.

The MTLSCertValidationHandler handler ensures that the transport certificate that is sent is valid, by validating the signature of the certificate. The signature of the certificate is validated using the public issuer certificate that is available in the client trust store.

In WSO2 Open Banking, the gateway expects Data Recipient's certificate as ssl.client.auth.cert.X509 in the transport header. In case an external load balancer terminates the TLS session and passes the transport certificate attached in a header, you need to make sure that the transport header is configurable. 

  • Add the following configuration to the <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml file:
[open_banking.cert_mgt.client_transport_cert_as_header]
enable = true

Currently, the client transport certificate in the header is simply parsed. However, when the server is fronted with a load balancer, it is possible to parse this certificate as a header. There are situations that the load balancer does not send the header in the format expected by the solution. For example, additional spaces or newlines, the client does not send the header and the load balancer send a null value as the header. These situations generate exceptions in the WSO2 Open Banking certificate parser.

To cater for such situations, the solution lets you write your own customised client transport certificate parsers by extending the default certificate parsing logic.

 Click here to see how to develop and configure a custom parser...

  1. Extend the following interface:

    com.wso2.finance.open.banking.common.parser.ClientTransportCertParser

  2. Implement the following method:

    method parse()

  3. Open the <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml file. 

  4. Add the client_transport_cert_parser_impl configuration under the [open_banking.cert_mgt] tag.

    • Add the fully qualified class name (FQN) of the customised client transport certificate parser.

    • For example, if the FQN of your parser is com.wso2.finance.open.banking.common.parser.ClientTransportCertParserImpl, the configurations are as follows:

      [open_banking.cert_mgt]
client_transport_cert_parser_impl = "com.wso2.finance.open.banking.common.parser.ClientTransportCertParserImpl"
  5. Restart the API Manager server. 

Qualified Web Authentication Certificates (QWAC)

During API invocations, PSPs can use their eIDAS Qualified Web Authentication Certificates (QWAC) to establish a secure Transport Layer Security (TLS) channel and protect the transport layer communication from potential attackers on the network. The WSO2 Open Banking solution validates the following aspects of the QWAC if it is used for an API invocation:

  1. The certificate is technically correct and is not expired.

  2. The certificate is qualified. 

  3. The PSD2 information in the certificate such as the PSD2 roles, Authorization Number, etc. match with the API being invoked.

  4. The certificate is not revoked using Certificate Revocation Lists (CRL) or Online Certificate Status Protocol (OCSP) validations.

Application layer security

Following are the security mechanisms used in WSO2 Open Banking to ensure Application layer security.

Qualified Certificate for Electronic Seal (QSealC)

WSO2 Open Banking allows using QSeal certificates as signing certificates in application layer security to ensure protecting the data or messages from attacks on integrity and non repudiation of data.

For more information on QSealC, QWAC, and eIDAS Implementation to support PSD2 Compliance, see eIDAS Implementation for PSD2 Compliance.

Token endpoint security

To manage the TPP interaction with the resources exposed via the banks’ APIs, WSO2 Open Banking uses:

  • Client credentials grant type
  • Authorisation code grant type

WSO2 Open Banking uses Client credentials grant type when a TPP generates an application access token in order to access the API resources in both Accounts and Payments API endpoints. A sample cURL command to generate the application access token looks as follows:

curl POST \
  https://<WSO2_OB_APIM_HOST>:8243/token \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --cert <PUBLIC_KEY_FILE_PATH> --key <PRIVATE_KEY_FILE_PATH> \
   -d 'client_id=<CLIENT_ID>&grant_type=client_credentials&scope=accounts%20openid%20&client_assertion=<CLIENT_ASSERTION_JWT>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&redirect_uri=<APPLICATION_CALLBACK_URL>'
 Click here to find the parameter descriptions...
ParameterDescription
grant type

Grant type used to generate an application access token.

The above example is for an application access token generated using Client Credentials grant type. For more information, see Generate application access token.

scope
Limit of access for the application access token/clientId.


A TPP can request to enable an application access token/clienId to access Accounts/Payments API, or both by specifying the scope parameter.

client_assertion_type

The type used to pass the client assertion. WSO2 uses the self-signed JSON Web Token (JWT). The format of the client assertion looks as follows:

{ 
"alg": "<<This will be the algorithm used for signing>>", 
"kid": "<<This will be the certificate fingerprint>>", 
"typ": "JWT" 
} 

{ 
"iss": "<<This is the issue of the token, e.g., client ID of your application>>", 
"sub": "<<This is the subject identifier of the issuer, e.g., client ID of your application>>", 
"exp": <<This is epoch time of the token expiration date/time>>, 
"iat": <<This is epoch time of the token issuance date/time>>, 
"jti": "<<This is an incremental unique value>>", 
"aud": "<<This is the audience that the ID token is intended for, e.g., https://<<WSO2_OB_APIM_HOST>>:8243/token>>" 
} 

<signature>
client_assertion The value of the client assertion, generated using the format shown in the above step.

WSO2 Open Banking also uses the Authorization Code grant type to ensure token endpoint security. When a TPP attempts to access accounts or payment information; WSO2 Open Banking requests the bank customer to authorise the TPP by granting the consent for the TPP to access that account or payment information. Once the PSU grants the consent only, the PSU is redirected to the redirect URL of the TPP with the authorization code. Using the generated authorisation code, the TPP can generate the user access token. For instructions on generating a user access token, see Generate user access token.

See Authorisation endpoint security that discusses security enhancements for Authorisation code grant type.

Refresh tokens

Refresh tokens are used to get a new user access token from the authentication server in order to access a specific resource. The most common use case is generating a refresh token when the user access token is expired. For the sample curl command, See Generate application access token under Berlin Accounts flow.

WSO2 Open Banking supports Private Key JWT and MTLS to secure the token endpoint that is used by TPPs to obtain the application and access tokens. 

Private Key JWT is the default token endpoint authenticator used in WSO2 Open Banking. 

MTLS bound access token 

According to the OAuth 2.0 Authorisation Framework, TPPs can obtain delegated access to protected resources. This is implemented by binding the user access token to the MTLS certificate.

In order to bind the MTLS certificate of the TPP that is sent in the requests to the user access token, follow the instructions given below:

Note that you have to enable MTLS token binding and configure the client certificate header name in <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml as follows:

  1. By default, Mutual Transport Later Security (MTLS) certificate bound access token is disabled. To enable, configure set mtls_token_binding.enable as true.

    [open_banking.api_security]
mtls_token_binding.enable = false

  2. Upon enabling the feature, you need to configure the client certificate header name in the client_auth_header property under [open_banking.cert_mgt]:

    [open_banking.cert_mgt]
client_auth_header = "x-wso2-mutual-auth-cert"

  3. Add the following handler under ob-berlin specific handlers in the <WSO2_OB_APIM_HOME>/repository/resources/api_templates/velocity_template.xml file:

    <handler class="com.wso2.finance.open.banking.mtls.validator.handler.HolderOfKeyValidationHandler"/>
To enable introspection for the data provider, open the <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml file and add the following configuration under [oauth.grant_type]:
[oauth.grant_type]
uma_ticket.retrieve_uma_permission_info_through_introspection = true


Authorisation endpoint security

WSO2 Open Banking enhances the security of the authorisation code grant type in authorisation endpoint security with request object and response type attributes.

Once decoded, the request object that is used to get the TPP's information looks as follows:

{
  "kid": "<CERTIFICATE_FINGERPRINT>",
  "alg": "<SUPPORTED_ALGORITHM>",
  "typ": "JWT"
}
{
  "max_age": 86400,
  "aud": "<This is the audience that the ID token is intended for. e.g., https://<WSO2_OB_APIM_HOST>:8243/token>",
  "scope": "accounts openid",
  "iss": "<APPLICATION_ID>",
  "claims": {
    "id_token": {
      "acr": {
        "values": [
          "urn:openbanking:psd2:sca",
          "urn:openbanking:psd2:ca"
        ],
        "essential": true
      },
      "openbanking_intent_id": {
        "value": "<CONSENTID>",
        "essential": true
      }
    },
    "userinfo": {
      "openbanking_intent_id": {
        "value": "<CONSENTID>",
        "essential": true
      }
    }
  },
  "response_type": "<code:Retrieves authorize code/code id_token: Retrieves authorize token and ID token>",  
  "redirect_uri": "<CLIENT_APPLICATION_REDIRECT_URI>",
  "state": "YWlzcDozMTQ2",
  "exp": <EPOCH_TIME_OF_TOKEN_EXPIRATION>,
  "nonce": "<PREVENTS_REPLAY_ATTACKS>",
  "client_id": "<APPLICATION_ID>"
}
 Click here to find the parameter descriptions...
ParameterDescription
openbanking_intent_idThe consent id of the originating request.
response_type

The type of authorisation supports in the well-known configuration endpoint.

Possible values are code id_token, code id_token token, or code.

redirect_uriThe URI that the bank customer must be redirected after the authorisation.
stateRestore the state of the application.
expThe expiration of the user access token or application access token.
nonceThe nonce generated by the application/user access token.
client_idThe id that the bank issues to the TPP.

The sample redirect URL for the bank customer to authorise the payment consent looks as follows:

https://<WSO2_OB_APIM_HOST>:8243/authorize/?response_type=<RESPONSE_TYPE>&client_id=<APPLICATION_ID>&scope=accounts%20openid&redirect_uri=<APPLICATION_REDIRECT_URI>&state=YWlzcDozMTQ2&request=<REQUEST_OBJECT>&prompt=login&nonce=<REQUEST_OBJECT_NONCE>

For an example on authorising a consent, see the authorisation step in the Account and Transaction API flow.

Sources of Information