ANGOB-384 API Security documentation (#63)

* docs: added consent admin dashboard guide

* docs: modified consent admin dashboard guide

* added api-security documentation

* Update api-security.md

Fix markdown errors

* Update consent-admin-dashboard.md

Fix markdown errors

* Update consent-admin-dashboard.md

review edits

* Update api-security.md

review edits

* Update consent-admin-dashboard.md

fix markdown

* updated images

---------

Co-authored-by: mdeb <[email protected]>
Co-authored-by: lbadenhop <[email protected]>

content/en/docs/Overview/_index.md

@@ -11,6 +11,8 @@ This section provides a general overview of the solution. The goal is to provid
 
 * A [solution overview](/docs/overview/solution) that describes the solution features.
 * An [functional architecture](/docs/overview/integration) that shows a number of different flows.
+* A [Consent Admin Dashboard Guide](/docs/overview/consent-admin-dashboard) that describes backoffice user interface.
+
 <!-- * A [technical view](/docs/overview/technical) of the architecture and components. -->
 
 <!-- This section does not describe:

content/en/docs/Overview/api-security.md

@@ -0,0 +1,108 @@
+---
+title: "API Security"
+linkTitle: "API Security"
+weight: 12
+date: 2024-11-29
+---
+
+This document provides an overview of the security mechanisms implemented to protect the APIs offered by our solution. These mechanisms ensure that sensitive data is exchanged securely and accessed only by authorized parties.
+
+## Security Overview
+
+Our API security framework incorporates industry-standard mechanisms to ensure robust protection:
+
+* **OAuth 2.0**: Ensures secure access control via token-based authentication.
+* **Mutual TLS (mTLS)**: Guarantees secure communication between clients and servers through certificate-based authentication.
+* **JWT Tokens**: Provides secure, tamper-proof access tokens, ensuring only authorized entities can access the APIs.
+* **FDX Security Guidelines**: Aligns with FDX standards for secure financial data exchange, ensuring compliance with industry best practices.
+
+## Certificate-Based Authentication
+
+### TLS/SSL Encryption
+
+All API communications are encrypted using **TLS (Transport Layer Security)**, safeguarding data against interception and tampering. SSL certificates are used to verify the authenticity and integrity of the communication between clients and servers.
+
+### Mutual TLS (mTLS)
+
+To enhance security further, our APIs utilize **mutual TLS (mTLS)** for client and server authentication:
+
+* **Server Authentication**: The server presents its SSL certificate to verify its identity to the client.
+* **Client Authentication**: Clients must present valid certificates to authenticate themselves with the server, ensuring only authorized clients gain access.
+
+Additionally, **certificate-bound access tokens** are employed to strengthen security by binding tokens to client certificates.
+
+## Scope and Permissions
+
+Access to API resources is controlled through **scopes**, which define the permissions granted during authorization. The following table outlines available scopes and their corresponding access levels:
+
+| Scope                        | Description                                                                 |
+|------------------------------|-----------------------------------------------------------------------------|
+| `fdx:accountbasic:read`       | Grants read access to basic account information, such as account number, type, and balance. |
+| `fdx:accountdetailed:read`    | Grants read access to detailed account information, including account history, fees, and additional metadata. |
+| `fdx:customercontact:read`    | Grants read access to the customer's contact details, such as email address, phone number, and mailing address. |
+| `fdx:customerpersonal:read`   | Grants read access to the customer's personal information, such as date of birth, name, and other identifying details. |
+| `fdx:notifications:subscribe` | Grants the ability to subscribe to notifications related to the user's account or transactions. |
+| `fdx:paymentsupport:read`     | Grants read access to payment-related data, including payment history and support-related information. |
+| `fdx:transactions:read`       | Grants read access to transaction data, including details on all transactions, such as amount, date, and status. |
+
+## API Security, Scopes, and OAuth Protocols
+
+The tables below provides a summary of security measures, required scopes, and OAuth protocols for accessing API endpoints.
+
+### FDX APIs
+
+The following APIs are for Data Recipients and Data Aggregators to consume and build applications.
+
+#### FDX Core API
+
+| Method | Endpoint                                               | Security Protocol       | Scopes Required                                                   | OAuth Flow            |
+|--------|--------------------------------------------------------|-------------------------|-------------------------------------------------------------------|-----------------------|
+| GET |`/fdx/v6/core/accounts`                                    | mTLS, OAuth 2.0         | `fdx:accountbasic:read` or `fdx:accountdetailed:read`             | Authorization Code    |
+| GET |`/fdx/v6/core/accounts/{accountId}`                        | mTLS, OAuth 2.0         | `fdx:accountbasic:read` or`fdx:accountdetailed:read`              | Authorization Code    |
+| GET |`/fdx/v6/core/accounts/{accountId}/transactions`           | mTLS, OAuth 2.0         | `fdx:transactions:read`                                           | Authorization Code    |
+| GET |`/fdx/v6/core/accounts/{accountId}/contact`                | mTLS, OAuth 2.0         | `fdx:customercontact:read`, `fdx:customerpersonal:read` (optional)| Authorization Code    |
+| GET |`/fdx/v6/core/accounts/{accountId}/payment-networks`       | mTLS, OAuth 2.0         | `fdx:paymentsupport:read`                                         | Authorization Code    |
+| GET |`/fdx/v6/core/accounts/{accountId}/asset-transfer-networks`| mTLS, OAuth 2.0         | `fdx:paymentsupport:read`                                         | Authorization Code    |
+
+#### FDX Consent API
+
+| Method | Endpoint                                               | Security Protocol       | Scopes Required | OAuth Flow            |
+|--------|--------------------------------------------------------|-------------------------|-----------------|-----------------------|
+| GET    |`/fdx/v6/consents/{consentId}`                          | mTLS, OAuth 2.0         | NA              | Authorization Code    |
+| PATCH  |`/fdx/v6/consents/{consentId}/revocation`               | mTLS, OAuth 2.0         | NA              | Authorization Code    |
+| GET    |`/fdx/v6/consents/{consentId}/revocation`               | mTLS, OAuth 2.0         | NA              | Authorization Code    |
+
+#### FDX Notification Subscription API
+
+| Method | Endpoint                                                    | Security Protocol       | Scopes Required   | OAuth Flow            |
+|--------|-------------------------------------------------------------|-------------------------|-------------------|-----------------------|
+|  POST   |`/fdx/v6/events/notification-subscriptions`                 | mTLS, OAuth 2.0         | `fdx:notifications:subscribe`              | Client Credentials    |
+|  GET   |`/fdx/v6/events/notification-subscriptions/{subscriptionId}` | mTLS, OAuth 2.0         | `fdx:notifications:subscribe`              | Client Credentials    |
+|  DELETE   |`/fdx/v6/events/{consentId}/revocation/{subscriptionId}`  | mTLS, OAuth 2.0         | `fdx:notifications:subscribe`              | Client Credentials    |
+
+### Solution APIs
+
+The following APIs are for Data Providers to integrate with our consent managenent module.
+
+#### External Resource Authentication API
+
+This API is for consent grant application to get and update the consent.
+
+| Method | Endpoint                                            | Security Protocol | Scopes Required            | OAuth Flow            |
+|--------|-----------------------------------------------------|-------------------|----------------------------|-----------------------|
+|  GET   | `/external/authentication/v1/resources/{resourceId}`| OAuth 2.0         | `external:resources:read`  | Client Credentials    |
+|  PATCH |`/external/authentication/v1/resources/{resourceId}` | OAuth 2.0         | `external:resources:write` | Client Credentials    |
+
+### Participant Management User API
+
+This API is for consumer consent dashboard to get and update the consent.
+
+| Method | Endpoint                                            | Security Protocol | Scopes Required                 | OAuth Flow            |
+|--------|-----------------------------------------------------|-------------------|---------------------------------|-----------------------|
+|  GET   | `/participant/user/v1/consents/{consentId}`         | OAuth 2.0         | `participantuser:consents:read` | Client Credentials    |
+|  PATCH |`/participant/user/v1/consents/{consentId}`          | OAuth 2.0         | `participantuser:consents:write`| Client Credentials    |
+|  GET   |`/participant/user/v1/consents`                      | OAuth 2.0         | `participantuser:consents:read` | Client Credentials    |
+
+## Conclusion
+
+This API security approach ensures that sensitive financial data is exchanged securely and that only authorized clients and users can access the system's resources. By following the **FDX (Financial Data Exchange) standard** and adhering to the **FAPI Advanced** security profile, we provide a robust and scalable security model that meets the highest standards for financial-grade API security.

content/en/docs/Overview/consent-admin-dashboard.md

@@ -0,0 +1,52 @@
+---
+title: "Consent Admin Dashboard"
+linkTitle: "Consent Admin Dashboard"
+weight: 11
+date: 2024-11-06
+---
+
+The Consent Admin Dashboard allows banks' back-office users to view and/or manage the consents of the customers initiated through the open banking channel. Features and options available within this application depend on the back-office user access level, which can be one of two types:
+
+* **View Access**: Allows the user to view data only.
+* **Admin Access**: Enables the user to view and modify data.
+
+## Dashboard Overview
+
+The dashboard displays all consent-related data in a table format, supporting features such as filtering and search. Users can filter the data by Status, Consent Type, and Owner, and perform a search by Consent ID at the top of the table.
+![alt text](/Images/consent-admin/image-1.png)
+
+## Features and Options
+
+### Filter Options
+
+* Users can filter the table data based on Status, Consent Type, and Owner.
+* Multiple filters can be applied simultaneously.
+* A **Reset** button is provided to restore filters to their default settings.
+  ![alt text](/Images/consent-admin/image-2.png)
+
+### Export Data
+
+* The dashboard allows users to export selected consent data by selecting specific rows using checkboxes, and then generating the export files of the chosen data.
+  ![alt text](/Images/consent-admin/image-3.png)
+
+### Search by Consent ID
+
+* Users can perform searches by entering unique Consent IDs, which narrow down the results to specific consent items.
+  ![alt text](/Images/consent-admin/image-4.png)
+
+### Modifying Consent Status
+
+* Users with Admin Access can modify the status of certain consents. By clicking on the ellipsis icon (three dots) in each row, a menu with possible status actions is presented:
+    * For "On Hold" status, users can change them to **Revoked**, **Active**.
+    * For "Active" status, users can change them to **Revoked**, **On Hold**.
+      ![alt text](/Images/consent-admin/image-5.png)
+    * "Initiated," "Revoked," "Expired," or "Consumed" consent statuses can not be edited.
+      ![alt text](/Images/consent-admin/image-6.png)
+
+### Viewing Consent Details
+
+* Users can view detailed consent information by clicking on rows in the table or selecting the **View** option from the ellipsis menu.
+* The details page shows comprehensive information that may not be visible in the table view and allows users with appropriate access to change eligible statuses where applicable.
+
+This Details page provides a comprehensive view and control panel for managing consent data based on user access levels.
+![alt text](/Images/consent-admin/image-7.png)