Open Banking UK integration (Draft)
This wiki page briefly describes how to integrate Open Banking UK (via OBConnect) with the Gluu Authorization Server.
The actors in this authorization flow, as shown in the sequence diagram, are:
- PSU: the user performing the authorization.
- AISP: the OBConnect component responsible for initiating the authorization flow.
- ASPSP Authorisation Server: the server responsible for authentication and authorization; this should be Gluu AS inside the bank platform.
- ASPSP Resource Server: a set of services inside the bank infrastructure that hold data related to bank accounts, consents, transactions, etc.
Based on the diagram, the AISP first registers a new consent entity in the resource server. This request is authenticated with client credentials over TLS with mutual authentication.
Once the consent is created, the PSU is redirected to the authorization server (Gluu AS) and goes through the standard authorization code flow; alternatively, the CIBA flow can be used. After authorization, the AISP can access the resource server using the issued access token.
During the initial analysis we found that this screen should be part of the authorization process:
More about CIBA: https://gluu.org/docs/gluu-server/4.2/admin-guide/ciba
This page should be part of the authorization flow. Gluu AS supports this kind of dynamic content through interception scripts, so the project needs a custom JSF page for that specific step with the custom branding and sections. The data shown on the screen should come from the resource server, so the same interception script should call two services: one to load the consent already registered and one to load the bank accounts associated with the PSU.
https://gluu.org/docs/gluu-server/4.2/admin-guide/custom-script
https://gluu.org/docs/gluu-server/4.2/developer-guide/tips-cust-script-pages
The most relevant sections for this custom Open Banking UK integration are Consent Gathering and Person Authentication. To show the custom authorization page, the getPageForStep method should return the path of the new JSF page, and the prepareForStep method should load the required data from the consent service and the bank account service.
Open Banking UK uses a consent id to drive the authorization flow, and Gluu AS supports custom parameters in the authorization flow. The parameter must first be configured in the server as an allowed custom parameter; the authorization server then carries that value through the whole flow. OBConnect can validate this custom parameter and, depending on its value, the ASPSP should load all the permissions previously registered for that consent.
This custom parameter can be sent in a normal request as a query parameter and also inside a JWT request object. Custom parameters are also available in the context passed to interception scripts. The list of parameters supported by Gluu AS is linked below; custom parameters can be sent alongside them as query parameters.
https://gluu.org/docs/gluu-server/4.2/api-guide/openid-connect-api/#parameters
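The skeleton of a Gluu 4.2 consent-gathering interception script for the custom page and the consent-id parameter described above, as an added example (not Gluu's or OBConnect's own code). The parameter name ConsentId, the JSF page path, the consent and account service lookups (stubbed with constructed sample data) and the form field names are assumptions; the Gluu base-class import is guarded so the step logic can be exercised outside the server.

```python
try:  # real Gluu base class; not available when the step logic is run outside the server
    from org.gluu.model.custom.script.type.authz import ConsentGatheringType
except ImportError:
    ConsentGatheringType = object

CONSENT_PARAM = "ConsentId"  # assumed name; must be an allowed custom parameter in oxAuth
CONSENT_PAGE = "/auth/obuk/consent.xhtml"  # hypothetical custom JSF page

# Constructed stand-ins for the bank's consent service and account service (assumed interfaces).
SAMPLE_CONSENTS = {"urn:ob:consent:1": {"Status": "AwaitingAuthorisation",
                                        "Permissions": ["ReadAccountsBasic", "ReadBalances"]}}
SAMPLE_ACCOUNTS = {"psu-42": ["acc-1", "acc-2"]}

def first(values):
    """Request parameters arrive as name -> [values]; return the single value or None."""
    return values[0] if values else None

def prepare_consent_page(request_params, psu_id, page_attrs):
    """Load the consent and the PSU's own accounts into the page; False aborts the flow."""
    consent_id = first(request_params.get(CONSENT_PARAM))
    consent = SAMPLE_CONSENTS.get(consent_id)  # consent service lookup (stub)
    if consent is None or consent["Status"] != "AwaitingAuthorisation":
        return False  # unknown, expired or already-authorised consent: never show the page
    page_attrs["consentId"] = consent_id
    page_attrs["permissions"] = ",".join(consent["Permissions"])
    page_attrs["accounts"] = ",".join(SAMPLE_ACCOUNTS.get(psu_id, []))  # account service (stub)
    return True

def authorize_consent(request_params, psu_id):
    """Accept the submission only if the PSU allowed it and every chosen account is theirs."""
    if first(request_params.get("consentForm:allow")) != "true":
        return False
    chosen = set(request_params.get("consentForm:accounts") or [])
    return bool(chosen) and chosen <= set(SAMPLE_ACCOUNTS.get(psu_id, []))

class ConsentGathering(ConsentGatheringType):
    def __init__(self, currentTimeMillis):
        self.currentTimeMillis = currentTimeMillis
    def init(self, customScript, configurationAttributes):
        return True
    def destroy(self, configurationAttributes):
        return True
    def getApiVersion(self):
        return 11
    def getStepsCount(self, context):
        return 1
    def getNextStep(self, step, context):
        return -1
    def getPageForStep(self, step, context):
        return CONSENT_PAGE
    def prepareForStep(self, step, context):  # context: Gluu ConsentGatheringContext
        return prepare_consent_page(context.getRequestParameters(), context.getUser().getUserId(), context.getPageAttributes())
    def authorize(self, step, context):
        return authorize_consent(context.getRequestParameters(), context.getUser().getUserId())
```

The server-side checks matter: a consent that is missing, expired or already authorised is rejected before the page is rendered, and an account the PSU does not own is rejected at submission.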
The Open Banking UK documentation requires mutual TLS authentication for communication between the AISP and the ASPSP. Gluu AS supports this configuration; it is done using the Apache instance already installed with Gluu AS. To learn more about the configuration, see the following resources:
https://gluu.org/docs/gluu-server/4.2/fe/mtls/
https://gluu.org/docs/gluu-server/4.2/admin-guide/fapi-ciba/#client-authentication
After the authentication and authorization steps, and based on the Open Banking UK documentation, the resource server should expose a set of resources such as:
- Accounts
- Balances
- Transactions
- Beneficiaries
- Direct Debits
- Standing Orders
- Products
- Offers
- Parties
- Scheduled Payments
- Statements
Communication between the AISP and the resource server is out of scope here, since Gluu acts only as the authorization server.