Implementing Open Banking with ForgeRock (ForgeRock Identity Tech Talks)
1. © 2017 ForgeRock. All rights reserved.
Implementing Open Banking with ForgeRock
Wayne Blacklock, Customer Engineer
wayne.blacklock@forgerock.com | @WayneBlacklock
3. Banking Won’t Ever Be The Same
Open Banking is cracking banks wide open
The CMA9 banks must open up their payment and account services to third parties.
Customers can leave and take their data with them.
Entirely new ways of doing business will emerge.
The UK is leading the way.
4. A Whole New World
APIs will change everything
Pay for purchases directly using your bank account.
Your bank account as your loyalty card.
Intelligence-driven payment systems and automation.
Share access to your bank account data.
Much, much more...
5. Starling Bank Hackathon
Many thanks to my partner Rodney Hoinkes (@MABLEapp)
6. Open Banking Now
Open Banking is happening today.
In January 2018 Open Banking begins in the UK; as a bank you need to be ready for:
● Onboarding of Third Party Providers.
● Consent-driven, API-based payment initiation.
● Consent-driven, API-based account information sharing.
PSD2 will rapidly follow across the rest of Europe.
7. OB / PSD2 Glossary
Term | Meaning | Example
TPP | Third Party Provider | A PISP or an AISP
ASPSP | Account Servicing Payment Service Provider | A bank
AISP | Account Information Service Provider | Moneysupermarket
PISP | Payment Initiation Service Provider | Amazon
SSA | Software Statement Assertion | The TPP's item of proof
PSU | Payment Services User | You
9. OB & Identity
Digital identity is at the very heart of Open Banking.
Authentication:
● Strong Customer Authentication aligned to PSD2
● Adaptive risk-based authentication
● Integration with external authentication providers
Authorization:
● Transaction-based authorization
● Granular authorization policy
● Integration with decision engines and external services
Identity Management:
● Customer credential store
● Management of OB elements, e.g. TPPs, SSAs
● Single customer view
API Security:
● Protection of payment initiation and account sharing APIs
OAuth & OIDC:
● Onboarding of TPPs
● Payment initiation flows
● Account information flows
OAuth & OIDC are critically important for implementing OB flows.
10. OAuth & OIDC
Open Banking is founded upon the OAuth and OpenID Connect (OIDC) standards, which are used extensively throughout OB.
TPP Onboarding:
● Dynamic client registration for TPP onboarding
Payment Initiation Service Provider (PISP) Flow:
● OIDC Client Credentials flow for payment staging
● OIDC Hybrid* flow for payment consent
● Token validation for API protection
Account Information Service Provider (AISP) Flow:
● OIDC Client Credentials flow for account data request
● OIDC Hybrid* flow for account data consent
● Token validation for API protection
* The Hybrid flow is used to mitigate the risk of authorization code swapping attacks.
11. Open Banking Building Blocks
ForgeRock provides everything you need to implement Open Banking, and you can swap out any component as required.
Building blocks shown on the slide: OAuth / OIDC, Workflow, Directory Services, Authorization, API Security, Authentication, Adaptive Risk, Identity Management.
13. TPP Onboarding Flow
TPP Onboarding is based on the use of Software Statement Assertions (SSAs). TPPs present an SSA received from OB to the ASPSP; the ASPSP validates it and creates an OAuth client that the TPP can use.
Diagram components: TPPs (PISPs, AISPs); Identity Gateway (Throttling Filter, Scripted Filter); Access Management (OAuth, OIDC); Identity Management (Object Model, Config REST API, Scripts; TPP, SSA and Client objects); OB Directory (REST API).
Diagram labels (steps 1 to 5):
● Client request: a JWT including the SSA JWT
● Validate that the SSL certificate matches the client (Identity Gateway)
● Register the TPP by invoking the OAuth endpoint
● Validate the SSA against the OB directory automatically
● Create OAuth clients automatically using the API
● Manage relationships between TPPs, SSAs and Clients in IDM
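The onboarding checks described on this slide (verify the SSA, confirm that the TLS client certificate belongs to the organisation the SSA was issued to, then create an OAuth client limited to what the SSA attests), as an added Python example that is not ForgeRock's code or part of this deck. It assumes the SSA claim names org_id, software_id, software_roles and software_redirect_uris, a registration request carrying redirect_uris and scope, and a shared HS256 key standing in for the OB Directory's published signing keys so that it runs offline; the role-to-scope mapping and all sample values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    # JWT segments omit padding; restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWT. HS256 with a shared key is an assumption so the example
    runs offline; the real OB Directory signs SSAs with asymmetric keys published via JWKS."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(signature)}"


class SsaError(Exception):
    """Raised when the SSA or the registration request fails a check."""


def verify_ssa(ssa_jwt: str, directory_key: bytes, directory_issuer: str, now=None) -> dict:
    """Check the SSA's signature, issuer and lifetime; return its claims."""
    try:
        header_b64, body_b64, sig_b64 = ssa_jwt.split(".")
    except ValueError:
        raise SsaError("SSA is not a compact JWT")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected algorithm; never let the token choose it
        raise SsaError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(directory_key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise SsaError("SSA signature does not verify against the directory key")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != directory_issuer:
        raise SsaError("SSA was not issued by the Open Banking directory")
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):
        raise SsaError("SSA has expired")
    return claims


# Which OAuth scopes each OB role may request; an assumption made for this example.
ROLE_SCOPES = {"PISP": {"openid", "payments"}, "AISP": {"openid", "accounts"}}


def register_tpp(ssa_jwt: str, registration: dict, client_cert_org_id: str,
                 directory_key: bytes, directory_issuer: str, now=None) -> dict:
    """Validate a dynamic client registration request against its SSA and the
    already-authenticated TLS client certificate, then build the OAuth client record."""
    ssa = verify_ssa(ssa_jwt, directory_key, directory_issuer, now)
    # The certificate the TPP connected with must belong to the organisation the SSA was issued to
    if client_cert_org_id != ssa.get("org_id"):
        raise SsaError("client certificate organisation does not match the SSA org_id")
    # Only redirect URIs the directory attested for this software may be registered
    requested_uris = set(registration.get("redirect_uris", []))
    if not requested_uris or not requested_uris <= set(ssa.get("software_redirect_uris", [])):
        raise SsaError("redirect_uris are not attested in the SSA")
    # Only scopes covered by the TPP's attested roles may be granted
    allowed = set().union(*(ROLE_SCOPES.get(role, set()) for role in ssa.get("software_roles", [])))
    requested_scopes = set(registration.get("scope", "").split())
    if not requested_scopes or not requested_scopes <= allowed:
        raise SsaError(f"scopes {sorted(requested_scopes - allowed)} exceed the SSA roles")
    return {
        "client_id": secrets.token_urlsafe(16),
        "software_id": ssa["software_id"],
        "org_id": ssa["org_id"],
        "redirect_uris": sorted(requested_uris),
        "scope": " ".join(sorted(requested_scopes)),
        "token_endpoint_auth_method": "tls_client_auth",
    }


# Constructed sample data: a directory key, an SSA for a PISP-only TPP, and a fixed clock.
DIRECTORY_KEY = b"constructed-directory-signing-key"
DIRECTORY_ISSUER = "OpenBanking Ltd"
SAMPLE_NOW = 1_500_000_100
SAMPLE_SSA = sign_hs256({
    "iss": DIRECTORY_ISSUER, "iat": 1_500_000_000, "exp": 1_500_000_600,
    "org_id": "ORG-CONSTRUCTED-0001",
    "software_id": "constructed-pisp-app",
    "software_roles": ["PISP"],
    "software_redirect_uris": ["https://tpp.example/cb"],
}, DIRECTORY_KEY)


def demo() -> dict:
    """Register the sample TPP with an attested redirect URI and an allowed scope set."""
    registration = {"redirect_uris": ["https://tpp.example/cb"], "scope": "openid payments"}
    return register_tpp(SAMPLE_SSA, registration, "ORG-CONSTRUCTED-0001",
                        DIRECTORY_KEY, DIRECTORY_ISSUER, now=SAMPLE_NOW)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The three rejections worth noting are a redirect URI the directory never attested, a scope outside the TPP's roles (an AISP scope on a PISP-only SSA), and a client certificate from a different organisation; each fails closed before any client is written to IDM.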
15. DEMO: TPP Registration Tool
http://forgebank.openrock.org/tppgenerate
16. PISP / AISP Flows in OB
PISP: Payment Initiation Service Provider Flow
1. Request Payment Initiation
2. Setup Single Payment Initiation
3. Authorize Consent
4. Create Payment Submission
5. Get Payment Submission Status
The PISP flow lets you pay directly using your bank account.
17. PISP / AISP Flows in OB
AISP: Account Information Service Provider Flow
1. Request Account Information
2. Setup Account Request
3. Authorize Consent
4. Request Data
The AISP flow lets you share your bank account data.
19. Setup Single Payment Initiation
Payment staging uses OAuth & OIDC flows to retrieve an access token, which is then used to retrieve a paymentID and securely invoke the staging APIs to set up a payment.
Diagram components: TPPs (PISP); Identity Gateway (Payment APIs; OAuth Resource Filter, Throttling Filter); Access Management (OAuth, OIDC).
● Access Management acts as the OAuth Authorization Server.
● Identity Gateway acts as the OAuth Resource Server to protect the APIs and enforces throttling controls.
● Validate OAuth tokens using AM endpoints: Stateless: JWK; Stateful: tokeninfo.
● Any API gateway can be used that can invoke the endpoints in AM to validate tokens or token signatures.
Diagram steps:
1. OIDC Client Credential Flow
2. Access token
3. Invoke APIs
4. Validate tokens (stateless OR stateful)
5. Return a paymentID
21. Authorize Consent
The payment initiation flow makes use of the paymentID and the OIDC hybrid flow, and requires SCA.
Diagram components: TPPs (PISP); Access Management (OAuth, OIDC; Authentication, Authorization); Data Stores (Directory Services); Risk Engine; 3rd Party Biometric; Remote Consent (External Consent Capture); Identity Management.
Diagram labels:
● OIDC Hybrid Flow with a request JWT carrying the paymentID
● Validate user credentials
● SCA with ForgeRock 2FA
● Integrate with 3rd party authentication services
● Integrate with external risk & decision engines
● External consent capture; store consent (Identity Management)
● Step 7: Authz code & ID token
● Step 8: Validate ID token & authz code
● Step 9: Exchange authz code for access token
Strong Customer Authentication (SCA)
PSD2 mandates SCA. ForgeRock offers OOTB authentication modules including TOTP, HOTP, Push Authentication, Adaptive Risk, Device Fingerprinting and many more. The Scripted module allows rapid integration with 3rd party services.
24. Create Payment Submission
Payment submission uses the token issued to the PISP to invoke the payment APIs.
Diagram components: TPPs (PISP); Identity Gateway (Payment APIs; OAuth Resource Filter, Throttling Filter); Access Management (OAuth, OIDC); APIs.
Diagram labels:
● Invoke payment APIs
● Enforce throttling controls
● Validate access token (stateless OR stateful)
● Validate OAuth tokens using AM endpoints: Stateless: JWK; Stateful: tokeninfo.
● Validate paymentId from the UserInfo endpoint
● Any API gateway can be used that can invoke the endpoints in AM to validate tokens or token signatures.
26. Setup Account Request
Account staging uses OAuth & OIDC flows to retrieve an access token, which is then used to retrieve an accountRequestID and securely invoke the staging APIs to set up an information request.
Diagram components: TPPs (AISP); Identity Gateway (Account APIs; OAuth Resource Filter, Throttling Filter); Access Management (OAuth, OIDC).
● Access Management acts as the OAuth Authorization Server.
● Identity Gateway acts as the OAuth Resource Server to protect the APIs and enforces throttling controls.
● Validate OAuth tokens using AM endpoints: Stateless: JWK; Stateful: tokeninfo.
● Any API gateway can be used that can invoke the endpoints in AM to validate tokens or token signatures.
Diagram steps:
1. OIDC Client Credential Flow
2. Access token
3. Invoke APIs
4. Validate tokens (stateless OR stateful)
5. Return an accountRequestID
27. Authorize Consent
The account information flow makes use of the accountRequestID and the OIDC hybrid flow, and requires SCA.
Diagram components: TPPs (AISP); Access Management (OAuth, OIDC; Authentication, Authorization); Data Stores (Directory Services); Risk Engine; 3rd Party Biometric; Remote Consent (External Consent Capture); Identity Management.
Diagram labels:
● OIDC Hybrid Flow with a request JWT carrying the paymentID
● Validate user credentials
● SCA with ForgeRock 2FA
● Integrate with 3rd party authentication services
● Integrate with external risk & decision engines
● External consent capture; store consent (Identity Management)
● Step 7: Authz code & ID token
● Step 8: Validate ID token & authz code
● Step 9: Exchange authz code for access token and store the access token
Strong Customer Authentication (SCA)
PSD2 mandates SCA. ForgeRock offers OOTB authentication modules including TOTP, HOTP, Push Authentication, Adaptive Risk, Device Fingerprinting and many more. The Scripted module allows rapid integration with 3rd party services.
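Steps 7 and 8 of this slide and of the payment equivalent (slide 21), together with the reason slide 10 gives for choosing the hybrid flow, as an added Python example that is not ForgeRock's code: the TPP validates the signed ID token returned in the front channel and checks its c_hash against the authorization code before exchanging that code, so a code substituted in the redirect is rejected rather than exchanged. It assumes HS256 with a shared key in place of AM's asymmetric ID token signature, a claim named openbanking_intent_id carrying the paymentID or accountRequestID the customer consented to, and constructed issuer, client, nonce and key values.

```python
import base64
import hashlib
import hmac
import json
import secrets


# HS256 with a shared key is an assumption so the example runs offline; AM signs
# ID tokens with an asymmetric key that the TPP would fetch from AM's JWKS endpoint.
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def c_hash(code: str) -> str:
    """OIDC Core 3.3.2.11: base64url of the left-most half of the hash of the
    authorization code, using the ID token's hash algorithm (SHA-256 here)."""
    return _b64url(hashlib.sha256(code.encode("ascii")).digest()[:16])


def issue_hybrid_response(key: bytes, issuer: str, client_id: str, nonce: str,
                          intent_id: str, now: int, lifetime: int = 300) -> dict:
    """Authorization-server side: mint an authz code and an ID token whose c_hash
    binds the two, as returned in the front-channel response (response_type=code id_token)."""
    code = secrets.token_urlsafe(24)
    claims = {
        "iss": issuer, "aud": client_id, "sub": "psu-constructed",
        "iat": now, "exp": now + lifetime, "nonce": nonce,
        "c_hash": c_hash(code),
        # assumed claim name carrying the consent (paymentID / accountRequestID) the PSU authorised
        "openbanking_intent_id": intent_id,
    }
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return {"code": code, "id_token": f"{header}.{body}.{_b64url(sig)}"}


class ConsentError(Exception):
    """Raised when the front-channel response must not be used for a token exchange."""


def validate_hybrid_response(params: dict, key: bytes, issuer: str, client_id: str,
                             expected_nonce: str, expected_intent_id: str, now: int) -> str:
    """TPP side: validate the ID token and its binding to the code, then return the
    code that is safe to exchange at the token endpoint (step 9)."""
    code, id_token = params["code"], params["id_token"]
    header_b64, body_b64, sig_b64 = id_token.split(".")
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        raise ConsentError("unexpected ID token alg")
    expected_sig = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _unb64url(sig_b64)):
        raise ConsentError("ID token signature invalid")
    claims = json.loads(_unb64url(body_b64))
    if claims.get("iss") != issuer:
        raise ConsentError("ID token from an unexpected issuer")
    if claims.get("aud") != client_id:
        raise ConsentError("ID token was not issued to this client")
    if now >= claims.get("exp", 0):
        raise ConsentError("ID token expired")
    if claims.get("nonce") != expected_nonce:
        raise ConsentError("nonce mismatch: response does not belong to this session")
    # The code-swapping check: the code received must be the one the AS hashed into the signed ID token
    if not hmac.compare_digest(claims.get("c_hash", ""), c_hash(code)):
        raise ConsentError("authorization code does not match c_hash: possible code substitution")
    if claims.get("openbanking_intent_id") != expected_intent_id:
        raise ConsentError("consent is for a different paymentID / accountRequestID")
    return code


# Constructed sample values
AM_KEY = b"constructed-am-id-token-key"
ISSUER = "https://bank.example/oauth2"
CLIENT_ID = "constructed-aisp-client"
NOW = 1_500_000_000


def demo() -> bool:
    """A genuine response validates; the same ID token paired with another code does not."""
    genuine = issue_hybrid_response(AM_KEY, ISSUER, CLIENT_ID, "nonce-1", "ACC-2002", NOW)
    assert validate_hybrid_response(genuine, AM_KEY, ISSUER, CLIENT_ID,
                                    "nonce-1", "ACC-2002", NOW + 10) == genuine["code"]
    other = issue_hybrid_response(AM_KEY, ISSUER, CLIENT_ID, "nonce-1", "ACC-2002", NOW)
    swapped = {"code": other["code"], "id_token": genuine["id_token"]}
    try:
        validate_hybrid_response(swapped, AM_KEY, ISSUER, CLIENT_ID, "nonce-1", "ACC-2002", NOW + 10)
    except ConsentError:
        return True
    return False


if __name__ == "__main__":
    print("code substitution detected:", demo())
```

Checking the intent id in the ID token is what ties the consent the customer approved to the accountRequestID (or paymentID) the TPP staged earlier; without it a validly signed token for some other consent would still pass.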
28. Request Data
Requesting data uses the access token issued to the AISP to invoke the APIs.
Diagram components: TPPs (PISP); Identity Gateway (Account APIs; OAuth Resource Filter, Throttling Filter); Access Management (OAuth, OIDC); APIs.
Diagram labels:
● Retrieve the stored access token and invoke the request
● Invoke APIs
● Enforce throttling controls
● Validate access token (stateless OR stateful)
● Validate OAuth tokens using AM endpoints: Stateless: JWK; Stateful: tokeninfo.
● Any API gateway can be used that can invoke the endpoints in AM to validate tokens or token signatures.
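The resource filter checks that slides 19, 24, 26 and 28 place in the Identity Gateway (validate the access token via AM's stateful tokeninfo endpoint, enforce throttling per client, and confirm through the UserInfo endpoint that the paymentId or accountRequestId being acted on is the one the token was issued for), as an added Python example that is not ForgeRock Identity Gateway code. AM is replaced by an in-memory stub; the JSON shapes it returns, the claim name openbanking_intent_id, and all token, client and consent identifiers are constructed for the example.

```python
from collections import defaultdict


class AccessManagementStub:
    """Stand-in for AM: answers the tokeninfo and userinfo endpoints from an
    in-memory table of issued access tokens (constructed for this example)."""

    def __init__(self, tokens: dict):
        self._tokens = tokens

    def tokeninfo(self, access_token: str, now: float) -> dict:
        record = self._tokens.get(access_token)
        if record is None:
            return {"error": "invalid_token"}
        return {"client_id": record["client_id"], "scope": record["scope"],
                "expires_in": int(record["exp"] - now)}

    def userinfo(self, access_token: str) -> dict:
        record = self._tokens[access_token]
        # assumed claim name: the consent (paymentID or accountRequestID) the PSU authorised for this token
        return {"sub": record["sub"], "openbanking_intent_id": record["intent_id"]}


class ThrottlingFilter:
    """Fixed-window counter: at most `limit` requests per client per `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._counts = defaultdict(int)

    def allow(self, client_id: str, now: float) -> bool:
        key = (client_id, int(now // self.window))
        self._counts[key] += 1
        return self._counts[key] <= self.limit


def resource_filter(request: dict, am: AccessManagementStub, throttle: ThrottlingFilter,
                    required_scope: str, now: float) -> tuple:
    """Decide whether a payment submission or account data request may reach the
    protected API. Returns (HTTP status, reason); 200 means forward it."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    token = auth[len("Bearer "):]
    info = am.tokeninfo(token, now)  # stateful validation: ask AM about the token
    if "error" in info or info["expires_in"] <= 0:
        return 401, "token invalid or expired"
    if required_scope not in info["scope"].split():
        return 403, f"scope {required_scope} not granted"
    if not throttle.allow(info["client_id"], now):
        return 429, "rate limit exceeded for client"
    # Bind the call to the consent: the identifier being acted on must be the one the token was issued for
    body = request.get("body", {})
    presented = body.get("paymentId", body.get("accountRequestId"))
    if presented != am.userinfo(token)["openbanking_intent_id"]:
        return 403, "request does not match the consent this token was issued for"
    return 200, "forwarded"


# Constructed sample state: a fixed clock and two issued tokens (one already expired).
NOW = 1_500_000_000.0
AM = AccessManagementStub({
    "tok-pisp-1": {"client_id": "pisp-client", "sub": "psu-alice", "scope": "openid payments",
                   "exp": NOW + 300, "intent_id": "PAY-1001"},
    "tok-aisp-1": {"client_id": "aisp-client", "sub": "psu-alice", "scope": "openid accounts",
                   "exp": NOW - 1, "intent_id": "ACC-2002"},
})


def payment_request(token: str, payment_id: str) -> dict:
    return {"headers": {"Authorization": f"Bearer {token}"}, "body": {"paymentId": payment_id}}


def demo() -> list:
    """A genuine submission, a submission for a different paymentId, and an expired token."""
    throttle = ThrottlingFilter(limit=5, window=60)
    return [
        resource_filter(payment_request("tok-pisp-1", "PAY-1001"), AM, throttle, "payments", NOW)[0],
        resource_filter(payment_request("tok-pisp-1", "PAY-9999"), AM, throttle, "payments", NOW)[0],
        resource_filter(payment_request("tok-aisp-1", "ACC-2002"), AM, throttle, "accounts", NOW)[0],
    ]


if __name__ == "__main__":
    print(demo())  # [200, 403, 401]
```

The stateless alternative the slides mention (verifying the token's signature against AM's JWK endpoint) replaces only the `tokeninfo` call; the scope, throttling and consent-binding checks stay the same, and the consent check is what stops a token obtained for one paymentId from being replayed against another.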