© 2017 ForgeRock. All rights reserved.
Implementing Open Banking with ForgeRock
Wayne Blacklock, Customer [email protected] | @WayneBlacklock
© 2016 ForgeRock. All rights reserved.
What is Open Banking?
Banking Won't Ever Be The Same
Open Banking is cracking banks wide open:
● The CMA9 banks must open up their payment and account services to third parties.
● Customers can leave and take their data with them.
● Entirely new ways of doing business will emerge.
● The UK is leading the way.
A Whole New World
APIs will change everything:
● Pay for purchases directly using your bank account.
● Your bank account as your loyalty card.
● Intelligence driven payment systems and automation.
● Share access to your bank account data.
● Much much more...
Starling Bank Hackathon
Many thanks to my partner Rodney Hoinkes
@MABLEapp
Open Banking Now
Open Banking is happening today. In January 2018 Open Banking begins in the UK; as a bank you need to be ready for:
● Onboarding of Third Party service Providers.
● Consent driven API based payments initiation.
● Consent driven API based account information sharing.
PSD2 will rapidly follow across the rest of Europe.
OB / PSD2 Glossary
● TPP: Third Party Provider (a PISP or an AISP)
● ASPSP: Account Servicing Payment Service Provider (e.g. a bank)
● AISP: Account Information Service Provider (e.g. Moneysupermarket)
● PISP: Payment Initiation Service Provider (e.g. Amazon)
● SSA: Software Statement Assertion (the TPP's item of proof)
● PSU: Payment Services User (you)
Open Banking Powered by ForgeRock
OB & Identity
Digital identity is at the very heart of Open Banking.
Authentication
● Strong Customer Authentication aligned to PSD2
● Adaptive risk based authentication
● Integration with external authentication providers
Authorization
● Transaction based authorization
● Granular authorization policy
● Integration with decision engines and external services
Identity Management
● Customer credential store
● Management of OB elements e.g. TPPs, SSAs
● Single customer view
API Security
● Protection of payment initiation and account sharing APIs
OAuth & OIDC
● Onboarding of TPPs
● Payment initiation flows
● Account information flows
OAuth & OIDC are critically important for implementing OB flows.
OAuth & OIDC
Open Banking is founded upon the use of the OAuth and OpenID Connect (OIDC) standards, and they are used extensively throughout OB.
TPP Onboarding
● Dynamic client registration for TPP onboarding
Payment Initiation Service Provider (PISP) Flow
● OIDC Client Credentials flow for payment staging
● OIDC Hybrid* flow for payment consent
● Token validation for API protection
Account Information Service Provider (AISP) Flow
● OIDC Client Credentials flow for account data request
● OIDC Hybrid* flow for account data consent
● Token validation for API protection
* Hybrid flow used to mitigate risk of authz code swapping attacks
Open Banking Building Blocks
ForgeRock provides everything you need to implement Open Banking, and you can swap out any component as required.
● OAuth / OIDC
● Workflow
● Directory Services
● Authorization
● API Security
● Authentication
● Adaptive Risk
● Identity Management
Open Banking Flows
TPP Onboarding Flow
TPP Onboarding is based on the use of Software Statement Assertions (SSAs). TPPs present an SSA received from OB to the ASPSP; this is then validated and an OAuth client is created that the TPP can use.
Diagram components (the original slide numbers the flow 1 to 5):
● TPPs (PISPs, AISPs): client request JWT including SSA JWT
● Identity Gateway (Throttling Filter, Scripted Filter): validate SSL cert matches client
● Access Management (OAuth, OIDC): register TPP by invoking OAuth endpoint
● Identity Management (REST API, Object Model, Config REST API; objects: TPP, SSA, Clients; Scripts): manage relationships between TPPs, SSAs and Clients in IDM; create OAuth clients automatically using API; validate SSA against OB directory automatically
● OB Directory
DEMO: TPP Registration Tool
http://forgebank.openrock.org/tppgenerate
PISP / AISP Flows in OB
PISP: Payment Initiation Service Provider Flow
1. Request Payment Initiation
2. Setup Single Payment Initiation
3. Authorize Consent
4. Create Payment Submission
5. Get Payment Submission Status
PISP flow lets you pay directly using your bank account.
AISP: Account Information Service Provider Flow
1. Request Account Information
2. Setup Account Request
3. Authorize Consent
4. Request Data
AISP flow lets you share your bank account data.
PISP Flow
Setup Single Payment Initiation
Payment staging uses OAuth & OIDC flows to retrieve an access token, which is used to retrieve a paymentID to securely invoke staging APIs and set up a payment.
Diagram components:
● TPPs (PISP)
● Access Management (OAuth, OIDC): act as OAuth Authorization Server; act as OAuth Resource Server to protect APIs
● Identity Gateway (OAuth Resource Filter, Throttling Filter): enforce throttling controls; validate OAuth tokens using endpoints:
  ● Stateless: JWK
  ● Stateful: tokeninfo
● Payment APIs
Flow as numbered in the original diagram:
1. PISP to Access Management: OIDC Client Credential Flow
2. Access token returned to the PISP
3. PISP invokes APIs through the Identity Gateway
4. Identity Gateway validates tokens against Access Management (stateless via JWK, or stateful via tokeninfo)
5. Return a paymentID
Any API gateway can be used that can invoke the endpoints in AM to validate tokens or token signatures.
Authorize Consent
Payment initiation flow makes use of the paymentID and the OIDC hybrid flow, and requires SCA.
Diagram components:
● TPPs (PISP): OIDC Hybrid Flow with request JWT containing the paymentID
● Access Management (OAuth, OIDC; Authentication, Authorization, Data Stores): SCA with ForgeRock 2FA; validate user credentials against Directory Services; integrate with 3rd party authentication services (3rd Party Biometric); integrate with external risk & decision engines (Risk Engine)
● Remote Consent: External Consent Capture
● Identity Management: store consent
Strong Customer Authentication (SCA)
PSD2 mandates SCA. ForgeRock offers OOTB authentication modules including TOTP, HOTP, Push Authentication, Adaptive Risk, Device Fingerprinting and many more. The Scripted module allows rapid integration with 3rd party services.
The original diagram numbers the flow 1 to 9; the labelled steps are:
7. Authz code & ID token returned to the PISP
8. Validate ID token & authz code
9. Exchange authz code for access token
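As an added example (not code from the slides or from ForgeRock), the TPP-side check behind step 8 and the hybrid-flow footnote earlier in the deck: verify the ID token and confirm via its c_hash that the returned authorization code belongs to it, so a swapped code is rejected before the exchange in step 9. The HMAC key, issuer, client_id and the use of the openbanking_intent_id claim to carry the paymentID are assumptions; a real TPP would verify an asymmetric signature against the bank's JWKS instead.

```python
import base64, hashlib, hmac, json, time

# Constructed values, not from the slides; an HMAC key stands in for the bank's key.
AM_KEY = b"constructed-demo-key-do-not-reuse"
ISSUER = "https://bank.example/oauth2"   # assumed AM issuer URL
CLIENT_ID = "pisp-client-1"              # assumed TPP client_id

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64url_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def c_hash(code: str) -> str:
    # OIDC Core 3.3.2.11: base64url of the left half of SHA-256(code) for HS256/RS256
    digest = hashlib.sha256(code.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])

def issue_id_token(code: str, nonce: str, payment_id: str, now=None) -> str:
    # Stand-in for the authorization server: signs an ID token bound to the code.
    now = int(time.time() if now is None else now)
    hdr = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "psu-42", "nonce": nonce,
              "c_hash": c_hash(code), "openbanking_intent_id": payment_id,
              "iat": now, "exp": now + 300}
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(AM_KEY, f"{hdr}.{body}".encode(), hashlib.sha256).digest()
    return f"{hdr}.{body}.{_b64url(sig)}"

def validate_hybrid_response(id_token: str, code: str, expected_nonce: str,
                             expected_payment_id: str, now=None) -> dict:
    # Step 8: signature, issuer, audience, expiry, nonce, then c_hash binds code to token.
    now = int(time.time() if now is None else now)
    hdr, body, sig = id_token.split(".")
    if json.loads(_b64url_dec(hdr)).get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(AM_KEY, f"{hdr}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_dec(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_dec(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch (possible replay)")
    if not hmac.compare_digest(str(claims.get("c_hash", "")), c_hash(code)):
        raise ValueError("authorization code was not issued with this ID token")
    if claims.get("openbanking_intent_id") != expected_payment_id:
        raise ValueError("consent is for a different paymentID")
    return claims
```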
Create Payment Submission
Payment submission uses the token issued to the PISP to invoke payment APIs.
Diagram components:
● TPPs (PISP): invoke payment APIs
● Identity Gateway (OAuth Resource Filter, Throttling Filter): enforce throttling controls; validate access token; validate OAuth tokens using endpoints:
  ● Stateless: JWK
  ● Stateful: tokeninfo
● Access Management (OAuth, OIDC): validate access token; validate paymentId from UserInfo endpoint
● Payment APIs: invoke APIs
Flow as numbered in the original diagram (1 to 3): the PISP invokes the payment APIs through the gateway (1), the gateway validates the access token either statelessly via JWK or statefully via tokeninfo (2), and the payment APIs are invoked (3).
Any API gateway can be used that can invoke the endpoints in AM to validate tokens or token signatures.
AISP Flow
Setup Account Request
Account staging uses OAuth & OIDC flows to retrieve an access token, which is used to retrieve an accountRequestID to securely invoke staging APIs and set up an information request.
Diagram components:
● TPPs (AISP)
● Access Management (OAuth, OIDC): act as OAuth Authorization Server; act as OAuth Resource Server to protect APIs
● Identity Gateway (OAuth Resource Filter, Throttling Filter): enforce throttling controls; validate OAuth tokens using endpoints:
  ● Stateless: JWK
  ● Stateful: tokeninfo
● Account APIs
Flow as numbered in the original diagram:
1. AISP to Access Management: OIDC Client Credential Flow
2. Access token returned to the AISP
3. AISP invokes APIs through the Identity Gateway
4. Identity Gateway validates tokens against Access Management (stateless via JWK, or stateful via tokeninfo)
5. Return an accountRequestID
Any API gateway can be used that can invoke the endpoints in AM to validate tokens or token signatures.
Authorize Consent
Account information flow makes use of the accountRequestID and the OIDC hybrid flow, and requires SCA.
Diagram components:
● TPPs (AISP): OIDC Hybrid Flow with request JWT with paymentID
● Access Management (OAuth, OIDC; Authentication, Authorization, Data Stores): SCA with ForgeRock 2FA; validate user credentials against Directory Services; integrate with 3rd party authentication services (3rd Party Biometric); integrate with external risk & decision engines (Risk Engine)
● Remote Consent: External Consent Capture
● Identity Management: store consent
Strong Customer Authentication (SCA)
PSD2 mandates SCA. ForgeRock offers OOTB authentication modules including TOTP, HOTP, Push Authentication, Adaptive Risk, Device Fingerprinting and many more. The Scripted module allows rapid integration with 3rd party services.
The original diagram numbers the flow 1 to 9; the labelled steps are:
7. Authz code & ID token returned to the AISP
8. Validate ID token & authz code
9. Exchange authz code for access token and store access token
Request Data
Requesting of data uses the access token issued to the AISP to invoke APIs.
Diagram components:
● TPPs (PISP): retrieve stored access token and invoke request
● Identity Gateway (OAuth Resource Filter, Throttling Filter): enforce throttling controls; validate access token; validate OAuth tokens using endpoints:
  ● Stateless: JWK
  ● Stateful: tokeninfo
● Access Management (OAuth, OIDC): validate access token
● Account APIs: invoke APIs
Flow as numbered in the original diagram (1 to 3): the TPP retrieves the stored access token and invokes the request through the gateway (1), the gateway validates the access token either statelessly via JWK or statefully via tokeninfo (2), and the account APIs are invoked (3).
Any API gateway can be used that can invoke the endpoints in AM to validate tokens or token signatures.