openbankingtoolkit / openbanking-aspsp Goto Github PK
View Code? Open in Web Editor NEWForgeRock OpenBanking ASPSP
License: Apache License 2.0
ForgeRock OpenBanking ASPSP
License: Apache License 2.0
To meet the CDR spec we must implement the listPayees.
The documentation https://consumerdatastandardsaustralia.github.io/standards/#get-payees
To meet the CDR spec we must implement the listBalancesSpecificAccounts.
The documentation https://consumerdatastandardsaustralia.github.io/standards/#get-balances-for-specific-accounts
To meet the CDR spec we must implement the listScheduledPayments.
The code here https://consumerdatastandardsaustralia.github.io/standards/#get-scheduled-payments-bulk
To meet the CDR spec we must implement the listProducts.
The documentation https://consumerdatastandardsaustralia.github.io/standards/#get-products
Description
Improvements to ensure that Event Notification API works properly:
Specifications
Check APIs List
As an OB sandbox PSU user
I want the Data API to support the versions implemented of the OBIE spec
so that I can import / export and test against each version
We have had a few customer issues where it has been impossible to determine why TPPs were having trouble with these endpoints. Logging needs to be sufficient to allow us to determine why a specific call resulted in an OBErrorReponseException is called.
We aslo need to make sure that there is sufficient granularity and information in the OBErrorResponseExceptions to make sure that TPPs can easily diagnose why a call failed. This will reduce support effort for our customers, and also the support load on our team from our customers.
To meet the CDR spec we must implement the listScheduledPaymentsSpecificAccounts.
The documentation https://consumerdatastandardsaustralia.github.io/standards/#get-scheduled-payments-for-specific-accounts
The payments endpoints FundsConfirmation have a wrong grant_type set
When TPP request an access token with "grant_type": "authorization_code" the implementation expect an access_token with "grant_type": "client_credential" .
The documentation api spec 3.1.6 define "grant_type": "authorization_code" for the below endpoints:
We should generate and not check into git the models from the swagger for CDR. This means that they'll always be up to date and less maintenance.
To meet the CDR spec we must implement the listDirectDebitsSpecificAccounts.
The documentation https://consumerdatastandardsaustralia.github.io/standards/#get-direct-debits-for-specific-accounts
We should not validate SSA software ID against the CN of the transport certificates as the eIDAS standard does not enforce this
discussion: https://open-banking-global.slack.com/archives/CBB3PBYDC/p1579682353044700
Can register with non-forgerock eIDAS certificate
To meet the CDR spec we must implement the listBalancesBulk.
The documentation https://consumerdatastandardsaustralia.github.io/standards/#get-bulk-balances
The interface implemented on rs-store for fundsConfirmations doesn't work properly.
To meet the CDR spec we must implement the listDirectDebitsBulk.
The documentation https://consumerdatastandardsaustralia.github.io/standards/#get-bulk-direct-debits
Dependabot couldn't authenticate with https://jcenter.bintray.com.
You can provide authentication details in your Dependabot dashboard by clicking into the account menu (in the top right) and selecting 'Config variables'.
The payment read/write APIs version 3.1 to 3.1.2 response with wrong version of links.self
because the controller implementation it's an extension of minor version and then the link.self
version it's the version of the extended controller.
Example:
// version 3.1
"Links": {
"Self": "https://api.alphabank.com/open-banking/v3.1/pisp/domestic-payment-consents/58923/funds-confirmation"
},
"Meta": {}
// version 3.1.2
"Links": {
"Self": "https://api.alphabank.com/open-banking/v3.1/pisp/domestic-payment-consents/58923/funds-confirmation"
},
"Meta": {}
It's expected "Self": "....../.../v3.1.2/....."
instead of "Self": "....../.../v3.1/....."
link.self
through all APIs.When modifying the UI code, the PR pipeline is also checking the java code, which is quite slow.
An improvement could be to only do some java code check if the java code has been updated.
Running the Postman End 2 End (Generated) tests against master there is an exception thrown when running the Test account flow/Account API v3.1.1/account/Get accounts (v1.1)
test.
stack_trace: "java.lang.IllegalArgumentException: No enum constant uk.org.openbanking.datamodel.payment.OBExternalAccountIdentification2Code.UK.OBIE.SortCodeAccountNumber
at java.base/java.lang.Enum.valueOf(Unknown Source)
at uk.org.openbanking.datamodel.payment.OBExternalAccountIdentification2Code.valueOf(OBExternalAccountIdentification2Code.java:23)
at com.forgerock.openbanking.common.services.openbanking.converter.account.OBCashAccountConverter.toOBCashAccount1(OBCashAccountConverter.java:159)
at com.forgerock.openbanking.common.services.openbanking.converter.account.FRAccountConverter.toOBAccount1(FRAccountConverter.java:126)
at com.forgerock.openbanking.common.services.openbanking.converter.account.FRAccountConverter.toAccount1(FRAccountConverter.java:75)
at com.forgerock.openbanking.aspsp.rs.store.api.openbanking.account.v1_1.account.AccountsApiController.lambda$getAccounts$0(AccountsApiController.java:116)
at java.base/java.util.stream.ReferencePipeline$3$1.accept(Unknown Source)
at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(Unknown Source)
at java.base/java.util.stream.AbstractPipeline.copyInto(Unknown Source)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source)
at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Unknown Source)
at java.base/java.util.stream.AbstractPipeline.evaluate(Unknown Source)
at java.base/java.util.stream.ReferencePipeline.collect(Unknown Source)
at com.forgerock.openbanking.aspsp.rs.store.api.openbanking.account.v1_1.account.AccountsApiController.getAccounts(AccountsApiController.java:116)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Hello Ben,
Thank you for the update.
It's not clear what is the path prefix you wish to link to JCenter.
For example, in the screenshot below, you can see that com/forgerock/openbanking/aspsp/forgerock-openbanking-aspsp does not contain the needed content as explained earlier this week
Moreover, it appears that there other path prefixes does not contain files at all. For example:
com/forgerock/openbanking/aspsp/forgerock-openbanking-cdr-aspsp-rs
com/forgerock/openbanking/aspsp/forgerock-openbanking-cdr-aspsp-as-gateway
/com/forgerock/openbanking/aspsp/forgerock-openbanking-cdr-aspsp-rs
etc..
To be able to submit the request successfully, you have to add the needed files (for all submodules) and only then, you will be able to link your package.
Furthermore, if it's a POM project, you should mark the checkbox of "is pom project" after you click Add to JCenter and make sure all submodules are updated accordingly.
As you may know, a POM project should contain the tag inside the pom set to “pom” (pom).
Here is a link with information about Including Your Package in JCenter.
I hope this clarifies but if not, please let me know and I'll share more details.
Best regards,
Guy Cohen
JFrog Support
The version field in the response of the OIDC well-known endpoint is currently the hightest version of the OB Read/Write APIs that is supported. This doesn't make much sense because a better place to see which versions of the OB APIs are implemented is by looking at the rs discovery endpoint, which contains all the versions for all of the APIs.
What makes more sense is if the OIDC well-known endpoint refers to the version of the Dynamic Client Registration that is implemented.
The OB Dynamic Client Registration specs are here;
https://openbankinguk.github.io/dcr-docs-pub/v3.3/dynamic-client-registration.html
Check the end to end postman file to introduce the change related with the support the test using the CLIENT_CREDENTIALS gran type for few payment methods (GET) that was protected with the wrong grant type AUTHORIZATION_CODE
In order for the toolkit to enable banks to implement open banking standards, the RS API will need to be integrated with the banks RS store.
The banks RS APIs will not conform to the APIs the Toolkits RS API is expected to call, therefore the banks will need to implement a gateway which will be responsible for taking a validated request from the Toolkits RS API and calling the banks RS APIs to fetch or update resources.
We should adopt industry standards for defining said interfaces.
To meet the CDR spec we must implement the getPayeeDetail.
The documentation https://consumerdatastandardsaustralia.github.io/standards/#get-payee-detail
To meet the CDR spec we must implement the getTransactionDetail.
The documentation https://consumerdatastandardsaustralia.github.io/standards/#get-transaction-detail
Spec is here;
https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077806765/Aggregated+Polling+-+v3.1.2#AggregatedPolling-v3.1.2-Basics
From the command line run curl -k --location --request GET 'https://rs.aspsp.master.forgerock.financial/open-banking/discovery' | jq '.'
| grep 'EventAggregatedPolling'
output will be;
"EventAggregatedPolling": "https://matls.rs.aspsp.master.forgerock.financial/open-banking/v3.1.2/event",
Output should be;
"EventAggregatedPolling": "https://matls.rs.aspsp.master.forgerock.financial/open-banking/v3.1.2/events",
To meet the CDR spec we must implement the getProductDetail.
The documentation https://consumerdatastandardsaustralia.github.io/standards/#get-product-detail
The /dto classes are the generated DCR classes generated from the swagger found here;
https://github.com/OpenBankingUK/client-registration-api-specs/tree/v3.2
I have a concern that we don't totally support DCR registration specs. For example the OB DCR spec says
the ASPSP MUST return a client registration error response to the TPP conforming to Section 3.2.2 of [RFC7591]
https://openbankinguk.github.io/dcr-docs-pub/v3.2/dynamic-client-registration.html#error-structure
Find that spec here;
https://tools.ietf.org/html/rfc7591#section-3.2.2
The code didn't do that. I have made changes to fix that for the register journey, but I think the whole of our DCR implementation needs checking to compliance against this spec. I'll create a new issue for that.
Originally posted by @BohoCode in #318 (comment)
Tasks;
Version of API being called is controlled by a section of the URL path containing major version and the x-min-v and x-v headers as described in the following spec;
https://consumerdatastandardsaustralia.github.io/standards/#http-headers
This could be addressed using spring's request mapping with headers;
https://www.baeldung.com/spring-requestmapping#1-requestmapping-with-the-headers-attribute
In order for the rs-api to be a useful resource, ASPSP's should be able to easily integrate with their back end. Having an OpenAPI spec will allow ASPSP's to generate a microservice, this services will call their own APIs in order to satisfy the open banking API requests.
As a ASPSP developer, I want to be able to integrate the toolkit with my bank, so that I can fulfil open banking requests
To access Aggregated Polling API the access token must have a specific scopes.
The defined scopes to access Aggregated Polling API are different between versions.
Scopes by version table
Scope | version | document |
---|---|---|
eventpolling | 3.1.2 | AggregatedPolling-v3.1.2-Scopes |
eventpolling | 3.1.3 | AggregatedPolling-v3.1.3-Scopes |
accounts, fundsconfirmations | 3.1.4 | AggregatedPolling-v3.1.4-Scopes |
accounts, fundsconfirmations | 3.1.5 | AggregatedPolling-v3.1.5-Scopes |
accounts, fundsconfirmations | 3.1.6 | AggregatedPolling-v3.1.6-Scopes |
accounts, fundsconfirmations | 3.1.7 (no implemented yet) | AggregatedPolling-v3.1.7-Scopes |
End To End Tests (Generated)
collection and apply fixes if necessaryDescription
The object returned by each Event Notifications API
version are wrong or null in some cases:
v3.0
spec not define the Links and Meta sections (in that case it's ok)v3.1
and v3.1.1
the Links
and Meta
section returned null valuesv3.1.3
to v3.1.6
returned the Links.self
version v3.1.2Specifications
Example
{
.....
},
"Links": {
"Self": "https://api.alphabank.com/open-banking/v3.1/callback-urls/"
},
"Meta": {}
}
Check APIs List
Expected:
Links
and Meta
section defined by the Spec must be return the proper api version in Links.self
sectionWhen the UI is built it should update the ob-deploy repo's `client_releases/master-dev/releases.json' file to deploy the new version.
To meet the CDR spec we must implement the listDirectDebits.
The documentation https://consumerdatastandardsaustralia.github.io/standards/#get-direct-debits-for-account
Customer Issue: 48067
The response from the /open-banking/v3.1/aisp/accounts
endpoint returns the following sample data;
"Data": {
"Account": [
{
"AccountId": "0cdaa0d0-0875-492d-be47-df617a1d42fe",
"Currency": "GBP",
"AccountType": "Personal",
"AccountSubType": "CreditCard",
"Account": [
{
"SchemeName": "PAN",
"Identification": "525302******7553",
"Name": "Mr Zak Matusak"
}
]
},
{
"AccountId": "1957ee43-faae-4601-bb73-140259039e38",
"Currency": "GBP",
"AccountType": "Personal",
"AccountSubType": "CurrentAccount",
"Nickname": "NickZero",
"Account": [
{
"SchemeName": "SortCodeAccountNumber",
"Identification": "80064711123468",
"Name": "Mr Zak Matusak"
}
]
} ...
As you will notice, "SchemeName” is appearing as SortCodeAccountNumber. This should appear as UK.OBIE.SortCodeAccountNumber.
The specification relating to jwt signing for the Event Read/Write APIs may be found here;
https://openbankinguk.github.io/read-write-api-site3/v3.1.6/profiles/event-notification-api-profile.html#event-notification-message-signing
Specifically this section is of interest;
Event Notification Message Signing
Event Notifications are signed for non-repudiation using the approach defined in the R/W API specification, with the following difference:The JWT's signature (JWS) is sent in the HTTP body of the request, as opposed to a detached JWS sent in the HTTP header.
Currently the event APIs use the same jwt verification methods as the payment APIs which expect the jwt to be in the header of the request rather than the body.
We have had a few customer issues where it has been impossible to determine why TPPs where having trouble with these endpoints. Logging needs to be sufficient to allow us to determine why a specific call resulted in an OBErrorReponseException is called.
We also need to make sure that there is sufficient granularity and information in the OBErrorResponseExceptions to make sure that TPPs can easily diagnose why a call failed. This will reduce support effort for our customers, and also the support load on our team from our customers.
When user (PSU) declines the consent using cancel button the UI doesn't show a notice page to confirm it and the current implementation raise and 500 error.
Sections
Consent Dashboard & Revocation
ASPSPs should advise PSUs that they should contact the associated AISP to
inform them of the cancellation of access and/or understand the consequences of
doing so.
To meet the CDR spec we must implement the listScheduledPaymentsBulk.
The documentation https://consumerdatastandardsaustralia.github.io/standards/#get-scheduled-payments-bulk
The code here listScheduledPaymentsBulk
A Tpp can get the callback url accessing by newer api.
An ASPSP must allow a callback-url resource to be accessed in a newer version.
Example: Access to callback resource created in v3.0 from v3.1 or newer
Change the response when doesn't exist callback url resources.
A TPP must not access a callback-url on an older version, via the CallbackUrlId for a callback-url created in a newer version
When the tpp request the callback URL resources:
List of tasks required to implement this story:
We have a customer issue where isn't clear to determine why TPPs were having trouble with /api/rcs/consent/decision/ endpoint.
Logging needs to be sufficient to allow us to determine why a specific call resulted in an OBErrorReponseException is called.
We also need to make sure that there is sufficient granularity and information in the OBErrorResponseExceptions to make sure that TPPs can easily diagnose why a call failed. This will reduce support effort for our customers, and also the support load on our team from our customers.
The Payment Context Code is a field that exists in the Risk object that is supplied with the payment-order consent and payment-order resources. The Risk object is currently implemented by the OBRisk1 class. See https://openbankinguk.github.io/read-write-api-site3/v3.1.5/profiles/payment-initiation-api-profile.html#obrisk1.
The specifications state that this field has a 0..1 association with the OBRisk1 class, and is therefore optional. There is a requirement from some implementations that it should be possible to configure this field to be a required field. i.e. a 1..1 field.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.