This repository contains an example based on the Open Banking Brazil profile that demonstrates how to use a Pre-Processing Procedure to validate a Dynamic Client Registration (DCR) request.

The Open Banking Brazil (also known as Open Banking Brasil or OBB) ecosystem provides a central repository, the "directory", of accredited and trusted clients as well as authorization servers. A registered client retrieves a signed software statement from the directory, the software statement assertion (SSA), which is a signed JWT. The client includes this token in the Dynamic Client Registration request and authenticates with mutual TLS. The authorization server is obliged to verify the software statement assertion according to the specification.

The Curity Identity Server version 6.5 and later supports Pre-Processing Procedures for the DCR endpoint that can be used to validate and manipulate incoming DCR requests. Learn more about using Pre-Processing Procedures for DCR request validation in Open Banking in the related article in Curity's resource library.
Please refer to the profile documentation for the details:
To make this repository self-contained, the deployment uses a mocked infrastructure that simulates the Open Banking Brazil trust management. In particular, the public key infrastructure (PKI) created as part of the deployment contains the following certificate authorities, each with its own scope:

- `trusted-ca`: CA that issues server certificates
- `accredited-ca`: CA that issues client certificates
- `ssa-ca`: CA that signs software statements
Certificates and keys used in the Open Banking Brazil Sandbox environment are also included, so the scripts provided in this repository can be adapted for integration testing the DCR flow in the sandbox environment.

This deployment will only work for Curity Identity Server version 6.5 and higher.

Acquire a license that includes support for FAPI features and copy the license file to `config/license.json`.
The deployment uses the following certificates and keys (found in `certs/`):

- Server certificate and related key for the runtime service of the Curity Identity Server: `example.tls.p12`
- Trusted issuer of client certificates: `accredited-ca.issuer.cer`
- Signature verification key/certificate for the entity signing the software statement assertions: `ssa-ca.issuer.cer`
- Client certificate and related key for testing: `example.client.p12`
- Trust chain to validate the server certificate during testing: `trusted-ca.trustchain.pem`
- Private and public key for signing a software statement used for testing: `ssa-ca.issuer.key` and `ssa-ca.issuer.pub`
- Create the required certificates: `./1-create-certs.sh`
- Configure and run the server with the certificates, TLS and trust settings: `./2-deploy.sh`
The client must provide a software statement during the Dynamic Client Registration process. So, first create a software statement signed with the `ssa-ca` key created during deployment; this is the issuer whose certificate (`ssa-ca.issuer.cer`) the server trusts for software statements.

1. Navigate to oauth.tools.
2. Start a new flow called **Create JWT**.
3. Select **PS256** from the dropdown in the Signature area.
4. Copy the public key from `certs/ssa-ca.issuer.pub` into the field for the Public Key.
5. Copy the private key from `certs/ssa-ca.issuer.key` into the field for the Private Key.
6. Prepare the content of the software statement and DCR request: `./3-prepare-software-statement-data.sh`
7. Copy the content of the file `software-statement/software-statement.json` into the field for the Body and save the Body.
8. Click on **Generate JWT**.
9. Copy the resulting JWT (there is a **Copy to Clipboard** button in the upper right corner of the box).
10. Open `dcr-request.json` and replace the string "Place JWT here" with the JWT from the clipboard.
11. Save `dcr-request.json`.
Run `4-register-DCR-client.sh` to register a client using the client certificate for mutual TLS and the software statement created before.

If successful, the server returns the client metadata that it registered.
If you want to contribute, fork the repository. Copy the git pre-commit hook script into the local `.git/hooks` folder of your repository:

`cp hooks/pre-commit .git/hooks/`

The script prevents you from checking in a license by accident during development.
Please visit curity.io for more information about the Curity Identity Server.