Directory 2.0 Technical Overview v1.5

Version Control

VersionDateAuthorComments
DRAFT 1 Open Banking Directory Team

Initial Release.

This document supersedes the Open Banking Directory Specification v1.3Technical details in the OB Directory Specification v1.3 have for the most part been moved to the Directory API Swagger Specification, and this document should be read in conjunction with this specification, which can be accessed via the GitHub link below:

Draft v1.1 Open Banking Directory Team

General

Links to the Directory API Swagger Specification within the document content have been replaced with  the GitHub link above.

Links to the Directory Sandbox Usage document within the document have been replaced with links to Open Banking Directory Usage - eIDAS release (Directory Sandbox).

Added Appendix C - Certificate profiles with an embedded document that outlines the general procedure to generate Certificate Signing Requests (CSR) for Open Banking Public Key Infrastructure (PKI). This includes example DER encoded QC Statements for all combinations of PSD2 roles.

Manage Certificates and Keys

Replaced the P19 Support for eIDAS Certificates in the OBIE Ecosystem link with a reference to Appendix C documentation in the section eIDAS Certificate Properties.

Replaced the Certificate Profiles link with a reference to Appendix C documentation in the section Open Banking ETSI Conformant Certificates.

Draft v1.2 Open Banking Directory Team

Update to Appendix A - SCIM resources Swagger specification, replacing the linked text with a GitHub link:

v1.3 Open Banking Directory Team

Copy enhancements to the following sections:

Introduction

Primacy of FCA Register and registers maintained by other National Competent Authorities

Use of eIDAS Certificates

Open Banking Certificate Authority

Open Banking Non-ETSI Certificate Properties

Revocation of Account Servicing Payment Service Providers Certificates

Updated the associations for QSeal and OB Seal in the table in the section Manage Certificates and Keys - Overview.

Updated Appendix C - Certificate profiles with an updated version of OpenSSL eIDAS PSD2 Certificate Signing Request Profiles, now v2.1.

v1.4 Open Banking Directory TeamUpdated Appendix C - Certificate profiles with an updated version of OpenSSL eIDAS PSD2 Certificate Signing Request Profiles, now v2.2.
1.5 Open Banking Directory TeamUpdated Appendix C - Certificate profiles with an updated version of OpenSSL eIDAS PSD2 Certificate Signing Request Profiles, now v2.3

Overview

Introduction

The Open Banking Directory is the key Architectural Component that enables Third Party Providers (TPPs)to enrol onto the Open Banking Directory and initiate interactions through APIs with Account Servicing Payment Service Providers (ASPSPs). At its core the Directory is an identity and access management service providing identity information supporting natural persons, organisations and software identity classes.

The Open Banking Directory will provide the necessary functional capabilities required for Third Party Providers (TPPs) that successfully enrolled with Open Banking to identify and onboard with ASPSPs so that they can use the APIs provided by the ASPSPs. . ASPSPs can utilise technical information contained within the Directory to validate organisation and software identity (active/inactive), QTSP validity and member state NCA register status (including passport information).

The functional capabilities can be broken up broadly into three capability groups:

  • Manage Identities and Access: The ability to issue and manage identity records for organisation and natural persons that interact with the Open Banking Directory
  • Manage Certificates and Keys: The ability to upload, manage and remove eIDAS certificates (QWACs and QSeals), signing keys and encryption keys. The ability to issue, manage and revoke OB digital certificates.
  • Manage Directory Information: The ability to update and find information maintained in the Directory - either through APIs and / or a self-service user interface (UI) delivered as a web application.

Design Principles

Adoption of Open Industry Standards

As far as feasible, the design of the Open Banking Directory will be based on industry standards that are open and widely adopted rather than building a new standard from scratch.

Primacy of FCA Register and registers maintained by other National Competent Authorities

Participants must be authorised or registered with their competent authority. The FCA Register will be the primary source of participants that can be added to the Open Banking Directory with PSD2 Authorizations in the UK. Participants that have a passport through their national competent authority register to operate in the UK can also be added to the Open Banking Directory.

Use of eIDAS Certificates

The OB solution allows for the use of eIDAS certificates as a means of asserting firm identities during the onboarding process. Participants holding a QWAC will be able to dynamically register whilst asserting their regulatory status and assured identity. Open Banking will add the additional member state authorisations to an organisation record as this information is not provided under eIDAS. 

High Level Use Cases

TPP only

ASPSP only


TPP and ASPSP

Entity Class Model and Visibility

Entity Class Model

Dynamic Client Registration with Open Banking

TPPs with valid eIDAS (QWAC) certificates will be able to dynamically register in Production with the Directory by using the Directory API. Please refer to the Directory API Swagger Specification for details regarding the API, which can be accessed via the GitHub link below:

  The process for enrolling on the Sandbox, and to Production via the non-dynamic route, is documented separately in Enrolling onto the Open Banking Directory - How To Guide.

Manage Certificates and Keys

Overview

The following matrix shows the possible associations between transport, signing and encryption materials, and organisations/software statements.


QWACQSealOB WACOB SealOB TransportOB SigningSigning KeysEncryption Keys

Associated with

Organisation





Associated with

Software Statement

eIDAS Certificate Properties

eIDAS certificates (QWACs and QSeals) can be uploaded and associated to software statements. This can be done via the Directory Front End Interface or programmatically via the Directory API. Examples of QWACS and QSeals with details of their properties are provided in Appendix C - Certificate Profiles.

Open Banking Certificate Authority

The Open Banking  Certificate Authority (CA) engages with trust service provider, who supports OBIE in the provision of a technical managed service on its behalf.  The  Trust Service provider supports OBIE in the provision of  ETSI conformant certificates (OB WACS and OB Seals) and non-ETSI conformant certificates (OB transport and OB signing certificates).

Open Banking ETSI Conformant Certificates

The properties for OB WACS and OB Seals are detailed in Appendix C - Certificate Profile.

Open Banking Non-ETSI Certificate Properties

The certificates will have the properties listed in the following table.


Logical Field NameDescription
VersionAll certificates will be X.509 v3 certificates
Serial NumberThe serial number for the certificate
Signature Algorithm

The signature algorithm used for signing the certificate.

Certificates will be RSA certificates.

Issuer

A DN representing the issuer of the certificate (Open Banking).

The structure of the DN is to be confirmed.

Validity

The date range for which the certificate will be valid
Subject

A distinct name identifying the subject of the certificate.

DN: C=GB O=OpenBanking OU=organisation_id CN=software_statement_id

Public KeyThe public key corresponding to the private key with which the certificate was signed.

Key Usage

An indication of whether the key will be used for transport (MATLS), encryption or signing.

Domain names

List of domain names that are valid for the certificate

CRL URL

A hyperlink referring to the CRL for the CA that issued the certificate.

OCSP URL

A url referring to the OCSP service for the CA that issued the certificate

Supported Ciphers

The Open Banking Directory will only support the generation of certificates using RSA.

The FAPI Read Write Specification specifies the algorithms that should be used for TLS (Section 8.5) and for digital signatures (Section 8.6).

Section 8.5 states that only the following ciphers should be supported for TLS:

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

For avoidance of doubt, this only applies to the TLS connection between the ASPSP and the TPP and Participants and OB. TPPs and ASPSPs must establish their own standards for TLS connections with PSUs through apps, browsers and other PSU devices.

Section 8.6 states that only PS256 or ES256 should be supported for signing. As the Open Banking certificates are RSA certificates, Open Banking will only support PS256 for signing SSAs and SSO ID Tokens. Participants could upload PS256 or ES256 keys as signing or encryption materials for software statements. ASPSPs advertise support for algorithms on their well known endpoints and TPPs will need to use algorithms supported by them.

References to standards

The design decisions for these capabilities have been based on the following standards:

The FAPI Read Write Specification: http://openid.net/specs/openid-financial-api-part-2.html

RFC 6960 - OCSP: https://tools.ietf.org/html/rfc6960

RFC 6818 - CRL: https://tools.ietf.org/html/rfc6818

Server Name Indication: https://tools.ietf.org/html/rfc6066

Issue Open Banking Certificates

Using the Directory Front End Interface

Using the Directory Front End Interface, Primary Technical Contacts will be able to paste in a Certificate Signing Request (CSR) that they wish to associate with a given software record. The CSR will be validated ensuring:

  • Distinguished Name and all attributes contained within are correct for the given software statement.
  • The keys used are of appropriate length and support the required algorithms

The Directory will store the issued public certificates in PEM format as well as returning them via both the API and DFI.

Should a Primary Technical Contact wish to roll or replace certificates used this will be a simple matter of associating another certificate with an existing software statement.

More than one certificate for a given software statement for both signing and encryption purposes can be active at any time.

Step by step instructions have been published in the updated Open Banking Directory Usage - eIDAS release (Directory Sandbox).

Using the Directory API

Alternatively, participants can issue certificates programmatically via the Directory API. Step by step instructions have been published in the updated Open Banking Directory Usage - eIDAS release (Directory Sandbox). Also, please refer to the Directory API Swagger Specification for details regarding the API, which can be accessed via the GitHub link below:

Revoke Open Banking Certificates

Revocation of Account Servicing Payment Service Providers Certificates

Should an ASPSP lose their regulatory status for a given role or voluntarily withdraw from Open Banking, all software that was registered with that role contained in the collection of software_roles will also be removed. Additionally, all Authorization Server Information that describes technically how to interact with the ASPSP will be removed. 

Revocation of Third Party Providers Certificates

Should a Third Party Provider lose authorisation/registration for a given role or voluntarily withdraw from Open Banking, all software that was registered with that role contained in the collection of software_roles will also be removed. 

Effect of revocation on software statements

Software Statements associated with organisations have the following characteristics:

  • Are immutable with the exception of the certificates, signing and encryption keys and corresponding (KeyID fields), Active status flags and redirect_uri's that are append only.

Should a software statement be revoked then:

  • The status field will be changed to inactive.
  • The KeyIDs for signing, encryption and transport materials cleared of any values.
  • Any OB issued certificates associated with this software statement revoked from the OB CA which will result in a new CRL being generated and this certificate returning revoked states from the OCSP service.
  • The certificates or keys associated with this software statement will be removed from the active JWKS and will be moved to the revoked (inactive) JWKS.

Check Certificate Status

ASPSPs have four mechanisms available to them to identify the revocation of TPPs and/or their apps:

  • Check certificate revocations through OCSP
  • Check certificate revocations through CRL
  • Check certificate / key presence on active JWKS hosted by Open Banking
  • Call SCIM APIs to identify the state of the participant

OCSP

Open Banking's CA will provide an OCSP endpoint. Its location will be minted into certificates issued by the CA into the authority information access extension specified above.

CRL

As a backup, should OCSP be unavailable, the certificate authority will mint multiple CRL locations as per the specification above.

OB will host these CRL endpoints on public Content Delivery Networks. These CRLs will be served over HTTPS and HTTP.

HTTP clients MUST support SNI (Server Name Indication) in order to access the https resources.

A new CRL will be generated when a certificate is revoked and made available on the CDN as close to real time as possible. 

Should there be a discrepancy in speed of propagation between hosting locations, then the order in which the CRL end points will be minted in the CA will be from the fastest to the slowest.

Open Banking Certificate Lookup

The Directory will provide a publicly available store of all OB issued digital certificates implemented as a set of JSON Web Key Stores (JWKS). 

Key Stores

The Directory will provide a number of key stores:

  • A key store for each organisation containing their active certificates, signing and encryption keys
  • A key store for each organisation containing their inactive certificates, signing and encryption keys
  • A key store for each software statement containing its active certificates, signing and encryption keys
  • A key store for each software statement containing its inactive certificates, signing and encryption keys

Additionally, The Directory will also publish all the certificates that it issues as PEM files in a specified folder.

JWK Structure

Each key store will consist of a JSON object with a root attribute of keys. This will be an array of JSON Web Keys with the following claims:

ClaimDescription
kty

Key type. 

This can be EC or RSA

use

Usage for the certificate

This can be sig, tls or enc

key_opsThe key operations supported by this public key contained in the certificate
kid

The SHA-1 hash of the JWK Fingerprint

x5u

A URL that can be used to retrieve the PEM file for the corresponding X.509 certificate.

The PEM file will contain the entire certificate chain

x5c

This will consist of an array with a single element.

The element will be a base64 representing of the X.509 certificate's PEM format representation.

(The JWKS standard allows us to provide a certificate chain as the other elements of the array. However, in order to constrain the size of the JWK, we will only provide the certificate without its chain. If the consumer requires the entire chain, it can be downloaded through the x5u claim.

x5tThe SHA-1 hash of the DER Encoded Certificate https://tools.ietf.org/html/rfc7515.html#section-4.1.7
x5t#s256

The SHA-256 hash of the DER Encoded Certificate https://tools.ietf.org/html/rfc7515.html#section-4.1.8

Open Banking Certificate Lifecycle

Certificate Generation

When a PSP generates a certificate (through the DFI or API software statement creation process), the following JWKS actions will be carried out:

  • The JWK will be added to the organisation's active JWKS
  • The JWK will be added to the software statement's active JWKS
  • A PEM fill will be generated and added to the active PEM folder

Certificate Expiry

At the end of each day, a batch process will check for certificates that have expired and will carry out the following JWKS related actions:

  • The certificate will be removed from the organisation's active JWKS
  • The certificate will be removed from the software statement's active JWKS
  • The certificate will be added to the organisation's inactive JWKS
  • The certificate will be added to the software statement's inactive JWKS

Certificate Revocation

When a certificate is revoked, the following JWKS related actions will be carried out.

  • The certificate will be removed from the organisation's active JWKS
  • The certificate will be removed from the software statement's active JWKS
  • The certificate will be added to the organisation's inactive JWKS
  • The certificate will be added to the software statement's inactive JWKS

This is in addition to CRL and OCSP changes that will be carried out by the CA.

Accessing Open Banking's Signing Certificates

The certificates used by Open Banking for signing software statements can be retrieved through the active and inactive stores just like any other organisation.

However, instead of an organisation id, the parameter value should be "OpenBanking".

The JWK x5u parameter can subsequently be used to retrieve PEM representations of the certificates.


Manage Directory Information

Generate Software Statement Assertion

A TPP-PTC can generate and download a software statement assertion through the Open Banking Directory User Interface.

Alternatively, an SSA for a given software statement can be accessed from the SSA API end-point.

Step by step instructions are provided in the Open Banking Directory Usage - eIDAS release (Directory Sandbox) document.

Retrieving a Signed Software Statement (Software Statement Assertion)

Allows authenticated clients to retrieve a Software Statement Assertion for the given software_id.

To access this endpoint the requesting party must have an access token.

A Software Statement Assertion can only be generated if the Software Statement and its owning TPP are active. If either of the two are marked as inactive, an error will be returned.

Step by step instructions are provided in the Open Banking Directory Usage - eIDAS release (Directory Sandbox) document.

Retrieving a software statement using SCIM APIS

As an alternative to retrieving a Software Statement Assertion, or at any point in time, an ASPSP can retrieve the software statement through the SCIM APIs.

As an example, the following SCIM query retrieves a TPP if the following conditions are met

  • The TPP has a software statement with the given id
  • The Software Statement has the Active flag set to true
  • The TPP has a Competent Authority Claim valid for the member-state GBR
  • The TPP has a role of PISP
  • The TPP authorisation is still Active
https://api.openbanking.cc/scim/v2/OBThirdPartyProviders
	?filter=(urn:openbanking:softwarestatement:1.0:SoftwareStatements
		[Id eq "acfa0d4a-cb33-4867-9bb7-374ca7222b65" 
		and Active eq true]
	) and 
		urn:openbanking:competentauthorityclaims:1.0:Authorisations[
			MemberState eq "GBR" 
			and Psd2Role eq "PISP" 
			and Status eq "Active"
		])
	&attributes=totalResults

Discover ASPSPs

A TPP can discover details of all the ASPSPs onboarded onto the Open Banking Directory by using the APIs described in the section Get PSP Identity Record.

Get PSP Identity Record

The Open Banking Directory provides a set of APIs to allow participants to query identity records of all the participants on the Directory.

The APIs are implemented as a set of SCIM resources.

In order to access the resource, the participant must first get an access token through a client credentials grant.

Scopes

NameDescription
AccountsReadAccessRead access to OBAccounts resource
ASPSPReadAccessSearch on OBAccountPaymentServiceProviders for match on Organisation Id returns ASPSP record minus Personal Account Roles Information
AuthoritiesReadAccessRead access to OBAuthorities resource
QTSPReadAccessRead access to the OBQualifiedTrustServiceProviders resource
TPPReadAccessBulk search on OBThirdPartyproviders returns TPP record plus personal account roles information
TPPReadAllSearch for OBThirdPartyProviders for match on Organisation Id returns TPP record minus personal Account Roles Information

Mapping of Scopes to External Actors


AccountsReadAccessASPSPReadAccessTPPReadAccessTPPReadAllAuthoritiesReadAccessQTSPReadAccessClient Type 
Account Servicing Payment Service Provider (ASPSP)NOYESNOYESYESYES

 ASPSP Client

Third Party Providers / Trusted Third Parties (TPP)NOYESYESNOYESYES TPP Client


End-points

ResourceHTTP OperationEndpointScopeResponse ObjectFine Grained Policy
OBAccountsGETGET /scim/v2/OBAccountsAccountsReadAccessOBAccountOnly the authenticated user's object can be retrieved from this end point.

OBAccountPaymentServiceProviders

GETGET /scim/v2/OBAccountPaymentServiceProvidersASPSPReadAccessOBAccountPaymentServiceProviders

The PersonalAccountRoles values will only be retrieved if the authenticated user is a PTC or an STC for that organization.

Retrieves only the ASPSPs that the PTC or STC is associated with.

ASPSPReadAll

The PersonalAccountRoles values will only be retrieved if the authenticated user is a PTC or an STC for that organization.

Retrieves all ASPSPs.

OBThirdPartyProvidersGETGET /scim/v2/OBThirdPartyProvidersTPPReadAccessOBThirdPartyProviders

The PersonalAccountRoles values will only be retrieved if the authenticated user is a PTC or an STC for that organization.

Retrieves only the TPPs that the PTC or STC is associated with.

OBAuthoritiesGETGET /scim/v2/OBThirdPartyProvidersAuthoritiesReadAccessOBThirdPartyProviders

Retrieves all OBAuthorities.

OBQualifiedTrustServiceProvidersGETGET /scim/v2/OBQualifiedTrustServiceProvidersQTSPReadAccessOBQualifiedTrustServiceProvidersNone

Appendix A - SCIM resources Swagger specification

The SCIM Swagger Specification provides a Swagger specification for the endpoints above and can be accessed via the GitHub link below:

Appendix B - ASPSPs Only

Validate Access Token - Use of Open Banking as an Identity Provider

ASPSPs have the option of using Open Banking as an OIDC Provider (OP).

The endpoints for the Open Banking OIDC provider APIs can be identified using the authorization_endpoint, token_endpoint and registration_endpoint fields from the Directory's .well-known configuration.

The OB identity provider should be used to bootstrap a TPP's Primary Technical Contact onto the ASPSP API Gateway.

OB Directory will not support fine grained roles and permissions, all users will be identified only as TPP-PTCs.

Registration

ASPSPs that require the use of this feature should raise a service request through the service desk. 

The ASPSPs must specify:

  • One or more redirect URIs 
  • The client authentication method that they intend to use.

OIDC Profile Claims

Once a user authenticates using the Open Banking Directory as an identity provider, the id_token that is issued will consist of the following claims.

ClaimTypeExample valueDescription
substringxccsdlkj128789432

Unique Identifier for the Authenticated User

usernamestringxccsdlkj128789432The credential used by the user while logging in. This could be their email address or sales-force id.
emailstringjo.bloggs@openbanking.org.uk
phone_numberstring+44 5173 130 443

A contact phone number (mobile) for the user also used as a second means for a authentication during password resets

tpp_associations_liststring array

[

    "0020E000008jgBfQFX", 

    "0020E000008jgB6&8X"

  ]

A list of the TPP org_id's that this user is associated with in either a PTC or STC capacity.


family_namestringBloggsSurname or Family name
given_namestring

Jo


First name
namestringJo BloggsRequested name string.
tpp_associatedboolean

account_verifiedboolean

aspsp_association_liststring array

aspsp_associatedboolean

The claims can also be accessed through the UserInfo end-point provided by OB (which can be discovered through the Directory's .well-known configuration).

Appendix C - Certificate Profiles

Document

Description
OpenSSL eIDAS PSD2 Certificate Signing Request Profiles v2.3

This document outlines the general procedure to generate Certificate Signing Requests (CSR) for Open Banking Public Key Infrastructure (PKI). It focuses on the method required to generate a CSR for Open Banking ETSI like certificates (OBWAC, OBSeal). It includes configuration files to generate CSRs for OBWAC and OBSeal certificates using OpenSSL. Also, example DER encoded QC Statements for all combinations of PSD2 roles.