© 2017 ForgeRock. All rights reserved.

Page 1: Implementing Open Banking with ForgeRock

Wayne Blacklock, Customer Engineer, [email protected] | @WayneBlacklock


Page 2: What is Open Banking?

Page 3: Banking Won't Ever Be The Same

Open Banking is cracking banks wide open:

● The CMA9 banks must open up their payment and account services to third parties.
● Customers can leave and take their data with them.
● Entirely new ways of doing business will emerge.
● The UK is leading the way.

Page 4: A Whole New World

APIs will change everything:

● Pay for purchases directly using your bank account.
● Your bank account as your loyalty card.
● Intelligence driven payment systems and automation.
● Share access to your bank account data.
● Much much more...

Page 5: Starling Bank Hackathon

Many thanks to my partner Rodney Hoinkes (@MABLEapp).

Page 6: Open Banking Now

Open Banking is happening today. In January 2018 Open Banking begins in the UK; as a bank you need to be ready for:

● Onboarding of Third Party service Providers.
● Consent driven API based payment initiation.
● Consent driven API based account information sharing.

PSD2 will rapidly follow across the rest of Europe.

Page 7: OB / PSD2 Glossary

Term   Meaning                                        Example
TPP    Third Party Provider                           PISP or AISP
ASPSP  Account Servicing Payment Service Provider     Bank
AISP   Account Information Service Provider           Moneysupermarket
PISP   Payment Initiation Service Provider            Amazon
SSA    Software Statement Assertion                   TPP item of proof
PSU    Payment Services User                          You

Page 8: Open Banking Powered by ForgeRock

Page 9: OB & Identity

Digital identity is at the very heart of Open Banking.

Authentication:
● Strong Customer Authentication aligned to PSD2
● Adaptive risk based authentication
● Integration with external authentication providers

Authorization:
● Transaction based authorization
● Granular authorization policy
● Integration with decision engines and external services

Identity Management:
● Customer credential store
● Management of OB elements, e.g. TPPs, SSAs
● Single customer view

API Security:
● Protection of payment initiation and account sharing APIs

OAuth & OIDC:
● Onboarding of TPPs
● Payment initiation flows
● Account information flows

OAuth & OIDC are critically important for implementing OB flows.

Page 10: OAuth & OIDC

Open Banking is founded upon the use of the OAuth and OpenID Connect (OIDC) standards, and they are used extensively throughout OB.

TPP Onboarding: dynamic client registration for TPP onboarding.

Payment Initiation Service Provider (PISP) flow:
● OIDC Client Credentials flow for payment staging
● OIDC Hybrid* flow for payment consent
● Token validation for API protection

Account Information Service Provider (AISP) flow:
● OIDC Client Credentials flow for account data request
● OIDC Hybrid* flow for account data consent
● Token validation for API protection

* Hybrid flow used to mitigate the risk of authz code swapping attacks.

Page 11: Open Banking Building Blocks

ForgeRock provides everything you need to implement Open Banking, and you can swap out any component as required.

Building blocks: OAuth / OIDC; Workflow; Directory Services; Authorization; API Security; Authentication; Adaptive Risk; Identity Management.

Page 12: Open Banking Flows

Page 13: TPP Onboarding Flow

TPP Onboarding is based on the use of Software Statement Assertions (SSAs). TPPs present an SSA received from OB to the ASPSP; this is then validated and an OAuth client created that the TPP can use.

Components in the diagram (steps numbered 1 to 5 in the original figure):
● TPPs (PISPs, AISPs)
● Identity Gateway: Throttling Filter, Scripted Filter
● Access Management: OAuth / OIDC, Config REST API
● Identity Management: REST API object model, scripts; TPP, SSA and Client objects
● OB Directory

Annotations:
● Client request JWT including SSA JWT
● Validate SSL cert matches client
● Validate SSA against OB directory automatically
● Register TPP by invoking OAuth endpoint
● Create OAuth clients automatically using API
● Manage relationships between TPPs, SSAs and Clients in IDM
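The onboarding slide above lists the checks without showing them. The following is an added example, not ForgeRock's or Open Banking's code, of what validating a presented SSA and turning it into an OAuth client can look like. Everything in it is an assumption rather than something the slide states: HS256 with a constructed shared key stands in for the OB directory's asymmetric signing key (real SSAs are verified against the directory's published JWKS), the claim names follow the OB directory SSA format, the mutual-TLS client certificate CN is expected to equal the SSA's software_id, the role-to-scope mapping is AISP to accounts and PISP to payments, and the outer registration request JWT that carries the SSA is not modelled.

```python
"""SSA validation and TPP client registration (added example, not ForgeRock code).
All keys, claim names, identifiers and mappings are constructed assumptions."""
import base64
import hashlib
import hmac
import json
import time

OB_DIRECTORY_KEY = b"constructed-ob-directory-signing-key"  # constructed stand-in for the directory JWKS key
OB_ISSUER = "OpenBanking Ltd"
ROLE_SCOPES = {"AISP": "accounts", "PISP": "payments"}  # assumed role -> scope mapping


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; only used here to construct sample SSAs."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Check the signature and return the claims. The accepted alg is fixed by the
    verifier rather than read from the token, so a caller-chosen alg is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def validate_ssa(ssa: str, now: float) -> dict:
    """Signature, issuer, lifetime and content checks on the SSA presented by a TPP."""
    claims = verify_jwt(ssa, OB_DIRECTORY_KEY)
    if claims.get("iss") != OB_ISSUER:
        raise ValueError("SSA was not issued by the OB directory")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("SSA has expired or carries no exp")
    for required in ("software_id", "org_id", "software_roles", "software_redirect_uris"):
        if not claims.get(required):
            raise ValueError(f"SSA is missing {required}")
    if not set(claims["software_roles"]) <= set(ROLE_SCOPES):
        raise ValueError("SSA carries an unknown role")
    for uri in claims["software_redirect_uris"]:
        if not uri.startswith("https://"):
            raise ValueError(f"non-HTTPS redirect URI in SSA: {uri}")
    return claims


def register_tpp(ssa: str, tls_subject_cn: str, now: float = None) -> dict:
    """Validate the SSA, check it matches the mutual-TLS client certificate, and
    return the OAuth client definition to create in AM."""
    now = time.time() if now is None else now
    claims = validate_ssa(ssa, now)
    if tls_subject_cn != claims["software_id"]:  # the slide's "validate SSL cert matches client"
        raise ValueError("TLS client certificate does not match the SSA")
    return {
        "client_id": claims["software_id"],  # assumption: the client id reuses the software id
        "client_name": claims.get("software_client_name", claims["software_id"]),
        "org_id": claims["org_id"],
        "redirect_uris": list(claims["software_redirect_uris"]),
        "scopes": sorted(ROLE_SCOPES[r] for r in claims["software_roles"]),
        "ssa_jti": claims.get("jti"),  # keeps the TPP -> SSA -> client link for IDM
    }


# Constructed sample SSA, shaped like one the OB directory would issue to a TPP.
SAMPLE_NOW = 1_700_000_000
SAMPLE_SSA_CLAIMS = {
    "iss": OB_ISSUER, "iat": SAMPLE_NOW - 60, "exp": SAMPLE_NOW + 3600, "jti": "ssa-constructed-001",
    "org_id": "ORG-CONSTRUCTED-001", "software_id": "TPP-CONSTRUCTED-001",
    "software_client_name": "Constructed TPP", "software_roles": ["AISP", "PISP"],
    "software_redirect_uris": ["https://tpp.example/callback"],
}
SAMPLE_SSA = sign_jwt(SAMPLE_SSA_CLAIMS, OB_DIRECTORY_KEY)

if __name__ == "__main__":
    print(json.dumps(register_tpp(SAMPLE_SSA, "TPP-CONSTRUCTED-001", SAMPLE_NOW), indent=2))
```

The order matters: the signature is checked before any claim is read, the expected algorithm is pinned by the verifier, and the certificate-to-SSA match is done before a client is created, so a valid SSA replayed by a different TLS identity is rejected. The returned dictionary is what the IDM script would hand to AM's client creation API on the slide.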


Page 15: DEMO: TPP Registration Tool

http://forgebank.openrock.org/tppgenerate

Page 16: PISP / AISP Flows in OB

PISP: Payment Initiation Service Provider Flow

1. Request Payment Initiation
2. Setup Single Payment Initiation
3. Authorize Consent
4. Create Payment Submission
5. Get Payment Submission Status

The PISP flow lets you pay directly using your bank account.

Page 17: PISP / AISP Flows in OB

AISP: Account Information Service Provider Flow

1. Request Account Information
2. Setup Account Request
3. Authorize Consent
4. Request Data

The AISP flow lets you share your bank account data.

Page 18: PISP Flow

Page 19: Setup Single Payment Initiation

Payment staging uses OAuth & OIDC flows to retrieve an access token, which is used to retrieve a paymentID to securely invoke staging APIs and set up a payment.

Components: TPPs (PISP); Access Management (OAuth / OIDC), acting as OAuth Authorization Server; Identity Gateway (OAuth Resource Filter, Throttling Filter), acting as OAuth Resource Server to protect APIs and enforcing throttling controls; Payment APIs.

Steps as labelled in the diagram:
1. OIDC Client Credential Flow
2. Access token
3. Invoke APIs
4. Validate tokens (OR validate tokens)
5. Return a paymentID

Validate OAuth tokens using endpoints:
● Stateless: JWK
● Stateful: tokeninfo

Any API gateway can be used that can invoke the endpoints in AM to validate tokens or token signatures.


Page 21: Authorize Consent (PISP)

Payment initiation flow makes use of the paymentID, OIDC hybrid flow and requires SCA.

Components: TPPs (PISP); Access Management (OAuth / OIDC, Authentication, Authorization, Data Stores); Directory Services (validate user credentials); Risk Engine (integrate with external risk & decision engines); 3rd Party Biometric (integrate with 3rd party authentication services); SCA with ForgeRock 2FA; Remote Consent / External Consent Capture; Identity Management (store consent).

Steps labelled in the diagram (1 to 9):
● OIDC Hybrid Flow with request JWT with paymentID
● Authz code & ID token (7)
● Validate ID token & authz code (8)
● Exchange authz code for access token (9)

Strong Customer Authentication (SCA): PSD2 mandates SCA. ForgeRock offers OOTB authentication modules including TOTP, HOTP, Push Authentication, Adaptive Risk, Device Fingerprinting and many more. The Scripted module allows rapid integration with 3rd party services.


Page 24: Create Payment Submission

Payment submission uses the token issued to the PISP to invoke payment APIs.

Components: TPPs (PISP); Access Management (OAuth / OIDC); Identity Gateway (OAuth Resource Filter, Throttling Filter); Payment APIs.

Steps as labelled in the diagram:
1. Invoke payment APIs
2. Validate access token (OR validate access token)
3. Invoke APIs; validate paymentId from UserInfo endpoint

Enforce throttling controls.

Validate OAuth tokens using endpoints:
● Stateless: JWK
● Stateful: tokeninfo

Any API gateway can be used that can invoke the endpoints in AM to validate tokens or token signatures.

Page 25: AISP Flow

Page 26: Setup Account Request

Account staging uses OAuth & OIDC flows to retrieve an access token, which is used to retrieve an accountRequestID to securely invoke staging APIs and set up an information request.

Components: TPPs (AISP); Access Management (OAuth / OIDC), acting as OAuth Authorization Server; Identity Gateway (OAuth Resource Filter, Throttling Filter), acting as OAuth Resource Server to protect APIs and enforcing throttling controls; Account APIs.

Steps as labelled in the diagram:
1. OIDC Client Credential Flow
2. Access token
3. Invoke APIs
4. Validate tokens (OR validate tokens)
5. Return an accountRequestID

Validate OAuth tokens using endpoints:
● Stateless: JWK
● Stateful: tokeninfo

Any API gateway can be used that can invoke the endpoints in AM to validate tokens or token signatures.

Page 27: Authorize Consent (AISP)

Account information flow makes use of the accountRequestID, OIDC hybrid flow and requires SCA.

Components: TPPs (AISP); Access Management (OAuth / OIDC, Authentication, Authorization, Data Stores); Directory Services (validate user credentials); Risk Engine (integrate with external risk & decision engines); 3rd Party Biometric (integrate with 3rd party authentication services); SCA with ForgeRock 2FA; Remote Consent / External Consent Capture; Identity Management (store consent).

Steps labelled in the diagram (1 to 9):
● OIDC Hybrid Flow with request JWT with paymentID
● Authz code & ID token (7)
● Validate ID token & authz code (8)
● Exchange authz code for access token and store access token (9)

Strong Customer Authentication (SCA): PSD2 mandates SCA. ForgeRock offers OOTB authentication modules including TOTP, HOTP, Push Authentication, Adaptive Risk, Device Fingerprinting and many more. The Scripted module allows rapid integration with 3rd party services.
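Both Authorize Consent slides (the PISP one on page 21 and the AISP one above) end with the TPP validating the ID token and the authorization code before exchanging the code, and page 10 notes that the hybrid flow is chosen to mitigate authorization-code swapping. The example below, added here and not taken from ForgeRock or the Open Banking standards, shows the TPP side of that check: the request object it sends at step 1 and the validation it performs at step 8 on the returned code and ID token. Assumptions not on the slides: the ID token's signature has already been verified against AM's JWKS and only its claims are passed in; the staged paymentID or accountRequestID is requested and returned in an openbanking_intent_id claim; the issuer URL, client id and code are constructed sample values.

```python
"""Hybrid-flow response validation at the TPP (added example, not ForgeRock code).
Claim names, issuer, client id and sample values are constructed assumptions."""
import base64
import hashlib
import hmac
import secrets

HASH_FOR_ALG = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def left_half_hash(value: str, alg: str) -> str:
    """OIDC Core c_hash rule: hash the code with the digest that matches the ID token's
    alg (RS256 -> SHA-256), keep the left-most half, base64url-encode without padding."""
    hasher = HASH_FOR_ALG.get(alg[-3:])
    if hasher is None:
        raise ValueError(f"unsupported alg: {alg}")
    digest = hasher(value.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])


def build_request_object(client_id: str, redirect_uri: str, intent_id: str, scope: str) -> dict:
    """Claims the TPP puts in its signed request JWT at step 1. response_type
    'code id_token' selects the hybrid flow; the staged intent id is bound to the
    ID token through the claims parameter (the claim name is an assumption)."""
    return {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code id_token",
        "scope": scope,
        "nonce": secrets.token_urlsafe(16),  # fresh per request; echoed in the ID token
        "state": secrets.token_urlsafe(16),
        "claims": {"id_token": {"openbanking_intent_id": {"value": intent_id, "essential": True}}},
    }


def validate_hybrid_response(code: str, id_token_claims: dict, alg: str, request: dict, issuer: str) -> bool:
    """Step 8 on the slide. Raises ValueError unless the code is the one this ID token
    was issued with, the response answers our request, and it concerns our consent."""
    aud = id_token_claims.get("aud")
    if request["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("ID token was not issued to this client")
    if id_token_claims.get("iss") != issuer:
        raise ValueError("ID token has an unexpected issuer")
    if id_token_claims.get("nonce") != request["nonce"]:
        raise ValueError("nonce mismatch: response is not tied to our request")
    c_hash = id_token_claims.get("c_hash", "")
    if not c_hash or not hmac.compare_digest(c_hash.encode(), left_half_hash(code, alg).encode()):
        raise ValueError("c_hash mismatch: this code does not belong to this ID token")
    expected_intent = request["claims"]["id_token"]["openbanking_intent_id"]["value"]
    if id_token_claims.get("openbanking_intent_id") != expected_intent:
        raise ValueError("ID token is bound to a different consent")
    return True


# Constructed sample exchange.
ISSUER = "https://am.example/oauth2"  # assumed AM issuer URL
SAMPLE_REQUEST = build_request_object("pisp-constructed-1", "https://tpp.example/callback",
                                      "P-1001", "openid payments")
SAMPLE_CODE = "code-constructed-abc123"


def sample_id_token_claims(code: str = SAMPLE_CODE) -> dict:
    """Claims of a correctly issued ID token for SAMPLE_REQUEST (constructed)."""
    return {
        "iss": ISSUER, "aud": SAMPLE_REQUEST["client_id"], "sub": "psu-constructed-42",
        "nonce": SAMPLE_REQUEST["nonce"], "c_hash": left_half_hash(code, "RS256"),
        "openbanking_intent_id": "P-1001",
    }


if __name__ == "__main__":
    print(validate_hybrid_response(SAMPLE_CODE, sample_id_token_claims(), "RS256", SAMPLE_REQUEST, ISSUER))
```

The c_hash is what makes the hybrid flow useful here: because the signed ID token commits to the code it was issued alongside, a code that was substituted on the front channel fails the comparison and is never sent to the token endpoint, which is the code-swapping risk page 10 refers to. The nonce check ties the response to the TPP's own request, and the intent id check ensures the consent the PSU authorized is the one the TPP staged.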

Page 28: Request Data

Requesting of data uses the access token issued to the AISP to invoke APIs.

Components: TPPs (PISP); Access Management (OAuth / OIDC); Identity Gateway (OAuth Resource Filter, Throttling Filter); Account APIs.

Steps as labelled in the diagram:
1. Retrieve stored access token and invoke request
2. Validate access token (OR validate access token)
3. Invoke APIs

Enforce throttling controls.

Validate OAuth tokens using endpoints:
● Stateless: JWK
● Stateful: tokeninfo

Any API gateway can be used that can invoke the endpoints in AM to validate tokens or token signatures.
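The Create Payment Submission slide (page 24) and the Request Data slide above both place an OAuth resource filter and a throttling filter in front of the APIs, and page 24 adds that the paymentId the token was issued for is checked against the request. The following is an added example, not Identity Gateway code, of those gateway-side checks for both the payment and the account case. Assumptions not on the slides: AM's stateful tokeninfo lookup is modelled by a constructed in-memory table (the stateless JWK path is not shown); the consent id bound to the token is returned as a consent_id field; scope names are payments and accounts; the route shapes and the per-client token-bucket limits are constructed.

```python
"""Gateway resource filter with consent binding and throttling (added example,
not ForgeRock Identity Gateway code). Tokens, routes and limits are constructed."""
import re
from collections import defaultdict

# Constructed stand-in for AM's tokeninfo endpoint: access token -> introspection result.
TOKENINFO = {
    "tok-pisp-001": {"active": True, "client_id": "pisp-1", "scope": ["payments"],
                     "exp": 1_700_000_900, "consent_id": "P-1001"},
    "tok-aisp-001": {"active": True, "client_id": "aisp-1", "scope": ["accounts"],
                     "exp": 1_700_000_900, "consent_id": "A-2002"},
    "tok-expired":  {"active": False, "client_id": "pisp-1", "scope": ["payments"],
                     "exp": 1_600_000_000, "consent_id": "P-1001"},
}

# Constructed routes: (method, path pattern, required scope). The named group captures
# the consent id in the path, which must equal the one the token was issued for.
ROUTES = [
    ("POST", re.compile(r"^/open-banking/payment-submissions/(?P<consent>[^/]+)$"), "payments"),
    ("GET", re.compile(r"^/open-banking/account-requests/(?P<consent>[^/]+)/transactions$"), "accounts"),
]


class Throttle:
    """Token bucket per client: `rate` requests per second, burst of `capacity`."""

    def __init__(self, rate: float, capacity: int):
        self.rate, self.capacity = rate, capacity
        self.state = defaultdict(lambda: [float(capacity), None])  # client -> [tokens, last_ts]

    def allow(self, client_id: str, now: float) -> bool:
        tokens, last = self.state[client_id]
        if last is not None:
            tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.state[client_id] = [tokens, now]
            return False
        self.state[client_id] = [tokens - 1, now]
        return True


def resource_filter(method: str, path: str, bearer: str, now: float, throttle: Throttle):
    """Returns (status, reason): 404 no route, 401 token problem, 429 throttled,
    403 scope or consent mismatch. Only 200 lets the request reach the API."""
    route = next(((m, rx.match(path), scope) for m, rx, scope in ROUTES
                  if m == method and rx.match(path)), None)
    if route is None:
        return 404, "no route"
    _, match, required_scope = route
    info = TOKENINFO.get(bearer)  # stateful validation: ask AM about the token
    if not info or not info["active"] or info["exp"] <= now:
        return 401, "invalid or expired token"
    if not throttle.allow(info["client_id"], now):
        return 429, "client throttled"
    if required_scope not in info["scope"]:
        return 403, f"token lacks scope {required_scope}"
    if match.group("consent") != info["consent_id"]:
        return 403, "token is bound to a different consent"
    return 200, "ok"


if __name__ == "__main__":
    t = Throttle(rate=10, capacity=5)
    for req in [("POST", "/open-banking/payment-submissions/P-1001", "tok-pisp-001"),
                ("POST", "/open-banking/payment-submissions/P-9999", "tok-pisp-001"),
                ("GET", "/open-banking/account-requests/A-2002/transactions", "tok-pisp-001")]:
        print(req[1], resource_filter(*req, now=1_700_000_000, throttle=t))
```

The consent check is the Open Banking specific part: a token obtained through the consent flow is good for exactly one staged payment or account request, so a valid token presented against a different consent id is refused even though its signature, lifetime and scope are all fine. Throttling is keyed on the client id from the validated token rather than on anything the caller supplies.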