Implementing Open Banking with ForgeRock
Slides from the Open Banking Tech Talk

https://www.meetup.com/London-Identity-Tech-Talks/events/242088293/
Slide 1: Implementing Open Banking with ForgeRock
Wayne Blacklock, Customer Engineer
wayne.blacklock@forgerock.com | @WayneBlacklock
© 2017 ForgeRock. All rights reserved.

Slide 2: What is Open Banking?

Slide 3: Banking Won’t Ever Be The Same
Open Banking is cracking banks wide open.
● The CMA9 banks must open up their payment and account services to third parties.
● Customers can leave and take their data with them.
● Entirely new ways of doing business will emerge.
● The UK is leading the way.

Slide 4: A Whole New World
APIs will change everything.
● Pay for purchases directly using your bank account.
● Your bank account as your loyalty card.
● Intelligence driven payment systems and automation.
● Share access to your bank account data.
● Much much more...

Slide 5: Starling Bank Hackathon
Many thanks to my partner Rodney Hoinkes @MABLEapp

Slide 6: Open Banking Now
Open Banking is happening today. In January 2018 Open Banking begins in the UK; as a bank you need to be ready for:
● Onboarding of Third Party service Providers.
● Consent driven API based payment initiation.
● Consent driven API based account information sharing.
PSD2 will rapidly follow across the rest of Europe.

Slide 7: OB / PSD2 Glossary
TPP: Third Party Provider (a PISP or AISP)
ASPSP: Account Servicing Payment Service Provider (a bank)
AISP: Account Information Service Provider (e.g. Moneysupermarket)
PISP: Payment Initiation Service Provider (e.g. Amazon)
SSA: Software Statement Assertion (a TPP's item of proof)
PSU: Payment Services User (you)

Slide 8: Open Banking Powered by ForgeRock

Slide 9: OB & Identity
Digital identity is at the very heart of Open Banking.
Authentication:
● Strong Customer Authentication aligned to PSD2
● Adaptive risk based authentication
● Integration with external authentication providers
Authorization:
● Transaction based authorization
● Granular authorization policy
● Integration with decision engines and external services
Identity Management:
● Customer credential store
● Management of OB elements, e.g. TPPs, SSAs
● Single customer view
API Security:
● Protection of payment initiation and account sharing APIs
OAuth & OIDC:
● Onboarding of TPPs
● Payment initiation flows
● Account information flows
OAuth & OIDC are critically important for implementing OB flows.

Slide 10: OAuth & OIDC
Open Banking is founded upon the use of the OAuth and OpenID Connect (OIDC) standards, and they are used extensively throughout OB.
TPP Onboarding:
● Dynamic client registration for TPP onboarding
Payment Initiation Service Provider (PISP) Flow:
● OIDC Client Credentials flow for payment staging
● OIDC Hybrid* flow for payment consent
● Token validation for API protection
Account Information Service Provider (AISP) Flow:
● OIDC Client Credentials flow for account data request
● OIDC Hybrid* flow for account data consent
● Token validation for API protection
* Hybrid flow used to mitigate the risk of authz code swapping attacks.

Slide 11: Open Banking Building Blocks
ForgeRock provides everything you need to implement Open Banking, and you can swap out any component as required: Workflow, Directory Services, Authorization, API Security, Authentication, Adaptive Risk, Identity Management, OAuth / OIDC.

Slide 12: Open Banking Flows

Slide 13: TPP Onboarding Flow
TPP Onboarding is based on the use of Software Statement Assertions (SSAs). TPPs present an SSA received from OB to the ASPSP; this is then validated and an OAuth client is created that the TPP can use.
Diagram components:
● TPPs (PISPs, AISPs)
● Identity Gateway: Throttling Filter, Scripted Filter
● Access Management: OAuth, OIDC
● Identity Management: OB Directory REST API, Config REST API, object model of TPPs, SSAs and Clients, Scripts
Actions in the flow (steps 1 to 5 of the diagram):
● Register TPP by invoking the OAuth endpoint with a client request JWT including the SSA JWT
● Validate that the SSL cert matches the client
● Validate the SSA against the OB directory automatically
● Create OAuth clients automatically using the API
● Manage relationships between TPPs, SSAs and Clients in IDM
Slide 15: DEMO: TPP Registration Tool
http://forgebank.openrock.org/tppgenerate

Slide 16: PISP / AISP Flows in OB
PISP: Payment Initiation Service Provider Flow
1. Request Payment Initiation
2. Setup Single Payment Initiation
3. Authorize Consent
4. Create Payment Submission
5. Get Payment Submission Status
The PISP flow lets you pay directly using your bank account.

Slide 17: PISP / AISP Flows in OB
AISP: Account Information Service Provider Flow
1. Request Account Information
2. Setup Account Request
3. Authorize Consent
4. Request Data
The AISP flow lets you share your bank account data.

Slide 18: PISP Flow

Slide 19: Setup Single Payment Initiation
Payment staging uses OAuth & OIDC flows to retrieve an access token, which is then used to retrieve a paymentID to securely invoke staging APIs and set up a payment.
Diagram (PISP, Identity Gateway with Payment APIs, OAuth Resource Filter and Throttling Filter, Access Management with OAuth/OIDC):
1. OIDC Client Credential Flow (PISP to Access Management)
2. Access token returned
3. Invoke APIs via the Identity Gateway
4. Validate tokens (Identity Gateway to Access Management)
5. Return a paymentID
Access Management acts as the OAuth Authorization Server; the Identity Gateway acts as the OAuth Resource Server to protect APIs and enforces throttling controls.
Validate OAuth tokens using endpoints:
● Stateless: JWK
● Stateful: tokeninfo
Any API gateway can be used that can invoke the endpoints in AM to validate tokens or token signatures.
Slide 21: Authorize Consent
The payment initiation flow makes use of the paymentID and the OIDC hybrid flow, and requires SCA.
Diagram: the PISP starts an OIDC Hybrid Flow with a request JWT containing the paymentID. Access Management (Authentication, Authorization, Data Stores / Directory Services, Risk Engine, 3rd Party Biometric) validates user credentials, performs SCA with ForgeRock 2FA, integrates with 3rd party authentication services and with external risk & decision engines, and captures consent (Remote Consent / External Consent Capture); Identity Management stores the consent.
Flow highlights (steps 1 to 9 of the diagram):
● Authz code & ID token returned to the PISP
● Validate ID token & authz code
● Exchange authz code for access token
Strong Customer Authentication (SCA): PSD2 mandates SCA. ForgeRock offers OOTB authentication modules including TOTP, HOTP, Push Authentication, Adaptive Risk, Device Fingerprinting and many more. The Scripted module allows rapid integration with 3rd party services.
Slide 24: Create Payment Submission
Payment submission uses the token issued to the PISP to invoke payment APIs.
Diagram (PISP, Identity Gateway with Payment APIs, OAuth Resource Filter and Throttling Filter, Access Management with OAuth/OIDC):
● PISP invokes the payment APIs through the Identity Gateway, which enforces throttling controls
● Validate access token (Identity Gateway to Access Management)
● Validate paymentId from the UserInfo endpoint
Validate OAuth tokens using endpoints:
● Stateless: JWK
● Stateful: tokeninfo
Any API gateway can be used that can invoke the endpoints in AM to validate tokens or token signatures.

Slide 25: AISP Flow

Slide 26: Setup Account Request
Account staging uses OAuth & OIDC flows to retrieve an access token, which is then used to retrieve an accountRequestID to securely invoke staging APIs and set up an information request.
Diagram (AISP, Identity Gateway with Account APIs, OAuth Resource Filter and Throttling Filter, Access Management with OAuth/OIDC):
1. OIDC Client Credential Flow (AISP to Access Management)
2. Access token returned
3. Invoke APIs via the Identity Gateway
4. Validate tokens (Identity Gateway to Access Management)
5. Return an accountRequestID
Access Management acts as the OAuth Authorization Server; the Identity Gateway acts as the OAuth Resource Server to protect APIs and enforces throttling controls.
Validate OAuth tokens using endpoints:
● Stateless: JWK
● Stateful: tokeninfo
Any API gateway can be used that can invoke the endpoints in AM to validate tokens or token signatures.
Slide 27: Authorize Consent
The account information flow makes use of the accountRequestID and the OIDC hybrid flow, and requires SCA.
Diagram: the AISP starts an OIDC Hybrid Flow with a request JWT (labelled "with paymentID" on the slide). Access Management (Authentication, Authorization, Data Stores / Directory Services, Risk Engine, 3rd Party Biometric) validates user credentials, performs SCA with ForgeRock 2FA, integrates with 3rd party authentication services and with external risk & decision engines, and captures consent (Remote Consent / External Consent Capture); Identity Management stores the consent.
Flow highlights (steps 1 to 9 of the diagram):
● Authz code & ID token returned to the AISP
● Validate ID token & authz code
● Exchange authz code for access token and store the access token
Strong Customer Authentication (SCA): PSD2 mandates SCA. ForgeRock offers OOTB authentication modules including TOTP, HOTP, Push Authentication, Adaptive Risk, Device Fingerprinting and many more. The Scripted module allows rapid integration with 3rd party services.
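The "Validate ID token & authz code" step in both the PISP (slide 21) and AISP (slide 27) consent flows is where the hybrid flow's protection against authorization code swapping (the footnote on slide 10) is actually enforced. The following Python is an added example, not code from the deck or from ForgeRock AM: the TPP checks the ID token's signature, issuer, audience, expiry, nonce and c_hash, so a code that was not bound into the signed ID token is rejected before it is exchanged. Assumptions: a symmetric HS256 secret stands in for the AS's asymmetric signing key (a real TPP verifies against the AS's JWK endpoint), and the issuer, client id, nonce and codes are constructed values.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key (assumption): an HS256 secret shared by the toy AS and
# TPP stands in for the AS's real asymmetric key published via its JWKS.
AS_SECRET = b"constructed-demo-key-not-for-production"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def c_hash(code: str) -> str:
    # OIDC Core 3.3.2.11: base64url of the left-most half of SHA-256(code).
    digest = hashlib.sha256(code.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

def issue_id_token(claims: dict) -> str:
    # What the AS does in the hybrid flow: sign the ID token carrying c_hash.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(AS_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def validate_id_token_and_code(id_token: str, code: str, issuer: str,
                               client_id: str, nonce: str, now: float = None) -> dict:
    # TPP-side check before the code is exchanged for an access token.
    # Raises ValueError on any failure; returns the verified claims otherwise.
    header, body, sig = id_token.split(".")
    expected = hmac.new(AS_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("ID token signature invalid")
    claims = json.loads(b64url_decode(body))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != client_id:
        raise ValueError("ID token not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: replayed or foreign response")
    # The binding that defeats code swapping: the code delivered on the
    # redirect must hash to the c_hash inside the signed ID token.
    if not hmac.compare_digest(claims.get("c_hash", ""), c_hash(code)):
        raise ValueError("authorization code does not match ID token")
    return claims
```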
Slide 28: Request Data
Requesting data uses the access token issued to the AISP to invoke APIs.
Diagram (PISP as labelled on the slide, Identity Gateway with Account APIs, OAuth Resource Filter and Throttling Filter, Access Management with OAuth/OIDC):
● Retrieve the stored access token and invoke the request through the Identity Gateway, which enforces throttling controls
● Validate access token (Identity Gateway to Access Management)
● Invoke the Account APIs
Validate OAuth tokens using endpoints:
● Stateless: JWK
● Stateful: tokeninfo
Any API gateway can be used that can invoke the endpoints in AM to validate tokens or token signatures.