Dynamic Client Registration (DCR)
- Version 3.2.1
- Protocol: HTTPS
- Sandbox well-known endpoint: see Channel and market specific API documentation
- Production well-known endpoint: see Channel and market specific API documentation
Introduction
This API exposes the Dynamic Client Registration operations listed below:
- Register a client by way of a Software Statement Assertion
- Get a client by way of Client ID
- Update a client by way of Client ID
Version
Change log and release history:
Version | Sandbox Status | Production Status |
---|---|---|
V3.2.1 | Live | Live |
Feedback and Support
Dive in and start coding your applications. If you get stuck or require additional support, please contact our team using the Contact Us form found under the Help menu.
Dynamic Client Registration (DCR)
Third Party Registration
Third Parties, also referred to as Third Party Service Providers (TSPs) or Third Party Providers (TPPs) need to register their client with HSBC's Open Banking platform. In order to achieve this, Third Parties need to get their software statement issued as per RFC 7591. HSBC supports v3.2 of Dynamic Client Registration in line with OBIE specifications.
- Please note that in version 3.2 of Dynamic Client Registration the request content-type should be `application/jose`.
- Please note that the audience (`aud`) value for the DCR request should be the `issuer` value taken from each brand's well-known configuration.
- Please note that the JWT expiry parameter (`exp`) in the request body should be set to a maximum of 30 minutes after issue.
Market Specific Variations
- Hong Kong
For Hong Kong, Third Parties request access to Production APIs by submitting a request using the Help, Contact Us form in the portal:
- Select 'Open Banking APIs - HK - HSBC Business' or 'Open Banking APIs - HK - HSBC Personal' from the dropdown menu 'Which API does your query relate to?'
- Select 'Production Access' from the dropdown menu 'What does your query relate to?'
On receipt of this information the HSBC support team will review the Third Party's request and begin the process of on-boarding the Third Party to the Open Banking ecosystem. The Software Statement Assertion (SSA) will be securely mailed to the Third Party's registered email address.
- UK/Europe
Third Parties need to register with their National Competent Authority (NCA) and obtain the appropriate certificate for their jurisdiction. Third Parties need to check the address of HSBC's registration endpoint using our well-known endpoints:
Banking Area | Production Well-known Endpoint |
---|---|
HSBC Personal | https://api.ob.hsbc.co.uk/.well-known/openid-configuration |
HSBC Business | https://api.ob.business.hsbc.co.uk/.well-known/openid-configuration |
Marks and Spencer | https://api.ob.mandsbank.com/.well-known/openid-configuration |
first direct | https://api.ob.firstdirect.com/.well-known/openid-configuration |
HSBC Kinetic | https://api.ob.hsbckinetic.co.uk/.well-known/openid-configuration |
HSBC Corporate (HSBCnet - UK) | https://api.ob.hsbcnet.com/.well-known/openid-configuration |
HSBC Corporate (HSBCnet - CE) | https://eu.api.ob.hsbcnet.com/.well-known/openid-configuration |
- Bahrain
Third Parties need to check the address of HSBC's registration endpoint using our well-known endpoints:
Banking Area | Production Well-known Endpoint |
---|---|
HSBC Personal Banking | https://openbanking.hsbc.com.bh/.well-known/openid-configuration |
Third Parties need to register their client in HSBC's Open Banking platform. In order to achieve this, Third Parties need to get their software statement issued first, as per RFC 7591. More information can be found here.
- HSBC will perform pre-requisite configuration changes as part of the registration process.
- Third Parties should generate CSR and CERT files. To generate these, Third Parties can use the configuration files made available by HSBC (sample obwac.cnf and obseal.cnf below).
- Third Parties are required to issue self-signed OBWAC-style AND OBSEAL-style certificates once a valid CSR has been generated for the client being onboarded. Both OBWAC-style and OBSEAL-style certificates must contain the following fields:
  - qcStatement of type in DER format as described in the sample obwac.cnf and obseal.cnf below. At least one qcStatement MUST be in the certificate.
  - qcStatement of type qcType. MUST be either qcType Web or qcType Seal.
  - Organisational Identifier MUST be in the subject name.
- For more information on Bahrain QBWAC and QBSEAL certificates please review the Bahrain Digital Signatures section below.
- Third Parties need to call the POST /register endpoint with the relevant roles: the TPP should select which roles they need to register for (PIS, AIS, CBPII, ASPSP) and which country they will operate in.
Software Statements
A software statement can be issued by any actor that is trusted by its authorisation server. For holders of OBWAC / OBSEAL certificates, TPPs will be issued with a software statement from the OBIE Directory - see here for more information. TPPs using eIDAS certificates can generate a self-signed software statement (self-signed SSA) - see here for further information. A complete list of all fields required for a self-signed SSA is provided in the tables below.
Metadata | Description | Optional/Mandatory | Source Specification |
---|---|---|---|
`software_id` | Unique Identifier for TPP Client Software | M | [RFC7591] |
`iss` | SSA Issuer | M | [RFC7519] |
`iat` | Time SSA issued | M | [RFC7519] |
`jti` | JWT ID | M | [RFC7519] |
Metadata | Description | Optional/Mandatory | Field Size |
---|---|---|---|
`software_client_id` | The Client ID Registered at OB used to access OB resources | M | Base62 GUID (22 chars) |
`software_client_description` | Human-readable detailed description of the client | O | Max256Text |
`software_client_name` | Human-readable Software Name | O | Max40Text |
`software_client_uri` | The website or resource root uri | O | Max256Text |
`software_version` | The version number of the software should a TPP choose to register and / or maintain it | O | decimal |
`software_environment` | Requested additional field to avoid certificate check | O | Max256Text |
`software_jwks_endpoint` | Contains all active signing and network certs for the software | M | Max256Text |
`software_jwks_revoked_endpoint` | Contains all revoked signing and network certs for the software | O | Max256Text |
`software_logo_uri` | Link to the TPP logo. Note, ASPSPs are not obliged to display images hosted by third parties | O | Max256Text |
`software_mode` | ASPSP Requested additional field to indicate that this software is `Test` or `Live`; the default is `Live`. Impact and support for `Test` software is up to the ASPSP. | O | Max40Text |
`software_on_behalf_of_org` | A reference to the fourth party organisation resource on the OB Directory if the registering TPP is acting on behalf of another. | O | Max40Text |
`software_policy_uri` | A link to the software's policy page | O | Max256Text |
`software_redirect_uris` | Registered client callback endpoints as registered with Open Banking | M | A string array of Max256Text items |
`software_roles` | A multi value list of PSD2 roles that this software is authorized to perform. | M | A string array of Max256Text items |
`software_tos_uri` | A link to the software's terms of service page | O | Max256Text |
Metadata | Description | Optional/Mandatory | Field Size |
---|---|---|---|
`organisation_competent_authority_claims` | Authorisations granted to the organisation by an NCA | | CodeList {`AISP`, `PISP`, `CBPII`, `ASPSP`} |
`org_status` | Included to cater for voluntary withdrawal from OB scenarios | | `Active`, `Revoked`, or `Withdrawn` |
`org_id` | The Unique TPP or ASPSP ID held by OpenBanking. | M | HSBC Implementation support |
`org_name` | Legal Entity Identifier or other known organisation name | O | Max140Text |
`org_contacts` | JSON array of objects containing a triplet of name, email, and phone number | O | Each item Max256Text |
`org_jwks_endpoint` | Contains all active signing and network certs for the organisation | O | Max256Text |
`org_jwks_revoked_endpoint` | Contains all revoked signing and network certs for the organisation | O | Max256Text |
Header parameter | Description | Optional/Mandatory | Field Size |
---|---|---|---|
`typ` | MUST be set to `JWT` | M | |
`alg` | MUST be set to `PS256` | M | |
`kid` | The kid will be kept the same as the `x5t` parameter (X.509 Certificate SHA-1 Thumbprint) of the signing certificate. | M | |
Software statements are checked by the ASPSP on TPP registration / request for access.
Third Parties perform dynamic registration using payloads of the following shape:
Software Statement Sample (Full)
```json
{
  "software_mode": "Live",
  "software_environment": "TODO",
  "software_client_uri": "https://TODO.com",
  "software_logo_uri": "https://TODO.com",
  "software_policy_uri": "https://TODO.com",
  "software_tos_uri": "https://TODO.com",
  "software_on_behalf_of_org": "https://www.tsp.com",
  "software_client_description": "software statement for testing purposes",
  "software_jwks_revoked_endpoint": "https://TODO.com",
  "software_roles": ["AISP"],
  "org_jwks_endpoint": "https://TODO.com",
  "org_status": "Active",
  "org_contacts": [],
  "organisation_competent_authority_claims": [],
  "org_id": "5cb8572403f0df001d",
  "org_name": "ABC Merchant Ltd.",
  "org_jwks_revoked_endpoint": "https://TODO.com",
  "software_client_name": "ABC Merchant Ltd.",
  "iss": "2fNwVYePN8WqqDFvVf7XMN",
  "iat": 1556445993,
  "jti": "45903DAE-3174-4E9E-9047-BBAE9C1A723F",
  "software_client_id": "2qY9COoAhfMrsH7mCyh86T",
  "software_redirect_uris": ["https://www.tsp.com/", "https://www.tsp.com/ack"],
  "software_id": "2qY9COoAhfMrsH7mCyh86T",
  "software_jwks_endpoint": "https://www.tsp.com/jwks/public.jwks"
}
```
Software Statement Sample (Minimal)
```json
{
  "software_on_behalf_of_org": "https://www.tsp.com",
  "software_roles": ["AISP"],
  "org_id": "5cb8572403f0df001d",
  "org_name": "ABC Merchant Ltd.",
  "software_client_name": "ABC Merchant Ltd.",
  "iss": "2fNwVYePN8WqqDFvVf7XMN",
  "iat": 1556445993,
  "jti": "45903DAE-3174-4E9E-9047-BBAE9C1A723F",
  "software_client_id": "2qY9COoAhfMrsH7mCyh86T",
  "software_redirect_uris": ["https://www.tsp.com/", "https://www.tsp.com/ack"],
  "software_id": "2qY9COoAhfMrsH7mCyh86T",
  "software_jwks_endpoint": "https://www.tsp.com/jwks/public.jwks"
}
```
Register payload sample (the claim set of the signed JWT sent to POST /register; `iss` is left empty in this sample)
```json
{
  "iss": "",
  "aud": "https://api.ob.hangseng.com",
  "scope": "openid accounts",
  "redirect_uris": ["https://www.tsp.com/", "https://www.tsp.com/ack"],
  "response_types": ["code id_token"],
  "grant_types": ["authorization_code", "refresh_token", "client_credentials"],
  "application_type": "mobile",
  "id_token_signed_response_alg": "PS256",
  "request_object_signing_alg": "PS256",
  "token_endpoint_auth_method": "private_key_jwt",
  "token_endpoint_auth_signing_alg": "PS256",
  "software_id": "2qY9COoAhfMrsH7mCyh86T",
  "software_statement": "{Software Statement signed JWT token}",
  "exp": 1674206304,
  "iat": 1555506046,
  "jti": "45903DAE-3174-4E9E-9047-BBAE9C1A723F"
}
```
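As an added example (not part of this page and not HSBC's own code), the following Python builds the POST /register claim set from a brand's well-known document and pre-flight checks it against the rules stated on this page (`application/jose` content type, `PS256`, `aud` equal to the well-known `issuer`, `exp` at most 30 minutes after `iat`, a supported `token_endpoint_auth_method`, `kid` equal to the signing certificate's SHA-1 thumbprint) before it is signed. The well-known document, certificate bytes and timestamps are constructed placeholders, and `iss` is assumed to be the `software_id` (the OBIE profile's convention; the page's own sample leaves it empty). The PS256 signature itself is left to a JOSE library operating on the returned signing input.

```python
import base64
import hashlib
import json

# Rules this page states for the POST /register request JWT.
MAX_EXP_SECONDS = 30 * 60                      # exp at most 30 minutes after iat
REQUIRED_CONTENT_TYPE = "application/jose"     # DCR v3.2 content type
SUPPORTED_AUTH_METHODS = {"private_key_jwt", "tls_client_auth"}
REGISTER_SCOPES = {"accounts", "payments", "fundsconfirmations"}

# Constructed stand-ins: in practice fetch the well-known document over HTTPS
# and load the DER of the signing (OBSEAL/QSEAL) certificate from disk.
WELL_KNOWN = {"issuer": "https://issuer.example.invalid",
              "registration_endpoint": "https://issuer.example.invalid/register"}
CERT_DER = b"constructed placeholder, not a real certificate"
NOW = 1_700_000_000


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def x5t_thumbprint(cert_der: bytes) -> str:
    """JWS x5t: base64url(SHA-1(DER certificate)); the page uses this value as kid."""
    return b64url(hashlib.sha1(cert_der).digest())


def build_request(well_known: dict, cert_der: bytes, now: int):
    """Header and claim set for the DCR request, prior to signing."""
    header = {"alg": "PS256", "typ": "JWT", "kid": x5t_thumbprint(cert_der)}
    claims = {
        "iss": "2qY9COoAhfMrsH7mCyh86T",          # assumption: software_id doubles as iss
        "aud": well_known["issuer"],               # aud must be the well-known issuer
        "scope": "openid accounts",
        "redirect_uris": ["https://www.tsp.com/", "https://www.tsp.com/ack"],
        "response_types": ["code id_token"],
        "grant_types": ["authorization_code", "refresh_token", "client_credentials"],
        "application_type": "web",
        "id_token_signed_response_alg": "PS256",
        "request_object_signing_alg": "PS256",
        "token_endpoint_auth_method": "private_key_jwt",
        "token_endpoint_auth_signing_alg": "PS256",
        "software_id": "2qY9COoAhfMrsH7mCyh86T",
        "software_statement": "<signed SSA JWT placeholder>",
        "iat": now,
        "exp": now + 5 * 60,                       # well inside the 30 minute limit
        "jti": "45903DAE-3174-4E9E-9047-BBAE9C1A723F",
    }
    return header, claims


def preflight(header, claims, well_known, cert_der, now, content_type) -> list:
    """Return the rule violations found; an empty list means the request may be signed and sent."""
    problems = []
    if content_type != REQUIRED_CONTENT_TYPE:
        problems.append(f"Content-Type must be {REQUIRED_CONTENT_TYPE}")
    if header.get("alg") != "PS256":
        problems.append("alg must be PS256")
    if header.get("typ") != "JWT":
        problems.append("typ must be JWT")
    if header.get("kid") != x5t_thumbprint(cert_der):
        problems.append("kid must be the x5t (SHA-1 thumbprint) of the signing certificate")
    if claims.get("aud") != well_known["issuer"]:
        problems.append("aud must equal the issuer from the well-known configuration")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not (isinstance(iat, int) and isinstance(exp, int)):
        problems.append("iat and exp must be integer epoch seconds")
    else:
        if exp <= now:
            problems.append("exp is already in the past")
        if exp - iat > MAX_EXP_SECONDS:
            problems.append("exp must be at most 30 minutes after iat")
    scopes = set(str(claims.get("scope", "")).split())
    if "openid" not in scopes or not scopes & REGISTER_SCOPES:
        problems.append("scope must contain openid plus accounts, payments and/or fundsconfirmations")
    method = claims.get("token_endpoint_auth_method")
    if method not in SUPPORTED_AUTH_METHODS:
        problems.append(f"unsupported token_endpoint_auth_method: {method}")
    if method == "tls_client_auth" and not claims.get("tls_client_auth_subject_dn"):
        problems.append("tls_client_auth requires tls_client_auth_subject_dn")
    if not claims.get("software_statement"):
        problems.append("software_statement (signed SSA) is required")
    return problems


def signing_input(header, claims) -> bytes:
    """JWS signing input base64url(header).base64url(payload); sign with PS256 and append the signature."""
    def enc(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    return f"{enc(header)}.{enc(claims)}".encode("ascii")


if __name__ == "__main__":
    hdr, clm = build_request(WELL_KNOWN, CERT_DER, NOW)
    print("problems:", preflight(hdr, clm, WELL_KNOWN, CERT_DER, NOW, "application/jose"))
    print("signing input:", signing_input(hdr, clm)[:60], "...")
```

Running the checks against the well-known document the request will actually be sent to catches the most common rejection causes (an `aud` copied from an endpoint URL rather than the `issuer`, a long-lived `exp`, a JSON content type) before the signed request ever reaches the registration endpoint.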
Digital Signatures
Market Variations
- UK/Europe
QSEALs or OBSEALs will also be required by TPPs to enable the digital signature feature. Use of a digital signature to sign payloads is mandatory.
Onward Provisioning – TPP / Agent name display options
Please note that TPPs must ensure that they have registered using the appropriate fields so that the correct information is displayed to customers.
Options | Display | Display Rule | Client Name | Org Name | 'On Behalf Of' Name | What will display |
---|---|---|---|---|---|---|
When <org name> & <Client Name> are available & both are same & <Software on behalf name> not available | All (single name and key point) | Use <Client Name> as TPP name | ABC Company Ltd | ABC Company Ltd | N/A | ABC Company Ltd |
When <org name> & <Client Name> are available & both are different & <Software on behalf name> not available | All (single name and key point) | Use <Client Name> as TPP name | ABC Trades | ABC Company Ltd | N/A | ABC Trades |
When <org name> & <Client Name> are available & both are same & <Software on behalf name> is available & is same as well | All (single name and key point) | Use <Client Name> as TPP name | ABC Company Ltd | ABC Company Ltd | ABC Company Ltd | ABC Company Ltd |
When <org name> & <Client Name> are available & both are different & <Software on behalf name> is available & is same as the <org name> | Both names to be displayed(1): <Agent> on behalf of <TPP> | Use <softwareOnBehalf> as Agent; use <Client Name> as TPP | ABC Trades | ABC Company Ltd | ABC Company Ltd | ABC Company Ltd on behalf of ABC Trades |
When <org name> & <Client Name> are available & both are different & <Software on behalf name> is available & is same as the <Client Name> | All (single name and key point) | Use <Client Name> as TPP name | ABC Trades | ABC Company Ltd | ABC Trades | ABC Trades |
When <org name> & <Client Name> are available & both are same & <Software on behalf name> is available & is different from both | Both names to be displayed(1): <Agent> on behalf of <TPP> | Use <softwareOnBehalf> as Agent; use <Client Name> as TPP | ABC Company Ltd | ABC Company Ltd | OBO Ltd | OBO Ltd on behalf of ABC Company Ltd |
When <org name> & <Client Name> are available & both are different & <Software on behalf name> is available & is different from both | Both names to be displayed(1): <Agent> on behalf of <TPP> | Use <softwareOnBehalf> as Agent; use <Client Name> as TPP | ABC Trades | ABC Company Ltd | OBO Ltd | OBO Ltd on behalf of ABC Trades |
(1) Both names will always be displayed at the consent set-up step; however, for simplicity, a single name may be displayed in some non-key steps within the journey.
- Bahrain OBWAC-style
An OBWAC-style CSR can be generated by following the steps below.
Update the obwac.cnf file. This file is used to generate the OBWAC-style CSR using openssl. A sample obwac.cnf is shown below:
```ini
####################################obwac.cnf###########################################
oid_section = new_oids
[ new_oids ]
organizationIdentifier = 2.5.4.97 # OpenSSL may not recognize this OID so need to add.
[ req ]
default_bits = 2048 # RSA key size
encrypt_key = yes # Protect private key: yes or no. yes recommended
default_md = sha256 # MD to use. sha256 recommended
utf8 = yes # Input is UTF-8.
string_mask = utf8only # Emit UTF-8 strings
prompt = no # Prompt for DN. yes or no.
distinguished_name = client_dn # DN template. Mandatory to include organizationIdentifier
req_extensions = client_reqext # Desired extensions. Mandatory to include DER qcStatements
[ client_dn ]
countryName = "BH" # Country code - see doc above
organizationName = "HSBC UK Bank Plc" # Organizational name
organizationIdentifier = "PSDBH-CBB-765112" # Must be in format as shown above
commonName = "00158000016i44JAAQ" # Subject common name
[ client_reqext ]
keyUsage = critical,digitalSignature # Must be critical
extendedKeyUsage = clientAuth, serverAuth # Must be defined as shown above
subjectKeyIdentifier = hash # Hash value to calculate SKI
qcStatements = DER:30793013060604008e4601063009060704008e46010603306206060400819827023058303530330607040081982701020c065053505f50490607040081982701030c065053505f41490607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
#########################################################################################
```
The items highlighted in RED need to be modified by the TPP.
organizationIdentifier - The organizationIdentifier "PSDBH-CBB-765112" denotes a certificate issued to a PSP whose authorization number is 765112 and whose authorization was granted by the CBB. Other examples can include the use of non-alphanumeric characters, such as "PSDBE-NBB-1234.567.890", "PSDFI-FINFSA-1234567-8" and "PSDMT-MFSA-A 12345" (note the space character after "A").
Create the qcStatement for the OBWAC-style certificate:
Below are sample qcStatements in DER format for the various TPP roles (and role combinations):
```text
PSP_AS qcStatements=DER:30573013060604008e4601063009060704008e46010603304006060400819827023036301330110607040081982701010c065053505f41530c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_PI qcStatements=DER:30573013060604008e4601063009060704008e46010603304006060400819827023036301330110607040081982701020c065053505f50490c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_AI qcStatements=DER:30573013060604008e4601063009060704008e46010603304006060400819827023036301330110607040081982701030c065053505f41490c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_IC qcStatements=DER:30573013060604008e4601063009060704008e46010603304006060400819827023036301330110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_AS PSP_PI qcStatements=DER:306a3013060604008e4601063009060704008e46010603305306060400819827023049302630110607040081982701010c065053505f415330110607040081982701020c065053505f50490c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_AS PSP_AI qcStatements=DER:306a3013060604008e4601063009060704008e46010603305306060400819827023049302630110607040081982701010c065053505f415330110607040081982701030c065053505f41490c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_AS PSP_IC qcStatements=DER:306a3013060604008e4601063009060704008e46010603305306060400819827023049302630110607040081982701010c065053505f415330110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_PI PSP_IC qcStatements=DER:306a3013060604008e4601063009060704008e46010603305306060400819827023049302630110607040081982701020c065053505f504930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_AI PSP_IC qcStatements=DER:306a3013060604008e4601063009060704008e46010603305306060400819827023049302630110607040081982701030c065053505f414930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_AS PSP_PI PSP_AI qcStatements=DER:307d3013060604008e4601063009060704008e4601060330660606040081982702305c303930110607040081982701010c065053505f415330110607040081982701020c065053505f504930110607040081982701030c065053505f41490c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_AS PSP_PI PSP_IC qcStatements=DER:307d3013060604008e4601063009060704008e4601060330660606040081982702305c303930110607040081982701010c065053505f415330110607040081982701020c065053505f504930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_AS PSP_AI PSP_IC qcStatements=DER:307d3013060604008e4601063009060704008e4601060330660606040081982702305c303930110607040081982701010c065053505f415330110607040081982701030c065053505f414930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_PI PSP_AI PSP_IC qcStatements=DER:307d3013060604008e4601063009060704008e4601060330660606040081982702305c303930110607040081982701020c065053505f504930110607040081982701030c065053505f414930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_AS PSP_PI PSP_AI PSP_IC qcStatements=DER:3081903013060604008e4601063009060704008e4601060330790606040081982702306f304c30110607040081982701010c065053505f415330110607040081982701020c065053505f504930110607040081982701030c065053505f414930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
```
The above values can be modified using an ASN.1 editor and parser, for example the tool available at https://www.sysadmins.lv/projects/asn1editor/default.aspx:
- Open the sample qcStatement (listed above, according to your roles) and edit the details as required.
- After changing the details, create the hexadecimal encoding using the "Open data converter" option.
- Copy the generated HEX value into the conf file.
Once generated, the qcStatement HEX value can also be validated using the tool below:
Once the obwac.cnf file is ready, run the command below to generate obwac.csr (and the matching private key obwac.key):
```shell
openssl req -new -config obwac.cnf -out obwac.csr -keyout obwac.key
```
Once the certificate is generated, TPPs must share it with HSBC so that it can be added to the trust store.
- Bahrain OBSEAL-style
The same steps described above for OBWAC-style need to be followed to generate obseal.csr.
Create the obseal.cnf file:
```ini
#########################################obseal.cnf#######################################
oid_section = new_oids
[ new_oids ]
organizationIdentifier = 2.5.4.97 # OpenSSL may not recognize this OID so need to add.
[ req ]
default_bits = 2048 # RSA key size
encrypt_key = yes # Protect private key: yes or no. yes recommended
default_md = sha256 # MD to use. sha256 recommended
utf8 = yes # Input is UTF-8.
string_mask = utf8only # Emit UTF-8 strings
prompt = no # Prompt for DN. yes or no.
distinguished_name = client_dn # DN template. Mandatory to include organizationIdentifier
req_extensions = client_reqext # Desired extensions. Mandatory to include DER qcStatements
[ client_dn ]
countryName = "BH" # Country code - see doc above
organizationName = "HSBC UK Bank Plc" # Organizational name
organizationIdentifier = "PSDBH-CBB-765112" # Must be in format as shown above
commonName = "00158000016i44JAAQ" # Subject common name
[ client_reqext ]
keyUsage = critical,digitalSignature,nonRepudiation # Must be critical
subjectKeyIdentifier = hash # Hash value to calculate SKI
qcStatements = DER:30793013060604008e4601063009060704008e46010602306206060400819827023058303530330607040081982701020c065053505f50490607040081982701030c065053505f41490607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
#########################################################################################
```
The fields highlighted in RED need to be updated with the TPP's details.
Sample qcStatement values for the OBSEAL-style certificate, by TPP role, are shown below:
```text
PSP_AS qcStatements=DER:30573013060604008e4601063009060704008e46010602304006060400819827023036301330110607040081982701010c065053505f41530c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_PI qcStatements=DER:30573013060604008e4601063009060704008e46010602304006060400819827023036301330110607040081982701020c065053505f50490c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_AI qcStatements=DER:30573013060604008e4601063009060704008e46010602304006060400819827023036301330110607040081982701030c065053505f41490c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_IC qcStatements=DER:30573013060604008e4601063009060704008e46010602304006060400819827023036301330110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_AS PSP_PI qcStatements=DER:306a3013060604008e4601063009060704008e46010602305306060400819827023049302630110607040081982701010c065053505f415330110607040081982701020c065053505f50490c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_AS PSP_AI qcStatements=DER:306a3013060604008e4601063009060704008e46010602305306060400819827023049302630110607040081982701010c065053505f415330110607040081982701030c065053505f41490c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_AS PSP_IC qcStatements=DER:306a3013060604008e4601063009060704008e46010602305306060400819827023049302630110607040081982701010c065053505f415330110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_PI PSP_AI qcStatements=DER:306a3013060604008e4601063009060704008e46010602305306060400819827023049302630110607040081982701020c065053505f504930110607040081982701030c065053505f41490c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_PI PSP_IC qcStatements=DER:306a3013060604008e4601063009060704008e46010602305306060400819827023049302630110607040081982701020c065053505f504930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_AI PSP_IC qcStatements=DER:306a3013060604008e4601063009060704008e46010602305306060400819827023049302630110607040081982701030c065053505f414930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_AS PSP_PI PSP_AI qcStatements=DER:307d3013060604008e4601063009060704008e4601060230660606040081982702305c303930110607040081982701010c065053505f415330110607040081982701020c065053505f504930110607040081982701030c065053505f41490c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_AS PSP_PI PSP_IC qcStatements=DER:307d3013060604008e4601063009060704008e4601060230660606040081982702305c303930110607040081982701010c065053505f415330110607040081982701020c065053505f504930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_AS PSP_AI PSP_IC qcStatements=DER:307d3013060604008e4601063009060704008e4601060230660606040081982702305c303930110607040081982701010c065053505f415330110607040081982701030c065053505f414930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_PI PSP_AI PSP_IC qcStatements=DER:307d3013060604008e4601063009060704008e4601060230660606040081982702305c303930110607040081982701020c065053505f504930110607040081982701030c065053505f414930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
PSP_AS PSP_PI PSP_AI PSP_IC qcStatements=DER:3081903013060604008e4601063009060704008e4601060230790606040081982702306f304c30110607040081982701010c065053505f415330110607040081982701020c065053505f504930110607040081982701030c065053505f414930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242
```
Use the same steps as described for OBWAC-style to generate the HEX value for the obseal.cnf qcStatement.
Once generated, update the obseal.cnf file and run the command below to generate obseal.csr (and the matching private key obseal.key):
```shell
openssl req -new -config obseal.cnf -out obseal.csr -keyout obseal.key
```
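Both the OBWAC-style and the OBSEAL-style steps above have the TPP paste a hand-edited DER hex value into the cnf file, and a single wrong byte (a Seal qcType in an OBWAC request, a role OID that no longer matches its label) only surfaces when HSBC rejects the certificate. The following Python, added here as an example and not HSBC's tooling, decodes such a value with a small DER walker and checks it against the rules the page states: qcType Web for OBWAC-style, qcType Seal for OBSEAL-style, at least one PSD2 role, and each role OID matching its text label. The OID constants are those of ETSI EN 319 412-5 (QcType) and ETSI TS 119 495 (PSD2 roles); the sample hex values are copied from the lists on this page.

```python
# OIDs from ETSI EN 319 412-5 (QcType) and ETSI TS 119 495 (PSD2 qcStatement and roles).
OID_QC_TYPE = "0.4.0.1862.1.6"
QC_TYPE_NAMES = {"0.4.0.1862.1.6.1": "esign", "0.4.0.1862.1.6.2": "eseal", "0.4.0.1862.1.6.3": "web"}
OID_PSD2_QC = "0.4.0.19495.2"
PSD2_ROLE_PREFIX = "0.4.0.19495.1."
ROLE_NAME_BY_OID = {PSD2_ROLE_PREFIX + "1": "PSP_AS", PSD2_ROLE_PREFIX + "2": "PSP_PI",
                    PSD2_ROLE_PREFIX + "3": "PSP_AI", PSD2_ROLE_PREFIX + "4": "PSP_IC"}
# Page rule: OBWAC-style carries qcType Web, OBSEAL-style carries qcType Seal.
EXPECTED_QC_TYPE = {"obwac": "web", "obseal": "eseal"}
TAG_SEQUENCE, TAG_OID, TAG_UTF8 = 0x30, 0x06, 0x0C

# Sample values copied from this page: OBWAC PSP_AS, OBSEAL PSP_AS and the obwac.cnf sample.
OBWAC_PSP_AS = ("30573013060604008e4601063009060704008e4601060330400606040081982702303630133011"
                "0607040081982701010c065053505f41530c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242")
OBSEAL_PSP_AS = ("30573013060604008e4601063009060704008e4601060230400606040081982702303630133011"
                 "0607040081982701010c065053505f41530c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242")
OBWAC_CNF_SAMPLE = ("30793013060604008e4601063009060704008e46010603306206060400819827023058303530330607040081982701020c06"
                    "5053505f50490607040081982701030c065053505f41490607040081982701040c065053505f4943"
                    "0c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242")


def _read_length(buf, i):
    """DER length: short form (< 0x80) or long form (0x8n followed by n length bytes)."""
    first = buf[i]
    i += 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    return int.from_bytes(buf[i:i + n], "big"), i + n


def _decode_oid(body):
    """Base-128 OID arcs; the first byte packs the first two arcs (40 * a + b)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_der(buf, start=0, end=None):
    """Parse a run of DER TLVs into (tag, value) nodes; constructed nodes hold a list of children."""
    end = len(buf) if end is None else end
    nodes, i = [], start
    while i < end:
        tag = buf[i]
        length, i = _read_length(buf, i + 1)
        if i + length > end:
            raise ValueError("DER length runs past the end of the enclosing element")
        body = buf[i:i + length]
        if tag & 0x20:                                   # constructed (SEQUENCE, SET, ...)
            nodes.append((tag, parse_der(buf, i, i + length)))
        elif tag == TAG_OID:
            nodes.append((tag, _decode_oid(body)))
        elif tag == TAG_UTF8:
            nodes.append((tag, body.decode("utf-8")))
        else:
            nodes.append((tag, bytes(body)))
        i += length
    return nodes


def _leaves(nodes):
    """Primitive nodes in document order, however deeply the role entries are nested."""
    for tag, value in nodes:
        if isinstance(value, list):
            yield from _leaves(value)
        else:
            yield tag, value


def inspect_qc_statements(hex_der: str) -> dict:
    """Summarise a qcStatements value (with or without the 'DER:' prefix used in the cnf files)."""
    hex_der = hex_der.split("DER:", 1)[-1].strip()
    (tag, statements), = parse_der(bytes.fromhex(hex_der))     # outer SEQUENCE OF QCStatement
    if tag != TAG_SEQUENCE:
        raise ValueError("qcStatements must be a SEQUENCE")
    result = {"qc_type": None, "roles": [], "role_oids": [], "nca_name": None, "nca_id": None}
    for _, statement in statements:
        (_, statement_id), (_, info) = statement             # QCStatement ::= { statementId, statementInfo }
        if statement_id == OID_QC_TYPE:
            result["qc_type"] = QC_TYPE_NAMES.get(info[0][1], info[0][1])
        elif statement_id == OID_PSD2_QC:
            # PSD2QcType ::= SEQUENCE { rolesOfPSP, nCAName UTF8String, nCAId UTF8String }
            roles_node, (_, nca_name), (_, nca_id) = info
            leaves = list(_leaves(roles_node[1]))
            for (t1, oid), (t2, name) in zip(leaves[::2], leaves[1::2]):
                if t1 == TAG_OID and t2 == TAG_UTF8 and oid.startswith(PSD2_ROLE_PREFIX):
                    result["role_oids"].append(oid)
                    result["roles"].append(name)
            result["nca_name"], result["nca_id"] = nca_name, nca_id
    return result


def check_profile(hex_der: str, profile: str) -> list:
    """Problems found when the value is meant for the given profile ('obwac' or 'obseal')."""
    summary = inspect_qc_statements(hex_der)
    want = EXPECTED_QC_TYPE[profile]
    problems = []
    if summary["qc_type"] != want:
        problems.append(f"qcType is {summary['qc_type']} but {profile} requires {want}")
    if not summary["roles"]:
        problems.append("no PSD2 role present")
    for oid, name in zip(summary["role_oids"], summary["roles"]):
        if ROLE_NAME_BY_OID.get(oid) != name:
            problems.append(f"role OID {oid} is labelled {name!r}, expected {ROLE_NAME_BY_OID.get(oid)!r}")
    return problems


if __name__ == "__main__":
    print(inspect_qc_statements(OBWAC_CNF_SAMPLE))
    print(check_profile(OBWAC_PSP_AS, "obwac"), check_profile(OBWAC_PSP_AS, "obseal"))
```

Run `check_profile` on the exact string that ends up after `DER:` in the cnf file, once for the intended profile; the same decoder can be pointed at the `qcStatements` extension of the issued certificate on the receiving side to confirm the trust-store entry advertises only the roles the TPP was onboarded for.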
Implemented Endpoints
Endpoints | Markets Implemented | Mandatory |
---|---|---|
POST /register | All | Conditional |
GET /register/{ClientId} | UK/Europe & Bahrain | Optional |
PUT /register/{ClientId} | UK/Europe & Bahrain | Optional |
DELETE /register/{ClientId} | None | Optional |
POST /register:
- TPPs must include a complete ClientName and OrganisationName during the registration process. Both names should be:
- Semantically and syntactically correct
- Adhere to data integrity rules including correct capitalisation, consistent use of abbreviations and spacing
- If an agent is acting on behalf of the TPP, the agent name (Trading name of the Agent Company) must be provided within “software_on_behalf_of_org”.
- The audience `aud` value should be the issuer from the well-known endpoint.
GET /register:
- This endpoint should be used only to request the existing registration details for a client id. The request's Authorization header should carry a Bearer token: an access_token retrieved from /token with the client_credentials grant_type.
PUT /register:
- TPPs may use this endpoint to update existing registration details. Relevant checks will be performed to ensure the updates are valid/allowed; an error message will be returned in case of failure.
- The request should contain the response received from GET /register as a JWT, and the request's Authorization header should carry a Bearer token: an access_token retrieved from /token with the client_credentials grant_type.
- Note that the entire GET /register payload is expected in the PUT /register payload as well. Any value that does not need updating is still expected to be sent in the request.
- The same applies to scope updates: all scopes for which registration is required must be sent. For example, if a TPP is registered with the accounts scope and wants payments added via PUT /register, the value expected in the payload is "accounts payments". The scope in PUT /register is treated as a complete replacement of the existing value, not appended to it.
- The following fields can be updated via PUT/register:
Fields which can be updated using PUT/register |
---|
exp |
grant_types |
iat |
id_token_signed_response_alg |
iss |
jti |
redirect_uris |
response_types |
scope |
software_id |
software_statement |
request_object_signing_alg |
token_endpoint_auth_method |
token_endpoint_auth_signing_alg |
Supported Authentication Methods
Method | Supported |
---|---|
private_key_jwt | Y (All Markets) |
client_secret_jwt | N |
client_secret_basic | N |
client_secret_post | N |
tls_client_auth | Y (UK/Europe & Bahrain) |
Clarification on Scope parameter
Endpoint | Journey | Scopes | Notes |
---|---|---|---|
/register | PIS | "scope": "openid payments" | A Journey needs to be chosen based on TPP specialization |
/register | AIS | "scope": "openid accounts" | |
/register | CoF | "scope": "openid fundsconfirmations" | |
/register | PIS, AIS, CoF | "scope": "openid payments accounts fundsconfirmations" | |
/token with "client_credentials" grant type | PIS | "scope": "payments" | OpenID should not be included in client credentials |
/token with "client_credentials" grant type | AIS | "scope": "accounts" | |
/token with "client_credentials" grant type | CoF | "scope": "fundsconfirmations" | |
/authorize | PIS | "scope": "openid payments" | A Journey needs to be chosen based on TPP specialization |
/authorize | AIS | "scope": "openid accounts" | |
/authorize | CoF | "scope": "openid fundsconfirmations" | |
Please note that when calling the "token" endpoint with grant_type "authorization_code" or "refresh_token" you must not send the "scope" parameter. If you do, this will result in the error code "invalid_request".
Please note that the audience, “aud” value in JWT for the /token endpoint should be https://<banking area>/obie/open-banking/v1.1/oauth2/token.
For example: https://api.ob.hsbc.co.uk/obie/open-banking/v1.1/oauth2/token for HSBC Personal.
private_key_jwt
tls_client_auth
If MTLS tls_client_auth is used the tls_client_auth_subject_dn claim in the registration JWT must contain the full DN (Distinguished Name) of the transport certificate that the TPP will present to the ASPSP token endpoint to establish mutual TLS connection. The order of the attributes must also be the same as in the certificate subject value. Please note that this should not include the word ‘Subject’, but only the DN value inside the ‘Subject’ object field.
For example, a valid value would be:
CN=00158000016i44JAAQ,2.5.4.97=#131050534447422D4643412D373635313132,O=HSBC UK Bank Plc,C=GB
Expected format of tls_client_auth_subject_dn follows a string representation -- as defined in [RFC4514] -- of the DN. Please refer to https://tools.ietf.org/html/rfc4512#section-2 for formal definition of DN, RDN and attribute value assertion (AVA).
Currently supported short names for attribute types (descriptor - https://tools.ietf.org/html/rfc4514#section-2):
Short name | OID |
---|---|
CN | 2.5.4.3 |
C | 2.5.4.6 |
L | 2.5.4.7 |
S | 2.5.4.8 |
ST | 2.5.4.8 |
O | 2.5.4.10 |
OU | 2.5.4.11 |
T | 2.5.4.12 |
IP | 1.3.6.1.4.1.42.2.11.2.1 |
STREET | 2.5.4.9 |
DC | 0.9.2342.19200300.100.1.25 |
DNQUALIFIER | 2.5.4.46 |
DNQ | 2.5.4.46 |
SURNAME | 2.5.4.4 |
GIVENNAME | 2.5.4.42 |
INITIALS | 2.5.4.43 |
GENERATION | 2.5.4.44 |
EMAIL | 1.2.840.113549.1.9.1 |
EMAILADDRESS | 1.2.840.113549.1.9.1 |
UID | 0.9.2342.19200300.100.1.1 |
SERIALNUMBER | 2.5.4.5 |
Multiple keywords are available for one OID.
Attribute types not present on above list should be encoded as the dotted-decimal encoding, a “numericoid”, of its OBJECT IDENTIFIER. The “numericoid” is defined in [RFC4512].
Example:
1.3.6.1.4.1.311.60.2.1.3=PL
Full Example:
CN=[value],serialNumber=[value],OU=[value],O=[value],C=[value],ST=[value],2.5.4.97=[value],2.5.4.15=[value],1.3.6.1.4.1.311.60.2.1.3=[value]
*[value] represents any value – it is a placeholder for real value.
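As an added example that is not part of this page, the following Python produces the `tls_client_auth_subject_dn` string from an ordered list of subject attributes: attribute types in the list above get their short name, anything else is written as its numericoid, string values are escaped per RFC 4514 section 2.4, and a value supplied as raw BER bytes (tag plus content) is written in the `#hex` form the page's organizationIdentifier example uses. Extracting the attributes from the transport certificate is assumed to be done separately (for instance with an X.509 library), and the input order is taken as the order in which the DN is to be presented, which the page requires to match the certificate subject. A small claim check also catches the "Subject" prefix the page warns against.

```python
# Short names the page lists as supported, keyed by OID; one keyword is emitted per OID.
SHORT_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O",
    "2.5.4.11": "OU", "2.5.4.12": "T", "1.3.6.1.4.1.42.2.11.2.1": "IP", "2.5.4.9": "STREET",
    "0.9.2342.19200300.100.1.25": "DC", "2.5.4.46": "DNQ", "2.5.4.4": "SURNAME",
    "2.5.4.42": "GIVENNAME", "2.5.4.43": "INITIALS", "2.5.4.44": "GENERATION",
    "1.2.840.113549.1.9.1": "EMAIL", "0.9.2342.19200300.100.1.1": "UID", "2.5.4.5": "SERIALNUMBER",
}
PRINTABLE_STRING = 0x13   # ASN.1 tag used in the page's organizationIdentifier example


def escape_value(value: str) -> str:
    """RFC 4514 section 2.4 escaping of an attribute value in string form."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def hex_value(tag: int, content: bytes) -> str:
    """'#' followed by the hex of the BER TLV (short-form length only, i.e. content < 128 bytes)."""
    if len(content) >= 128:
        raise ValueError("long-form lengths are not handled by this example")
    return "#" + bytes([tag, len(content)]).hex().upper() + content.hex().upper()


def dn_string(rdns) -> str:
    """Build the DN string from [(oid, value)] in presentation order.
    value is either a str (escaped) or a (tag, bytes) tuple (emitted as #hex)."""
    parts = []
    for oid, value in rdns:
        name = SHORT_NAMES.get(oid, oid)            # unknown types fall back to the numericoid
        if isinstance(value, tuple):
            parts.append(f"{name}={hex_value(*value)}")
        else:
            parts.append(f"{name}={escape_value(value)}")
    return ",".join(parts)


def check_claim_value(dn: str) -> list:
    """Problems with a candidate tls_client_auth_subject_dn claim value."""
    problems = []
    if dn.lstrip().lower().startswith("subject"):
        problems.append("claim must hold the DN value only, without a 'Subject' prefix")
    if "=" not in dn:
        problems.append("claim is not a DN string")
    return problems


# Constructed subject matching the page's example value, in presentation order.
EXAMPLE_SUBJECT = [
    ("2.5.4.3", "00158000016i44JAAQ"),
    ("2.5.4.97", (PRINTABLE_STRING, b"PSDGB-FCA-765112")),   # organizationIdentifier, not in the short-name list
    ("2.5.4.10", "HSBC UK Bank Plc"),
    ("2.5.4.6", "GB"),
]

if __name__ == "__main__":
    dn = dn_string(EXAMPLE_SUBJECT)
    print(dn)
    print(check_claim_value("Subject: " + dn))
```

Because the ASPSP compares the claim against the DN of the certificate presented at the token endpoint, generate the string from the certificate's own attributes rather than typing it, and keep the `#hex` form for any type whose value the TPP's tooling cannot round-trip as a plain string.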
Message signing
x-jws-signature
The `iss` value in the x-jws-signature header must match the full DN of the signing certificate.