Message Signing & Authorisation Redirect
The first release includes two standalone implementations for:
- The Open Banking message signing specification;
- The authorisation redirect from a Third Party Provider (TPP) to a bank (ASPSP).
Along with mutual TLS, the Open Banking specification defines message signing as an additional measure to ensure non-repudiation for specific, sensitive API endpoints from both TPPs and ASPSPs.
The Open Banking signing algorithm requires a JWS library compliant with RFC 7515 (critical header parameters) and RFC 7797 (unencoded and detached payloads). At the time of writing, the Jose4J Java library by Brian Campbell is one of the few that comply with both RFCs. We have wrapped the specification in a small user interface, shown below.
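As an added illustration (not the code of the Context tools and not Jose4J), the following Python sketch shows the two RFC behaviours named above: the RFC 7797 detached, unencoded-payload signing input and the RFC 7515 rule that a verifier rejects a JWS whose `crit` header names a parameter it does not understand. It uses HMAC-SHA256 (HS256) from the standard library as a stand-in for the signature algorithm a production deployment would use, and the key and payload are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Header parameters this verifier understands when they appear in "crit".
# RFC 7515 requires a verifier to reject a JWS whose "crit" names anything else.
UNDERSTOOD_CRIT = {"b64"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def signing_input(encoded_header: str, payload: bytes, b64: bool) -> bytes:
    # RFC 7797: with "b64": false the raw payload bytes are signed unencoded,
    # so header and body are protected while the body travels as plain JSON.
    body = b64url(payload).encode("ascii") if b64 else payload
    return encoded_header.encode("ascii") + b"." + body

def sign_detached(header: dict, payload: bytes, key: bytes) -> str:
    # HS256 with a constructed shared key stands in for the production algorithm.
    encoded_header = b64url(json.dumps(header, separators=(",", ":")).encode())
    data = signing_input(encoded_header, payload, header.get("b64", True))
    mac = hmac.new(key, data, hashlib.sha256).digest()
    # Detached serialisation: the middle segment is empty; the payload is the HTTP body.
    return f"{encoded_header}..{b64url(mac)}"

def verify_detached(jws: str, payload: bytes, key: bytes) -> bool:
    parts = jws.split(".")
    if len(parts) != 3 or parts[1] != "":
        return False
    encoded_header, _, encoded_sig = parts
    header = json.loads(b64url_decode(encoded_header))
    crit = set(header.get("crit", []))
    b64 = header.get("b64", True)
    if header.get("alg") != "HS256" or crit - UNDERSTOOD_CRIT:
        return False
    # A non-default "b64" must be flagged critical, so that verifiers unaware of
    # RFC 7797 reject the message instead of checking the wrong signing input.
    if b64 is False and "b64" not in crit:
        return False
    expected = hmac.new(key, signing_input(encoded_header, payload, b64), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(encoded_sig))
```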
The next tool generates the redirect that sends the end user to their bank to authenticate and authorise an access request. The redirect is specific to the access request and therefore needs to be generated for each consent journey. The small application allows easy configuration of the TPP- and ASPSP-specific settings and makes generating the redirect more user friendly.
For more information about using the tools, including details about the requirements and features, see the project pages at:
- https://github.com/ctxis/OpenBanking-MessageSigning
- https://github.com/ctxis/OpenBanking-AuthorisationRedirect
Please look out for the next release for the Open Banking Burp Suite extension. We are currently finalising the release version.
The Open Banking tools have been released under the MIT license; by downloading them you agree to the terms of the license, which can be found within the GitHub projects.
Burp Extension
The Open Banking Burp Extension offers the following tools for testing Open Banking implementations:
- Manual and automatic message signing;
- User redirect generator;
- Authorisation token catcher.
In addition to the features already offered by the standalone tools described above, Burp Suite allowed us to implement an easy way to sign messages automatically and to listen for the authorisation code in proxied requests.
Please refer to the project page for more information about the Burp Suite extension, including details about the requirements, a video demonstration and the offered features: