GluuFederation / oxAuth

OAuth 2.0 server and client; OpenID Connect Provider (OP) & UMA Authorization Server (AS)
https://gluu.org/docs/ce
MIT License

FAPI Conformance Suite #961

Closed nynymike closed 4 years ago

nynymike commented 5 years ago

We need to make sure we can comply with these requirements: https://openbanking.atlassian.net/wiki/spaces/DZ/pages/23856067/OB+OIDC+Conformance+Suite

yuriyz commented 5 years ago

We can't run OB OIDC Conformance Suite because we don't have MTLS support, https://github.com/GluuFederation/oxAuth/issues/946

yuriyz commented 5 years ago

We are stuck with this ticket. We have 2 problems:

  1. What is expected by the test suite here?

    ```json
    "resource": {
        "resourceUrl": "https://FIXME-your-resource-server.com/open-banking/v1.1/",
        "institution_id": "value for x-fapi-financial-id header (ie. the banks org id in the directory)"
    }
    ```

  2. When running the simple discovery suite, it shows a blank error:

(screenshot of the blank error omitted)

yuriyz commented 5 years ago

From mail:

For resourceUrl: this needs to point at the base folder (inc. version number) in a resource server that implements the OB accounts API consent creation and ‘get accounts’ endpoints.

See:

https://openbanking.atlassian.net/wiki/spaces/DZ/pages/937656404/Read+Write+Data+API+Specification+-+v3.1

And:

https://openbanking.atlassian.net/wiki/spaces/DZ/pages/937820271/Account+and+Transaction+API+Specification+-+v3.1

The implementations of these can be pretty minimal if you’re not aiming to provide a full bank implementation.

(The obvious next question is: why do I need a resource server; there are two reasons:

a) because an OB compliant AS won’t issue an access token unless you give it an intent_id in the request object, which is obtained from the resource server as per my second link, and
b) because without a resource server we can’t test MTLS access token binding is correctly implemented)

For institution_id - this should be the value your AS is expecting in the x-fapi-financial-id http header; if your AS isn’t integrated to the OB sandbox then you can pick whatever value you like.

For the error message: No idea; it looks like it got some kind of error from the backend API which for some reason it hasn’t reported; switch on network recording in the browser and see what went on. If it is still reproducible and looks like a real bug feel free to raise a bug report at https://gitlab.com/fintechlabs/fapi-conformance-suite/issues/new?nav_source=navbar with the FULL reproduction steps.

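
The mail above explains why the suite needs a resource server: the AS expects a value in the `x-fapi-financial-id` header, and the suite checks that MTLS access-token binding is implemented correctly. The following is an added illustration (not oxAuth or conformance-suite code) of the per-request checks a minimal resource server performs for those two requirements: the header value, token expiry, and the RFC 8705 `cnf.x5t#S256` thumbprint compared against the client certificate presented on the TLS connection. The function names, the certificate bytes, the org id and the token claims are constructed for the example; the JWT signature is assumed to have been verified before these checks run.

```python
"""Resource-server side checks for x-fapi-financial-id and MTLS-bound tokens.
Added example with hypothetical helper names; not oxAuth code."""
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER certificate)) without '=' padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_bound_token(claims: Dict, presented_cert_der: Optional[bytes],
                      headers: Dict[str, str], expected_financial_id: str,
                      now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason).

    `claims` are the already signature-verified JWT claims of the access token;
    `presented_cert_der` is the client certificate taken from the TLS layer."""
    now = time.time() if now is None else now
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive

    # 1. x-fapi-financial-id must be present and match the value the AS/RS was configured with.
    fin_id = lowered.get("x-fapi-financial-id")
    if fin_id is None:
        return False, "missing x-fapi-financial-id header"
    if not hmac.compare_digest(fin_id.encode(), expected_financial_id.encode()):
        return False, "unexpected x-fapi-financial-id"

    # 2. Ordinary lifetime check on the token.
    if claims.get("exp", 0) <= now:
        return False, "token expired"

    # 3. Certificate binding: cnf.x5t#S256 must equal the thumbprint of the presented cert,
    #    so a token stolen from one client cannot be replayed over another client's MTLS session.
    bound = claims.get("cnf", {}).get("x5t#S256")
    if bound is None:
        return False, "token is not certificate-bound (no cnf.x5t#S256)"
    if presented_cert_der is None:
        return False, "no client certificate presented on the MTLS connection"
    if not hmac.compare_digest(bound, x5t_s256(presented_cert_der)):
        return False, "presented certificate does not match cnf.x5t#S256"
    return True, "ok"


# Constructed sample data: these bytes are not real certificates and the claims are not a real token.
CLIENT_CERT_DER = b"\x30\x82\x01\x00CONSTRUCTED-CLIENT-CERT"
OTHER_CERT_DER = b"\x30\x82\x01\x00CONSTRUCTED-OTHER-CERT"
EXPECTED_FINANCIAL_ID = "EXAMPLE-ORG-ID"          # placeholder for the bank's directory org id
SAMPLE_CLAIMS = {
    "sub": "tpp-client-1",
    "exp": 4102444800,                            # 2100-01-01, constructed far-future expiry
    "cnf": {"x5t#S256": x5t_s256(CLIENT_CERT_DER)},
}
SAMPLE_HEADERS = {"x-fapi-financial-id": EXPECTED_FINANCIAL_ID, "Authorization": "Bearer <opaque>"}

if __name__ == "__main__":
    print(check_bound_token(SAMPLE_CLAIMS, CLIENT_CERT_DER, SAMPLE_HEADERS, EXPECTED_FINANCIAL_ID))
    print(check_bound_token(SAMPLE_CLAIMS, OTHER_CERT_DER, SAMPLE_HEADERS, EXPECTED_FINANCIAL_ID))
```

The binding check is the part the suite cannot exercise without a resource server: the AS puts the thumbprint into `cnf` at token issuance, but only the resource server sees both the token and the TLS client certificate on the same request, so only it can reject a token presented over the wrong certificate.
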
yuriyz commented 4 years ago

FAPI RW tests have passed. We will need to pass the CIBA related tests when it's ready.

yuriyz commented 4 years ago

4.2 is certified for FAPI R/W OP w/ MTLS and FAPI R/W OP w/ Private Key. It can be checked on the public page here: https://openid.net/certification/.