PSD2 consent administration

Hi,

We're working on exposing our PSD2 API via Apigee, using ForgeRock/OpenAM as the IdP and letting Apigee handle the 3-legged OAuth flow. Part of our PSD2 approach is that we will present a consent UI where the customer can select which accounts are exposed and what type of interaction is allowed (account info and/or payments). We want to store the customer's consent choices when allowing third parties to access their account information and/or make payments on their behalf. Does Apigee (Cloud version) have the ability to store these consent choices (authorizations), or would you rather store this in the IdP?

Kind regards

Meint

Solved

1 ACCEPTED SOLUTION

@Meint Post, welcome to the Apigee Community!

Yes, Apigee supports this functionality out of the box using scopes. You can specify which scopes are permitted in the API Product when you package APIs. When users authorize the app, they are presented with consent choices, which are nothing but scopes. When the access token is generated, this information is captured as part of the access token metadata. You can use this information to validate which APIs the app may access when the access token is presented. The Verify Access Token policy retrieves this information and makes it available as flow variables at run time for validation. It's the standard OAuth 2.0 3-legged workflow, and Apigee supports it out of the box.

You can find more information related to working with scopes here. Hope it helps. Keep us posted if you have any further queries.


5 REPLIES


Thanks Anil!

@Meint Post, glad it's helpful. Keep us posted if anything further comes up.

@Meint Post,

I too have to integrate with ForgeRock from Apigee SaaS as well as private cloud.

Can you tell me how you have integrated it?

Regards,

Pratyush

Hi Pratyush,

We haven't done this work yet; we're in the investigation phase. How we plan to do it is to use the Apigee-recommended way, which is to use OpenID Connect, with token handling and consent administration at Apigee, and to use ForgeRock as the IdP. Apigee has the capabilities for this, and the integration appears to be relatively straightforward. So during an OpenID Connect authentication, Apigee will check the provided user credentials with ForgeRock to confirm there is a matching account and, if so, provide the necessary tokens to the customer to allow access to the APIs. We are planning to have Apigee inject an HTTP header once authentication is successful to communicate the consent settings to our backend services, so the backend service can deal correctly with the API requests coming from the client application.

I hope this helps

Kind regards

Meint
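The following is an added example, not code from this thread, from Apigee, or from Meint's project. It models the chain the accepted answer describes (consent choices become scopes, the API Product's scope list is the allow-list, the token carries the scopes, and enforcement checks them when the token is presented) and the header hand-off to the backend that Meint's last post plans. One caveat it makes explicit: scopes in an API Product are a fixed list, so "account info" and "payments" map cleanly onto scopes, but "which accounts" does not; the example keeps the selected account IDs as an attribute of the token record alongside the scopes (Apigee access tokens can carry custom attributes, but that detail is mine, not something the answer states). All names, the in-memory token store, the route patterns and the header format are hypothetical.

```javascript
// Added example (not code from the thread or from Apigee): consent -> scopes
// -> access token -> enforcement, plus the consent header for the backend.
// Names, routes and the token store are hypothetical.

// Scopes permitted by the API Product (the static allow-list you configure).
const PRODUCT_SCOPES = new Set(["accounts", "payments"]);

// Scope each proxied operation requires.
const OPERATION_SCOPE = {
  "GET /accounts": "accounts",
  "GET /accounts/{id}/balances": "accounts",
  "POST /payments": "payments",
};

// 1. Consent UI answers -> scope string. The product list is the allow-list:
// a permission the UI asks for that the product does not define is an error.
function scopesFromConsent(consent, productScopes = PRODUCT_SCOPES) {
  const granted = [];
  if (consent.accountInfo) granted.push("accounts");
  if (consent.payments) granted.push("payments");
  for (const s of granted) {
    if (!productScopes.has(s)) throw new Error("scope not in API Product: " + s);
  }
  return granted.join(" ");
}

// 2. Token issuance. Scopes carry the interaction type; the chosen account
// IDs are not scopes, so they ride along as an attribute of the token record.
const tokenStore = new Map(); // hypothetical in-memory store, keyed by token value

function issueToken(tokenValue, consent, clientId, now = Date.now()) {
  // tokenValue must be unguessable in practice (random, not derived from consent)
  tokenStore.set(tokenValue, {
    client_id: clientId,
    scope: scopesFromConsent(consent),
    consented_accounts: new Set(consent.accounts || []),
    expires_at: now + 3600 * 1000, // one-hour lifetime, an assumption
  });
  return tokenValue;
}

// Map a request to an operation and the account it touches. For a payment
// the account is the debtor account from the request body.
function matchOperation(req) {
  const m = /^\/accounts\/([^/]+)\/balances$/.exec(req.path);
  if (req.method === "GET" && m) return { op: "GET /accounts/{id}/balances", accountId: m[1] };
  if (req.method === "GET" && req.path === "/accounts") return { op: "GET /accounts", accountId: null };
  if (req.method === "POST" && req.path === "/payments") {
    return { op: "POST /payments", accountId: (req.body && req.body.debtorAccount) || null };
  }
  return { op: null, accountId: null };
}

// 3. Enforcement when the token is presented: validity, expiry, required
// scope, and (where the request names an account) consent for that account.
function authorize(tokenValue, req, now = Date.now()) {
  const tok = tokenStore.get(tokenValue);
  if (!tok) return { ok: false, reason: "invalid_token" };
  if (now >= tok.expires_at) return { ok: false, reason: "expired_token" };
  const { op, accountId } = matchOperation(req);
  if (!op) return { ok: false, reason: "unknown_operation" };
  if (!tok.scope.split(" ").includes(OPERATION_SCOPE[op])) {
    return { ok: false, reason: "insufficient_scope" };
  }
  if (op === "POST /payments" && accountId === null) {
    return { ok: false, reason: "missing_debtor_account" };
  }
  if (accountId !== null && !tok.consented_accounts.has(accountId)) {
    return { ok: false, reason: "account_not_consented" };
  }
  return { ok: true, reason: "", token: tok };
}

// 4. Header value the gateway forwards to the backend after a successful
// check, so the backend sees the consent without re-deriving it. The gateway
// must strip any copy of this header arriving from the client first.
function consentHeader(tok) {
  const accounts = [...tok.consented_accounts].sort().join(",");
  return "scope=" + tok.scope + ";accounts=" + accounts;
}
```

Two points the code makes that the prose leaves implicit: the account check happens at the gateway per request, not only at consent time, so a token scoped for "accounts" still cannot read an account the customer did not tick; and the consent header is only trustworthy if the backend accepts it solely from the gateway (inbound copies stripped, and the gateway-to-backend hop authenticated, for instance with mutual TLS).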