-
Notifications
You must be signed in to change notification settings - Fork 1
IG Scripts
The prebuilt ScriptableFilters and ScriptableHandlers for IG are located in the secure-api-gateway-ob-uk repository. You can access them by navigating to config > 7.2.0 > securebanking > ig > scripts > groovy.
These ScriptableFilters and ScriptableHandlers are used in the prebuilt routes alongside OOTB filters and handlers.
This filter adds a detached signature to the HTTP response.
- Filter source: AddDetachedSig.groovy
- Process type: RESPONSE
- Filter processing:
- The detached signature is a signed JWT with the response entity as the payload. The JWT is added as a response header with the payload removed.
- If there is an error creating the signed JWT or the detached signature has the wrong number of dots, an
Internal Server Erroris returned.
This filter adds the gateway access token to the downstream request.
- Filter source: AddGatewayAuthorization.groovy
- Process type: REQUEST
- Filter processing:
- Copies the IG bearer token to the token request so that it is accessible from the Identity Cloud or AM token modification script.
- If token request authorization isn't available for whatever reason, an
Internal Server Erroris returned.
This filter ensures the client certificate includes the required AISP or PISP role for the current route; the role type is configured in the routeArgRole parameter.
- Filter source: ApiClientRoleCheck.groovy
- Process type: REQUEST
- Filter processing:
- Checks the transport certificate for the roles appropriate to the request.
- Retrieves the client certificate from the attributes context - clientCertificate.roles object:
- If the configured role matches the ones from the client certificate roles, the processing is allowed to continue.
- If there are no roles found on the client certificate, a
Bad Requestresponse is returned. - If the configured role doesn't match the ones from the client certificate, a
Forbiddenresponse is returned.
This filter updates the AS well-known configuration returned by Identity Cloud or AM.
- Filter source: ASWellKnownFilter.groovy
- Process type: RESPONSE
- Filter processing:
- Modifies the well-known response to restrict the supported auth methods to the ones defined in the tokenEndpointAuthMethodsSupported filter arg.
- Modifies the well-known response to replace the IG hostname with the MTLS hostname for the endpoints defined in the mtlsEndpoints arg.
This filter prepares the consent audit trail in JSON format.
- Filter source: AuditConsent.groovy
- Process type: REQUEST
This filter ensures that the access token required for accessing the API must have at last one scope of configured 'allowedScopes'
- Filter source: VerifyAccessTokenScopes.groovy
- Process type: REQUEST
- Filter Processing:
- Requires the filter
OAuth2ResourceServerFilterto inject the access token in the OAuth2Context before validate the scopes - Get the
access_token infofrom the OAuth2Context and validates the scopes against the allowed scopes configured
- Requires the filter
This filter registers the TPP organisation and OAuth 2.0 client in Identity Cloud or IDM.
- Filter source: CreateApiClient.groovy
- Process type: REQUEST
- Filter processing:
- Reads the OIDC dynamic registration response and creates the apiClientOrg managed object in Identity Cloud or IDM.
- If there isn't any registration data in the response, a
Bad Requestresponse is returned.
- If there isn't any registration data in the response, a
- Reads the OIDC dynamic registration response and creates the apiClientOrg managed object in Identity Cloud or IDM.
The filter verifies that the current access token's grant type is allowed in the allowedGrantType field.
- Filter source: GrantTypeVerifier.groovy
- Process type: REQUEST
- Filter processing:
- If the grant type value is validated, continue the filter chain.
- If the grant type does not correspond to the configured one, a
401 Unauthorizederror is returned and the filter chain is interrupted.
This filter creates the SSA payload.
- Filter source: JwkmsBuildSSA.groovy
- Process type: REQUEST
- Filter processing:
- Checks that the client certificate contains all the required details.
- If the certificate itself is missing, or does not contain a CN or org identifier, a
Bad Requestresponse is returned. - If the org identifier is the wrong length, a
Forbiddenresponse is returned.
- If the certificate itself is missing, or does not contain a CN or org identifier, a
- Builds the SSA payload.
- Checks that the client certificate contains all the required details.
This filter checks the jwks_uri against a list of authorised JWKS hosts.
- Filter source: JWKSProxyProcessRequest.groovy
- Process type: REQUEST
- Filter processing:
- If the proxy URL is badly formatted, a
Bad Requestresponse is returned. - If the authorised JWKS hosts list is missing or cannot be parsed, an
Internal Server Erroris returned. - If one of the authorised hosts is not permitted, a
Forbiddenresponse is returned.
- If the proxy URL is badly formatted, a
This filter checks for an Open Banking compliant header and adds one if it's missing, and also ensures the response is compliant.
- Filter source: ObResponseCheck.groovy
- Process type: RESPONSE
- Filter processing:
- Ensures that the response has a FAPI interaction ID header. If the response doesn't already contain the
x-fapi-interaction-idheader, then the filter will generate a random one. - Verifies the response status. If the status is in the client or server error response families and the error is not compliant with the Open Banking Specifications, the response body is modified accordingly.
- Ensures that the response has a FAPI interaction ID header. If the response doesn't already contain the
This filter retrieves the certificate from the header, processes it and saves it to the clientCertificate object.
- Filter source: ParseCertificate.groovy
- Process type: REQUEST
- Filter processing:
- Retrieves a certificate from the configured header on the parameter routeArgCertificateHeader.
- If the header is not found, an error response is returned.
- If the header is found, the value is URL decoded and then initialised as an X.509 certificate. The resulting object is saved to the attributes context under the clientCertificate object.
- Retrieves a certificate from the configured header on the parameter routeArgCertificateHeader.
This filter checks the incoming detached signature and saves it to the route state. If the detached signature is for an unencoded payload, validation is also performed.
- Filter source: ProcessDetachedSig.groovy
- Process type: REQUEST
- Filter processing:
- The filter only applies if the request method is POST.
- Parses API version from the inbound request.
- If the API version cannot be parsed from the inbound request, a
Bad Requestresponse is returned.
- If the API version cannot be parsed from the inbound request, a
- Builds the JWT from the detached header.
- If the detached signature header is missing from the inbound request or the detached signature has the wrong number of dots, a
Bad Requestresponse is returned.
- If the detached signature header is missing from the inbound request or the detached signature has the wrong number of dots, a
- Retrieves the JWS header and checks it for the b64 claim:
- If the b64 claim exists and is set to false, and the API version is 3.1.3 or lower, then it is accepted and the detached signature is validated as a non-base64 payload.
- If the b64 claim exists and the API version is 3.1.4 or higher, then it is rejected.
- If the b64 claim does not exist and the API version is 3.1.4 or higher, then it is accepted and the detached signature is validated as a standard base64 payload.
This filter verifies the registration request and prepares the Identity Cloud or AM dynamic client registration JSON.
- Filter source: ProcessRegistration.groovy
- Process type: REQUEST
- Filter processing:
- Checks that all the needed details are available in the client certificate for registration.
- If the client certificate is missing or doesn't contain roles, a
Bad Requestresponse is returned.
- If the client certificate is missing or doesn't contain roles, a
- Parses the incoming registration JWT and extracts the SSA.
- If the registration has expired, it contains unsupported response types, there is no SSA or the issuer claim is invalid, a
Bad Requestresponse is returned.
- If the registration has expired, it contains unsupported response types, there is no SSA or the issuer claim is invalid, a
- Updates the OIDC registration request.
- If the JWKS URI host is in the list of private JWKS hosts, then the request is proxied back through IG.
- If the proxied JWKS host cannot be parsed, an
Internal Server Erroris returned. - If the JWKS URI is invalid, a
Bad Requestresponse is returned.
- If the proxied JWKS host cannot be parsed, an
- If the JWKS URI host is not in the list of private JWKS hosts, then a
Bad Requestresponse is returned because it must contain a valid JWKS endpoint.
- If the JWKS URI host is in the list of private JWKS hosts, then the request is proxied back through IG.
- The SSA and registration JWT is then stored for signature checks.
- Checks that all the needed details are available in the client certificate for registration.
This filter resolves the location of the consent request JWT for calls to the RCS Backend (API).
- Filter source: RcsApiConsentRequestJwtResolver.groovy
- Process type: REQUEST
- Filter processing:
- For calls to the /details endpoint (which populates the UI), the JWT is included in the POST body as a raw string.
- For calls to the /decision endpoint (which submits the consent decision), the JWT is included in the consentJwt field of a JSON object in the POST body.
This filter checks the consent submitted matches the consent from the access token.
- Filter source: RequestEntityConsentIdValidator.groovy
- Process type: REQUEST
This filter checks the consentId in the URI path matches the access token.
- Filter source: RequestPathConsentIdValidator.groovy
- Process type: REQUEST
This filter gets the intent ID from the access token claims found on the OAuth2 context and saves it on the attributes context.
- Filter source: SaveIntentIdOnAttributesContext.groovy
- Process type: REQUEST
This handler converts the incoming JWK set to PEM encoded TLS client certificate and key.
- Handler source: JwkmsGetTlsCert.groovy
- Process type: REQUEST
- Handler processing:
- If the request body cannot be parsed as a JWK set, the TLS key cannot be found in the JWK set, or the private key and/or certificate chain cannot be found in the TLS JWK, a
Bad Requestresponse is returned.
- If the request body cannot be parsed as a JWK set, the TLS key cannot be found in the JWK set, or the private key and/or certificate chain cannot be found in the TLS JWK, a
This handler generates certificates and keys, and returns them as a JWK set.
- Handler source: JwkmsIssueCert.groovy
- Process type: REQUEST
This handler signs claims using the signing key from the incoming JWK set.
- Handler source: JwkmsSignClientClaims.groovy
- Process type: REQUEST
This handler fetches OAuth 2.0 client details from Identity Cloud or IDM.
- Handler source: RepoApiClient.groovy
- Process type: REQUEST
- Handler processing:
- If the client ID cannot be parsed from the inbound request, a
Bad Requestresponse is returned.
- If the client ID cannot be parsed from the inbound request, a
This handler fetches user information from Identity Cloud or IDM.
- Handler source: RepoUser.groovy
- Process type: REQUEST
- Handler processing:
- If the API client ID cannot be parsed from the inbound request, a
Bad Requestresponse is returned.
- If the API client ID cannot be parsed from the inbound request, a
This handler sets the content type for the JWT to text/plain.
- Handler source: SetContentTypeToPlainText.groovy
- Process type: REQUEST
-
The Secure API Gateway (SAPI-G) Documentation
- SAPI-G Implementation Status
- Understanding SAPI-G
- Deployment
- Protect Custom APIs using SAPI-G
- Testing
- Troubleshooting