PingGateway

TrustedDirectory

A central point of trust for a particular FAPI ecosystem, such as open banking in the UK. The API clients and API providers both trust the TrustedDirectory.

The TrustedDirectory issues the OAuth2.0 software statements and their certificates for API clients and providers.

The directory must host a JWKS endpoint with its public keys it uses to sign the software statements.

It may host JWKS endpoints for the certificates for the software statements to validate API client JWT signatures. If not, it embeds JWKS in the software statements.

Usage

{
  "name": string,
  "type": "TrustedDirectory",
  "config": {
    "issuer": configuration expression<string>,
    "softwareStatementClaims": {
      "organisationIdClaimName": configuration expression<string>,
      "organisationNameClaimName": configuration expression<string>,
      "softwareIdClaimName": configuration expression<string>,
      "clientNameClaimName": configuration expression<string>,
      "redirectUrisClaimName": configuration expression<string>,
      "rolesClaimName": configuration expression<string>,
      "jwksUriClaimName": configuration expression<string>,
      "jwksClaimName": configuration expression<string>
    },
    "secretsProvider": SecretsProvider reference,
    "verificationSecretId": configuration expression<secret-id>
  }
}

Properties

"issuer": configuration expression<string>, required

The TrustedDirectory issuer name.

This must match the "iss" claim in software statement assertion JWTs issued by this directory.

"softwareStatementClaims": object, required

The claim names used in the software statements issued by this directory.

"organisationIdClaimName": configuration expression<string>, required

The name of the organization identifier claim.

"organisationNameClaimName": configuration expression<string>, required

The name of the organization name claim.

"softwareIdClaimName": configuration expression<string>, required

The name of the software identifier claim.

"clientNameClaimName": configuration expression<string>, required

The name of the client name claim.

"redirectUrisClaimName": configuration expression<string>, required

The name of the redirect URIs claim.

"rolesClaimName": configuration expression<string>, optional

The name of the roles claim.

Default: Don’t extract roles from the software statements.

"jwksUriClaimName": configuration expression<string>, optional

The name of the claim with the URI for the JWKS.

If this isn’t provided, you must provide the "jwksClaimName".

"jwksClaimName": configuration expression<string>, optional

The name of the claim that holds the JWKS.

If this isn’t provided, you must provide the "jwksUriClaimName".

"secretsProvider": SecretsProvider reference, required

The SecretsProvider, such as a JwkSetSecretStore, with this directory’s public keys to verify software statement JWTs.

"verificationSecretId": configuration expression<secret-id>, optional

The verification secret ID of the key for validating the signature of software statement assertion JWTs.

Default: verify
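The properties above together describe what a gateway must check before it trusts a software statement: the JWT signature verifies against the directory's own keys (the secrets provider, selected by the verification secret ID), the "iss" claim equals the configured issuer, the required claims are present under the configured names, roles are extracted only when a roles claim name is configured, and the statement carries either a JWKS URI or an embedded JWKS. The following is an added example, not PingGateway's code, that walks through those checks. Everything in it is constructed for an offline demo: the directory key set holds a symmetric "oct" key so only the Python standard library is needed (a real FAPI directory signs software statements with RSA or EC keys), and the claim names, issuer and URLs are hypothetical rather than those of any real directory.

```python
"""Added example (not PingGateway code): the checks a TrustedDirectory config
drives when a software statement assertion (SSA) JWT is verified. Keys, claim
names, issuer and URLs are constructed for this demo and are not real."""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Hypothetical TrustedDirectory config following the schema in the Usage block.
# "jwksClaimName" is left out (None), so SSAs must carry a JWKS URI instead.
TRUSTED_DIRECTORY = {
    "issuer": "https://directory.example.test",
    "softwareStatementClaims": {
        "organisationIdClaimName": "org_id",
        "organisationNameClaimName": "org_name",
        "softwareIdClaimName": "software_id",
        "clientNameClaimName": "software_client_name",
        "redirectUrisClaimName": "software_redirect_uris",
        "rolesClaimName": "software_roles",
        "jwksUriClaimName": "software_jwks_endpoint",
        "jwksClaimName": None,
    },
}

# Constructed directory key set standing in for the JwkSetSecretStore behind
# "secretsProvider"; the kid matches the default "verificationSecretId". A real
# directory would publish asymmetric keys here, not an "oct" key.
DIRECTORY_JWKS = {"keys": [{"kty": "oct", "kid": "verify", "alg": "HS256",
                            "k": b64url_encode(b"demo-directory-signing-key")}]}

# Constructed SSA claims as the demo directory would issue them to an API client.
SAMPLE_SSA_CLAIMS = {
    "iss": "https://directory.example.test",
    "org_id": "org-demo-0001",
    "org_name": "Demo TPP Ltd",
    "software_id": "sw-demo-0001",
    "software_client_name": "Demo Banking App",
    "software_redirect_uris": ["https://app.tpp.example.test/cb"],
    "software_roles": ["AISP", "PISP"],
    "software_jwks_endpoint": "https://keys.tpp.example.test/jwks.json",
}


class SoftwareStatementError(ValueError):
    """Raised when an SSA fails any of the directory-driven checks."""


def sign_ssa(claims: dict, jwk: dict) -> str:
    """Mint a compact JWS the way the demo directory would (HS256 only)."""
    header = {"alg": jwk["alg"], "kid": jwk["kid"], "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_software_statement(jwt: str, directory: dict, jwks: dict) -> dict:
    """Verify an SSA against the directory config; return its claims mapped
    through the configured claim names."""
    try:
        header_b64, payload_b64, sig_b64 = jwt.split(".")
    except ValueError:
        raise SoftwareStatementError("malformed JWT") from None
    header = json.loads(b64url_decode(header_b64))
    # 1. Signature: the key comes from the directory's own key set (the
    #    secretsProvider), never from anything inside the SSA itself.
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or header.get("alg") != key["alg"]:
        raise SoftwareStatementError("unknown kid or algorithm does not match the key")
    expected = hmac.new(b64url_decode(key["k"]), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise SoftwareStatementError("signature does not verify")
    claims = json.loads(b64url_decode(payload_b64))
    # 2. "iss" must equal the configured issuer.
    if claims.get("iss") != directory["issuer"]:
        raise SoftwareStatementError("issuer mismatch")
    # 3. Required claims, looked up by the configured names.
    names = directory["softwareStatementClaims"]
    required = {"organisationId": "organisationIdClaimName", "organisationName": "organisationNameClaimName",
                "softwareId": "softwareIdClaimName", "clientName": "clientNameClaimName",
                "redirectUris": "redirectUrisClaimName"}
    result = {}
    for field, setting in required.items():
        claim = names[setting]
        if claim not in claims:
            raise SoftwareStatementError(f"missing required claim {claim!r}")
        result[field] = claims[claim]
    # 4. Roles are optional: no rolesClaimName means no roles are extracted.
    roles_claim = names.get("rolesClaimName")
    result["roles"] = list(claims.get(roles_claim, [])) if roles_claim else []
    # 5. Client keys: a JWKS URI, or a JWKS embedded in the SSA, must be present.
    uri_claim, jwks_claim = names.get("jwksUriClaimName"), names.get("jwksClaimName")
    result["jwksUri"] = claims.get(uri_claim) if uri_claim else None
    result["jwks"] = claims.get(jwks_claim) if jwks_claim else None
    if result["jwksUri"] is None and result["jwks"] is None:
        raise SoftwareStatementError("SSA carries neither a JWKS URI nor a JWKS")
    return result


def is_valid_software_statement(jwt: str, directory: dict, jwks: dict) -> bool:
    """Boolean wrapper for callers that only need accept or reject."""
    try:
        verify_software_statement(jwt, directory, jwks)
        return True
    except SoftwareStatementError:
        return False
```

The order of the checks matters: the signature is verified with a key selected from the directory's key set by `kid` before any claim is read, so an unsigned or re-signed statement never reaches the issuer or claim-name logic, and the `alg` in the header is only accepted when it matches the algorithm recorded for that key. Swapping the HMAC step for RSA or EC verification over the same key-lookup structure gives the shape of the production check.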