TrustedDirectory
A central point of trust for a particular FAPI ecosystem, such as open banking in the UK. The API clients and API providers both trust the TrustedDirectory.
The TrustedDirectory issues the OAuth 2.0 software statements for API clients and providers, together with their certificates.
The directory must host a JWKS endpoint that publishes the public keys it uses to sign software statements.
It may also host JWKS endpoints for the API clients' keys, so that API providers can validate JWT signatures from the clients named in the software statements. If it doesn't, it embeds the client JWKS in the software statements themselves.
Usage
{
  "name": string,
  "type": "TrustedDirectory",
  "config": {
    "issuer": configuration expression<string>,
    "softwareStatementClaims": {
      "organisationIdClaimName": configuration expression<string>,
      "organisationNameClaimName": configuration expression<string>,
      "softwareIdClaimName": configuration expression<string>,
      "clientNameClaimName": configuration expression<string>,
      "redirectUrisClaimName": configuration expression<string>,
      "rolesClaimName": configuration expression<string>,
      "jwksUriClaimName": configuration expression<string>,
      "jwksClaimName": configuration expression<string>
    },
    "secretsProvider": SecretsProvider reference,
    "verificationSecretId": configuration expression<secret-id>
  }
}
Properties
"issuer"
: configuration expression<string>, required
The TrustedDirectory issuer name.
This must match the "iss" claim in software statement assertion JWTs issued by this directory.
"softwareStatementClaims"
: object, required
The claim names used in the software statements issued by this directory.
"organisationIdClaimName"
: configuration expression<string>, required
The name of the organization identifier claim.
"organisationNameClaimName"
: configuration expression<string>, required
The name of the organization name claim.
"softwareIdClaimName"
: configuration expression<string>, required
The name of the software identifier claim.
"clientNameClaimName"
: configuration expression<string>, required
The name of the client name claim.
"redirectUrisClaimName"
: configuration expression<string>, required
The name of the redirect URIs claim.
"rolesClaimName"
: configuration expression<string>, optional
The name of the roles claim.
Default: Don't extract roles from the software statements.
"jwksUriClaimName"
: configuration expression<string>, optional
The name of the claim with the URI of the API client's JWKS.
If this isn't provided, you must provide "jwksClaimName".
"jwksClaimName"
: configuration expression<string>, optional
The name of the claim that holds the API client's JWKS.
If this isn't provided, you must provide "jwksUriClaimName".
"secretsProvider"
: SecretsProvider reference, required
The SecretsProvider, such as a JwkSetSecretStore, that holds this directory's public keys for verifying software statement JWT signatures.
"verificationSecretId"
: configuration expression<secret-id>, optional
The secret ID of the key used to verify the signature of software statement assertion JWTs.
Default: verify
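The following Python model shows what the properties above drive at runtime: the directory's key verifies the software statement assertion (SSA) signature, "issuer" is checked against "iss", the configured claim names are mapped onto the fields a gateway needs for client registration, and at least one of "jwksUriClaimName" or "jwksClaimName" must be configured and present. This is an added example, not PingGateway code. The claim names in the sample follow the UK Open Banking SSA layout as an assumption; the issuer URL, key and values are constructed, and HS256 is a stdlib-only stand-in for the asymmetric keys a real directory publishes in its JWKS.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Any, Dict, Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class SoftwareStatementClaims:
    """Mirrors the softwareStatementClaims block: claim *names*, not values."""
    organisation_id: str
    organisation_name: str
    software_id: str
    client_name: str
    redirect_uris: str
    roles: Optional[str] = None       # optional: roles are not extracted when None
    jwks_uri: Optional[str] = None    # at least one of jwks_uri / jwks is required
    jwks: Optional[str] = None

    def __post_init__(self) -> None:
        if self.jwks_uri is None and self.jwks is None:
            raise ValueError("configure jwksUriClaimName or jwksClaimName")


@dataclass
class TrustedDirectory:
    issuer: str                       # must equal the SSA "iss" claim
    claims: SoftwareStatementClaims
    verification_key: bytes           # stand-in for the secret behind verificationSecretId


def sign_ssa(key: bytes, payload: Dict[str, Any]) -> str:
    """Build a compact JWS (HS256 stand-in; a real directory signs with PS256/ES256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def validate_ssa(directory: TrustedDirectory, ssa: str) -> Dict[str, Any]:
    """Verify signature and issuer, then map directory claim names to canonical fields."""
    parts = ssa.split(".")
    if len(parts) != 3:
        raise ValueError("SSA is not a compact JWS")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # pin the expected alg; never accept "none"
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(directory.verification_key,
                        f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("SSA signature does not verify against the directory key")
    payload = json.loads(b64url_decode(body_b64))
    if payload.get("iss") != directory.issuer:
        raise ValueError(f"iss {payload.get('iss')!r} != issuer {directory.issuer!r}")

    names = directory.claims
    required = {"organisationId": names.organisation_id, "organisationName": names.organisation_name,
                "softwareId": names.software_id, "clientName": names.client_name,
                "redirectUris": names.redirect_uris}
    missing = [claim for claim in required.values() if claim not in payload]
    if missing:
        raise ValueError(f"SSA lacks required claims: {missing}")
    result = {field: payload[claim] for field, claim in required.items()}
    if names.roles is not None:
        result["roles"] = payload.get(names.roles, [])
    # Client keys come either from a JWKS URI or from an embedded JWKS.
    if names.jwks_uri is not None and names.jwks_uri in payload:
        result["jwksUri"] = payload[names.jwks_uri]
    elif names.jwks is not None and names.jwks in payload:
        result["jwks"] = payload[names.jwks]
    else:
        raise ValueError("SSA carries neither a JWKS URI nor an embedded JWKS")
    return result


# Constructed sample directory and SSA (claim names assume the UK Open Banking layout).
DIRECTORY = TrustedDirectory(
    issuer="https://directory.example.test",
    claims=SoftwareStatementClaims(
        organisation_id="org_id", organisation_name="org_name", software_id="software_id",
        client_name="software_client_name", redirect_uris="software_redirect_uris",
        roles="software_roles", jwks_uri="software_jwks_endpoint"),
    verification_key=b"example-directory-signing-key",
)
SAMPLE_SSA = sign_ssa(DIRECTORY.verification_key, {
    "iss": "https://directory.example.test",
    "org_id": "0015800001ABCDEF", "org_name": "Example TPP Ltd",
    "software_id": "sw-123", "software_client_name": "Example Budgeting App",
    "software_redirect_uris": ["https://app.example.test/cb"], "software_roles": ["AISP"],
    "software_jwks_endpoint": "https://keystore.example.test/sw-123.jwks",
})

if __name__ == "__main__":
    print(json.dumps(validate_ssa(DIRECTORY, SAMPLE_SSA), indent=2))
```

The two checks that matter most for a relying gateway are the pinned algorithm plus constant-time signature comparison before any claim is read, and the issuer match: an SSA signed by a different directory (or an older key) is rejected before its redirect URIs or roles can influence registration.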