Payment Initiation APIs

(1 review)

Payload Signing

This section provides steps for signing the payload and generating a valid x-jws-signature.

Step 1: Identify the private key and corresponding signing certificate to be used for signing

The signer must use a private key that has a corresponding digital certificate (that contains the corresponding public key) issued by OB. The signing certificate must be valid at the time of creating the JWS.

Step 2: Form the JOSE Header

The JOSE Header for the signature must contain the following fields

ClaimDescription
algPS256 is the supported algorithms used for signing JWS
typThis is an optional claim. If it is specified, it must be set to the value "JOSE"
ctyThis is an optional claim. If it is specified, it must be set to the value "json" or "application/json".
kidThis must match the certificate id of the certificate selected in step 1.
http://openbanking.org.uk/iatThis must be a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. This is a private header parameter name. (See RFC 7515 - Private Header Parameter Names)
http://openbanking.org.uk/issThis must be a string containing the id of the TPP. This must match the dn of the signing certificate. This is a private header parameter name. (See RFC 7515 - Private Header Parameter Names)
http://openbanking.org.uk/tanThis must be a string that consists of a domain name that is registered to and identifies the Trust Anchor that hosts the public counter-part of the key used for signing.
For example, when using the Open Banking Directory, the value must be openbanking.org.uk
critThis must be a string array consisting of the values "http://openbanking.org.uk/tan", "http://openbanking.org.uk/iat", "http://openbanking.org.uk/iss". This indicates that the JWS signature validator must understand and process the three additional claims.

Sample JOSE Header

{
  "alg": "PS256",
  "kid": "rt0rxv7lo86ohb6wNLDheQrEfyY",
  "http://openbanking.org.uk/iat": 1676304306,
  "http://openbanking.org.uk/iss": "organisationID/clientId",
  "http://openbanking.org.uk/tan": "openbanking.org.uk",
  "crit": [
    "http://openbanking.org.uk/iat",
    "http://openbanking.org.uk/tan",
    "http://openbanking.org.uk/iss"
  ],
  "cty": "application/json",
  "typ": "JOSE"
}
Step 3: Compute the JWS

The signer must compute the signature as a detached JWS as defined in RFC 7515.

detachedJWS = base64Encode( JOSEHeader) + ".." + base64Encode ( encrypt (privateKey, base64Encode(json)))
Step 4: Add the JWS as a HTTP header

The signer must include an HTTP header called x-jws-signature with its value set to the signature computed in Step 3.

x-jws-signature: V2hhdCBoYXRoIGdvZCB3cm91Z2h0ID8=..QnkgR2VvcmdlLCBzaGUncyBnb3QgaXQhIEJ5IEdlb3JnZSBzaGUncyBnb3QgaXQhIE5vdyBvbmNlIGFnYWluLCB3aGVyZSBkb2VzIGl0IHJhaW4/

Reviews