docs: add openbanking docs to flex (#1817)

* docs: add openbanking docs to flex Signed-off-by: Amro Misbah <[email protected]> * docs: remove commented instructions --------- Signed-off-by: Amro Misbah <[email protected]> Co-authored-by: Mohammad Abudayyeh <[email protected]>
GluuFederation · Sep 19, 2024 · fffdb75 · fffdb75
1 parent 4870151
commit fffdb75
Show file tree

Hide file tree

Showing 11 changed files with 726 additions and 0 deletions.
diff --git a/docs/openbanking/configuration-instructions.md b/docs/openbanking/configuration-instructions.md
@@ -0,0 +1,19 @@
+## Generate/install keys and certs for Gluu Open Banking Identity Platform 
+
+This section covers details about setting up the keys and certificates in Cloud-Native distribution.
+
+* For MTLS keys, see the document that demonstrates [enabling mTLS in nginx ingress](https://gluu.org/docs/openbanking/install-cn/#enabling-mtls-in-ingress-nginx).
+
+Remember, MTLS is needed not only for the TPPs to call the authorization and token endpoints for OpenID Connect flows, but also by clients that are calling the configuration API.
+
+## Add/Update Custom Scripts: 
+
+To add or update custom scripts, you can use either `jans-cli` or `curl`. 
+
+* `jans-cli` in interactive mode, `option 13` enables you to manage custom scripts. For more info, see the [docs](https://gluu.org/docs/openbanking/jans-cli/).
+
+* `jans-cli` in command line argument mode is more conducive to scripting and automation. To display the available operations for custom scripts, use `config-cli.py --info CustomScripts`. See the [docs](https://gluu.org/docs/openbanking/jans-cli) for more info.
+
+* To use `curl` see these [docs](https://gluu.org/docs/openbanking/curl/#managing-scripts-with-curl)
+
+Note: If using VM installation you can normally find `jans-cli.py` in the `/opt/jans/jans-cli/` folder. 
diff --git a/docs/openbanking/curl.md b/docs/openbanking/curl.md
@@ -0,0 +1,85 @@
+# Managing scripts with CURL
+
+## Curl Prerequisites
+
+- Gluu open banking distribution
+- client-id
+- client-secret
+- client certificate
+- client key
+
+## Getting the prerequisites
+
+1.  Get a client id  and its associated password. Here, we will use the client id and secret created for config-api. 
+    ```bash
+    TESTCLIENT=$(kubectl get cm cn -n <namespace> --template={{.data.jca_client_id}})
+    TESTCLIENTSECRET=$(kubectl get secret cn -n <namespace> --template={{.data.jca_client_pw}} | base64 -d)
+    ```
+
+1. `client.crt` and `client.key` are the certificate and key files respectively for MTLS.
+
+    Use your `ca.crt` and `ca.key` that was provided during setup to generate as many client certificates and keys as needed.
+
+    If you have an existing helm deployment, you can retrieve `ca.crt` and `ca.key` using the following commands:
+    ```bash
+    kubectl get secret cn -n <namespace> --template={{.data.ssl_ca_cert}} | base64 -d > ca.crt
+    kubectl get secret cn -n <namespace> --template={{.data.ssl_ca_key}} | base64 -d > ca.key
+    ```
+
+
+1.  Generate client.crt and client.key files:
+    ```bash
+    openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj '/CN=Openbanking'
+    openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
+    ```
+
+## CURL operations
+
+1.  The curl commands to list, add, or update custom script require a token, so first call the token endpoint to get the token using:
+
+    ```bash
+    curl -u $TESTCLIENT:$TESTCLIENTSECRET https://<FQDN>/jans-auth/restv1/token -d  "grant_type=client_credentials&scope=https://jans.io/oauth/config/scripts.readonly" --cert client.crt --key client.key
+    ```
+
+    Example:
+
+    ```bash
+    curl -u '1801.bdfae945-b31d-4d60-8e47-16518153215:rjHoLfjfsv2G2qzGEasd1651813aIXvCi61NU' https://bank.gluu.org/jans-auth/restv1/token -d  "grant_type=client_credentials&scope=https://jans.io/oauth/config/scripts.readonly" --cert apr22.crt --key apr22.key
+    {"access_token":"ad34ac-8f2d-4bec-aed3-343adasda2","scope":"https://jans.io/oauth/config/scripts.readonly","token_type":"bearer","expires_in":299}
+    ```
+
+1. Save the `access_token` for use in subsequent commands.
+
+1.  Use different scope values as per the requirement:
+
+    1.  View scripts information: https://jans.io/oauth/config/scripts.readonly
+
+    1.  Manage scripts-related information: https://jans.io/oauth/config/scripts.write
+
+    1.  Delete scripts-related information: https://jans.io/oauth/config/scripts.delete
+
+1.  Use the obtained access token to perform further operations on custom scripts as given in subsequent text:
+
+    1.  Use the following command to display details of all the available custom scripts:
+
+        ```bash
+        curl -X GET https://<FQDN>/jans-config-api/api/v1/config/scripts -H "Accept: application/json" -H "Authorization:Bearer <access_token>" -H "Content-Type: application/json"
+        ```
+
+        Example:
+
+        ```bash
+        curl -X GET https://bank.gluu.org/jans-config-api/api/v1/config/scripts -H "Accept: application/json" -H "Authorization:Bearer ad34ac-8f2d-4bec-aed3-343adasda2" -H "Content-Type: application/json"
+        ```     
+
+    1.  The following command will add a new custom script (Obtain token with write scope) and if it is successful it will display the added script in JSON format. The scriptformat.json file has script details according to the custom script schema. It should have the entire script inside the scriptformat.json as a string value under the script field. Converting a multiline script into a string requires converting newlines into \n. So curl is not a suitable choice for adding new script, jans-cli is a better option.    
+
+        ```bash
+        curl -X POST "https://<FQDN>/jans-config-api/api/v1/config/scripts" -H  "Accept: application/json" -H "Authorization:Bearer <access_token>" -H "Content-Type: application/json" --data @/home/user/scriptformat.json
+        ```
+
+        Example:
+
+        ```bash
+        curl -X POST "https://bank.gluu.org/jans-config-api/api/v1/config/scripts" -H  "Accept: application/json" -H "Authorization:Bearer ad34ac-8f2d-4bec-aed3-343adasda2" -H "Content-Type: application/json" --data @/home/user/scriptformat.json
+        ```
diff --git a/docs/openbanking/img/PKI_Infra.png b/docs/openbanking/img/PKI_Infra.png
diff --git a/docs/openbanking/img/cn/gluucloudnative-OB distribution.svg b/docs/openbanking/img/cn/gluucloudnative-OB distribution.svg
diff --git a/docs/openbanking/img/open-banking-topology.png b/docs/openbanking/img/open-banking-topology.png
diff --git a/docs/openbanking/index.md b/docs/openbanking/index.md
@@ -0,0 +1,39 @@
+# Gluu Open Banking Identity Platform
+
+## Overview
+
+The Gluu Open Banking Identity Platform is a specific profile of the Gluu Server that is packaged and configured for certain use cases:  
+
+* Dynamic Client Registration using software statements  
+* Payment Authorization  
+* Identity - eKYC  
+* Client Initiated Authentication (mobile/out-of-band)  
+
+Other services needed by enterprises--but not by banks--have been disabled. The goal is to reduce the security surface area to make the platform easy to deploy, easy to keep up to date, and easy to rollout new features with zero downtime.
+
+This is a cloud-native distribution. Cloud-native is essential for auto-scaling, high availability, and operational automation. For development and testing we also support its VM distribution, where the [Installation](https://docs.gluu.org/vreplace-flex-version/openbanking/install-vm/) Section has more details about it.
+
+This distribution of Gluu is based on the [Linux Foundation Janssen Project](https://jans.io) at the Linux Foundation, the [most certified](https://openid.net/certification) OpenID Platform available.
+
+
+## Components
+
+![component topology](./img/open-banking-topology.png)
+
+* **Open Banking OpenID Provider**: Based on the Janssen Auth-Server, this internet-facing component provides the FAPI OpenID Connect API for dynamic  client registration, transaction authorization, and CIBA.
+* **Config API**: Service which configures the OpenID Provider. The Client must present an access token authorized by a trusted issuer with certain scopes.  
+* **Cloud Database**: Database used to store configuration, client metadata, tokens, and other information required for the operation of the OpenID Provider.
+* **Open Banking API Gateway**: An Internet facing gateway for the core open banking API, should enforce the presence of a token with certain scopes.
+* **Open Banking API**: The core banking API.
+* **Internal Authentication and Consent Service**: An OpenID Provider, SAML IDP, or another authentication service that provides access to actual customer information. This service may handle the consent, or delegate consent to another service.
+* **User Accounts**: A database where the user account information is held
+* **Bank Regulatory Directory**: This is hosted by the federation operator which publishes public key material and other metadata about participants in the open  banking ecosystem.
+* **Fintech / Payment Processor**: A service that wants to call the Open Banking API or to get data or to process a payment.  
+
+# PKI infrastructure
+
+![Overview](./img/PKI_Infra.png)
+
+# Cloud-Native Architecture
+
+![Overview](./img/cn/gluucloudnative-OB%20distribution.svg)