From 156b966ec4b0a0a5d52964046cd05f88eec038b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marko=20Mili=C4=87?= Date: Tue, 9 Apr 2024 11:11:13 +0200 Subject: [PATCH 1/6] docfix/Fix OAuth 2.0 glossary item typo --- obp-api/src/main/scala/code/api/util/Glossary.scala | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/obp-api/src/main/scala/code/api/util/Glossary.scala b/obp-api/src/main/scala/code/api/util/Glossary.scala index 39b8931aa6..e347974208 100644 --- a/obp-api/src/main/scala/code/api/util/Glossary.scala +++ b/obp-api/src/main/scala/code/api/util/Glossary.scala @@ -2177,7 +2177,7 @@ object Glossary extends MdcLoggable { glossaryItems += GlossaryItem( - title = "OAuth 2 with Google", + title = "OpenID Connect with Google", description = s""" | From 99e8786450e1f52ac9d993f09bb1c45b33c3f3d1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marko=20Mili=C4=87?= Date: Tue, 9 Apr 2024 12:56:03 +0200 Subject: [PATCH 2/6] docfix/Add How OpenID Connect Works glossary item --- .../main/scala/code/api/util/Glossary.scala | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/obp-api/src/main/scala/code/api/util/Glossary.scala b/obp-api/src/main/scala/code/api/util/Glossary.scala index e347974208..5d53177fb0 100644 --- a/obp-api/src/main/scala/code/api/util/Glossary.scala +++ b/obp-api/src/main/scala/code/api/util/Glossary.scala 
@@ -3235,6 +3235,38 @@ object Glossary extends MdcLoggable { description = s"""An acronym for OpenID Connect (OIDC) is an identity authentication protocol that is an extension of open authorization (OAuth) 2.0 to standardize the process for authenticating and authorizing users when they sign in to access digital services.""".stripMargin) + glossaryItems += GlossaryItem( + title = "How OpenID Connect Works", + description = + s"""The OpenID Connect protocol, in abstract, follows these steps: + | + |* End user navigates to a website or web application via a browser. + |* End user clicks sign-in and types their username and password. + |* The RP (Client) sends a request to the OpenID Provider (OP). + |* The OP authenticates the User and obtains authorization. + |* The OP responds with an Identity Token and usually an Access Token. + |* The RP can send a request with the Access Token to the User device. + |* The UserInfo Endpoint returns Claims about the End-User. + |#### Authentication + |The secure process of establishing and communicating that the person operating an application or browser is who they claim to be. + |#### Client + |A client is a piece of software that requests tokens either for authenticating a user or for accessing a resource (also often called a relying party or RP). + |A client must be registered with the OP. Clients can be web applications, native mobile and desktop applications, etc. + |#### Relying Party (RP) + |RP stands for Relying Party, an application or website that outsources its + |user authentication function to an IDP. + |#### OpenID Provider (OP) or Identity Provider (IDP) + |An OpenID Provider (OP) is an entity that has implemented the OpenID Connect and OAuth 2.0 protocols, + |OP’s can sometimes be referred to by the role it plays, such as: a security token service, + |an identity provider (IDP), or an authorization server. + |#### Identity Token + |An identity token represents the outcome of an authentication process. 
+ |It contains at a bare minimum an identifier for the user (called the sub aka subject claim) + |and information about how and when the user authenticated. It can contain additional identity data. + |#### User + |A user is a person that is using a registered client to access resources. + | """.stripMargin) + glossaryItems += GlossaryItem( title = "OAuth 2.0", description = From 7f1fe7d0f3d34f72458305c25610486a327938b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marko=20Mili=C4=87?= Date: Wed, 10 Apr 2024 11:28:07 +0200 Subject: [PATCH 3/6] docfix/Tweak CIBA glossary item --- obp-api/src/main/scala/code/api/util/Glossary.scala | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/obp-api/src/main/scala/code/api/util/Glossary.scala b/obp-api/src/main/scala/code/api/util/Glossary.scala index 5d53177fb0..4bcbb1b7d4 100644 --- a/obp-api/src/main/scala/code/api/util/Glossary.scala +++ b/obp-api/src/main/scala/code/api/util/Glossary.scala 
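Review bot: The abstract flow in the new "How OpenID Connect Works" item misstates two steps in a way that matters for security: the second bullet has the end user typing a username and password before the RP has even contacted the OP, which reads as the RP collecting credentials (the RP must never see them — the user authenticates at the OP), and the sixth bullet says the RP sends the Access Token "to the User device", whereas OpenID Connect Core 1.0 §1.3 has the RP send it to the OP's UserInfo Endpoint, which the very next bullet then answers. Suggested replacements: `|* End user clicks sign-in and the RP redirects them to the OpenID Provider (OP).`, `|* The OP authenticates the End-User (e.g. with username and password) and obtains authorization.` and `|* The RP can send a request with the Access Token to the UserInfo Endpoint.`. The Identity Token paragraph would also benefit from one sentence stating that it is a signed JWT whose signature, `iss`, `aud`, `exp` and the `nonce` the RP sent must be validated before the `sub` claim is trusted, since that is the check implementations most often skip. Minor wording: `OP’s can sometimes` is a possessive where the plural `OPs` is meant, and the curly apostrophe sits inside a string literal that is rendered verbatim.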
@@ -3228,7 +3228,9 @@ object Glossary extends MdcLoggable { title = "CIBA", description = s"""An acronym for Client-Initiated Backchannel Authentication. - |For more details about it please take a look at the official specification: [OpenID Connect Client Initiated Backchannel Authentication Flow](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html)""".stripMargin) + |For more details about it please take a look at the official specification: [OpenID Connect Client Initiated Backchannel Authentication Flow](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html) + |Please note it is a cross-device protocol and SHOULD not be used for same-device scenarios. + |If the Consumption Device and Authorization Device are the same device, protocols like OpenID Connect Core [OpenID.Core](https://openid.net/specs/openid-connect-core-1_0.html) and OAuth 2.0 Authorization Code Grant as defined in [RFC6749](https://www.rfc-editor.org/info/rfc6749) are more appropriate.""".stripMargin) glossaryItems += GlossaryItem( title = "OIDC", From e6e74cda3c2a5d04bbb08b591bed71c3bcca526f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marko=20Mili=C4=87?= Date: Wed, 10 Apr 2024 11:45:59 +0200 Subject: [PATCH 4/6] docfix/Tweak How OpenID Connect Works glossary item --- obp-api/src/main/scala/code/api/util/Glossary.scala | 1 + 1 file changed, 1 insertion(+) diff --git a/obp-api/src/main/scala/code/api/util/Glossary.scala b/obp-api/src/main/scala/code/api/util/Glossary.scala index 4bcbb1b7d4..5b3ef41564 100644 --- a/obp-api/src/main/scala/code/api/util/Glossary.scala +++ b/obp-api/src/main/scala/code/api/util/Glossary.scala 
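Review bot: The added caveat mixes cases in the normative term: the CIBA specification uses the RFC 2119 keyword "SHOULD NOT", so `SHOULD not` reads as a typo; change it to `|Please note it is a cross-device protocol and SHOULD NOT be used for same-device scenarios.` and insert a blank `|` line before it, because a single newline inside this Markdown string does not start a new paragraph and the note currently runs into the spec-link sentence. The entry also gives no hint why the restriction exists; a short sentence noting that the user's authentication device receives a request it did not initiate, and that the spec's `binding_message` lets the user confirm the request is tied to their own action on the consumption device, would make the caveat actionable for implementers.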
@@ -3249,6 +3249,7 @@ object Glossary extends MdcLoggable { |* The OP responds with an Identity Token and usually an Access Token. |* The RP can send a request with the Access Token to the User device. |* The UserInfo Endpoint returns Claims about the End-User. + |### Terminology |#### Authentication |The secure process of establishing and communicating that the person operating an application or browser is who they claim to be. |#### Client From 12530ebe4470f3f7fd245aa0c3d93a8ab1fdef7a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marko=20Mili=C4=87?= Date: Wed, 10 Apr 2024 14:43:04 +0200 Subject: [PATCH 5/6] docfix/Add FAPI 2.0 to the glossary item --- .../main/scala/code/api/util/Glossary.scala | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/obp-api/src/main/scala/code/api/util/Glossary.scala b/obp-api/src/main/scala/code/api/util/Glossary.scala index 5b3ef41564..0f08f8bc07 100644 --- a/obp-api/src/main/scala/code/api/util/Glossary.scala +++ b/obp-api/src/main/scala/code/api/util/Glossary.scala 
@@ -3275,6 +3275,32 @@ object Glossary extends MdcLoggable { description = s"""OAuth 2.0, is a framework, specified by the IETF in RFCs 6749 and 6750 (published in 2012) designed to support the development of authentication and authorization protocols. It provides a variety of standardized message flows based on JSON and HTTP.""".stripMargin) + glossaryItems += GlossaryItem( + title = "FAPI", + description = + s"""An acronym for Financial-grade API.""".stripMargin) + + glossaryItems += GlossaryItem( + title = "FAPI 1.0", + description = + s"""The Financial-grade API is a highly secured OAuth profile that aims to provide specific implementation guidelines for security and interoperability. + |The Financial-grade API security profile can be applied to APIs in any market area that requires a higher level of security than provided by standard [OAuth](https://datatracker.ietf.org/doc/html/rfc6749) or [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html). + |Financial-grade API Security Profile 1.0 consists of the following parts: + | + |* Financial-grade API Security Profile 1.0 - Part 1: Baseline + |* Financial-grade API Security Profile 1.0 - Part 2: Advanced + | + |These parts are intended to be used with RFC6749, RFC6750, RFC7636, and OIDC. + |""".stripMargin) + + glossaryItems += GlossaryItem( + title = "FAPI 2.0", + description = + s"""FAPI 2.0 has a broader scope than FAPI 1.0. + |It aims for complete interoperability at the interface between client and authorization server as well as interoperable security mechanisms at the interface between client and resource server. + |It also has a more clearly defined attacker model to aid formal analysis. + |Please note that FAPI 2.0 is still in draft.""".stripMargin) + private def getContentFromMarkdownFile(path: String): String = { val source = scala.io.Source.fromFile(path) From 117651f0c6ce786142b9eb9fed33496982baf2b0 Mon Sep 17 00:00:00 2001 
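Review bot: `Please note that FAPI 2.0 is still in draft.` is a date-bound claim with no reference, so it will silently go stale inside a glossary; phrase it as "at the time of writing" and point at the working group's page, e.g. `|Please note that, at the time of writing, the [FAPI 2.0 Security Profile](https://openid.net/specs/fapi-2_0-security-profile.html) is still an Implementer's Draft; check the OpenID Foundation site for its current status.` (verify the link). Relatedly, the FAPI 1.0 entry links OAuth and OIDC but neither new entry links to the FAPI specifications themselves (Part 1 Baseline and Part 2 Advanced are published under openid.net/specs/openid-financial-api-part-1-1_0.html and -part-2-1_0.html). Since the security delta is the point of these items, a one-line summary of what FAPI 2.0 actually mandates — pushed authorization requests (PAR), PKCE, and sender-constrained access tokens via MTLS or DPoP instead of plain bearer tokens — would make the "FAPI 2.0" description useful to someone configuring a client against this API.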
From: =?UTF-8?q?Marko=20Mili=C4=87?= Date: Wed, 10 Apr 2024 14:59:43 +0200 Subject: [PATCH 6/6] docfix/Add Available FAPI profiles to the glossary item --- .../src/main/scala/code/api/util/Glossary.scala | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/obp-api/src/main/scala/code/api/util/Glossary.scala b/obp-api/src/main/scala/code/api/util/Glossary.scala index 0f08f8bc07..323eb4584b 100644 --- a/obp-api/src/main/scala/code/api/util/Glossary.scala +++ b/obp-api/src/main/scala/code/api/util/Glossary.scala @@ -3302,6 +3302,20 @@ object Glossary extends MdcLoggable { |Please note that FAPI 2.0 is still in draft.""".stripMargin) + glossaryItems += GlossaryItem( + title = "Available FAPI profiles", + description = + s"""The following are the FAPI profiles which are either in use by multiple implementers or which are being actively developed by the OpenID Foundation’s FAPI working group: + | + |* FAPI 1 Implementers Draft 6 (OBIE Profile) + |* FAPI 1 Baseline + |* FAPI 1 Advanced + |* Brazil Security Standard + |* FAPI 2 + |* FAPI 2 Message Signing: + |""".stripMargin) + + private def getContentFromMarkdownFile(path: String): String = { val source = scala.io.Source.fromFile(path) val lines: String = try source.mkString finally source.close()
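Review bot: The last bullet of the new "Available FAPI profiles" item ends in a stray colon, `|* FAPI 2 Message Signing:`, which renders as a dangling heading-like line; drop the colon. The list is a snapshot with no source, so it will drift from the OpenID Foundation's conformance page it appears to mirror — add a link to that page and an "as of" qualifier, or reduce the entry to the profiles this deployment actually supports. "FAPI 1 Baseline" and "FAPI 1 Advanced" are already described in the "FAPI 1.0" item two entries up; a cross-reference would avoid the two lists diverging.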