Before a Third Party Provider (TPP) can request a customer's consent to access account data, it must first register with Mettle.
As a TPP you must present the correct client certificate on the mutual-TLS connection when registering; otherwise a 400 response is returned.
You will need the 'Signature' and 'Transport' keys issued when your TPP registered with the Open Banking (or equivalent) directory: the 'Signature' key signs the registration request, and the 'Transport' certificate authenticates the TLS connection it is sent over.
For full details of the register endpoint of the Open Banking Dynamic Client Registration specification, see the OAuth API documentation.
Submit a POST to the registration_endpoint advertised by the .well-known endpoint, over a connection authenticated with your 'Transport' certificate, where the body is a JWS (a signed JWT) with the header and payload shown below.
jwt.io is convenient for decoding and inspecting a JWS, but sign the request with your own tooling: pasting a 'Signature' private key into a third-party web page exposes it.
{
"alg": "PS256",
"kid": "<The key ID of your 'Signature' key>",
"typ": "JWT"
}
{
"iss": "<The name/ID your TPP was registered with in the directory>",
"iat": <Timestamp of when this JWT was issued>,
"exp": <Timestamp of when this JWT will expire>,
"aud": "0015800000jfwxXAAQ",
"jti": "<A UUID>",
"redirect_uris": [ "<A subset of the URLs from your SSA>" ],
"token_endpoint_auth_method": "<Either 'tls_client_auth' or 'client_secret_post'>",
"response_types": [ <One or more of the 'response_types_supported' from our well-known endpoint> ],
"software_id": [ "<The software id from your SSA>" ],
"scope": [ <One or more of the 'scopes_supported' from our well-known endpoint> ],
"grant_types": [ <One or more of the 'grant_types_supported' from our well-known endpoint> ],
"application_type": "web",
"id_token_signed_response_alg": "PS256",
"request_object_signing_alg": "PS256",
"token_endpoint_auth_signing_alg": "PS256",
"tls_client_auth_dn": "<The 'subject' of your 'Transport' certificate, only required for 'tls_client_auth'>",
"software_statement": "<Your SSA, see below>"
}
The JWS signature, made with your 'Signature' private key, will be verified against the public key found by the kid in the JWKS specified by the software_jwks_endpoint in the SSA; a kid that is not in that JWKS, or a signature that does not verify, fails registration.
Mettle's OBIE ID is 0015800000jfwxXAAQ. This should be used in the aud field when registering with us.
Although we accept client_secret_post as an authentication method, we prefer tls_client_auth.
Your tls_client_auth_dn is the subject of your 'Transport' certificate, written out in full. It should look something like the following (a ForgeRock sandbox example; the OU is the org id from the directory, and 2.5.4.97 is the X.520 organizationIdentifier attribute, which some tools print by OID rather than by name):
CN=5cdc037561606b006868a76d, OU=5cc0636106f0cf001d966ac6, O=ForgeRock, L=Bristol, ST=Avon, C=UK/2.5.4.97=PSDGB-5cc0636106f0cf001d966ac6
Consents will only be granted if you registered with the correct scope. If no scope is specified, we will assign openid only, and you will not be allowed to create any consents.
Your SSA is another JWS which will be created for you when you register your TPP with the directory.
It will contain many details about the software with which you are accessing our customers' data. Below we have highlighted the information that will be checked during registration:
{
"alg": "<Either 'PS256' or 'ES256'>",
"kid": "<The key ID that can be found in the JWKS for the issuer>",
"typ": "JWT"
}
{
...,
"iss": "<Must be one of: 'OpenBanking Ltd' (for production or sandbox) or 'ForgeRock' (sandbox only)>",
"software_mode": "<Must be one of: 'Live' (for production) or 'Test' (for sandbox)>",
"exp": <Timestamp of when this JWT will expire>,
"software_id": [ "<The id of this software>" ],
"software_jwks_endpoint": "<The JWKS that will be used to verify the signature of the request above>",
"software_redirect_uris": [ <A list of URLs that can be used when redirecting the PSU after consenting> ],
"org_id": "<Must match the 'org unit' (OU) in your request's certificate>",
...
}
The signature will be verified against the key found by the kid in the JWKS for the issuer.
Below are the JWKS that are used to verify the SSA:
Name | Mode | URL |
---|---|---|
OpenBanking Ltd | Live | https://keystore.openbanking.org.uk/keystore/openbanking.jwks |
OpenBanking Ltd | Test | https://keystore.openbankingtest.org.uk/keystore/openbanking.jwks |
ForgeRock | Test | https://service.directory.ob.forgerock.financial/api/directory/keys/jwk_uri |
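The two signed-JWT checks on this page, the registration request (signed by the TPP, verified against the JWKS at its software_jwks_endpoint) and the SSA (signed by the directory, verified against the issuer JWKS in the table above), are the same mechanism: resolve the header kid in a JWKS, verify a PS256 signature over the exact header.payload bytes, and reject an expired token. The following is an added example written for this page, not Mettle's code and not code from the Open Banking directory. It builds the registration payload from the template above, signs it as a compact JWS with a 'Signature' private key, and verifies it the way the endpoint does, using only the Go standard library. The kid "sig-1", the redirect URI, the scopes, response types, grant types and software id, and the throwaway RSA key are all assumed values; take the real ones from your SSA and from Mettle's .well-known document. The verifier pins alg to PS256, so an SSA signed with ES256 would need an ECDSA branch that this block does not include.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding                                         // JWS segments are unpadded base64url
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash} // PS256: RSASSA-PSS, SHA-256, 32-byte salt

// NewSigningKey makes a throwaway 'Signature' key; in production the key comes from the directory.
func NewSigningKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// RegistrationClaims builds the DCR payload from the template above with fresh iat/exp/jti.
// The redirect URI, response types, scopes, grant types and software id are assumed values.
func RegistrationClaims(iss, dn, ssa string, ttl time.Duration) map[string]any {
	var u [16]byte
	rand.Read(u[:]) // jti: a random version-4 UUID
	u[6], u[8] = (u[6]&0x0f)|0x40, (u[8]&0x3f)|0x80
	now := time.Now()
	return map[string]any{
		"iss": iss, "iat": now.Unix(), "exp": now.Add(ttl).Unix(),
		"jti": fmt.Sprintf("%x-%x-%x-%x-%x", u[0:4], u[4:6], u[6:8], u[8:10], u[10:]),
		"aud": "0015800000jfwxXAAQ", // Mettle's OBIE ID
		"redirect_uris":              []string{"https://tpp.example/callback"}, // assumed; must be a subset of the SSA's
		"token_endpoint_auth_method": "tls_client_auth", "tls_client_auth_dn": dn,
		"response_types": []string{"code id_token"}, "scope": []string{"openid", "accounts"}, // assumed
		"grant_types":    []string{"authorization_code", "client_credentials", "refresh_token"}, // assumed
		"software_id":    []string{"software-id-from-ssa"}, "application_type": "web",
		"id_token_signed_response_alg": "PS256", "request_object_signing_alg": "PS256",
		"token_endpoint_auth_signing_alg": "PS256", "software_statement": ssa,
	}
}

// SignPS256 produces the compact JWS for the POST body using the 'Signature' private key.
func SignPS256(priv *rsa.PrivateKey, kid string, claims any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "PS256", "kid": kid, "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pssOpts)
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// PublicJWK renders the public half as the JWK entry a TPP publishes at its software_jwks_endpoint.
func PublicJWK(pub *rsa.PublicKey, kid string) map[string]string {
	return map[string]string{"kty": "RSA", "use": "sig", "kid": kid,
		"n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

// ParseJWKS indexes the RSA keys of a JWKS document by kid; EC and malformed entries are skipped.
func ParseJWKS(doc []byte) (map[string]*rsa.PublicKey, error) {
	var set struct{ Keys []struct{ Kty, Kid, N, E string } }
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	keys := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		n, err1 := b64.DecodeString(k.N)
		e, err2 := b64.DecodeString(k.E)
		if k.Kty == "RSA" && err1 == nil && err2 == nil {
			keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	return keys, nil
}

// VerifyPS256 checks a compact JWS the way the registration endpoint checks the request (and the SSA):
// alg is pinned, kid must resolve in the JWKS, the signature must verify, and exp must be in the future.
func VerifyPS256(token string, keys map[string]*rsa.PublicKey, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	hdrRaw, err1 := b64.DecodeString(parts[0])
	payload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	var claims map[string]any
	if err1 != nil || err2 != nil || err3 != nil || json.Unmarshal(hdrRaw, &hdr) != nil || json.Unmarshal(payload, &claims) != nil {
		return nil, errors.New("malformed JWS")
	}
	if hdr.Alg != "PS256" { // never let the token choose the algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("kid %q not found in JWKS", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signed bytes are the encoded segments, not the JSON
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOpts); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	if exp, _ := claims["exp"].(float64); int64(exp) <= now.Unix() {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

func main() { // stand-alone run: sign one request with a throwaway key and print it
	priv := NewSigningKey()
	tok, _ := SignPS256(priv, "sig-1", RegistrationClaims("tpp-1", "CN=...,OU=...,O=ForgeRock", "ssa.jws", time.Hour))
	fmt.Println(tok)
}
```

To submit the token, load the 'Transport' certificate and key with tls.X509KeyPair into the tls.Config of an http.Client and POST the string returned by SignPS256 to the registration_endpoint; that part is left out so the block runs offline. The SSA itself goes into software_statement unchanged, and the same VerifyPS256 logic, fed the issuer JWKS from the table, is what you can run locally to check that your SSA has not expired before you send it.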