Using Cloudentity and ApigeeX together speeds up the implementation of secure open banking solutions, letting organizations share data with their partners and registered entities in the way the regulations require.
The Cloudentity platform provides consumer consent management, registration and management of third parties, communication with the registry and so on, while ApigeeX exposes the data APIs and enforces secure access to consumer data APIs as the regulations and compliance rules require. Cloudentity implements the open banking security profile for the data holder ecosystem, and ApigeeX works in tandem with it to ensure that data is released only to authorized entities and that an active consumer consent exists for the requested data, as open banking regulations demand.
- Cloudentity SaaS tenant
- Google Cloud Project
- ApigeeX SaaS tenant. You can provision a free evaluation instance by following these instructions
Configure Cloudentity and ApigeeX to facilitate the CDR (Consumer Data Right, the Australian open banking regime) flow, manage customer consents, and issue CDR-compliant access tokens. A script is provided to create and configure the required resources.
There are three steps required when running the script:
Note: A step-by-step guide for deploying all resources manually can be found here.
- Create a client in the Admin workspace
  - Create a client application in the Cloudentity Admin workspace. Detailed instructions can be found in the Cloudentity docs.
  - In the newly created client application:
    - under the OAuth tab, set Grant Types to Client credentials
    - under the OAuth tab, set Token Endpoint Authentication Method to Client Secret Basic
  - Make note of the CLIENT ID and CLIENT SECRET, which will be used to set environment variables in the next section. This client authenticates the setup script's admin API calls against your tenant, so treat the secret as a privileged credential and keep the file you put it in out of version control.
  - Make note of your domain, i.e. my-tenant-domain.us.authz.cloudentity.io
  - Copy your tenant ID; this can be found in the top right under Profile
- Update the environment variables for the Cloudentity setup script
  - In the repository, under the deploy folder, locate the ce_admin.env file and add the environment variables that were copied previously:
    - CLIENT_ID - admin client application id
    - CLIENT_SECRET - admin client application secret
    - DOMAIN - domain, i.e. my-demo-tenant.us.authz.cloudentity.io
    - TENANT_ID - tenant id, i.e. my-demo-tenant
    - WORKSPACE_ID - your desired workspace id without spaces
Next, prepare GCP and ApigeeX
Prerequisites: in order to run the deployment script you need the following:
- gcloud, the Google Cloud CLI. Installation instructions: https://cloud.google.com/sdk/docs/install
- jq. On Debian or Ubuntu, install it by running:
  ```sh
  sudo apt-get install jq
  ```
- apigeecli, a tool to manage Apigee entities. Download the appropriate binary for your platform from https://github.com/apigee/apigeecli/releases

In the repository, under the deploy folder, locate the ce_admin.env file and add the following environment variables from your ApigeeX project:
- GCP_PROJECT_ID - GCP project ID
- GCP_REGION - GCP region
- APIGEE_X_ENDPOINT - host without https:// for the ApigeeX proxy
- APIGEE_X_ORG - optional: only edit if the Apigee instance is associated with a different GCP project than GCP_PROJECT_ID
- APIGEE_X_ENV - optional: only edit if not using the eval environment
The configuration script performs the following:
- Creates and configures a Demo Consent application and a Financroo data recipient application in your Cloudentity workspace for the ApigeeX proxies
- Adds the redirect URI for the Financroo application to the Cloudentity OAuth server
- Adds the consent application login URL to the Cloudentity OAuth server
- Sets the certificates and authentication methods in the Cloudentity OAuth server
- Adds the ApigeeX artefacts that implement the banking data APIs. They return mock data
- Deploys the Demo Consent application as a GCP Cloud Run function. This application talks to the bank APIs exposed by ApigeeX and to the Cloudentity APIs to gather consent and store it within Cloudentity
- Deploys the demo client as a GCP Cloud Run function. To test this solution we use the Financroo data recipient app, a data recipient that interacts with the bank APIs to use customer data after obtaining customer consent
Having configured the Cloudentity apps and ApigeeX proxies, run the following in a terminal from the root of the repo to start the configuration script:

```sh
cd openbanking
deploy/setup-ce.sh full-deploy
```

This script can take a while depending on your internet connection. Once complete, the terminal should show:

```
===================================================================================================
The demo client app has now been deployed.
You can test this solution by accessing the
demo client app at:
<demo application URL will appear here>
=================================================
Done
```
- Open the Financroo URL printed by the deployment above.
- Use the test user to log in to Financroo. This login is served by Financroo itself with its inbuilt auth: test/p@ssw0rd!
- Connect to "Go Bank".
- The user is redirected to the "Go Bank" identity provider, which is the mock IdP we configured.
- Log in with user/p@ssw0rd!
- The user is redirected to the consent app hosted in GCP to provide consent.
- Select accounts and provide consent. The consent app reaches out to the bank APIs exposed by ApigeeX to fetch the accounts for this user, identified by customer_id.
- Once consent is collected and submitted to Cloudentity, Cloudentity mints CDR-compliant tokens and redirects the user back to the Financroo app.
- Financroo now requests the "Go Bank" accounts, balances and transactions APIs using the CDR access token obtained above.
- The "Go Bank" APIs are exposed and protected by ApigeeX, while the user consent and the CDR access token are issued by Cloudentity. ApigeeX checks with Cloudentity that customer consent is in place before returning data to Financroo.
You can remove the CDR workspace by running the following from the openbanking directory:

```sh
deploy/setup-ce.sh delete-workspace
```

You can then remove the GCP artefacts by running the following from the openbanking directory:

```sh
deploy/undeploy_consent_mgmt_solution.sh <PATH_TO_YOUR_ENVIRONMENT_CONFIGURATION_FILE>
```
Cloudentity and ApigeeX can be integrated in multiple patterns, chosen according to the non-functional requirements of each deployment. Currently this repo supports Pattern 1, shown below.
Pattern 1 - ApigeeX handles data traffic with token and consent caching while Cloudentity handles token and consent management
In this model, all external data API traffic to the data holder is handled by Apigee, while the OAuth endpoints are served from the Cloudentity domain. Apigee caches the access token and consent information issued by Cloudentity to make data API responses faster, and relies on asynchronous webhook notifications from Cloudentity to keep its map of active consents valid. Because revocation reaches Apigee asynchronously, a revoked consent can still be honoured until the notification arrives or the cached entry expires, so the cache TTL bounds that exposure and should be chosen with it in mind.
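The consent check described in the test flow above (ApigeeX checking that consent is in place before returning data to Financroo) and the Pattern 1 cache-plus-webhook design, as an added example that is not code from this repository, from Cloudentity or from Apigee: a Python simulation of what the proxy's data API does with an access token. The HS256 shared-secret signing, the issuer and audience URLs, the `cache_consent` and `handle_consent_webhook` helpers, the webhook payload shape and the cache layout are all assumptions made for this illustration; `bank:accounts.basic:read` and `cdr_arrangement_id` are the CDR scope and claim names, but their handling here is simplified.

```python
# Added example (not the repo's code): simulate the Pattern 1 consent check that
# the ApigeeX proxy performs before releasing "Go Bank" data.
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a shared HMAC key standing in for the issuer's
# signing key. Real CDR tokens are asymmetrically signed and the proxy verifies
# them against the issuer's JWKS, not a shared secret.
SECRET = b"example-only-shared-secret"
ISSUER = "https://my-demo-tenant.us.authz.cloudentity.io/my-demo-tenant/cdr"  # assumed issuer URL
AUDIENCE = "https://apigeex.example.com/cdr"  # hypothetical data API audience
ACCOUNTS_SCOPE = "bank:accounts.basic:read"  # CDR scope name

# Mock account data (the ApigeeX artefacts in the text also return mock data).
MOCK_BALANCES = {"acc-1": "1250.00", "acc-2": "90.15", "acc-9": "400.00"}

# Proxy-side consent cache keyed by arrangement id; in Pattern 1 this is what
# the issuer's webhook notifications keep current. Shape assumed for the example.
CONSENT_CACHE = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Issuer side: sign claims as an HS256 JWT (stand-in for the CDR access token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Proxy side: check algorithm, signature, issuer, audience and expiry.
    Raises ValueError on any failure so callers cannot fall through to data."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects alg=none and algorithm confusion
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def cache_consent(arrangement_id: str, customer_id: str, account_ids, scopes) -> None:
    """Populate the proxy cache when a consent is first seen (assumed helper)."""
    CONSENT_CACHE[arrangement_id] = {"status": "active", "customer_id": customer_id,
                                     "account_ids": set(account_ids), "scopes": set(scopes)}


def handle_consent_webhook(event: dict) -> None:
    """Webhook receiver for the issuer's asynchronous notifications.
    Assumed payload: {"type": "consent.revoked", "arrangement_id": "..."}."""
    if event.get("type") == "consent.revoked":
        consent = CONSENT_CACHE.get(event.get("arrangement_id"))
        if consent is not None:
            consent["status"] = "revoked"


def get_account(token: str, account_id: str, now=None):
    """Data API handler: returns (http_status, body) the way the proxy would."""
    try:
        claims = verify_token(token, now)
    except ValueError as err:
        return 401, {"error": "invalid_token", "detail": str(err)}
    if ACCOUNTS_SCOPE not in claims.get("scope", "").split():
        return 403, {"error": "insufficient_scope"}
    consent = CONSENT_CACHE.get(claims.get("cdr_arrangement_id"))
    if consent is None or consent["status"] != "active" or ACCOUNTS_SCOPE not in consent["scopes"]:
        return 403, {"error": "consent_not_active"}  # revoked, unknown, or never granted for this scope
    if account_id not in consent["account_ids"]:
        # Valid token and active consent, but the customer did not select this
        # account on the consent screen: answer as if it does not exist.
        return 404, {"error": "not_found"}
    return 200, {"accountId": account_id, "customerId": consent["customer_id"],
                 "balance": MOCK_BALANCES.get(account_id)}


def run_demo(now: float = 1_700_000_000.0) -> list:
    """Walk the flow end to end and return the status codes observed."""
    cache_consent("arr-123", "user", ["acc-1", "acc-2"], [ACCOUNTS_SCOPE])
    token = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user", "exp": now + 300,
                        "scope": ACCOUNTS_SCOPE, "cdr_arrangement_id": "arr-123"})
    results = [get_account(token, "acc-1", now)[0],   # consented account
               get_account(token, "acc-9", now)[0]]   # account outside the consent
    handle_consent_webhook({"type": "consent.revoked", "arrangement_id": "arr-123"})
    results.append(get_account(token, "acc-1", now)[0])        # revoked via webhook
    results.append(get_account(token, "acc-1", now + 600)[0])  # same token after expiry
    return results


if __name__ == "__main__":
    print(run_demo())
```

Running the file walks the flow once and returns the status codes for a consented account, an account outside the consent, the same request after a revocation webhook, and the same request after token expiry. Two design points carry over to the real proxy: the token is rejected before any consent lookup so an expired or forged token never reaches the cache, and a non-consented account is answered with 404 rather than 403 so the response does not confirm that the account exists.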
Pattern 2 - ApigeeX handles data and OAuth traffic and proxies to Cloudentity for OAuth, tokens and consents, with optional caching
In this model, all external traffic to the data holder, including the OAuth endpoints and the data API endpoints, traverses Apigee. The Apigee domain is configured as a vanity domain within Cloudentity, and the Cloudentity tenant accepts only traffic from the configured Apigee domain.