How To

Creating Your Registration Payload

 

   

The Registration JWT

Your Registration Payload must be provided as a Signed JWT (JSON Web Token), a set of claims signed by the creator that can be decoded and verified using a public certificate by a third party.

A JWT is comprised of 3 parts:

  1. The Header, which contains details on how the JWT has been signed/encoded
  2. The Payload, a number of application specific claims, the details that the signature will be verifying
  3. The Signature, created using your Private Key, used to validate the payload is unmodified using a Public Certificate
The serialized and encoded JWT takes the form header.payload.signature

 
   
   

Creating Your Registration JWT

The steps below outline the process to assemble your Signed JWT / Registration Payload
Create the JWT Header
 

Your JWT Header should include the following:

  1. The 'typ' claim, with a value of 'JWT'
  2. The 'alg' claim, with a value of 'PS256'
  3. The 'kid' claim, which should reflect the Key ID for the Key being used to sign the JWT
   
Create the JWT Payload
 

Your JWT Payload will include a number of claims describing your App. These values will be sourced from a combination of your Software Assertion from the OBIE, Values taken from the Nationwide Well-Known endpoint and the OBIE speecification

Your JWT Payload will also include the Signed Software Assertion (SSA) for your APP, provided by the OBIE. The SSA has a limited lifetime (30 mins). It is advised to use a fresh SSA when assembleing your registration payload.

Please see the Registration Request Format table below for details on the claims that you need to include in the payload, or refer to the OBIE Specification for more in-depth details.
   
Sign the JWT and Verify
 

Using the Signing Key associated with your App, sign the Registration JWT you have assembled in the previous steps.

You can verify the JWT has been signed correctly, using the appropriate key using JWT.io:

 
   
   

Registration Payload Claims

The list below outlines some of the values that should be used in the mandatory claims as part of your registration payload.
Certain values can be obtained from your OBIE provided SSA, and opthers from our Well-Known endpoint.

A full breakdown of the claims can be found in the OBIE DCR Specification

 

software_statement

       

This should be the JWT value of the SSA you receive from the OBIE.

redirect_uris

       

Value of this parameter should match ‘software_redirect_uris’ value in the TPP Software Statement, issued by the OBIE. It must be 2,000 characters or fewer and must not be an IP address.

scope

       

This should match what is on your SSA and should be written as "openid" and then followed by any one or all of the following values depending on your app requirements: "accounts", "payments", “fundsconfirmations”. This should be in a string format

iss 

  

The value should match the 'software_id' from your SSA

software_id

  

Mandatory field, which should be the `software_client_id` value taken from the SSA

exp

       

The expiry date should be in a Unix time stamp format and not wrapped in speech marks e.g "exp": 1536913020. This value must be greater than `iat` value and should be a future time value from the time of your app registration.

aud

       

This should be the Nationwide Org Id - 0015800000jf8aKAAQ

iat

       

This should be the equivalent Unix timestamp value of the time you try the registration. This should be provided in the Unix time stamp format and not wrapped in double quotes e.g "iat": 1536913020

response-types

       

Must be "code id_token" only

jti

       

A unique identifier for the JWT. The value must be a UUIDv4 GUID.

token_endpoint_auth_method

       

Your `token_endpoint_auth_method` value determines the authentication method you will use in requests to the /token endpoint and should be "tls_client_auth" or "private_key_jwt"

id_token_signed_response_alg

       

The expected algorithm that id_tokens will be signed with. Shold be PS256

token_endpoint_auth_signing_alg

       

Mandatory field for registrations if your token_endpoint_auth_method claim is private_key_jwt. Must be PS256

tls_client_auth_subject_dn

       

Mandatory field for registrations if your token_endpoint_auth_method claim is tls_client_auth. Must be the subject DN of your TLS certificate.

 

 
   
   

Verifying the JWT Signature

If you would like to verify the signature of you registration Payload JWT you cna use the steps below to do so on jwt.io

1  
Navigate To You .jwks Endpoint
 

Navigate to the .jwks endpoint for your application. This url can be found in your SSA against the claim 'software_jwks_endpoint'.
This lists all of the Key/Certificate pairs associated with your App, is where we will obtain your public certificate from.
   
2
Download the Public Transport Certificate
  Find the Key that has the 'kid' value you specified in your JWT header, this should have a 'use' value of 'tls'.
Download the Public Certificate for this key using the link in the 'x5u' value.
   
3
Input You JWT Claims ON JWT.io
  Open JWT.io in your browser, and paste your Signed JWT into the 'Encoded' input field on the left hand side of the screen.
This should now update the Header and Payload fields on the right hand side of the screen to reflect the claims you used when creating the JWT.
   
4
Verify your Certificate On JWT.io
  Paste the contents of the Public Certificate (including the Begin and End certificate lines) into the 'Public Key' section of the Verify Signature fields on the right hand side of the screen.
If your JWT payloads has been signed correctly using the appropriate Signing Key, you should see the message 'Signature Verified' below the Encoded JWT field.
   
   

Registration JWT Examples

Example Decoded Registration JWT

{
  "typ" : "JWT",
  "alg" : "PS256",
  "kid" : "anExampleKid"
}
{
  "software_statement" : "eyJhbGciOiJQUzI1NiIsImtpZCI6Ikh6YTl2NWJnR...vlsIOLNPA",
  "aud" : "0015800000jf8aKAAQ",
  "grant_types" : [ 
    "authorization_code""client_credentials""refresh_token" 
  ],
  "scope" : "openid accounts payments",
  "iss" : "VBgoz0UEnwpUoS07JDEzVL",
  "exp" : 1579520051,
  "iat" : 1579170789,
  "token_endpoint_auth_method" : "tls_client_auth",
  "tls_client_auth_subject_dn" : "CN=ExampleTppApp, OU=OBExamples, O=ExampleTPP, C=GB",
  "software_id" : "VBgoz0UEnwpUoS07JDEzVL",
  "jti" : "aff03404-b404-44c6-99f9-b994d0fdf611",
  "redirect_uris" : [
    "https://example-tpp.com/callback"
  ],
  "application_type" : "web",
  "id_token_signed_response_alg" : "PS256",
  "request_object_signing_alg" : "PS256",
  "response_types" : [ 
    "code id_token" 
  ]
}