12.6.3.5.1. Plugin features

The certificate referred to as "client certificate" in this document is the X.509 certificate involved in the SSL/TLS handshake ("mutual TLS"). In PSD2 it is a QWAC (qualified website authentication certificate).

It is not about the signing certificates for HTTP request signature (see 12.6.3.4. HTTP request signature verification for STET).

The plugin "STET PSD2 Authenticator" provides the following features:

  • The used client certificate (QWAC) for the TLS connection will be validated according to the configuration.
    • Check validity period (if check is enabled).
    • Check status of the client certificate (check CRLs and/or OCSPs).
  • Check validity of the OAuth Access Token
  • Note that valid OAuth Access tokens are accepted even if the technical client in the database is locked. Make sure the access tokens are only valid for a short period of time. See also OAuth Configuration in 12.6.3.3. Airlock IAM configuration for STET PSD2.

  • Ensures that the OAuth 2.0 Access Token was issued for the technical client identified by the client certificate.
  • Extract "organizationIdentifier" (identifying the TPP) from the client certificate's subject DN: This will be available as "username" attribute for later identity propagation.
  • Provides the OAuth 2.0 scopes ("aisp", "pisp", "cbpii", "extended_transaction_history") as roles in the resulting authenticated entity. They are used for access control in the Airlock Gateway (WAF) and in the bank's service.

Scope of certificate verification

At least the following certificate verification tasks must be done in Airlock Gateway (WAF) (make sure Airlock Gateway (WAF) is configured accordingly):

  • Ensure a client certificate is successfully involved in the SSL/TLS handshake. 
  • Ensure the issuer of the client certificate is trusted.
  • Check OCSP and CRLs (this may also be done in IAM - see below).