Signature scope
12.6.2.3.2.1. Defining the signature scope

The scope of the signature - i.e. the set of headers and optionally the body that are verified to be part of the signature - is specified by the configuration. It is defined by the following properties:

  • "Digest": defines whether a hash value of the HTTP request body is added to the HTTP headers.
  • "Signature Header Verifications": defines the set of HTTP headers of the request that must be part of the signature. It supports the following types:
    • "Mandatory HTTP Signature Header": The header must be part of the signature unless an additional condition (presence of another header or presence of a request body) is not met.
    • "Whitelist HTTP Signature Header": Ensures that only the whitelisted headers are in the signature.

According to the NextGenPSD2 specification (V1.3 - 20181019) - section 12.2 ("Requirements on the "Signature" Header") - the following settings should be used:

IAM Config Property
Value
Description
Digest
"HTTP Instance Digest Verification" with allowed algorithms SHA-256 and SHA512.
Ensures that the HTTP request body - if present - is hashed. The hash value is transferred as HTTP header "Digest".
Signature Headers
Verifications
Values of type "Mandatory HTTP Signature Header":
Header Name
Mandatory if ...
Digest
if HTTP body is present (see Description)
Date
always mandatory
X-Request-ID
always mandatory
PSU-ID
must be part of the signature if "PSU-ID" header is present in request
PSU-Corporate-ID
must be part of the signature if "PSU-Corporate-ID" header is present in request
TPP-Redirect-URI
must be part of the signature if "TPP-Redirect-URI" header is present in request
To define the "Header Name" within the signature header plugins, use the plugin type "String HTTP Signature Header".
Ensure that HTTP headers are part of the signature.
The NextGenPSD2 specification states that the "Digest" header must always be present, even if there is no body in the request. The recommended setting, i.e. only require the Digest header if there is a body, may be more robust in practice.
Value of type "Whitelist HTTP Signature Headers":
Header Name
Digest
X-Request-ID
PSU-ID
PSU-Corporate-ID
Date
TPP-Redirect-URI
Ensures that no other than the listed headers are part of the signature.