The certificate referred to as "client certificate" in this document is the X.509 certificate involved in the SSL/TLS handshake ("mutual TLS"). In PSD2 it is a QWAC (qualified website authentication certificate).
It is not about the signing certificates used for the HTTP request signature (see HTTP request signature verification for STET).
The plugin "STET PSD2 Authenticator" provides the following features:
- The client certificate (QWAC) used for the TLS connection is validated according to the configuration.
- Check the validity period (if this check is enabled).
- Check the revocation status of the client certificate (CRLs and/or OCSP).
- Check the validity of the OAuth access token.
- Ensure that the OAuth 2.0 access token was issued for the technical client identified by the client certificate.
- Extract "organizationIdentifier" (identifying the TPP) from the client certificate's subject DN; it is made available as the "username" attribute for later identity propagation.
- Provide the OAuth 2.0 scopes ("aisp", "pisp", "cbpii", "extended_transaction_history") as roles in the resulting authenticated entity. They are used for access control in the Airlock Gateway (WAF) and in the bank's service.
Note that valid OAuth access tokens are accepted even if the technical client in the database is locked. Therefore make sure access tokens are only valid for a short period of time. See also OAuth Configuration in Airlock IAM configuration for STET PSD2.
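The following is an added illustration of the checks listed above, not Airlock IAM's own code: it extracts the organizationIdentifier from a constructed QWAC subject DN, enforces the validity period and token expiry, binds the token to the technical client of the certificate, and maps scopes to roles. The client registry, DN and token values are assumptions; CRL/OCSP status is left to the gateway.

```python
# Added illustration, not Airlock IAM's own code. Registry, DN and token values are constructed.
import re
from datetime import datetime

# Assumed mapping of OAuth technical clients to the organizationIdentifier of their QWAC.
CLIENT_REGISTRY = {"tpp-client-42": {"organizationIdentifier": "PSDFR-ACPR-12345", "locked": True}}
PSD2_SCOPES = {"aisp", "pisp", "cbpii", "extended_transaction_history"}

def parse_dn(dn: str) -> dict:
    """Split an RFC 4514 DN into attribute -> value, honouring backslash-escaped commas."""
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):
        name, _, value = rdn.strip().partition("=")
        attrs[name.strip()] = value.replace("\\,", ",")
    return attrs

def authenticate(subject_dn, not_before, not_after, token, now, check_validity_period=True):
    """Return the authenticated entity ({username, roles}) or raise ValueError.
    Timestamps are ISO 8601 strings with a UTC offset."""
    ts = datetime.fromisoformat
    if check_validity_period and not (ts(not_before) <= ts(now) <= ts(not_after)):
        raise ValueError("client certificate outside its validity period")
    attrs = parse_dn(subject_dn)
    org_id = attrs.get("organizationIdentifier") or attrs.get("2.5.4.97")  # OID form of the attribute
    if not org_id:
        raise ValueError("organizationIdentifier missing in client certificate subject")
    if ts(token["exp"]) <= ts(now):
        raise ValueError("access token expired")
    client = CLIENT_REGISTRY.get(token["client_id"])
    # The token must have been issued for the technical client identified by the certificate.
    if client is None or client["organizationIdentifier"] != org_id:
        raise ValueError("access token not issued for the presented client certificate")
    # As noted above, a locked technical client is still accepted while its token is valid;
    # a short token lifetime bounds that window.
    roles = sorted(set(token.get("scope", "").split()) & PSD2_SCOPES)
    return {"username": org_id, "roles": roles}

# Constructed sample input; the escaped comma in O= exercises the DN parser.
SAMPLE_DN = "CN=api.tpp.example,organizationIdentifier=PSDFR-ACPR-12345,O=Example TPP\\, SA,C=FR"
SAMPLE_TOKEN = {"client_id": "tpp-client-42", "scope": "aisp pisp openid", "exp": "2024-06-01T12:10:00+00:00"}

if __name__ == "__main__":
    print(authenticate(SAMPLE_DN, "2024-01-01T00:00:00+00:00", "2025-01-01T00:00:00+00:00",
                       SAMPLE_TOKEN, "2024-06-01T12:00:00+00:00"))
```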
Scope of certificate verification
At least the following certificate verification tasks must be done in Airlock Gateway (WAF); make sure Airlock Gateway (WAF) is configured accordingly:
- Ensure a client certificate was successfully presented in the SSL/TLS handshake.
- Ensure the issuer of the client certificate is trusted.
- Check OCSP and/or CRLs (this may also be done in IAM; see below).