HTTP request signature verification for STET

This document describes how to use the plugin (within the Loginapp's one-shot feature HTTP request authentication (One-Shot flow)) in order to provide STET compliant HTTP signature verification.

The described plugin provides the ability to check HTTP signatures according to the internet draft Signing HTTP Messages as required in STET.

This documentation gives examples and lists the HTTP headers that need to be verified as specified in the STET v1.4.1.3 specification.

The documentation may be used as an example but does not guarantee that the legal PSD2 requirements are met. Please ensure the correct configuration by examining the latest PSD2 specifications.

Plugin features

Two certificates of the TPP are involved in STET:

  • The signing certificate used to sign HTTP requests
  • The client certificate used in the SSL/TLS handshake (also called "mutual TLS").

The plugin HTTP Signature Verification Credential Extractor provides the following features:

  • Extract the original HTTP request (using Airlock environment cookies).
  • Check HTTP request signature:
    • Verify the signature itself: the set of headers that must be signed can be defined by the IAM configuration
    • Verify the signature was created with a signing certificate issued by a trusted issuer
    • Check CRLs and OCSPs to verify the validity of the TPPs signing certificate
  • Extract the client certificate and OAuth Access Token for later authentication of the TPP
  • Verify that the signing certificate and the client certificate have been issued for the same TPP.
  • Every step may fail and result in the bank API request being blocked.