1. Introduction
This document explains the role of the Trust Framework in the Open Finance UAE Program and how technical users from LFIs and TPPs are expected to interact with it. Its content is derived from the documentation at https://docs.connect.raidiam.io/, which is referenced throughout this document.
The Sandbox Trust Framework can be accessed at the following link:
Web Application : https://web.sandbox.directory.openfinance.ae/
OIDC Discovery API : https://auth.sandbox.directory.openfinance.ae/.well-known/openid-configuration
...
Sign Participation Documents
To complete onboarding on the Ecosystem, all participants (LFIs, TPPs and VASPs) are expected to issue and sign the Ecosystem Participation Document on DocuSign.
Ensure Server Certificates are Valid:
Generate transport, signing and encryption certificates on the Trust Framework, rotating them at least once every 12 months (certificate expiration is set at 13 months, which leaves a one-month window for rotation before the old certificate lapses).
Ensure Published APIs are Valid and Certified:
Publish the API endpoints and ensure the correct version is available before any defined ecosystem go-live date.
Ensure server metadata is always up to date, including server logo, server description and customer-facing name.
Integrate with Directory for Onboarding:
Integrate with the Trust Framework registration endpoints, ensuring every registered client is onboarded and validated according to the ecosystem Registration Framework.
Integrate Authentication:
Integrate with the Trust Framework JWKS endpoints, retrieving client public keys to validate message signatures and to encrypt messages.
Integrate with the Directory OCSP/CRL services, verifying on each use that the presented certificates are valid and have not been revoked.
...
Once registered in the Trust Framework, the Authorization Server can be retrieved via the Trust Framework APIs, notably the Participants Public API.
...
Participants can register API Resources (https://docs.connect.raidiam.io/xwL5-api-resources) for the products and services they offer, following the published schema. Only API endpoints and versions approved for go-live should be added to the Trust Framework.
...
LFIs are required to register their acquired certifications under “Server Certifications” for every Data Provider/Server registered under the Trust Framework.
The Certification Framework defines that LFIs must obtain their LFI Customer Experience Certification following the steps outlined on the Certification Framework.
...
There are three types of server certificates, each serving different purposes. Detailed information about server certificates can be found in the Certificate Standard https://openfinanceuae.atlassian.net/wiki/x/1ICQD .
Instructions on creating server certificates are available at https://docs.connect.raidiam.io/manage-certificates-for-organisation
...
5.1 Creating an Account
Refer to the https://openfinanceuae.atlassian.net/wiki/spaces/TFDocv3TFDocsv4/pages/edit-v2/168263702#4183468280#4.1-Creating-an-Account section.
5.2 Signing the Terms & Conditions Document
...
Access to the Production Environment will be granted once the document is signed and reviewed by the AlTareq team.
Refer to the https://openfinanceuae.atlassian.net/wiki/spaces/TFDocv3TFDocsv4/pages/edit-v2/168263702#4183468280#4.2-Signing-the-Terms-%26-Conditions-Document section for more details.
5.3 Onboarding Additional Users
Refer to the https://openfinanceuae.atlassian.net/wiki/spaces/TFDocv3TFDocsv4/pages/edit-v2/168263702#4183468280#4.3-Onboarding-Additional-Users section.
5.4 Registering Applications
The Applications Resource allows Organisations to register details of their OpenID Relying Parties (Clients), which interact with OAuth 2.0 Authorization Servers to access protected APIs. The interaction rules are outlined in the Security Profile - FAPI https://openfinanceuae.atlassian.net/wiki/x/TYCQD document.
When creating an Application in the Trust Framework, participants select the regulatory roles for the client, which define the types of APIs the client can access. Instructions on how to create new Applications can be found at https://docs.connect.raidiam.io/add-and-manage-applications
...
Field Name | Field Description | Example |
---|---|---|
Client Name | The name of the application as it will appear to end users | Finance Tracker Pro |
Description | A detailed description of the application, highlighting its key features, functionalities and benefits | Finance Tracker Pro helps users manage their personal finances by tracking income, expenses, and savings goals. Features include budget planning, expense categorization, and financial reporting |
Client Info URI | The URL of the application’s webpage, where users can find more detailed information about the application, including its features, pricing, and support. | |
Logo URI | The URL of the application’s logo in PNG or JPEG format. The logo is displayed alongside the application name and description on the platform as a visual identifier for users. | |
5.4.5 Shari’ah compliance flag
When registering or editing an Application, a field called “Flags” is available for the user to edit.
...
Details about how the Shari'ah compliance will be informed to the end users can be seen on : https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1finalstandardsv1dot1final/pages/151850813210800446/Common+Rules+and+Guidelines#21.-Shari%E2%80%99ah-compliance-of-TPP
5.4.6 Registering Certifications
Clients are only authorized to Operate on the Ecosystem once they have passed their full set of certifications defined on the Certification Framework, including their FAPI 2.0 UAE Relying Party Certification.
...
There are three types of client certificates, each with specific use cases. Detailed information about client certificates can be found in the Certificate Standard https://openfinanceuae.atlassian.net/wiki/x/1ICQD
Instructions on creating client certificates are available at https://docs.connect.raidiam.io/manage-certificates-for-organisationapplication
Servers must validate the certificates and signatures presented by clients on every new connection and on every authentication request. A request made with a revoked or expired certificate is denied.
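The following Go program is an added example, not code from the page, the Trust Framework or Raidiam, of the server-side check described above and of the OCSP/CRL step in the onboarding checklist: the presented client certificate must chain to the trusted issuer, be inside its validity period and be absent from a current, issuer-signed CRL, and a revoked or expired certificate is refused. Because it has to run offline, the issuer, the three client certificates and the CRL are generated in-process as stand-ins for the Trust Framework PKI chain and the Directory CRL service; a single issuing CA, ECDSA P-256 keys, the names (Demo, newIssuer, newClientCert, newCRL) and the 24-hour CRL window are the example's own assumptions, and OCSP is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// VerifyClientCert is the server-side check on a presented client certificate: it must
// chain to the trusted issuer, be inside its validity period, carry the client-auth EKU
// and not appear on a current, issuer-signed CRL. Any failure denies the request.
// Assumption: one issuing CA; a real chain would add the root from the PKI Chain endpoint.
func VerifyClientCert(leaf, issuer *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(issuer)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain or validity: %w", err) // covers expiry and unknown issuer
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is stale: refuse rather than fail open")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s revoked at %s", leaf.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil
}

// newIssuer builds a throwaway CA standing in for the Trust Framework issuer (demo only).
func newIssuer(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Issuing CA"},
		NotBefore: now.AddDate(-1, 0, 0), NotAfter: now.AddDate(9, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newClientCert issues a 13-month transport certificate (the lifetime the page states)
// ending at notAfter; a notAfter in the past yields an already-expired certificate.
func newClientCert(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, serial int64, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "Demo TPP transport"},
		NotBefore: notAfter.AddDate(0, -13, 0), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// newCRL publishes the given serials as revoked, with a 24h validity window (assumed).
func newCRL(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, now time.Time, revoked ...*big.Int) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer, issuerKey)
	if err != nil { return nil, err }
	return x509.ParseRevocationList(der)
}

// Demo issues a valid, a revoked and an expired client certificate and returns the
// verdict VerifyClientCert gives each one; err reports a problem building the fixtures.
func Demo() (validErr, revokedErr, expiredErr, err error) {
	now := time.Now()
	issuer, issuerKey, err := newIssuer(now)
	if err != nil { return }
	valid, err := newClientCert(issuer, issuerKey, 1001, now.AddDate(0, 6, 0))
	if err != nil { return }
	revoked, err := newClientCert(issuer, issuerKey, 1002, now.AddDate(0, 6, 0))
	if err != nil { return }
	expired, err := newClientCert(issuer, issuerKey, 1003, now.AddDate(0, 0, -1))
	if err != nil { return }
	crl, err := newCRL(issuer, issuerKey, now, revoked.SerialNumber)
	if err != nil { return }
	return VerifyClientCert(valid, issuer, crl, now), VerifyClientCert(revoked, issuer, crl, now), VerifyClientCert(expired, issuer, crl, now), nil
}

func main() {
	v, r, e, err := Demo()
	fmt.Printf("valid: %v\nrevoked: %v\nexpired: %v\nsetup: %v\n", v, r, e, err)
}
```

Two design points carry over to a real deployment: the CRL freshness check fails closed (a stale or unverifiable CRL denies the request instead of silently accepting), and revocation is matched on the serial number under the issuer that signed the CRL, never on the subject name alone.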
...
The technical requirements for API and Server discovery are outlined in the security standards, under the Registration Framework https://openfinanceuae.atlassian.net/wiki/x/i4CQD
5.6.2 Establishing Connection with Servers
After retrieving all the resources, clients can call the Authorization Server token and PAR endpoints, as outlined in the Security Profile - FAPI https://openfinanceuae.atlassian.net/wiki/x/TYCQD document.
Note: Clients are not required to undergo an active registration step in the Registration Framework; servers will accept all incoming valid requests from clients.
...
In essence, Organisation Flags state the products or services an LFI is expected to share, while its registered API Resources (https://openfinanceuae.atlassian.net/wiki/spaces/TFDocv3TFDocsv4/pages/edit-v2/168263702#4183468280#4.4.24-Registering-API-Resources) reflect what it is currently sharing.
...
API Name | Endpoint | Usage | Instructions / Swagger |
---|---|---|---|
Participants | Sandbox: https://data.sandbox.directory.openfinance.ae/participants Production: https://data.directory.openfinance.ae/participants | Provides details about all the Servers registered on the Trust Framework, including: | https://docs.connect.raidiam.io/find-data-providers-via-public-api |
Keystores | Sandbox: https://keystore.sandbox.directory.openfinance.ae/<org_id>/<app_id>/application.jwks Production: https://keystore.directory.openfinance.ae/<org_id>/<app_id>/application.jwks | Provides details about the certificates generated by the Trust Framework PKI. For client certificates, replace <org_id> with the participant's Organisation UUID on the TF and <app_id> with the Client UUID. For server certificates, remove <app_id> from the URI path and provide only <org_id>, the participant's Organisation UUID. | https://docs.connect.raidiam.io/public-and-private-keys#bz_0v |
PKI Chain | | Provides the issuer and root certificates in | https://docs.connect.raidiam.io/public-key-infrastructure#lwJo2 |
API Resources | Sandbox: https://web.sandbox.directory.openfinance.ae/config/apiresources Production: https://web.directory.openfinance.ae/config/apiresources | Provides the list of API Families that can be published on the TF. This API returns a JSON file which includes: | |
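The following Go program is an added example, not code from the page, the Trust Framework or Raidiam, of the "Integrate Authentication" step in the onboarding checklist together with the Keystores row above: a server resolves a client's signing key by kid from the JWKS it would fetch at the keystore URL, and verifies a JWS with it, refusing a tampered payload, an unknown kid, a key published for another use, and any algorithm other than the one it expects. To run offline, the JWKS is constructed in-process from a throwaway RSA key instead of being fetched; the pinned algorithm PS256, the kid values, the payload and the names (JWKS, SigningKey, VerifyPS256, RoundTrip) are assumptions of the example, and the Security Profile document governs which algorithms are actually permitted.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// JWK/JWKS mirror the document served at the keystore URL; on decode, encoding/json
// matches the lowercase keys (kty, kid, use, n, e) case-insensitively.
type JWK struct{ Kty, Kid, Use, N, E string }
type JWKS struct{ Keys []JWK }

func b64u(b []byte) string             { return base64.RawURLEncoding.EncodeToString(b) }
func b64uDec(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

// SigningKey picks the key with the given kid and refuses anything that is not an RSA
// key published for signing, so a key published for "enc" can never verify a signature.
func SigningKey(ks JWKS, kid string) (*rsa.PublicKey, error) {
	for _, k := range ks.Keys {
		if k.Kid != kid { continue }
		if k.Kty != "RSA" || (k.Use != "" && k.Use != "sig") {
			return nil, fmt.Errorf("kid %q is not an RSA signing key", kid)
		}
		nb, errN := b64uDec(k.N)
		eb, errE := b64uDec(k.E)
		if errN != nil || errE != nil { return nil, fmt.Errorf("kid %q has malformed key material", kid) }
		return &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}, nil
	}
	return nil, fmt.Errorf("kid %q not found in JWKS", kid)
}

// VerifyPS256 verifies a compact JWS and returns its payload. The algorithm is pinned
// (PS256 is this example's assumption), so a header claiming "none" or an HMAC alg is
// rejected before any key is looked up; the header never chooses the check.
func VerifyPS256(jws string, ks JWKS) ([]byte, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 { return nil, errors.New("malformed compact JWS") }
	hb, err := b64uDec(parts[0])
	if err != nil { return nil, err }
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hb, &hdr); err != nil { return nil, err }
	if hdr.Alg != "PS256" { return nil, fmt.Errorf("alg %q not accepted", hdr.Alg) }
	pub, err := SigningKey(ks, hdr.Kid)
	if err != nil { return nil, err }
	sig, err := b64uDec(parts[2])
	if err != nil { return nil, err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	opts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash} // PS256 per RFC 7518
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, opts); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	return b64uDec(parts[1])
}

// signPS256 plays the client's side for the demo only.
func signPS256(priv *rsa.PrivateKey, kid string, payload []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "PS256", "kid": kid})
	input := b64u(hdr) + "." + b64u(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
	if err != nil { return "", err }
	return input + "." + b64u(sig), nil
}

// RoundTrip generates a throwaway client key, publishes it as a one-key JWKS built
// in-process (standing in for a fetch of the keystore URL), and reports what the
// verifier accepts and what it refuses.
func RoundTrip() (ok, tamperedRejected, unknownKidRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return }
	ks := JWKS{Keys: []JWK{{Kty: "RSA", Kid: "client-sig-1", Use: "sig",
		N: b64u(priv.N.Bytes()), E: b64u(big.NewInt(int64(priv.E)).Bytes())}}}
	payload := []byte(`{"iss":"client-uuid","aud":"https://lfi.example/token"}`) // constructed
	jws, err := signPS256(priv, "client-sig-1", payload)
	if err != nil { return }
	got, err := VerifyPS256(jws, ks)
	if err != nil { return }
	ok = string(got) == string(payload)
	parts := strings.Split(jws, ".")
	parts[1] = b64u([]byte(`{"iss":"someone-else"}`)) // payload swapped, original signature kept
	_, e1 := VerifyPS256(strings.Join(parts, "."), ks)
	tamperedRejected = e1 != nil
	other, _ := signPS256(priv, "client-sig-9", payload) // kid the keystore never published
	_, e2 := VerifyPS256(other, ks)
	unknownKidRejected = e2 != nil
	return
}

func main() { fmt.Println(RoundTrip()) }
```

In a real integration the JWKS is fetched over HTTPS from the keystore URL in the table, cached, and re-fetched when a signature arrives with a kid not in the cache, which is also how the 12-month rotation in the checklist is absorbed without an outage. The two checks that matter most are visible above: the accepted algorithm is fixed by the verifier rather than read from the header, and a key is only used for the purpose it was published for.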
6.2.2 mTLS Protected APIs
...
Instructions on how to generate an Application are described on https://openfinanceuae.atlassian.net/wiki/spaces/TFDocv3TFDocsv4/pages/edit-v2/168263702#5183468280#5.4-Registering-Applications
To access these protected APIs, the participant must first obtain an access token with the directory:software scope by calling the token endpoint using the client_credentials grant type. Instructions for obtaining the token can be found at https://docs.connect.raidiam.io/client-credentials-flow-obtain-access-token#YzDfh
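The following Go program is an added example, not code from the page, the Trust Framework or Raidiam, of the exchange just described: a client_credentials request for the directory:software scope, and a client that refuses a reply which is not a Bearer token or which grants a different scope. To run offline it talks to an in-process stand-in for the Directory token endpoint over plain HTTP; the real endpoint is mTLS-protected, and NewMTLSClient shows how the transport certificate and the Trust Framework chain are loaded for it (the PEM file paths, the client_id value and the assumption that the Directory authenticates the client by its mTLS certificate are the example's own; the linked Raidiam page is authoritative for the client authentication method).

```go
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"os"
	"strings"
	"time"
)

const DirectorySoftwareScope = "directory:software"

// TokenResponse is the part of the token endpoint's JSON reply this client relies on.
type TokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int    `json:"expires_in"`
	Scope       string `json:"scope"`
}

// NewMTLSClient builds an HTTP client that presents the organisation's transport
// certificate and trusts only the Trust Framework chain. File paths are the caller's;
// the Directory authenticating the client by its certificate is an assumption here.
func NewMTLSClient(certPEM, keyPEM, chainPEM string) (*http.Client, error) {
	cert, err := tls.LoadX509KeyPair(certPEM, keyPEM)
	if err != nil { return nil, err }
	chain, err := os.ReadFile(chainPEM)
	if err != nil { return nil, err }
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(chain) { return nil, errors.New("no CA certificates in chain file") }
	tlsCfg := &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Timeout: 10 * time.Second, Transport: &http.Transport{TLSClientConfig: tlsCfg}}, nil
}

// ClientCredentialsToken runs the client_credentials grant for one scope and refuses a
// reply that is not a Bearer token or that grants a different scope (RFC 6749 lets the
// server omit "scope" only when it granted exactly what was requested).
func ClientCredentialsToken(ctx context.Context, c *http.Client, tokenEndpoint, clientID, scope string) (*TokenResponse, error) {
	form := url.Values{"grant_type": {"client_credentials"}, "client_id": {clientID}, "scope": {scope}}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenEndpoint, strings.NewReader(form.Encode()))
	if err != nil { return nil, err }
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := c.Do(req)
	if err != nil { return nil, err }
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { return nil, fmt.Errorf("token endpoint returned %s", resp.Status) }
	var tr TokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil { return nil, err }
	if tr.AccessToken == "" || !strings.EqualFold(tr.TokenType, "Bearer") { return nil, errors.New("reply is not a Bearer access token") }
	if tr.Scope != "" && !hasScope(tr.Scope, scope) { return nil, fmt.Errorf("scope %q not granted (got %q)", scope, tr.Scope) }
	return &tr, nil
}

// hasScope checks a space-separated scope string for one exact scope value.
func hasScope(granted, want string) bool {
	for _, s := range strings.Fields(granted) {
		if s == want { return true }
	}
	return false
}

// fakeTokenEndpoint stands in for the Directory's token endpoint so the exchange runs
// offline; it speaks plain HTTP, whereas the real endpoint sits behind mTLS.
func fakeTokenEndpoint() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case r.Method != http.MethodPost || r.FormValue("grant_type") != "client_credentials":
			http.Error(w, `{"error":"unsupported_grant_type"}`, http.StatusBadRequest)
		case r.FormValue("scope") != DirectorySoftwareScope:
			http.Error(w, `{"error":"invalid_scope"}`, http.StatusBadRequest)
		default:
			w.Header().Set("Content-Type", "application/json")
			json.NewEncoder(w).Encode(TokenResponse{AccessToken: "demo-token", TokenType: "Bearer", ExpiresIn: 300, Scope: DirectorySoftwareScope})
		}
	}))
}

// Demo obtains a token for directory:software, then shows a request for a scope the
// stand-in does not grant being refused.
func Demo() (tok *TokenResponse, wrongScopeErr error, err error) {
	srv := fakeTokenEndpoint()
	defer srv.Close()
	ctx := context.Background()
	tok, err = ClientCredentialsToken(ctx, srv.Client(), srv.URL+"/token", "client-uuid", DirectorySoftwareScope)
	_, wrongScopeErr = ClientCredentialsToken(ctx, srv.Client(), srv.URL+"/token", "client-uuid", "directory:admin")
	return
}

func main() {
	tok, wrong, err := Demo()
	fmt.Printf("token: %+v\nerr: %v\nwrong scope: %v\n", tok, err, wrong)
}
```

The returned access_token is then sent as Authorization: Bearer on the protected Directory APIs, over the same mTLS client, and should be cached and refreshed before expires_in elapses rather than requested per call.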
...