swagger: '2.0' info: title: Dynamic Client Registration API description: > This specification defines the APIs for a TPP to submit a Software Statement Assertion to an ASPSP for the purpose of creating OAuth clients that are registered with ASPSP. termsOfService: 'https://www.openbanking.org.uk/terms' contact: name: Service Desk email: ServiceDesk@openbanking.org.uk license: name: open-licence url: 'https://www.openbanking.org.uk/open-licence' version: v3.1-RC1 schemes: - https consumes: - application/jwt produces: - application/json paths: /register: post: summary: Register a client by way of a Software Statement Assertion description: Endpoint will be secured by way of Mutual Authentication over TLS tags: - Client Registration - Conditional parameters: - $ref: '#/parameters/ClientRegistration' responses: '201': $ref: '#/responses/OBClientRegistration1' '400': $ref: '#/responses/400Error' '/register/{ClientId}': get: summary: Get a client by way of Client ID tags: - Client Registration - Optional parameters: - $ref: '#/parameters/ClientId' - $ref: '#/parameters/Authorization' responses: '200': $ref: '#/responses/OBClientRegistration1' '401': $ref: '#/responses/401Error' '403': $ref: '#/responses/403Error' security: - TPPOAuth2Security: [] put: summary: Update a client by way of Client ID tags: - Client Registration - Optional parameters: - $ref: '#/parameters/ClientRegistration' - $ref: '#/parameters/ClientId' - $ref: '#/parameters/Authorization' responses: '200': $ref: '#/responses/OBClientRegistration1' '400': $ref: '#/responses/400Error' '401': $ref: '#/responses/401Error' '403': $ref: '#/responses/403Error' security: - TPPOAuth2Security: [] delete: summary: Delete a client by way of Client ID tags: - Client Registration - Optional parameters: - $ref: '#/parameters/ClientId' - $ref: '#/parameters/Authorization' responses: '204': description: Client deleted '401': $ref: '#/responses/401Error' '403': $ref: '#/responses/403Error' '405': $ref: '#/responses/403Error' security: - TPPOAuth2Security: [] parameters: Authorization: in: header name: Authorization type: string required: true description: 'An Authorisation Token as per https://tools.ietf.org/html/rfc6750' ClientId: name: ClientId description: The client ID in: path type: string required: true ClientRegistration: name: requestBody description: A request to register a Software Statement Assertion with an ASPSP in: body schema: type: string format: OBClientRegistration1 responses: OBClientRegistration1: description: Client registration schema: allOf: - $ref: '#/definitions/OBRegistrationProperties1' - required: - client_id 400Error: description: Request failed due to client error schema: $ref: '#/definitions/RegistrationError' 401Error: description: Request failed due to unknown or invalid Client or invalid access token headers: WWW-Authenticate: description: 'Response header field specified in https://tools.ietf.org/html/rfc6750' type: string pattern: ^Bearer .* 403Error: description: 'The client does not have permission to read, update or delete the Client' 405Error: description: Method Not Allowed definitions: SupportedAlgorithms: type: string enum: - RS256 - PS256 - ES256 OBRegistrationProperties1: type: object required: - redirect_uris - token_endpoint_auth_method - grant_types - software_statement - application_type - id_token_signed_response_alg - request_object_signing_alg - tls_client_auth_dn properties: client_id: description: OAuth 2.0 client identifier string type: string minLength: 1 maxLength: 36 client_secret: description: OAuth 2.0 client secret string type: string minLength: 1 maxLength: 36 client_id_issued_at: description: >- Time at which the client identifier was issued expressed as seconds since 1970-01-01T00:00:00Z as measured in UTC type: integer format: int32 minimum: 0 client_secret_expires_at: description: >- Time at which the client secret will expire expressed as seconds since 1970-01-01T00:00:00Z as measured in UTC. Set to 0 if does not expire type: integer format: int32 minimum: 0 redirect_uris: type: array items: type: string format: uri minLength: 1 maxLength: 256 token_endpoint_auth_method: type: string enum: - private_key_jwt - tls_client_auth grant_types: type: array items: type: string enum: - client_credentials - authorization_code - refresh_token minItems: 1 response_types: type: array items: type: string enum: - code - code id_token software_id: type: string scope: type: array items: type: string minLength: 1 maxLength: 32 software_statement: type: string format: JWT application_type: type: string enum: - web - mobile id_token_signed_response_alg: $ref: '#/definitions/SupportedAlgorithms' request_object_signing_alg: $ref: '#/definitions/SupportedAlgorithms' token_endpoint_auth_signing_alg: $ref: '#/definitions/SupportedAlgorithms' tls_client_auth_dn: type: string minLength: 1 maxLength: 128 OBClientRegistration1: allOf: - type: object required: - iss - iat - exp - aud - jti properties: iss: description: Unique identifier for the TPP. Implemented as Base62 encoded GUID type: string pattern: '^[0-9a-zA-Z]{1,18}$' minLength: 1 maxLength: 18 iat: description: >- The time at which the request was issued by the TPP expressed as seconds since 1970-01-01T00:00:00Z as measured in UTC type: integer format: int32 exp: description: >- The time at which the request expires expressed as seconds since 1970-01-01T00:00:00Z as measured in UTC type: integer format: int32 aud: description: | The audience for the request. This should be the unique identifier for the ASPSP issued by the issuer of the software statement. Implemented as Base62 encoded GUID type: string pattern: '^[0-9a-zA-Z]{1,18}$' minLength: 1 maxLength: 18 jti: description: Unique identifier for the JWT implemented as UUID v4 type: string pattern: >- ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$ minLength: 36 maxLength: 36 - $ref: '#/definitions/OBRegistrationProperties1' RegistrationError: type: object required: - error properties: error: type: string enum: - invalid_redirect_uri - invalid_client_metadata - invalid_software_statement - unapproved_software_statement error_description: type: string minLength: 1 maxLength: 500 securityDefinitions: TPPOAuth2Security: type: oauth2 flow: application description: >- TPP client credential authorisation flow with the ASPSP. No scopes defined as per specification tokenUrl: 'https://authserver.example/token'