ForgeRock is pleased to announce the release of version 3.1.0-DaftPunk of the ForgeRock Open Banking Reference Implementation; release date: 29/04/2019. This is a feature release that contains bug fixes, improvements and features.
- Issue #1005: Implement MATLS token endpoint auth method
  Important Information
  Affected API/UI: AS Well-known, Dynamic registration, Token Endpoint
  Description: The MATLS token endpoint authentication method is now supported. The well-known endpoint now lists the supported auth method 'tls_client_auth', allowing you to register or edit your OIDC client with this method. Once your OIDC client is set up to use this new MATLS auth method, you can call the token endpoint as before with this authentication method in place. This consists of presenting only your client certificate and no other form of credential.
- Edit my OIDC client via dynamic registration
  Important Information
  Affected API/UI: Dynamic registration PUT
  Description: The dynamic registration PUT is now implemented as per the OIDC spec. It allows you to edit your OIDC clients without having to get a new OIDC client ID.
- RS domain change
  The RS domain has now changed to matls.rs.aspsp.ob.forgerock.financial for the APIs requiring MATLS. We made this change so it is easier for you to notice which endpoints expect MATLS.
A new Postman collection and environment are now available. You can find them in our published Postman service: https://postman.ob.forgerock.financial
- Issue #1096: Validate the amount and currency values on payments
- Issue #1083: Invalid signature for detached JWS
  Important Information
  Affected API/UI: JWKMS detached signature validation
  Description: Every detached JWS with the 'crit' header failed signature validation by the JWKMS. This fix now excludes the OB JWS header claims from the signature validation.
- Issue #963: Open banking specs discrepancy in FR Sandbox
  Important Information
  Every endpoint now has the group name in the URL. Example: /open-banking/v3.1/pisp/domestic-payment-consents
- Issue #956: Severity: Medium - Getting 500 "Internal Server error" when uploading file in File Payment
  Important Information
  Affected API/UI: RS API
  Description: The payment files API should now accept all valid files with matching control sums. If control sums do not match, the TPP will receive a meaningful error message.
- Issue #978: Wrong error code returns when consent status is incorrect
  Important Information
  Affected API: RS ASPSP
  Description: The RS APIs will now return 401 when a consent is invalid or expired.
- Issue #941: Severity: Medium - Domestic Standing Orders with invalid date format returns 415 instead of 400
  Important Information
  Affected API: RS ASPSP
  Description: When an invalid date is passed in a JSON request in a consent flow, the API will return HTTP 400 Bad Request.
- Issue #926: Severity: Medium - Mandatory field “Meta” is missing in international payment fund confirmations response
  Important Information
  Affected API/UI: RS API
  Description: All payment fund confirmation responses will contain the 'Meta' field in the JSON response.
- Issue #921: Invalid date field on a consent returns 415
- Issue #828: On Standing Order API, StandingOrderStatusCode field is missing on FR
  Important Information
  Affected API/UI: RS ASPSP
  Description: If account permission with both 'basic' and 'detail' is requested by the TPP and authorised by the PSU, then all fields available for the 'detail' permission will be displayed.
- Issue #827: Creditor Account details are missing in Scheduled Payments response
  Important Information
  Affected API/UI: RS ASPSP
  Description: If account permission with both 'basic' and 'detail' is requested by the TPP and authorised by the PSU, then all fields available for the 'detail' permission will be displayed.
- Issue #816: Access token and authorise needs to accept the token endpoint as audience in JWT
  Important Information
  The client assertion JWT now accepts the token endpoint as the value of the audience claim.
- Issue #815: SSA without contacts is created a NPE
- Issue #791: Data API allows duplicate balances to be created but then fails when editing them
- Issue #721: 403 response - international payments without optional field ExchangeRateInformation
- Issue #536: Severity: Medium - Passing incorrect value to the Request header 'x-fapi-customer-last-logged-time' returns 200
  Important Information
  Affected API/UI: RS ASPSP
  Description: Passing an invalid value for the 'x-fapi-customer-last-logged-time' on any account/Payment API will return 400 Bad Request.
- Issue #322: Allow Remote Consent Service to send a redirect URL to the TPP on error
  Important Information
  Affected API/UI: Remote Consent Service
  Description: If there is a problem with an invalid consent (e.g. wrong account number) during the PSU authorisation process, the Remote Consent Service will redirect back to the TPP app (using redirect URL) and include the error in the URL parameters.
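
As an illustration of the 'crit' handling behind Issue #1083, the following added example (not ForgeRock's JWKMS code) verifies a detached JWS whose 'crit' header lists Open Banking header claims, accepting the ones it understands and rejecting unknown ones as RFC 7515 requires. Assumptions: the OB claim names come from the Open Banking v3.1 message-signing profile rather than from this page, HS256 from the Python standard library stands in for the PS256 signatures Open Banking uses, and the key, header values and payload are constructed samples.

```python
import base64, hashlib, hmac, json

OB = "http://openbanking.org.uk/"
# crit names this verifier understands (OB v3.1 signing profile; assumed, not listed on the page)
UNDERSTOOD_CRIT = {"b64", OB + "iat", OB + "iss", OB + "tan"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def signing_input(header_b64: str, header: dict, payload: bytes) -> bytes:
    # RFC 7797: with "b64": false the payload is signed as raw bytes
    body = payload if header.get("b64") is False else b64url(payload).encode()
    return header_b64.encode() + b"." + body

def sign_detached(header: dict, payload: bytes, key: bytes) -> str:
    header_b64 = b64url(json.dumps(header, separators=(",", ":")).encode())
    mac = hmac.new(key, signing_input(header_b64, header, payload), hashlib.sha256)
    return f"{header_b64}..{b64url(mac.digest())}"  # empty middle part = detached

def verify_detached(jws: str, payload: bytes, key: bytes) -> bool:
    header_b64, middle, sig_b64 = jws.split(".")
    if middle:
        raise ValueError("payload part must be empty in a detached JWS")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm, never trust the header's choice
        raise ValueError("unexpected alg")
    crit = header.get("crit")
    if crit is not None:
        if not isinstance(crit, list) or not crit:
            raise ValueError("crit must be a non-empty array")
        for name in crit:
            # RFC 7515 section 4.1.11: reject unknown or absent critical parameters
            if name not in UNDERSTOOD_CRIT or name not in header:
                raise ValueError(f"unsupported critical header: {name}")
    mac = hmac.new(key, signing_input(header_b64, header, payload), hashlib.sha256)
    return hmac.compare_digest(mac.digest(), b64url_decode(sig_b64))

# Constructed sample values (not taken from the sandbox)
KEY = b"constructed-demo-key"
PAYLOAD = b'{"Data":{"Initiation":{"InstructedAmount":{"Amount":"10.00","Currency":"GBP"}}}}'
HEADER = {"alg": "HS256", "b64": False, OB + "iat": 1556496000,
          OB + "iss": "constructed-org/constructed-software", OB + "tan": "openbanking.org.uk",
          "crit": ["b64", OB + "iat", OB + "iss", OB + "tan"]}
JWS = sign_detached(HEADER, PAYLOAD, KEY)
```
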