consumerdataright / mock-register
A mock version of the Consumer Data Right Register that can be used in the development and testing of CDR solutions.

License: MIT License

Batchfile 0.82% C# 98.42% Dockerfile 0.34% Shell 0.17% PowerShell 0.24%
cdr consumer-data-right open-banking open-energy

mock-register's People

Contributors: cdr-amirm, cdr-andrewg, cdr-ct, cdr-davidr, cdr-df, cdr-farooqk, cdr-ms, govjmal, jithin-sukumar

mock-register's Issues

The kid and x5t values need to be swapped. See https://datatracker.ietf.org/doc/html/rfc7517

Describe the bug
Noticed a major bug around the JWKS generation. The kid and x5t values need to be swapped.
SSA JWTs have the incorrect kid values; they are using the x5t value.

To Reproduce
Steps to reproduce the behavior:

  1. See endpoint response for /cdr-register/v1/jwks
  2. See endpoint response for /cdr-register/v1/banking/data-recipients/brands/F3F0C40B-9DF8-491A-AF1D-81CB9AB5F021/software-products/6F7A1B8E-8799-48A8-9011-E3920391F713/ssa

Expected behaviour
kid and x5t values should follow the standards defined in
https://datatracker.ietf.org/doc/html/rfc7517
https://datatracker.ietf.org/doc/html/rfc7638

Additional context
Example of values that need to be swapped:
"kid": "AA24F185EE3F67504808FC4E26B135B99E63BDA9",
"x5t": "qiTxhe4_Z1BICPxOJrE1uZ5jvak",

Can we get an ETA on the fix please?
Thanks for the repo.
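The relationship between the two reported values, and the RFC 7638 thumbprint the reporter expects, as an added example in Python (not code from the mock-register project or from the issue thread): it re-encodes a hex SHA-1 certificate thumbprint as x5t per RFC 7517 section 4.8, computes the RFC 7638 JWK thumbprint over the RSA public key quoted further down this page, and flags a JWK whose kid is merely the certificate thumbprint written in hex. The assumption that the 40-character kid originated as .NET's X509Certificate2.Thumbprint hex form is mine; RFC 7517 itself leaves the kid format open, so the thumbprint check is informational.

```python
import base64
import hashlib
import json
from typing import Dict, List

# Values quoted from the issue above: the Register's JWKS carried the SHA-1
# certificate thumbprint (hex) as "kid" and its base64url form as "x5t".
REPORTED_KID = "AA24F185EE3F67504808FC4E26B135B99E63BDA9"
REPORTED_X5T = "qiTxhe4_Z1BICPxOJrE1uZ5jvak"

# RSA public key quoted from the MockDataRecipientJwks response on this page.
MOCK_DR_JWK = {
    "kty": "RSA",
    "alg": "PS256",
    "e": "AQAB",
    "n": "6kpKQ674ZD6dCrJaZezah4Hpr8D5xo4Pn4TibDtWqWr42ghq2SdJ09laHil4h1t-9u3YLbLeNQlbq2izyvQv_l8mWfBRqb7-UgEfT4EFAlriD5h84xsbsK85laz7ph7LA8kj11ztxuUqjeGbircng2v6GM8nzMSk8n4g9nNSy3-G0nZcPYPqYcbISwPiFX9RN4aPKysouuJ1k1IIVdPzUVaAQwP5F9R7TEz1lWkD4Lj1nw-mx6Jxe5fiozuMS87rD8A9AXtuO-57pmW_m40fiDJRF7csYOYL1N32AUcIIrJW0KYdImWtaOMm-mAAlbGX2zz3znXElKaEm0rBqZdx5Q",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires (RFC 7515, Appendix C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore the padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: Dict) -> str:
    """RFC 7638 thumbprint of an RSA JWK: SHA-256 over the JSON of the
    required members only (e, kty, n), lexicographically ordered, no whitespace.
    Optional members such as kid, alg or key_ops never enter the hash."""
    if jwk.get("kty") != "RSA":
        raise ValueError("this example only handles RSA keys")
    required = {"e": jwk["e"], "kty": "RSA", "n": jwk["n"]}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def x5t_from_der(cert_der: bytes) -> str:
    """RFC 7517 section 4.8: x5t is the base64url SHA-1 digest of the DER certificate."""
    return b64url(hashlib.sha1(cert_der).digest())


def x5t_from_hex_thumbprint(thumbprint_hex: str) -> str:
    """The same SHA-1 digest, starting from the hex form that .NET's
    X509Certificate2.Thumbprint (and the seed data's "Thumbprint" field) use."""
    return b64url(bytes.fromhex(thumbprint_hex))


def audit_key_ids(jwk: Dict) -> List[str]:
    """Human-readable findings about a key's kid/x5t pair.

    Flags the mix-up from the issue: a kid that is just the certificate
    thumbprint re-encoded in hex. Also notes (informationally) when an RSA
    key's kid is not its RFC 7638 thumbprint."""
    findings = []
    kid, x5t = jwk.get("kid"), jwk.get("x5t")
    if x5t is not None:
        try:
            digest = b64url_decode(x5t)
        except ValueError:
            return ["x5t is not valid base64url"]
        if len(digest) != 20:
            findings.append("x5t does not decode to a 20-byte SHA-1 digest")
        try:
            if kid is not None and bytes.fromhex(kid) == digest:
                findings.append("kid is the x5t certificate thumbprint in hex")
        except ValueError:
            pass  # kid is not hex, so it cannot be the re-encoded thumbprint
    if jwk.get("kty") == "RSA" and "n" in jwk and "e" in jwk:
        if kid != jwk_thumbprint(jwk):
            findings.append("kid is not the RFC 7638 JWK thumbprint")
    return findings


if __name__ == "__main__":
    print("x5t derived from the reported kid:", x5t_from_hex_thumbprint(REPORTED_KID))
    print("findings:", audit_key_ids({"kid": REPORTED_KID, "x5t": REPORTED_X5T}))
    print("RFC 7638 thumbprint of the Mock DR key:", jwk_thumbprint(MOCK_DR_JWK))
```

Running it shows that x5t_from_hex_thumbprint(REPORTED_KID) reproduces REPORTED_X5T exactly, so the two reported values are one digest in two encodings, which is what the issue is describing.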

Change hostname of "jwks_uri" attribute in SSA to remote IP address instead of localhost

Is your feature request related to a problem? Please describe.
We want to deploy the CDR Mock Register container in a remote location for test purposes, so we need to change the hostname in the "jwks_uri" attribute of the SSA from localhost to the IP address of the remote computer. Otherwise we get signature_validation errors because the relevant jwks endpoint cannot be recognized.

Describe the solution you'd like
Provide a configuration or an extension point to set the SSA's jwks_uri attribute.


How to get the Banking APIs related responses

How to get the below details:
1. getbank
2. getbulkBalance
3. get account and transaction details

Where to get the below headers:
x-fapi-interaction-id: string
x-fapi-auth-date: string
x-fapi-customer-ip-address: string
x-cds-client-headers: string

ssa jwks uri not aligning with the doc

According to the doc Get Jwks, the SSA jwks uri should be https://<tls_base_uri>/jwk, but the actual SSA jwks uri in the mock register is https://<tls_base_uri>/cdr-register/v1/jwks.

After consulting #516, https://<tls_base_uri>/jwk should currently be the correct uri, but there seems to be some hesitation as to whether this uri should follow the Base Uri convention.

Can't get Token for Other Scopes

Describe the bug
When running the mock-register in Docker, the login endpoint provided with the Postman collection only allows login to the cdr-register:read scope, while Admin Metadata load shows that the given login should be able to access any scope in the mock environment.

The error appears as an HTTP 400 response with the content "error": "invalid_client".

To Reproduce
Steps to reproduce the behaviour:

  1. Run the mock-register in Docker.
  2. Open the /idp/connect/token endpoint available in the postman collection.
  3. Change the scope argument in the body to another available option, like common:customer.basic:read.
  4. Make the call to the endpoint.
  5. See an error response as above, with content "error": "invalid_client".

Expected behaviour
The expectation would be that the endpoint would return a valid token for the alternate scope.

My client_assertion won't work to get access_token

Describe the bug
Hello there!
We have deployed the Mock Register on our instance in order to use it for testing our ADR solution. To mimic an ADR, I successfully loaded my data via the Admin API - Load Metadata endpoint. To simplify debugging I made minimal changes to my data compared to your payload for loading metadata: I only changed the JwksUri endpoint to point at my server's endpoint for JWK keys; all other ids and properties stay the same as the original. I changed this because I wanted to use a client_assertion created by me to retrieve an access_token from the InfoSec - Get Access Token endpoint, instead of calling Admin API - Get Mock DR Client Assertion to get the client_assertion. SoftwareProductId and BrandGuid are the same as in your Postman collection. After this configuration I got an "invalid_client" response on InfoSec - Get Access Token. I don't know whether the configuration I did is enough to get a valid client access_token, but I couldn't find more info in the docs.
Do you have any suggestions on how I could achieve this? Is it feasible at all with the current Mock Register?

To Reproduce
Steps to reproduce the behaviour:

  1. This is the curl request I used to load my metadata (line continuations added so it can be pasted as-is):

curl --location --request POST 'https://mock-cdr.basiq-dev.com:7006/admin/metadata' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "LegalEntities": [{
      "LegalEntityId": "de815a93-85b3-4fe8-9513-33ad8f4359d0",
      "LegalEntityName": "yoyo Software Company",
      "LogoUri": "https://yoyosoftware/img/logo.png",
      "Abn": "11222333444",
      "Acn": "222333444",
      "AccreditationNumber": "ADRBNK000005",
      "Participations": [{
        "ParticipationId": "0fbc379d-8e48-4dcd-90d3-c13862889e83",
        "LegalEntityId": "de815a93-85b3-4fe8-9513-33ad8f4359d0",
        "ParticipationTypeId": 2,
        "IndustryId": 1,
        "StatusId": 1,
        "Brands": [{
          "BrandId": "f3f0c40b-9df8-491a-af1d-81cb9ab5f021",
          "BrandName": "YoYo",
          "LogoUri": "https://yoyosoftware/img/logo.png",
          "BrandStatusId": 1,
          "ParticipationId": "0fbc379d-8e48-4dcd-90d3-c13862889e83",
          "LastUpdated": "2021-04-06T11:58:00",
          "SoftwareProducts": [{
            "SoftwareProductId": "6f7a1b8e-8799-48a8-9011-e3920391f713",
            "SoftwareProductName": "MyBudgetHelper",
            "SoftwareProductDescription": "A product to help you manage your budget",
            "LogoUri": "https://yoyosoftware/mybudgetapp/img/logo.png",
            "ClientUri": "https://yoyosoftware/mybudgetapp",
            "TosUri": "https://yoyosoftware/mybudgetapp/terms",
            "PolicyUri": "https://yoyosoftware/mybudgetapp/policy",
            "RecipientBaseUri": "https://api.yoyosoftware/mybudgetapp",
            "RevocationUri": "https://api.yoyosoftware/mybudgetapp/revoke",
            "RedirectUris": "https://api.yoyosoftware/mybudgetapp/callback https://api.yoyosoftware/mybudgetapp/return",
            "JwksUri": "https://27ghl0gdic.execute-api.ap-southeast-2.amazonaws.com/Development/jwks",
            "Scope": "openid bank:accounts.basic:read bank:accounts.detail:read bank:transactions:read bank:payees:read bank:regular_payments:read common:customer.basic:read common:customer.detail:read cdr:registration",
            "StatusId": 1,
            "BrandId": "f3f0c40b-9df8-491a-af1d-81cb9ab5f021",
            "Certificates": [{
              "SoftwareProductCertificateId": "d3451e00-fe15-46c2-aec1-d82506110ede",
              "SoftwareProductId": "6f7a1b8e-8799-48a8-9011-e3920391f713",
              "CommonName": "MockDataRecipient",
              "Thumbprint": "58D76F7A61CD726DA1C54F6898E8E69EA4C88060"
            }]
          }],
          "AuthDetails": []
        }]
      }]
    }]
  }'

  2. I invoked Get Access Token per the documentation with appropriate claims signed by my private key to get a client_assertion and passed all needed params, but I keep getting an invalid_client error.
     P.S. When I invoke your endpoint Admin API - Get Mock DR Client Assertion and use the retrieved client_assertion to get an access token (with the original metadata config) I successfully get an access_token.

Expected behaviour
To get a valid access_token after the provided setup.


Additional context
Just to mention that on the endpoint Discovery API - Get Data Holder Brands I keep getting a 404 Not Found error.

Token call in the postman script is returning invalid_client as response

Describe the bug
I have set up the docker container as mentioned in https://github.com/ConsumerDataRight/mock-register/blob/main/Help/container/HELP.md#run-the-mock-register after cloning the latest repository.

Then I used the postman script given here https://github.com/ConsumerDataRight/mock-register/blob/main/Postman/mock-register.postman_collection.json to update the metadata and invoke the token endpoint.

This call returns the following response:
{ "error": "invalid_client" }

To Reproduce
Steps to reproduce the behavior:

  1. Start the container with docker-compose up -d
  2. Execute the postman request Admin API - Load Metadata
  3. Execute the postman request InfoSec - Get Access Token
  4. See the above error

Expected behaviour
Return the access token


Missing 'use' property in the Mock DR JWKS response

Describe the bug

The MockDataRecipientJwks endpoint (https://localhost:7006/loopback/MockDataRecipientJwks) currently returns the public keys' information in JWKS format without including the 'use' (Public Key Use) property.

use: indicates how the key is to be used. The value sig represents signature.

When this JWKS endpoint is used in our DH solutions for scenarios such as encrypting JWT responses, where the presence of the 'use' property with either 'enc' or 'sig' as the value is mandatory, the flows cannot proceed.

Hence, the Mock DR JWKS would be more useful if the current JWKS were updated with the 'use' property set to 'sig'.
(Since the 'key_ops' values of the current JWKS are 'sign' and 'verify', only 'sig' can be used as the value for 'use'.)

As a further improvement, the JWKS endpoint could be extended with separate JWKs that have key_ops 'encrypt' and the 'use' property set to 'enc'.

As a temporary solution, the following fix was done.

  1. The JsonWebKey.cs model [1] was updated with the 'use' attribute by adding the following line:

    public string use { get; set; }

  2. The LoopbackController.cs JWK generation [2] was updated by adding the following line:

    use = "sig",

[1]


[2]
var jwk = new CDR.Register.API.Infrastructure.Models.JsonWebKey()

To Reproduce

  1. Call the https://localhost:7006/loopback/MockDataRecipientJwks endpoint.
  2. Notice that the 'use' property is missing in the returned JWKS:
{
    "keys": [
        {
            "alg": "PS256",
            "e": "AQAB",
            "key_ops": [
                "sign",
                "verify"
            ],
            "kid": "gP32GTv0be7hGek1ONMPg0T6P4RrKtRLl4l0em7XCw4",
            "kty": "RSA",
            "n": "6kpKQ674ZD6dCrJaZezah4Hpr8D5xo4Pn4TibDtWqWr42ghq2SdJ09laHil4h1t-9u3YLbLeNQlbq2izyvQv_l8mWfBRqb7-UgEfT4EFAlriD5h84xsbsK85laz7ph7LA8kj11ztxuUqjeGbircng2v6GM8nzMSk8n4g9nNSy3-G0nZcPYPqYcbISwPiFX9RN4aPKysouuJ1k1IIVdPzUVaAQwP5F9R7TEz1lWkD4Lj1nw-mx6Jxe5fiozuMS87rD8A9AXtuO-57pmW_m40fiDJRF7csYOYL1N32AUcIIrJW0KYdImWtaOMm-mAAlbGX2zz3znXElKaEm0rBqZdx5Q"
        }
    ]
}

Expected behaviour

The returned response from the MockDataRecipientJwks endpoint should be as follows.

{
    "keys": [
        {
            "alg": "PS256",
            "use": "sig",
            "e": "AQAB",
            "key_ops": [
                "sign",
                "verify"
            ],
            "kid": "gP32GTv0be7hGek1ONMPg0T6P4RrKtRLl4l0em7XCw4",
            "kty": "RSA",
            "n": "6kpKQ674ZD6dCrJaZezah4Hpr8D5xo4Pn4TibDtWqWr42ghq2SdJ09laHil4h1t-9u3YLbLeNQlbq2izyvQv_l8mWfBRqb7-UgEfT4EFAlriD5h84xsbsK85laz7ph7LA8kj11ztxuUqjeGbircng2v6GM8nzMSk8n4g9nNSy3-G0nZcPYPqYcbISwPiFX9RN4aPKysouuJ1k1IIVdPzUVaAQwP5F9R7TEz1lWkD4Lj1nw-mx6Jxe5fiozuMS87rD8A9AXtuO-57pmW_m40fiDJRF7csYOYL1N32AUcIIrJW0KYdImWtaOMm-mAAlbGX2zz3znXElKaEm0rBqZdx5Q"
        }
    ]
}

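A consistency check a relying party can run over a JWKS before selecting a key, added here as an example in Python (not code from the mock-register project or from the issue). It replays the JWKS quoted in the issue twice, once as returned (no 'use') and once with the reporter's fix applied ('use': 'sig'), and encodes the RFC 7517 section 4.3 rule that 'use' and 'key_ops', when both present, must not contradict each other. The modulus is replaced by a labelled placeholder because nothing in the check reads it; the function names are this example's own.

```python
import copy
from typing import Dict, List, Tuple

# RFC 7517 section 4.3: the key_ops values that agree with each "use" value.
CONSISTENT_KEY_OPS = {
    "sig": {"sign", "verify"},
    "enc": {"encrypt", "decrypt", "wrapKey", "unwrapKey", "deriveKey", "deriveBits"},
}

# The JWKS the issue reports, quoted from the page. The modulus is a placeholder
# (constructed) because the checks below never read "n".
JWKS_AS_RETURNED = {
    "keys": [
        {
            "alg": "PS256",
            "e": "AQAB",
            "key_ops": ["sign", "verify"],
            "kid": "gP32GTv0be7hGek1ONMPg0T6P4RrKtRLl4l0em7XCw4",
            "kty": "RSA",
            "n": "<modulus elided in this example>",
        }
    ]
}


def check_jwks(jwks: Dict, require_use: bool = True) -> List[Tuple[str, str]]:
    """Validate each key's 'use' against its 'key_ops'.

    Returns (kid, problem) pairs. With require_use=True (the strict relying
    party the issue describes) a key without 'use' is reported; with False
    only an unknown or inconsistent 'use' is."""
    findings = []
    for key in jwks.get("keys", []):
        kid = key.get("kid", "<no kid>")
        use = key.get("use")
        ops = set(key.get("key_ops", []))
        if use is None:
            if require_use:
                findings.append((kid, "missing 'use'"))
            continue
        allowed = CONSISTENT_KEY_OPS.get(use)
        if allowed is None:
            findings.append((kid, f"unknown 'use' value {use!r}"))
            continue
        conflicting = sorted(ops - allowed)
        if conflicting:
            findings.append((kid, f"'use' {use!r} inconsistent with key_ops {conflicting}"))
    return findings


def with_use(jwks: Dict, use: str) -> Dict:
    """Copy of the JWKS with 'use' set on every key that lacks it, mirroring
    the reporter's temporary fix (use = "sig"). Existing values are kept."""
    fixed = copy.deepcopy(jwks)
    for key in fixed["keys"]:
        key.setdefault("use", use)
    return fixed


def select_keys(jwks: Dict, purpose: str) -> List[str]:
    """kids a strict consumer would accept for `purpose` ('sig' or 'enc'):
    only keys that declare that 'use' and pass the consistency check. With
    the JWKS as returned this is empty, which is the failure the issue reports."""
    rejected = {kid for kid, _ in check_jwks(jwks)}
    return [
        key["kid"]
        for key in jwks.get("keys", [])
        if key.get("use") == purpose and key.get("kid") not in rejected
    ]


if __name__ == "__main__":
    print("as returned:", check_jwks(JWKS_AS_RETURNED))
    print("with use=sig:", check_jwks(with_use(JWKS_AS_RETURNED, "sig")))
    print("signing keys (as returned):", select_keys(JWKS_AS_RETURNED, "sig"))
    print("signing keys (fixed):", select_keys(with_use(JWKS_AS_RETURNED, "sig"), "sig"))
```

The reporter's own note that only 'sig' fits these keys falls out of the same rule: setting 'use' to 'enc' on a key whose key_ops are sign and verify is reported as inconsistent rather than accepted.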

Change TLS certificate in CDR mock-register

Is your feature request related to a problem? Please describe.
We are using cdr-mock-register while running our test suites, but we host that service in a remote location, so we want to change the TLS certificates to be compatible with that server. What we want to know is: in which locations should we update the new TLS pfx file in the ConsumerDataRight/mock-register GitHub repository before running a docker build to create a new image, or is there a way to update that certificate in an already running container?


Mock server certificate DN for Register and Data Holder are the same

Describe the bug
Mock server certificate DNs for the Register and the Data Holder are the same, which makes things a bit confusing. The certificates themselves are different, so that's good, but both CNs are 'register.mock'.

Wouldn't it be more straightforward for the server certificate to have CN=mock-data-holder, or something along those lines?

To Reproduce

$ openssl x509 -subject -noout -in register.pem 
subject=CN = register.mock, C = AU, ST = ACT, L = Canberra, O = ACCC, OU = CDR
$ openssl x509 -subject -noout -in server.pem 
subject=CN = register.mock, C = AU, ST = ACT, L = Canberra, O = ACCC, OU = CDR

Need clarification regarding Certificates "register.pfx and client.key"

Hi,
I need clarification regarding the certificates:
1. What is the purpose of a certificate?
2. In production, where do we get the certificates?
   Ex: register.pfx, ca.crt, ca.pem, tls-register.pfx

3. Why do we use a private key in the solution?

4. What is the purpose of the certificate? Is it necessary or not for our own solution?

Unable to generate Infosec Access Token

Describe the bug
This may not be a bug, but I could not find a way to tag it with the question label.
Unable to generate an Infosec Access Token; received "error": "invalid_request".

To Reproduce
Steps to reproduce the behavior:

  1. Change all the port numbers to 6000 range instead of 7000 ( in macOS Monterey, ControlCenter.app is using 7000)

  2. Run docker build --no-cache -f Dockerfile -t mock-register . to generate the new container.

  3. Update the docker-compose file to this (only database and mock-register).

  4. Hit https://localhost:6001/idp/connect/token in Postman.


Additional context
Error log


Change TLS certificate in CDR mock-register

Describe the bug
According to the reply to issue #46, we updated the TLS certificate in the https://github.com/ConsumerDataRight/mock-register/tree/main/Source/CDR.Register.API.Gateway.TLS/Certificates folder and built an image, but it still returns the localhost certificate in the TLS handshake.

An issue regarding JWT signature validation occurs in our Dynamic Client Registration call when calling the endpoint https://:7006/loopback/MockDataRecipientJwks. Do you have any idea why, or any thoughts on how we can resolve it?


Mock CTS for local development

Hi Team,

Thanks a lot for the mock-register, mock-data-recipient and mock-data-holder.
Do we have any mock CTS for local development?
That would be highly helpful for our development and testing locally. Identifying defects during our development would be better than doing so at the end during the CTS.
And it will be helpful for all our FAPI compliance as well.

Thanks,
Daniel Jeganathan

Mock registry is giving certificate mismatch error while calling IDP token

URGENT
For testing we have upgraded our internal mock registry to the latest CDR mock register version 1.1.1. We have encountered an error at the IDP token endpoint around a client certificate validation failure. Internally we have checked the mock client and server certificates as part of the investigation.
Hoping to get your help to assess whether the error we are encountering results from last week's mock register changes and whether you have seen similar issues logged by other participants.

To Reproduce
Steps to reproduce the behavior:

  1. Go to "Client assertion" for assertion ID - successful

  2. Call /IDP/connect/token using the assertion ID - gives certificate validation error "Client certificate validation failed"

  3. See error:
     {
       "error": "invalid_client",
       "error_description": "Client certificate validation failed"
     }
https://github.com/ConsumerDataRight/mock-register/blob/main/Source/CDR.Register.Infosec/Controllers/TokenController.cs
Error screenshot.docx

Expected behaviour
valid IDP token

Screenshots
attached


Unable to build a new docker image after certificate update.

Describe the bug
I followed the steps to update the mTLS cert and got an error when a new container is built using the following command:
docker build -t mock-register-updated .

I am using macOS; is this solution meant to run only on a Windows system?

Location for log file in appsettings file is incorrect

In Source/CDR.Register.API.Gateway.TLS/appsettings.Release.json, the log file location for TLS is set to "c:\cdr\Logs\cdr-mr-gateway-tls.log", which results in the logs being written to the /app folder when running in a container (i.e. the absolute Windows path is not understood).

        "Name": "File",
        "Args": {
          "path": "c:\\cdr\\Logs\\cdr-mr-gateway-tls.log",
          "outputTemplate": "{Timestamp:dd/MM/yyyy HH:mm:ss.fff zzz} {Level} [{SourceContext}] {Message}{NewLine}{Exception}"
        }

The log output should be configured similar to mTLS:

"WriteTo": [
   { "Name": "Console" },
   {
     "Name": "File",
     "Args": { "path": "/tmp/cdr-mr-mtls-gateway.log" }
   },

SSA org_id and software_id values look incorrect.

Describe the bug
Generating the SSA and looking at the org_id and software_id values, they seem to be the wrong way around:
org_id guid is showing the softwareProductId
software_id is showing the BrandId

To Reproduce
Steps to reproduce the behavior:

  1. See seed-data.json
  2. See https://localhost:7001/cdr-register/v1/banking/data-recipients/brands/F3F0C40B-9DF8-491A-AF1D-81CB9AB5F021/software-products/6F7A1B8E-8799-48A8-9011-E3920391F713/ssa
  3. See nested SSA JWT org_id software_id

Expected behaviour
org_id = BrandId
software_id = softwareProductId
