consumerdataright / mock-register
A mock version of the Consumer Data Right Register that can be used in the development and testing of CDR solutions.
License: MIT License
Describe the bug
Noticed a major bug around the JWKS generation. The kid and x5t values need to be swapped.
SSA JWTs have the incorrect kid values. They are using the x5t value.
To Reproduce
Steps to reproduce the behavior:
Expected behaviour
kid values and x5t values to follow standards defined in
https://datatracker.ietf.org/doc/html/rfc7517
https://datatracker.ietf.org/doc/html/rfc7638
Additional context
Example of values that need to be swapped:
"kid": "AA24F185EE3F67504808FC4E26B135B99E63BDA9",
"x5t": "qiTxhe4_Z1BICPxOJrE1uZ5jvak",
Can we get an ETA on the fix please?
Thanks for the repo.
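As an added illustration (not code from the mock-register project), the following Python computes the two header values the way RFC 7638 and RFC 7515 define them and checks a JWK for the mix-up described in this report; run against the two values quoted above it confirms they are one SHA-1 digest in hex and base64url form. The helper names (check_jwk, same_digest) and the short sample keys are hypothetical.

```python
import base64
import hashlib
import json
from typing import Optional

# The two values quoted in the bug report above.
REPORTED_KID = "AA24F185EE3F67504808FC4E26B135B99E63BDA9"
REPORTED_X5T = "qiTxhe4_Z1BICPxOJrE1uZ5jvak"

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding JOSE uses everywhere (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def x5t_from_der(cert_der: bytes) -> str:
    """'x5t' as RFC 7515 section 4.1.7 defines it: base64url(SHA-1(DER-encoded certificate))."""
    return b64url(hashlib.sha1(cert_der).digest())

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint, the value RFC 7638 recommends as 'kid': SHA-256 over the
    required members only, sorted lexicographically, serialised without whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y"), "oct": ("k", "kty")}
    canonical = json.dumps({m: jwk[m] for m in required[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def same_digest(hex_value: str, b64url_value: str) -> bool:
    """True when a hex thumbprint and a base64url thumbprint encode the same bytes."""
    return b64url(bytes.fromhex(hex_value)) == b64url_value

def check_jwk(jwk: dict, cert_der: Optional[bytes] = None) -> list:
    """List the kid/x5t problems in one JWK (hypothetical helper; empty list means OK)."""
    problems = []
    kid = jwk.get("kid", "")
    if kid != jwk_thumbprint(jwk):
        problems.append("kid is not the RFC 7638 thumbprint of this key")
    if len(kid) == 40 and all(c in "0123456789abcdefABCDEF" for c in kid):
        problems.append("kid looks like a hex SHA-1 certificate thumbprint")
    if cert_der is not None and jwk.get("x5t") != x5t_from_der(cert_der):
        problems.append("x5t does not match base64url(SHA-1(DER cert))")
    return problems

if __name__ == "__main__":
    print("reported kid and x5t are the same digest:", same_digest(REPORTED_KID, REPORTED_X5T))
```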
Is your feature request related to a problem? Please describe.
We want to deploy the CDR Mock Register container in a remote location for test purposes, so we need to change the hostname value of the "jwks_uri" attribute of the SSA to the relevant IP address of the remote computer, replacing localhost. Otherwise we get errors regarding signature_validation due to the inability to recognise the relevant jwks endpoint.
Describe the solution you'd like
Provide a configuration or an extension point to set the SSA's jwks_uri attribute.
According to the doc Get Jwks, the SSA JWKS URI should be https://<tls_base_uri>/jwk
but the actual SSA JWKS URI in the mock register is https://<tls_base_uri>/cdr-register/v1/jwks
After consulting #516, https://<tls_base_uri>/jwk should currently be the correct URI, but it seems there is some hesitation with regard to whether this URI should follow the Base URI convention.
Describe the bug
When running the mock-register in Docker, the login endpoint provided with the Postman collection only allows login to the cdr-register:read scope, while Admin Metadata load shows that the given login should be able to access any scope in the mock environment.
The error appears as an HTTP 400 response with the content "error": "invalid_client".
To Reproduce
Steps to reproduce the behaviour:
1. Run mock-register in Docker.
2. Call the /idp/connect/token endpoint available in the Postman collection.
3. Request the scope common:customer.basic:read.
4. The response is "error": "invalid_client".
Expected behaviour
The expectation would be that the endpoint would return a valid token for the alternate scope.
Describe the bug
The endpoint https://api.cdr.gov.au/cdr-register/v1/banking/data-holders/brands returns a 404 when NOT authorized.
The standard specifies that this should return a 401 (see here)
To Reproduce
Steps to reproduce the behavior:
Expected behaviour
This should return a 401 (Unauthorized)
Describe the bug
Hello there!
We have deployed the Mock Register on our instance in order to use it for testing our ADR solution. In order to mimic an ADR, I successfully loaded my data via the Admin API - Load Metadata endpoint. To simplify debugging I made minimal changes to my data compared to your payload for loading metadata. Actually I just changed the JwksUri endpoint to invoke my server's endpoint for JWK keys; all other ids and properties stay the same as the original. I changed this because I wanted to use a client_assertion created by me in order to retrieve an access_token on the endpoint InfoSec - Get Access Token instead of calling Admin API - Get Mock DR Client Assertion to get the client_assertion. SoftwareProductId and BrandGuid are the same as in your postman collection. After this configuration I got an "invalid_client" response on InfoSec - Get Access Token. I don't know if the configuration I did is enough to get a valid client access_token, but I couldn't find more info in the docs.
Do you have any suggestions there, how could I achieve this? Is it feasible at all with current Mock Register?
To Reproduce
Steps to reproduce the behaviour:
curl --location --request POST 'https://mock-cdr.basiq-dev.com:7006/admin/metadata' \
  --header 'Content-Type: application/json' \
  --data-raw '{
  "LegalEntities": [{
    "LegalEntityId": "de815a93-85b3-4fe8-9513-33ad8f4359d0",
    "LegalEntityName": "yoyo Software Company",
    "LogoUri": "https://yoyosoftware/img/logo.png",
    "Abn": "11222333444",
    "Acn": "222333444",
    "AccreditationNumber": "ADRBNK000005",
    "Participations": [{
      "ParticipationId": "0fbc379d-8e48-4dcd-90d3-c13862889e83",
      "LegalEntityId": "de815a93-85b3-4fe8-9513-33ad8f4359d0",
      "ParticipationTypeId": 2,
      "IndustryId": 1,
      "StatusId": 1,
      "Brands": [{
        "BrandId": "f3f0c40b-9df8-491a-af1d-81cb9ab5f021",
        "BrandName": "YoYo",
        "LogoUri": "https://yoyosoftware/img/logo.png",
        "BrandStatusId": 1,
        "ParticipationId": "0fbc379d-8e48-4dcd-90d3-c13862889e83",
        "LastUpdated": "2021-04-06T11:58:00",
        "SoftwareProducts": [{
          "SoftwareProductId": "6f7a1b8e-8799-48a8-9011-e3920391f713",
          "SoftwareProductName": "MyBudgetHelper",
          "SoftwareProductDescription": "A product to help you manage your budget",
          "LogoUri": "https://yoyosoftware/mybudgetapp/img/logo.png",
          "ClientUri": "https://yoyosoftware/mybudgetapp",
          "TosUri": "https://yoyosoftware/mybudgetapp/terms",
          "PolicyUri": "https://yoyosoftware/mybudgetapp/policy",
          "RecipientBaseUri": "https://api.yoyosoftware/mybudgetapp",
          "RevocationUri": "https://api.yoyosoftware/mybudgetapp/revoke",
          "RedirectUris": "https://api.yoyosoftware/mybudgetapp/callback https://api.yoyosoftware/mybudgetapp/return",
          "JwksUri": "https://27ghl0gdic.execute-api.ap-southeast-2.amazonaws.com/Development/jwks",
          "Scope": "openid bank:accounts.basic:read bank:accounts.detail:read bank:transactions:read bank:payees:read bank:regular_payments:read common:customer.basic:read common:customer.detail:read cdr:registration",
          "StatusId": 1,
          "BrandId": "f3f0c40b-9df8-491a-af1d-81cb9ab5f021",
          "Certificates": [{
            "SoftwareProductCertificateId": "d3451e00-fe15-46c2-aec1-d82506110ede",
            "SoftwareProductId": "6f7a1b8e-8799-48a8-9011-e3920391f713",
            "CommonName": "MockDataRecipient",
            "Thumbprint": "58D76F7A61CD726DA1C54F6898E8E69EA4C88060"
          }]
        }],
        "AuthDetails": []
      }]
    }]
  }]
}'
Expected behaviour
To get valid access_token after provided setup.
Additional context
Just to mention here that on the endpoint Discovery API - Get Data Holder Brands I keep getting a 404 Not Found error.
Describe the bug
I have set up the docker container as mentioned in https://github.com/ConsumerDataRight/mock-register/blob/main/Help/container/HELP.md#run-the-mock-register after cloning the latest repository.
Then I used the postman script given here https://github.com/ConsumerDataRight/mock-register/blob/main/Postman/mock-register.postman_collection.json to update the metadata and invoke the token endpoint.
This call returns the following as a response:
{ "error": "invalid_client" }
To Reproduce
Steps to reproduce the behavior:
docker-compose up -d
Admin API - Load Metadata
InfoSec - Get Access Token
Expected behaviour
Return the access token
Describe the bug
The MockDataRecipientJwks endpoint (https://localhost:7006/loopback/MockDataRecipientJwks) currently returns the public keys' information in the JWKS format without including the property 'use' (Public Key Use).
use: indicates how the key is being used. The value sig represents signature.
When this JWKS endpoint is used in our DH solutions for scenarios such as encrypting JWT responses, where the presence of the property 'use' with either 'enc' or 'sig' as the value is mandatory, the flows cannot proceed.
Hence, the Mock DR JWKS would be more useful if the current JWKS were updated with the 'use' property with the value 'sig'.
(Since the 'key_ops' values of the current JWKS are 'sign' and 'verify', only 'sig' can be used as the value for 'use'.)
But as a further improvement, the JWKS endpoint could be extended to add separate JWK sets with key_ops 'encrypt' and the 'use' property 'enc'.
As a temporary solution, the following fix was done.
The JsonWebKey.cs model [1] was updated with the 'use' attribute by adding the following line.
public string use { get; set; }
The LoopbackController.cs jwk generation [2] is updated by adding the following line.
use = "sig",
To Reproduce
{
"keys": [
{
"alg": "PS256",
"e": "AQAB",
"key_ops": [
"sign",
"verify"
],
"kid": "gP32GTv0be7hGek1ONMPg0T6P4RrKtRLl4l0em7XCw4",
"kty": "RSA",
"n": "6kpKQ674ZD6dCrJaZezah4Hpr8D5xo4Pn4TibDtWqWr42ghq2SdJ09laHil4h1t-9u3YLbLeNQlbq2izyvQv_l8mWfBRqb7-UgEfT4EFAlriD5h84xsbsK85laz7ph7LA8kj11ztxuUqjeGbircng2v6GM8nzMSk8n4g9nNSy3-G0nZcPYPqYcbISwPiFX9RN4aPKysouuJ1k1IIVdPzUVaAQwP5F9R7TEz1lWkD4Lj1nw-mx6Jxe5fiozuMS87rD8A9AXtuO-57pmW_m40fiDJRF7csYOYL1N32AUcIIrJW0KYdImWtaOMm-mAAlbGX2zz3znXElKaEm0rBqZdx5Q"
}
]
}
Expected behaviour
The returned response from the MockDataRecipientJwks endpoint should be as follows.
{
"keys": [
{
"alg": "PS256",
"use": "sig",
"e": "AQAB",
"key_ops": [
"sign",
"verify"
],
"kid": "gP32GTv0be7hGek1ONMPg0T6P4RrKtRLl4l0em7XCw4",
"kty": "RSA",
"n": "6kpKQ674ZD6dCrJaZezah4Hpr8D5xo4Pn4TibDtWqWr42ghq2SdJ09laHil4h1t-9u3YLbLeNQlbq2izyvQv_l8mWfBRqb7-UgEfT4EFAlriD5h84xsbsK85laz7ph7LA8kj11ztxuUqjeGbircng2v6GM8nzMSk8n4g9nNSy3-G0nZcPYPqYcbISwPiFX9RN4aPKysouuJ1k1IIVdPzUVaAQwP5F9R7TEz1lWkD4Lj1nw-mx6Jxe5fiozuMS87rD8A9AXtuO-57pmW_m40fiDJRF7csYOYL1N32AUcIIrJW0KYdImWtaOMm-mAAlbGX2zz3znXElKaEm0rBqZdx5Q"
}
]
}
Apologies. My mistake. No issue.
Hi,
I don't know how to start the CDR open banking process in .NET Core or how to implement this.
Kindly please share the documents regarding this process.
Is your feature request related to a problem? Please describe.
We are using cdr-mock-register while running our test suites. But the issue is that we host that service in a remote location. Therefore we want to change the TLS certificates to be compatible with that server. What we want to know is, in which locations should we update the new TLS pfx file in the ConsumerDataRight/mock-register github repository before running a docker build to create a new image, or else is there a way to update that certificate in an already running container?
Describe the bug
Mock server certificate DNs for Register and Data Holder are the same, which makes things a bit confusing. The certificates themselves are different, so that's good, but both CNs are 'register.mock'.
Wouldn't it be more straightforward for the server certificate to have CN=mock-data-holder, or something along those lines?
To Reproduce
$ openssl x509 -subject -noout -in register.pem
subject=CN = register.mock, C = AU, ST = ACT, L = Canberra, O = ACCC, OU = CDR
$ openssl x509 -subject -noout -in server.pem
subject=CN = register.mock, C = AU, ST = ACT, L = Canberra, O = ACCC, OU = CDR
Hi,
I need clarification regarding the certificate:
1. What is the purpose of a certificate?
2. In production, where do we get the certificates?
Ex: register.pfx, ca.crt, ca.pem, tls-register.pfx
3. Why do we use a private key in the solution?
4. What is the purpose of the certificate? Is it necessary or not for our own solution?
Describe the bug
The .well-known/openid-configuration/jwks endpoint should return a mandatory property key_ops.
This is specified in here
To Reproduce
Expected behaviour
Return the key_ops property
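The missing 'use' member from the MockDataRecipientJwks report above and the mandatory key_ops from this report are both JWKS consistency checks; the Python below is an added example (not the mock-register code) that validates a JWKS document against the 'use'/'key_ops' compatibility rule of RFC 7517 section 4.3 and applies the reporter's temporary fix (derive use=sig from key_ops sign/verify) to every key that lacks 'use'. The sample JWKS is constructed from the reported shape with the RSA modulus omitted; function names are hypothetical.

```python
import json

# key_ops values compatible with each 'use' value (RFC 7517 section 4.3).
OPS_FOR_USE = {
    "sig": {"sign", "verify"},
    "enc": {"encrypt", "decrypt", "wrapKey", "unwrapKey", "deriveKey", "deriveBits"},
}

def infer_use(jwk: dict) -> str:
    """Derive 'use' from 'key_ops' (the report's reasoning: sign/verify implies 'sig')."""
    ops = set(jwk.get("key_ops", []))
    for use, allowed in OPS_FOR_USE.items():
        if ops and ops <= allowed:
            return use
    return ""  # empty, mixed or unknown operations: no single 'use' fits

def check_key(jwk: dict, require_use: bool = True, require_key_ops: bool = True) -> list:
    """Return the problems found in one JWK; an empty list means the key is acceptable."""
    problems = []
    use, ops = jwk.get("use"), jwk.get("key_ops")
    if use is None and require_use:
        problems.append("missing 'use'")
    if ops is None and require_key_ops:
        problems.append("missing 'key_ops'")
    if use is not None and use not in OPS_FOR_USE:
        problems.append("unknown 'use' value %r" % use)
    if ops is not None:
        if len(set(ops)) != len(ops):
            problems.append("duplicate key_ops entries")
        if use in OPS_FOR_USE and not set(ops) <= OPS_FOR_USE[use]:
            problems.append("key_ops %s not allowed with use=%s" % (sorted(set(ops) - OPS_FOR_USE[use]), use))
    return problems

def check_jwks(document: str, **policy) -> dict:
    """Map each key (by kid, or by index when kid is absent) to its list of problems."""
    keys = json.loads(document).get("keys", [])
    return {k.get("kid", "#%d" % i): check_key(k, **policy) for i, k in enumerate(keys)}

def add_missing_use(document: str) -> str:
    """The reporter's temporary fix applied to a whole JWKS: fill 'use' from key_ops."""
    jwks = json.loads(document)
    for k in jwks.get("keys", []):
        if "use" not in k and infer_use(k):
            k["use"] = infer_use(k)
    return json.dumps(jwks, indent=2)

# Constructed sample: the shape returned in the report, with the RSA modulus omitted.
SAMPLE_JWKS = json.dumps({"keys": [{
    "alg": "PS256", "e": "AQAB", "key_ops": ["sign", "verify"],
    "kid": "gP32GTv0be7hGek1ONMPg0T6P4RrKtRLl4l0em7XCw4", "kty": "RSA", "n": "<modulus-omitted>",
}]})
```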
Describe the bug
This may not be a bug but I could not find a way to tag it with the question label.
Unable to generate an Infosec Access Token; received "error": "invalid_request".
To Reproduce
Steps to reproduce the behavior:
1. Change all the port numbers to the 6000 range instead of 7000 (in macOS Monterey, ControlCenter.app is using 7000).
2. Run docker build --no-cache -f Dockerfile -t mock-register . to generate the new container.
3. Update the docker-compose file to this (only database and mock-register).
4. Hit https://localhost:6001/idp/connect/token in Postman.
Additional context
Error log
Describe the bug
According to the reply to issue #46 we updated the TLS certificate in the https://github.com/ConsumerDataRight/mock-register/tree/main/Source/CDR.Register.API.Gateway.TLS/Certificates folder and built an image. But it still returns the localhost certificate in the TLS handshake.
An issue regarding JWT signature validation occurs in our Dynamic Client Registration call when calling the endpoint https://:7006/loopback/MockDataRecipientJwks. Do you have any idea why, or any thoughts on how we can resolve it?
Hi Team,
Thanks a lot for the mock-register, mock-data-recipient and mock-data-holder.
Do we have any mock CTS for local development?
That would be highly helpful in our development and testing locally. Identifying defects during our development will be better than doing so at the end during the CTS.
And it will be helpful for all our FAPI compliance as well.
Thanks,
Daniel Jeganathan
URGENT
For testing we have upgraded our internal mock registry to the latest CDR mock register version 1.1.1. We have encountered an error at the IDP token endpoint around client certificate validation failure. Internally we have checked mock client and server certificates as part of the investigation.
Hoping to get your help to assess if the error we are encountering is resulting from last week's mock register changes and if you have seen similar issues logged by other participants.
To Reproduce
Steps to reproduce the behavior:
1. Go to "Client assertion" for assertion ID - successful
2. Call /IDP/connect/token using the assertion ID - gives certificate validation error "Client certificate validation failed"
3. See error
{
"error": "invalid_client",
"error_description": "Client certificate validation failed"
}
https://github.com/ConsumerDataRight/mock-register/blob/main/Source/CDR.Register.Infosec/Controllers/TokenController.cs
Error screenshot.docx
Expected behaviour
valid IDP token
Screenshots
attached
In Source/CDR.Register.API.Gateway.TLS/appsettings.Release.json, Logfile location for TLS is set to "c:\cdr\Logs\cdr-mr-gateway-tls.log", this results in the logs being written to the /app folder when running in a container (i.e. absolute Windows path is not understood).
"Name": "File",
"Args": {
  "path": "c:\\cdr\\Logs\\cdr-mr-gateway-tls.log",
  "outputTemplate": "{Timestamp:dd/MM/yyyy HH:mm:ss.fff zzz} {Level} [{SourceContext}] {Message}{NewLine}{Exception}"
}
The log output should be configured similar to mTLS:
"WriteTo": [
  { "Name": "Console" },
  {
    "Name": "File",
    "Args": { "path": "/tmp/cdr-mr-mtls-gateway.log" }
  },
Describe the bug
Generating the SSA and looking at the org_id and software_id values, they seem to be the wrong way around:
org_id guid is showing the softwareProductId
software_id is showing the BrandId
To Reproduce
Steps to reproduce the behavior:
Expected behaviour
org_id = BrandId
software_id = softwareProductId