[OB3] JWKS validation separation for Prod and Sandbox SSAs

open-banking-accelerator/accelerators/ob-apim/carbon-home/repository/resources/conf/templates/repository/conf/open-banking.xml.j2

@@ -301,6 +301,25 @@
         {% else %}
         <RequestJWTValidation>true</RequestJWTValidation>
         {% endif %}
+        <RegistrationRequestParams>
+            <SoftwareEnvironmentIdentification>
+                {% if open_banking.dcr.registration.software_environment_identification.ssa_property_name is defined %}
+                    <PropertyName>{{open_banking.dcr.registration.software_environment_identification.ssa_property_name}}</PropertyName>
+                {% else %}
+                    <PropertyName>software_environment</PropertyName>
+                {% endif %}
+                {% if open_banking.dcr.registration.software_environment_identification.ssa_property_value_for_sandbox is defined %}
+                    <PropertyValueForSandbox>{{open_banking.dcr.registration.software_environment_identification.ssa_property_value_for_sandbox}}</PropertyValueForSandbox>
+                {% else %}
+                    <PropertyValueForSandbox>sandbox</PropertyValueForSandbox>
+                {% endif %}
+                {% if open_banking.dcr.registration.software_environment_identification.ssa_property_value_for_production is defined %}
+                    <PropertyValueForProduction>{{open_banking.dcr.registration.software_environment_identification.ssa_property_value_for_production}}</PropertyValueForProduction>
+                {% else %}
+                    <PropertyValueForProduction>production</PropertyValueForProduction>
+                {% endif %}
+            </SoftwareEnvironmentIdentification>
+        </RegistrationRequestParams>
     </DCR>
     <KeyManagerName>{{open_banking.keyManager.name}}</KeyManagerName>
     {% if open_banking.publisher.hostname is defined %}

open-banking-accelerator/accelerators/ob-apim/repository/resources/wso2am-4.0.0-deployment.toml

@@ -431,6 +431,12 @@ roles = "AISP,PISP"
 api_name = "AccountandTransactionAPI"
 roles = "AISP"
 
+[open_banking.dcr.registration.software_environment_identification]
+ssa_property_name = "software_environment"
+# If both below values doesnt match, Then software_environment is default to production.
+ssa_property_value_for_sandbox = "sandbox"
+ssa_property_value_for_production = "production"
+
 #============executors=========================
 [[open_banking.gateway.openbanking_gateway_executors.type]]
 name = "Default"

open-banking-accelerator/accelerators/ob-apim/repository/resources/wso2am-4.1.0-deployment.toml

@@ -431,6 +431,12 @@ roles = "AISP,PISP"
 api_name = "AccountandTransactionAPI"
 roles = "AISP"
 
+[open_banking.dcr.registration.software_environment_identification]
+ssa_property_name = "software_environment"
+# If both below values doesnt match, Then software_environment is default to production.
+ssa_property_value_for_sandbox = "sandbox"
+ssa_property_value_for_production = "production"
+
 #============executors=========================
 [[open_banking.gateway.openbanking_gateway_executors.type]]
 name = "Default"

open-banking-accelerator/accelerators/ob-apim/repository/resources/wso2am-4.2.0-deployment.toml

@@ -435,6 +435,12 @@ roles = "AISP,PISP"
 api_name = "AccountandTransactionAPI"
 roles = "AISP"
 
+[open_banking.dcr.registration.software_environment_identification]
+ssa_property_name = "software_environment"
+# If both below values doesnt match, Then software_environment is default to production.
+ssa_property_value_for_sandbox = "sandbox"
+ssa_property_value_for_production = "production"
+
 #============executors=========================
 [[open_banking.gateway.openbanking_gateway_executors.type]]
 name = "Default"

open-banking-accelerator/accelerators/ob-is/carbon-home/repository/resources/conf/templates/repository/conf/open-banking.xml.j2

@@ -455,6 +455,23 @@
        <RegistrationClientURI>https://localhost:8243/open-banking/0.1/register/</RegistrationClientURI>
        {% endif %}
        <RegistrationRequestParams>
+            <SoftwareEnvironmentIdentification>
+                {% if open_banking.dcr.registration.software_environment_identification.ssa_property_name is defined %}
+                    <PropertyName>{{open_banking.dcr.registration.software_environment_identification.ssa_property_name}}</PropertyName>
+                {% else %}
+                    <PropertyName>software_environment</PropertyName>
+                {% endif %}
+                {% if open_banking.dcr.registration.software_environment_identification.ssa_property_value_for_sandbox is defined %}
+                    <PropertyValueForSandbox>{{open_banking.dcr.registration.software_environment_identification.ssa_property_value_for_sandbox}}</PropertyValueForSandbox>
+                {% else %}
+                    <PropertyValueForSandbox>sandbox</PropertyValueForSandbox>
+                {% endif %}
+                {% if open_banking.dcr.registration.software_environment_identification.ssa_property_value_for_production is defined %}
+                    <PropertyValueForProduction>{{open_banking.dcr.registration.software_environment_identification.ssa_property_value_for_production}}</PropertyValueForProduction>
+                {% else %}
+                    <PropertyValueForProduction>production</PropertyValueForProduction>
+                {% endif %}
+            </SoftwareEnvironmentIdentification>
             <GrantTypes>
                 {% if open_banking.dcr.registration.grant_types.required is defined %}
                 <Required>{{open_banking.dcr.registration.grant_types.required}}</Required>

open-banking-accelerator/accelerators/ob-is/repository/resources/wso2is-5.11.0-deployment.toml

@@ -406,6 +406,12 @@ read_timeout = 3000
 [[open_banking.dcr.regulatory_issuers.iss]]
 name = "OpenBanking Ltd"
 
+[open_banking.dcr.registration.software_environment_identification]
+ssa_property_name = "software_environment"
+# If both below values doesnt match, Then software_environment is default to production.
+ssa_property_value_for_sandbox = "sandbox"
+ssa_property_value_for_production = "production"
+
 #Signature algorithm types that are allowed
 #[[open_banking.signature_validation.allowed_algorithms]]
 #name = "PS256"

open-banking-accelerator/accelerators/ob-is/repository/resources/wso2is-6.0.0-deployment.toml

@@ -406,6 +406,12 @@ read_timeout = 3000
 [[open_banking.dcr.regulatory_issuers.iss]]
 name = "OpenBanking Ltd"
 
+[open_banking.dcr.registration.software_environment_identification]
+ssa_property_name = "software_environment"
+# If both below values doesnt match, Then software_environment is default to production.
+ssa_property_value_for_sandbox = "sandbox"
+ssa_property_value_for_production = "production"
+
 #Signature algorithm types that are allowed
 #[[open_banking.signature_validation.allowed_algorithms]]
 #name = "PS256"

open-banking-accelerator/accelerators/ob-is/repository/resources/wso2is-6.1.0-deployment.toml

@@ -406,6 +406,12 @@ read_timeout = 3000
 [[open_banking.dcr.regulatory_issuers.iss]]
 name = "OpenBanking Ltd"
 
+[open_banking.dcr.registration.software_environment_identification]
+ssa_property_name = "software_environment"
+# If both below values doesnt match, Then software_environment is default to production.
+ssa_property_value_for_sandbox = "sandbox"
+ssa_property_value_for_production = "production"
+
 #Signature algorithm types that are allowed
 #[[open_banking.signature_validation.allowed_algorithms]]
 #name = "PS256"

open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/config/OpenBankingConfigParser.java

@@ -1397,6 +1397,40 @@ public String getRealtimeEventNotificationRequestGenerator() {
                 : (String) getConfigElementFromKey(OpenBankingConstants.REALTIME_EVENT_NOTIFICATION_REQUEST_GENERATOR);
     }
 
+    /**
+     * Method to get software environment identification SSA property name.
+     *
+     * @return String software environment identification SSA property name.
+     */
+    public String getSoftwareEnvIdentificationSSAPropertyName() {
+        return getConfigElementFromKey(OpenBankingConstants.DCR_SOFTWARE_ENV_IDENTIFICATION_PROPERTY_NAME) == null ?
+                OpenBankingConstants.SOFTWARE_ENVIRONMENT : (String) getConfigElementFromKey(
+                OpenBankingConstants.DCR_SOFTWARE_ENV_IDENTIFICATION_PROPERTY_NAME);
+    }
+
+    /**
+     * Method to get software environment identification value for sandbox in SSA.
+     *
+     * @return String software environment identification value for sandbox.
+     */
+    public String getSoftwareEnvIdentificationSSAPropertyValueForSandbox() {
+        return getConfigElementFromKey(OpenBankingConstants.DCR_SOFTWARE_ENV_IDENTIFICATION_VALUE_FOR_SANDBOX) == null ?
+                "sandbox" : (String) getConfigElementFromKey(
+                        OpenBankingConstants.DCR_SOFTWARE_ENV_IDENTIFICATION_VALUE_FOR_SANDBOX);
+    }
+
+    /**
+     * Method to get software environment identification value for production in SSA.
+     *
+     * @return String software environment identification value for production.
+     */
+    public String getSoftwareEnvIdentificationSSAPropertyValueForProduction() {
+        return getConfigElementFromKey(
+                OpenBankingConstants.DCR_SOFTWARE_ENV_IDENTIFICATION_VALUE_FOR_PRODUCTION) == null ?
+                "production" : (String) getConfigElementFromKey(
+                OpenBankingConstants.DCR_SOFTWARE_ENV_IDENTIFICATION_VALUE_FOR_PRODUCTION);
+    }
+
     /**
      * Get config related for checking whether PSU is a federated user or not.
      *

open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/constant/OpenBankingConstants.java

@@ -62,6 +62,12 @@ public class OpenBankingConstants {
     public static final String DCR_JWKS_NAME = "DCR.JWKSEndpointName";
     public static final String DCR_APPLICATION_NAME_KEY = "DCR.ApplicationName";
     public static final String OB_KM_NAME = "KeyManagerName";
+    public static final String DCR_SOFTWARE_ENV_IDENTIFICATION_PROPERTY_NAME =
+            "DCR.RegistrationRequestParams.SoftwareEnvironmentIdentification.PropertyName";
+    public static final String DCR_SOFTWARE_ENV_IDENTIFICATION_VALUE_FOR_SANDBOX =
+            "DCR.RegistrationRequestParams.SoftwareEnvironmentIdentification.PropertyValueForSandbox";
+    public static final String DCR_SOFTWARE_ENV_IDENTIFICATION_VALUE_FOR_PRODUCTION =
+            "DCR.RegistrationRequestParams.SoftwareEnvironmentIdentification.PropertyValueForProduction";
 
     public static final String APIM_APPCREATION = "DCR.APIMRESTEndPoints.AppCreation";
     public static final String APIM_KEYGENERATION = "DCR.APIMRESTEndPoints.KeyGeneration";

open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/OpenBankingUtils.java

@@ -19,11 +19,14 @@
 
 import com.wso2.openbanking.accelerator.common.config.OpenBankingConfigParser;
 import com.wso2.openbanking.accelerator.common.exception.OpenBankingRuntimeException;
+import com.wso2.openbanking.accelerator.common.identity.IdentityConstants;
+import net.minidev.json.JSONObject;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 import java.lang.reflect.InvocationTargetException;
+import java.text.ParseException;
 
 /**
  * Open Banking common utility class.
@@ -53,6 +56,36 @@ public static Object getClassInstanceFromFQN(String classpath) {
         }
     }
 
+    /**
+     * Extract software_environment (SANDBOX or PRODUCTION) from SSA
+     *
+     * @param softwareStatement software statement (jwt) extracted from request payload
+     * @return software_environment
+     * @throws ParseException
+     */
+    public static String getSoftwareEnvironmentFromSSA(String softwareStatement) throws ParseException {
+
+        String sandboxEnvIdentificationPropertyName = OpenBankingConfigParser.getInstance()
+                .getSoftwareEnvIdentificationSSAPropertyName();
+        String sandboxEnvIdentificationValue = OpenBankingConfigParser.getInstance()
+                .getSoftwareEnvIdentificationSSAPropertyValueForSandbox();
+        String prodEnvIdentificationValue = OpenBankingConfigParser.getInstance()
+                .getSoftwareEnvIdentificationSSAPropertyValueForProduction();
+        String softwareEnvironment = IdentityConstants.PRODUCTION;
+        // decode software statement and get softwareEnvironment
+        JSONObject softwareStatementBody = JWTUtils.decodeRequestJWT(softwareStatement, "body");
+        Object softwareEnvironmentValue = softwareStatementBody.get(sandboxEnvIdentificationPropertyName);
+        if (softwareEnvironmentValue != null &&
+                softwareEnvironmentValue.toString().equalsIgnoreCase(sandboxEnvIdentificationValue)) {
+            softwareEnvironment = IdentityConstants.SANDBOX;
+        } else if (softwareEnvironmentValue != null &&
+                softwareEnvironmentValue.toString().equalsIgnoreCase(prodEnvIdentificationValue)) {
+            softwareEnvironment = IdentityConstants.PRODUCTION;
+        }
+        return softwareEnvironment;
+    }
+
+
     /**
      * Method to obtain boolean value for check if the Dispute Resolution Data is publishable.
      *