How can we store the relation between the certificate information and the TPP ClientID in our API Gateway? We need to persist this relation, so caching it is not an option.
We need some help to understand the capabilities of the API Gateway related to the OpenBanking specification (PSD2 for the UK). The security specification of OpenBanking establishes a one-to-one relation between the enrolled TPPs (ClientIDs) and the certificate they use for Mutual Authentication (TLS). The main target of this requirement is to offer the APIM Platform a way to confirm that the communication is secure and comes from the correct TPP (APIM confirms that the ClientID received in the request body is related to the certificate used for MA).
The expected flow is the following:
1. A third party enrols in our API Portal, sending information about its business. In addition, using another flow (for example via email), the TPP sends us the certificate.
2. The API team in our company will double-check the information sent using the API Portal and the certificate sent via email, all together.
3. If everything is OK, the TPP is accepted and the enrolment finishes by registering an App in the API Portal. This App will generate a client_id and a client_secret.
4. THIS IS THE IMPORTANT POINT!! After this registration, the API Team must persist in our API Platform the relation between the certificate obtained in step 1 and the client_id generated in step 3.
5. When the App registered in step 3 wants to consume a published API, the communication between the App and the API platform will be secured using the certificate provided in step 1. In addition, the App must send in the request the client_id of the registered App, obtained in step 3.
6. When the API Platform receives the request, one of the security assertions is to confirm that the certificate used in the secured communication is related to the client_id retrieved from the request info. If it is not related, the APIM must return a security error.
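The following is an added example, not code from the original post or from any particular API gateway product, showing one way to implement steps 4 and 6 above: the vetted certificate is fingerprinted (SHA-256 over its DER bytes) and stored one-to-one against the client_id in a persistent table, and each request is checked by looking up the presented certificate's fingerprint and comparing the bound client_id with the one in the request body. It assumes the gateway's TLS layer has already validated the client certificate (chain, expiry, revocation) and hands the PEM to the policy, possibly URL-encoded as nginx does with `$ssl_client_escaped_cert`; sqlite3 is a stand-in for whatever persistent store the real platform offers, and the certificates are constructed placeholders, not real X.509 certificates.

```python
# Added example: persistent certificate-to-client_id binding (step 4) and the
# request-time check (step 6). Standard library only; sqlite3 stands in for the
# gateway's real persistent store (assumption, not any product's API).
import base64
import hashlib
import hmac
import re
import sqlite3
import urllib.parse

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_fingerprint(pem: str) -> str:
    """SHA-256 hex over the DER bytes of the first certificate in a PEM block.
    Hashing DER (not the PEM text) makes the key independent of line wrapping
    and of the URL-encoding some gateways apply when forwarding the cert in a
    header after terminating TLS (e.g. nginx's $ssl_client_escaped_cert)."""
    m = _PEM_RE.search(urllib.parse.unquote(pem))
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    """Step 4's persistent relation. UNIQUE on both columns enforces the
    one-to-one rule: one certificate per client_id and one client_id per cert."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS tpp_cert_binding ("
        " fingerprint TEXT PRIMARY KEY,"
        " client_id   TEXT NOT NULL UNIQUE)"
    )
    return conn


def bind_certificate(conn: sqlite3.Connection, client_id: str, pem: str) -> str:
    """Record the vetted certificate for a freshly registered App (step 4).
    Rebinding either side is refused; an operator must delete the old row
    first, after the same manual check as the original enrolment."""
    fp = cert_fingerprint(pem)
    try:
        with conn:  # commit on success, roll back on error
            conn.execute(
                "INSERT INTO tpp_cert_binding (fingerprint, client_id) VALUES (?, ?)",
                (fp, client_id),
            )
    except sqlite3.IntegrityError as exc:
        raise ValueError(f"binding already exists for this certificate or client_id: {exc}")
    return fp


def authorize_request(conn: sqlite3.Connection, presented_pem: str, body_client_id: str):
    """Step 6. presented_pem is the certificate the TLS layer already validated;
    this only checks that it is bound to the client_id from the request body.
    Returns (allowed, reason)."""
    try:
        fp = cert_fingerprint(presented_pem)
    except ValueError:
        return False, "no client certificate presented"
    row = conn.execute(
        "SELECT client_id FROM tpp_cert_binding WHERE fingerprint = ?", (fp,)
    ).fetchone()
    if row is None:
        return False, "certificate not enrolled"
    # Constant-time comparison so a mismatch does not leak the bound client_id.
    if not hmac.compare_digest(row[0].encode(), body_client_id.encode()):
        return False, "client_id does not match certificate"
    return True, "ok"


def _fake_pem(seed: bytes) -> str:
    """Constructed stand-in: a PEM wrapper around arbitrary bytes, NOT a real
    X.509 certificate. Sufficient for the fingerprint/binding logic above."""
    body = base64.b64encode(seed).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


CERT_A_PEM = _fake_pem(b"constructed placeholder: transport certificate of TPP A")
CERT_B_PEM = _fake_pem(b"constructed placeholder: transport certificate of TPP B")
# Same certificate as a gateway would forward it in a header (URL-encoded).
CERT_A_HEADER = urllib.parse.quote(CERT_A_PEM)


def demo() -> dict:
    """Run the enrolment and the request-time checks; returns every outcome."""
    conn = open_store()
    bind_certificate(conn, "tpp-a-client-id", CERT_A_PEM)
    try:
        bind_certificate(conn, "tpp-x-client-id", CERT_A_PEM)  # same cert, second TPP
        rebind_rejected = False
    except ValueError:
        rebind_rejected = True
    return {
        "good": authorize_request(conn, CERT_A_PEM, "tpp-a-client-id"),
        "header_form": authorize_request(conn, CERT_A_HEADER, "tpp-a-client-id"),
        "wrong_client_id": authorize_request(conn, CERT_A_PEM, "tpp-b-client-id"),
        "unknown_cert": authorize_request(conn, CERT_B_PEM, "tpp-b-client-id"),
        "no_cert": authorize_request(conn, "", "tpp-a-client-id"),
        "rebind_rejected": rebind_rejected,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two practical consequences of keying on the certificate fingerprint: a renewed certificate has a new fingerprint, so renewal must go through the same vetted rebinding as the original enrolment rather than a silent update, and the check is only meaningful if the TLS terminator in front of the policy actually required and validated the client certificate, otherwise an attacker could forward an arbitrary PEM in the header.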