Version 3.3 of the Curity Identity Server is due out later this month and includes new features to make it easy to comply with PSD2 regulations. Specifically, we have added:
- Support for mutual TLS client authentication and certificate-constrained tokens
- Wildcard scopes
The former allows a third-party provider (TPP) to dynamically register and authenticate to Curity and obtain tokens that are bound to that third party. These are Proof of Possession (PoP) tokens, not bearer tokens, which provides the extra protection required for banking-grade security. The latter, wildcard or prefix scopes, allows the TPP to register with a scope like "PIS:" and then include a suffix with any value in the request, for example "PIS:123". This suffix is presented to the end user for consent purposes and burned into the token.
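As an added illustration (not Curity's code), the sketch below shows the two checks an API behind the token service would make on such a token: that it is bound to the TLS client certificate presented on the connection, and that the requested scope extends a registered prefix scope. It assumes the binding is carried as a `cnf` claim with an `x5t#S256` thumbprint, the convention defined in RFC 8705, and that a prefix scope is one ending in ":"; the function names and sample values are hypothetical.

```python
import base64
import hashlib
import hmac
from typing import Optional


def cert_thumbprint(cert_der: bytes) -> str:
    """Unpadded base64url SHA-256 of the DER-encoded certificate (x5t#S256 form)."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def is_bound_to_cert(claims: dict, presented_cert_der: bytes) -> bool:
    """True only if the token's cnf thumbprint matches the TLS client certificate."""
    cnf = claims.get("cnf")
    expected = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(expected, str) or not expected:
        return False  # no binding present: would be a plain bearer token, reject
    actual = cert_thumbprint(presented_cert_der)
    return hmac.compare_digest(expected.encode("utf-8"), actual.encode("utf-8"))


def prefix_scope_suffix(registered: list, requested: str) -> Optional[str]:
    """Return the suffix if `requested` extends a registered prefix scope, else None.

    Assumption: a prefix scope is a registered scope ending in ':' (like "PIS:").
    """
    for scope in registered:
        if scope.endswith(":") and requested.startswith(scope):
            suffix = requested[len(scope):]
            # An empty suffix or embedded whitespace is not a single scope value.
            if suffix and not any(c.isspace() for c in suffix):
                return suffix
    return None


if __name__ == "__main__":
    # Constructed stand-in bytes, not real certificates.
    tpp_cert = b"constructed-der-bytes-for-tpp"
    other_cert = b"constructed-der-bytes-for-someone-else"
    # Constructed claims, as if the token signature had already been validated.
    claims = {"scope": "PIS:123", "cnf": {"x5t#S256": cert_thumbprint(tpp_cert)}}
    print(is_bound_to_cert(claims, tpp_cert))
    print(is_bound_to_cert(claims, other_cert))
    print(prefix_scope_suffix(["PIS:"], claims["scope"]))
```

A token copied from the TPP fails the first check when replayed over a connection that uses any other certificate, which is what distinguishes it from a bearer token.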
Combining these features with others will result in a highly secure and PSD2-compliant OAuth implementation. We'll send out more information when the new release is available. In the meantime, keep an eye on the developer portal for the latest docs, releases and tutorials.