Remove ACR validation for NatWest banks

finlabsuk · Mar 1, 2023 · 96d2cea · 96d2cea
1 parent 0f68df8
commit 96d2cea
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 35 deletions.
diff --git a/src/OpenBanking.Library.Connector/BankProfiles/Generators/NatWestGenerator.cs b/src/OpenBanking.Library.Connector/BankProfiles/Generators/NatWestGenerator.cs
@@ -3,11 +3,9 @@
 // See the LICENSE file in the project root for more information.
 
 using FinnovationLabs.OpenBanking.Library.BankApiModels.Json;
-using FinnovationLabs.OpenBanking.Library.BankApiModels.UkObRw.V3p1p10.Aisp.Models;
 using FinnovationLabs.OpenBanking.Library.Connector.BankProfiles.BankGroups;
 using FinnovationLabs.OpenBanking.Library.Connector.Configuration;
 using FinnovationLabs.OpenBanking.Library.Connector.Models.Configuration;
-using FinnovationLabs.OpenBanking.Library.Connector.Models.Fapi;
 using FinnovationLabs.OpenBanking.Library.Connector.Models.Public.AccountAndTransaction;
 using FinnovationLabs.OpenBanking.Library.Connector.Models.Public.BankConfiguration.CustomBehaviour;
 using FinnovationLabs.OpenBanking.Library.Connector.Models.Public.BankConfiguration.Request;
@@ -110,13 +108,15 @@ or NatWestBank.UlsterBankNiBankline
             {
                 AccountAccessConsentExternalApiRequestAdjustments = externalApiRequest =>
                 {
-                    var elementsToRemove = new List<OBReadConsent1DataPermissionsEnum>
-                    {
-                        OBReadConsent1DataPermissionsEnum.ReadParty,
-                        OBReadConsent1DataPermissionsEnum.ReadPartyPSU,
-                        OBReadConsent1DataPermissionsEnum.ReadPAN
-                    };
-                    foreach (OBReadConsent1DataPermissionsEnum element in elementsToRemove)
+                    var elementsToRemove =
+                        new List<AccountAndTransactionModelsPublic.OBReadConsent1DataPermissionsEnum>
+                        {
+                            AccountAndTransactionModelsPublic.OBReadConsent1DataPermissionsEnum.ReadParty,
+                            AccountAndTransactionModelsPublic.OBReadConsent1DataPermissionsEnum.ReadPartyPSU,
+                            AccountAndTransactionModelsPublic.OBReadConsent1DataPermissionsEnum.ReadPAN
+                        };
+                    foreach (AccountAndTransactionModelsPublic.OBReadConsent1DataPermissionsEnum element in
+                             elementsToRemove)
                     {
                         externalApiRequest.Data.Permissions.Remove(element);
                     }
@@ -154,11 +154,11 @@ or NatWestBank.UlsterBankNiBankline
                                 "https://secure1.ulsterbank.co.uk",
                             _ => throw new ArgumentOutOfRangeException(nameof(bank), bank, null)
                         },
-                        IdTokenAcrClaim = Acr.Ca
+                        DoNotValidateIdTokenAcrClaim = true
                     },
                     AuthCodeGrantPost = new GrantPostCustomBehaviour
                     {
-                        IdTokenAcrClaim = Acr.Ca
+                        DoNotValidateIdTokenAcrClaim = true
                     }
                 }
         };

diff --git a/....Library.Connector/Models/Persistent/Cleanup/BankConfiguration/BankRegistrationCleanup.cs b/....Library.Connector/Models/Persistent/Cleanup/BankConfiguration/BankRegistrationCleanup.cs
@@ -4,7 +4,6 @@
 
 using FinnovationLabs.OpenBanking.Library.BankApiModels.Json;
 using FinnovationLabs.OpenBanking.Library.Connector.BankProfiles;
-using FinnovationLabs.OpenBanking.Library.Connector.Models.Fapi;
 using FinnovationLabs.OpenBanking.Library.Connector.Models.Persistent.BankConfiguration;
 using FinnovationLabs.OpenBanking.Library.Connector.Models.Public.BankConfiguration.CustomBehaviour;
 using FinnovationLabs.OpenBanking.Library.Connector.Models.Repository;
@@ -89,10 +88,12 @@ public async Task Cleanup(
                 bool? idTokenNonceClaimIsPreviousValue =
                     bankRegistration.BankNavigation.CustomBehaviour?.AccountAccessConsentAuthGet
                         ?.IdTokenNonceClaimIsPreviousValue;
-                bool? responseLinksOmitId = bankRegistration.BankNavigation.CustomBehaviour?.AccountAccessConsentPost
-                    ?.ResponseLinksOmitId;
-                DateTimeOffsetConverterEnum? previousPaymentDateTimeJsonConverter = bankRegistration.BankNavigation.CustomBehaviour?.DirectDebitGet
-                    ?.PreviousPaymentDateTimeJsonConverter;
+                bool? responseLinksOmitId =
+                    bankRegistration.BankNavigation.CustomBehaviour?
+                        .AccountAccessConsentPost?.ResponseLinksOmitId;
+                DateTimeOffsetConverterEnum? previousPaymentDateTimeJsonConverter =
+                    bankRegistration.BankNavigation.CustomBehaviour?
+                        .DirectDebitGet?.PreviousPaymentDateTimeJsonConverter;
                 var changeMade = false;
 
                 CustomBehaviourClass newCustomBehaviour = GetNewCustomBehaviour(bankRegistration);
@@ -141,27 +142,29 @@ public async Task Cleanup(
                 or BankRegistrationGroup.NatWest_RoyalBankOfScotlandProduction
                 or BankRegistrationGroup.NatWest_UlsterBankNiProduction)
             {
-                Acr? idTokenAcrClaim =
-                    bankRegistration.BankNavigation.CustomBehaviour?.AccountAccessConsentAuthGet?.IdTokenAcrClaim;
-                Acr? idTokenAcrClaim2 =
-                    bankRegistration.BankNavigation.CustomBehaviour?.AuthCodeGrantPost?.IdTokenAcrClaim;
+                bool? doNotValidateIdTokenAcrClaim =
+                    bankRegistration.BankNavigation.CustomBehaviour?
+                        .AccountAccessConsentAuthGet?.DoNotValidateIdTokenAcrClaim;
+                bool? doNotValidateIdTokenAcrClaim2 =
+                    bankRegistration.BankNavigation.CustomBehaviour?
+                        .AuthCodeGrantPost?.DoNotValidateIdTokenAcrClaim;
                 var changeMade = false;
 
                 CustomBehaviourClass newCustomBehaviour = GetNewCustomBehaviour(bankRegistration);
-                if (idTokenAcrClaim is null)
+                if (doNotValidateIdTokenAcrClaim is null)
                 {
                     newCustomBehaviour.AccountAccessConsentAuthGet ??=
                         new ConsentAuthGetCustomBehaviour();
-                    newCustomBehaviour.AccountAccessConsentAuthGet.IdTokenAcrClaim =
-                        Acr.Ca;
+                    newCustomBehaviour.AccountAccessConsentAuthGet.DoNotValidateIdTokenAcrClaim =
+                        true;
                     changeMade = true;
                 }
 
-                if (idTokenAcrClaim2 is null)
+                if (doNotValidateIdTokenAcrClaim2 is null)
                 {
                     newCustomBehaviour.AuthCodeGrantPost ??=
                         new GrantPostCustomBehaviour();
-                    newCustomBehaviour.AuthCodeGrantPost.IdTokenAcrClaim = Acr.Ca;
+                    newCustomBehaviour.AuthCodeGrantPost.DoNotValidateIdTokenAcrClaim = true;
                     changeMade = true;
                 }
 

diff --git a/...onnector/Models/Public/BankConfiguration/CustomBehaviour/ConsentAuthGetCustomBehaviour.cs b/...onnector/Models/Public/BankConfiguration/CustomBehaviour/ConsentAuthGetCustomBehaviour.cs
@@ -16,7 +16,12 @@ public class ConsentAuthGetCustomBehaviour
 
     public bool? DoNotValidateIdToken { get; set; }
 
+    /// <summary>
+    ///     Deprecated
+    /// </summary>
     public Acr? IdTokenAcrClaim { get; set; }
 
+    public bool? DoNotValidateIdTokenAcrClaim { get; set; }
+
     public bool? IdTokenNonceClaimIsPreviousValue { get; set; }
 }
diff --git a/...ary.Connector/Models/Public/BankConfiguration/CustomBehaviour/GrantPostCustomBehaviour.cs b/...ary.Connector/Models/Public/BankConfiguration/CustomBehaviour/GrantPostCustomBehaviour.cs
@@ -12,5 +12,10 @@ public class GrantPostCustomBehaviour
 
     public bool? DoNotValidateScopeResponse { get; set; }
 
+    /// <summary>
+    ///     Deprecated
+    /// </summary>
     public Acr? IdTokenAcrClaim { get; set; }
+
+    public bool? DoNotValidateIdTokenAcrClaim { get; set; }
 }
diff --git a/src/OpenBanking.Library.Connector/Operations/ExternalApi/GrantPost.cs b/src/OpenBanking.Library.Connector/Operations/ExternalApi/GrantPost.cs
@@ -63,17 +63,17 @@ public GrantPost(IApiClient apiClient)
                     idTokenDecoded,
                     jsonSerializerSettings) ??
                 throw new Exception("Can't deserialise ID token.");
-            Acr expectedAcr =
-                consentAuthGetCustomBehaviour?.IdTokenAcrClaim
-                ?? (supportsSca ? Acr.Sca : Acr.Ca);
+            bool doNotValidateIdTokenAcrClaim =
+                consentAuthGetCustomBehaviour?.DoNotValidateIdTokenAcrClaim
+                ?? false;
             ValidateIdTokenCommon(
                 idToken,
                 bankIssuerUrl,
                 externalApiClientId,
                 externalApiConsentId,
                 expectedNonce,
                 supportsSca,
-                expectedAcr);
+                !doNotValidateIdTokenAcrClaim);
 
             // Validate ID token subject claim
             string? outputExternalApiUserId = externalApiUserId; // unchanged by default
@@ -352,7 +352,7 @@ private void ValidateIdTokenCommon(
             string externalApiConsentId,
             string expectedNonce,
             bool supportsSca,
-            Acr expectedAcr)
+            bool validateAcr)
         {
             if (idToken.Exp < DateTimeOffset.UtcNow)
             {
@@ -374,7 +374,9 @@ private void ValidateIdTokenCommon(
                 throw new Exception("Auth time is null.");
             }
 
-            if (supportsSca && idToken.Acr != expectedAcr)
+            if (supportsSca &&
+                validateAcr &&
+                idToken.Acr is not Acr.Sca)
             {
                 throw new Exception("Acr from ID token does not match expected Acr.");
             }
@@ -438,17 +440,18 @@ private async Task ValidateIdTokenTokenEndpoint(
                     jsonSerializerSettings) ??
                 throw new Exception("Can't deserialise ID token.");
 
-            Acr expectedAcr =
-                grantPostCustomBehaviour?.IdTokenAcrClaim
-                ?? (supportsSca ? Acr.Sca : Acr.Ca);
+            bool doNotValidateIdTokenAcrClaim =
+                grantPostCustomBehaviour?.DoNotValidateIdTokenAcrClaim
+                ?? false;
+
             ValidateIdTokenCommon(
                 idToken,
                 bankIssuerUrl,
                 externalApiClientId,
                 externalApiConsentId,
                 expectedNonce,
                 supportsSca,
-                expectedAcr);
+                !doNotValidateIdTokenAcrClaim);
 
             // Validate ID token subject claim
             switch (idTokenSubClaimType)