Validate signed responses
In order to guarantee the integrity of API responses, Rabobank digitally signs all responses of the Rabo Identity Services APIs. You can also use this feature to determine the integrity and authenticity of the response.
This functionality relies on JWS (JSON Web Signatures) for computing and signing the response payloads and JWK (JSON Web Keys) for the publication of the key material required to validate the integrity and authenticity.
Follow the listed steps to validate the integrity and authenticity of your response:
Obtain the JSON Web Key
All Rabo Identity Services API(s) facilitate an endpoint exposing the JSON Web Key, which is used to validate the signature on the response.
Retrieve the JWK by invoking the GET/keys
endpoint on your subscribed API. The received response should contain the public part of the cryptographic key and the corresponding private key should be used to compute the signature.
{ "keys": [ { "kty": "RSA", "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2 QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw", "e": "AQAB", "alg": "RS256", "kid": "12345" } ] }
The object with the keys
array should be used in its entirety when the signature validation is performed.
Obtain the X-JWS-Signature header
The API response should contain the X-JWS-Signature
header, this header represents a signed JWT and is computed based on the corresponding payload of the response.
The header of the X-JWS-Signature value contains a Key ID, referred to as kid. This value should match the kid
value in the public part of the JSON Web Key.
The signed JWT itself contains a header and signature part but with an empty payload, this payload should be populated before validating the signature.
Validating the X-JWS-Signature
After the JWK
and the X-JWS-Signature
are obtained, you can validate the signature.
In order to determine the integrity and authenticity of any API response, it’s required to base64 URL encode the payload of the API response and add it to the payload section of the X-JWS-Signature
value (this is empty by default).
After the entire JWS is composed, the X-JWS-Signature
value can be verified by applying the object within the keys
array as derived from the GET/keys
endpoint.
Certain API responses can be large in size, therefore the encoded payload is not duplicated as part of the X-JWS-Signature header due to performance reasons.