InitConsent-010 ConsentAuthorisationApi
The redirect starts with a GET request to ConsentAuthorisationApi.auth. This is the entryPoint of the ConsentAuthorisationApi for processing a consent initiated on the TppBankingApi side.
The ConsentAuthorisationApi forwards the redirect call to the BankingProtocolFacade.
The redirectCode is used to load and decrypt the redirectSession.
BankingProtocolFacade will read the serviceSessionId from the redirectSession and use it to load the matching BankingProtocol.
The BankingProtocolFacade forwards the redirect call to the BankingProtocol.
The serviceSessionID will be introspected to extract the bpServiceSessionID and the bpServiceSessionKey used to read and decrypt the persistent service session.
Some OpenBanking protocols require the PsuId to be provided with the very initial consent initiation request. In some cases, the OpenBanking protocol will specify a way to collect the PSU identity. This is the approach taken by the AuthPreStep as defined by the NextGenPSD2 protocol. In other cases, the OpenBanking protocol will not define any way of collecting this PSU identity. In such a case, the PsuIdentity will be collected using a UI defined by the TPP. Depending on which interface is used to collect the PsuIdentity, we have to mark whether the collected identity is authenticated or not. If the identity collection interface allows the provision of a password and verification of the association between the given identity and the password, we call this an authenticated identity. If the interface only collects the PsuIdentity without proof of ownership of this identity, we call this an unauthenticated identity.
- Inputs: (seviceSessionId, authId)
If the protocol requires a PsuIdentity and does not specify an identity provider (e.g. oAuth2) used to collect that identity, we assume the BankingProtocol is requesting the ConsentAuthorisationApi to collect the identity unauthenticated. In this case, the BankingProtocol will return a BankingProtocolResponse to instruct the BankingProtocolFacade to collect the identity of the PSU. The result carries the following parameters:
- The seviceSessionId: contains information later used by the BankingProtocol to load the ServiceSession.
- The authId: references this authorization instance in the scope of a service session, as a service request can involve more than one authorization session.
- Inputs: (seviceSessionId, authId)
The BankingProtocolFacade instructs the ConsentAuthorisationApi to collect the identity of the PSU.
- Inputs: (seviceSessionId, authId)
- Returns: SessionCookie,state
The ConsentAuthorisationApi creates a SessionCookie containing information provided in the call, generates a state parameter to protect the SessionCookie and redirects the call to the psuIdScreen of the ConsentAuthorisationUI.
- Specification: redirect302[SessionCookie,ConsentAuthorisationUI.psuIdScreen()<q:state>
The ConsentAuthorisationApi instructs the PsuUserDevice to redirect the PSU to the psuIdScreen of the ConsentAuthorisationUI.
The ConsentAuthorisationUI displays the psuIdScreen to the PSU.
The PSU enters the ASPSP's PsuId in the field provided by the ConsentAuthorisationUI.
- Spec: updatePsuIdentificationSessionCookie, X-XSRF-TOKEN
The ConsentAuthorisationUI sends the collected data to the ConsentAuthorisationApi.
- Inputs: (SessionCookie,xsrfToken)
- Results: seviceSessionId, authId
The ConsentAuthorisationApi uses the provided xsrfToken to validate authenticity of the SessionCookie and then extract processing information out of the cookie.
- Spec: updatePsuIdentification(psu-id@tpp, psu-id@aspsp, seviceSessionId, authId)
The ConsentAuthorisationApi forwards the call to the BankingProtocolFacade.
- Spec: selectBankingProtocol(protocolId):BankingProtocol
The BankingProtocolFacade uses the provided protocolId to select the target BankingProtocol.
- Spec: updatePsuIdentification(psu-id@tpp, psu-id@aspsp, seviceSessionId ,authId)
The BankingProtocolFacade forwards the call to the BankingProtocol.
- Inputs: (seviceSessionId, authId, idpUrl)
If the protocol requires a PsuIdentity and does specify an identity provider (e.g. oAuth2) used to collect that identity, we assume the idp is going to authenticate the PSU and therefore the BankingProtocol will return a BankingProtocolResponse to instruct the BankingProtocolFacade to send the PSU to the specified idp. The returned result carries the following parameters:
- The seviceSessionId: contains information later used by the BankingProtocol to load the ServiceSession.
- The authId: references this authorization instance in the scope of a service session, as a service request can involve more than one authorization session.
- The idpUrl: the URL of the idp used to collect the PSU identity on behalf of the ASPSP.
- Inputs: (protocolId,seviceSessionId, serviceSessionKey,authId,idpUrl)
The BankingProtocolFacade instructs the ConsentAuthorisationApi to collect the identity of the PSU.
- Inputs: (seviceSessionId, authId, idpUrl)
- Returns: SessionCookie,state
The ConsentAuthorisationApi creates a SessionCookie containing information provided in the call, generates a state parameter to protect the SessionCookie and redirects the call to the redirectInfoPage of the ConsentAuthorisationUI.
- Specification: redirect302[SessionCookie, ConsentAuthorisationUI.psuIdScreen()<q:state>
The ConsentAuthorisationApi instructs the PsuUserDevice to redirect the PSU to the redirectInfoPage of the ConsentAuthorisationUI.
The ConsentAuthorisationUI displays the redirectInfoPage to the PSU.
The PSU confirms the redirect to the idp of the ASPSP.
- Spec: confirmRedirect[SessionCookie, X-XSRF-TOKEN](psu-id@tpp, psu-id@aspsp)
The ConsentAuthorisationUI sends a redirect confirmation to the ConsentAuthorisationApi.
- Inputs: (SessionCookie,xsrfToken)
- Results: seviceSessionId, authId, idpUrl
The ConsentAuthorisationApi uses the provided xsrfToken to validate authenticity of the SessionCookie and then extract processing information out of the cookie.
- Inputs: (seviceSessionId, authId, idpUrl)
- Results: RedirectCookie,state
The ConsentAuthorisationApi creates a RedirectCookie containing this processing information, with the following specification:
- path: ConsentAuthorisationUI.fromIdpAuth<p:authId>
- exp: expected time needed by the PSU to authenticate with the idp of the ASPSP
- redirect-uri: ConsentAuthorisationUI.fromIdpAuth<p:authId>. This is the URI that is going to be used by the idp to redirect the PSU back to the TPP.
- state: this is the state used to verify authenticity of the RedirectCookie.
- Spec: redirect302[RedirectCookie, OnlineBankingApi.redirectEntryPoint]()<redirect-uri, state>
The ConsentAuthorisationApi instructs the ConsentAuthorisationUI to redirect the PSU to the idp of the ASPSP.
- Spec: fromIdpAuthUserAgentContext, RedirectCookie<p:authId,q:code,q:state>
With this call, the idp of the ASPSP redirects the PsuUserDevice to the ConsentAuthorisationUI of the TPP. This call will
- Inputs: (RedirectCookie,state)
- Results: seviceSessionId, authId, idpUrl
The ConsentAuthorisationApi uses the provided state parameter to validate authenticity of the RedirectCookie and then extract processing information out of the cookie.
- Inputs: (code, seviceSessionId, authId, idpUrl)
The ConsentAuthorisationApi forwards the call to the BankingProtocolFacade.
- Spec: selectBankingProtocol(seviceSessionId):BankingProtocol
The BankingProtocolFacade uses the provided seviceSessionId to select the target BankingProtocol.
- Spec: code2Token(code, seviceSessionId, authId, idpUrl)
The BankingProtocolFacade forwards the call to the target BankingProtocol.
- Spec: GET:code2TokenTppContext
The BankingProtocol calls the token endpoint of the idp of the ASPSP to request the token matching the returned authorization code.
The idp of the ASPSP returns a token to the banking protocol.
The banking protocol extracts the needed psu-id from the returned token.
- Spec: initiateConsentUserAgentContext, TppContext, psu-id@aspsp
The BankingProtocol sends an initiate consent request to the OpenBanking interface of the ASPSP (aka AspspBankingApi).
- Spec: 200_OK(AisConsent, AspspRedirectInfo, AspspChallenges, seviceSessionId)
The OpenBanking interface of the ASPSP returns information necessary to start the consent authorization process.
- AisConsent : a reference to the started ASPSP consent session
- AspspRedirectInfo: Information needed in case the TPP has to redirect the PSU to the OnlineBankingApi of the ASPSP
- AspspChallenges: Challenges and SCA meta information in case the TPP will have to collect PSU credentials at the ConsentAuthorisationApi.
- seviceSessionId: needed to read the serviceSession.
- Spec: addToServiceSession(AisConsent, AspspRedirectInfo, AspspChallenges)
The BankingProtocol stores the response of the call in the ServiceSession that also includes information like: protocolId, seviceSessionId, serviceSessionKey, authId.
The BankingProtocol also returns the ServiceSession containing information necessary to start the consent authorization process.
The BankingProtocolFacade returns the ServiceSession containing information necessary to start the consent authorization process.
- Spec: prepareResponse(ServiceSession):xsrfToken,AuthorizeResponse,SessionCookie
The ConsentAuthorisationApi prepares the response, producing:
- AuthorizeResponse : that will be sent back to the ConsentAuthorisationUI and used to manage interaction with the PSU and the ConsentAuthorisationUI.
- SessionCookie : that will be used to authenticate the interaction between the ConsentAuthorisationUI and the ConsentAuthorisationApi
- xsrfToken : used to authenticate SessionCookie
- Spec: displayBankLoginPageSessionCookie,X-XSRF-Token
If the AuthorizeResponse indicates that the consent authorization is going to happen at the interface of the TPP (ConsentAuthorisationApi), the initial screen for the processing of challenges will be displayed.
- Spec: displayRedirectInfoPageSessionCookie,X-XSRF-Token
If the AuthorizeResponse indicates that the consent authorization process is going to happen at the interface of the ASPSP, the redirect info page will be displayed to the PSU, waiting for a confirmation to be redirected to the ASPSP online banking interface.
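
One way to bind a cookie to its state (or xsrfToken) value, as the SessionCookie and RedirectCookie steps above require. This is an added example, not the project's own code. The page does not say how the state protects the cookie, so the HMAC-SHA256 construction, the SERVER_KEY secret, the cookie encoding and the function names are all assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumption: a per-deployment secret held only by the ConsentAuthorisationApi.
SERVER_KEY = secrets.token_bytes(32)

def _mac(state: str, body: bytes) -> bytes:
    # The MAC key depends on the server secret AND the state, so a cookie
    # verifies only together with the state value it was issued with.
    key = hmac.new(SERVER_KEY, state.encode(), hashlib.sha256).digest()
    return hmac.new(key, body, hashlib.sha256).digest()

def issue_redirect_cookie(sevice_session_id, auth_id, idp_url, ttl_s, now=None):
    """Return (cookie_value, state). The state travels in the redirect query."""
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)
    claims = {"seviceSessionId": sevice_session_id, "authId": auth_id,
              "idpUrl": idp_url, "exp": int(now + ttl_s)}
    # The payload is authenticated here, not encrypted.
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = base64.urlsafe_b64encode(_mac(state, body))
    return (body + b"." + tag).decode(), state

def read_redirect_cookie(cookie, state, path_auth_id, now=None):
    """Check the cookie against state, exp and <p:authId>; return the claims."""
    now = time.time() if now is None else now
    try:
        body, tag = cookie.encode().split(b".")
        given = base64.urlsafe_b64decode(tag)
    except ValueError:  # wrong number of parts or invalid base64
        raise ValueError("malformed cookie") from None
    if not hmac.compare_digest(given, _mac(state, body)):
        raise ValueError("state does not match cookie")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        raise ValueError("cookie expired")
    if claims["authId"] != path_auth_id:
        raise ValueError("authId in path does not match cookie")
    return claims

if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    c, s = issue_redirect_cookie("ss-1", "auth-1", "https://idp.example/authorize", 300)
    print(read_redirect_cookie(c, s, "auth-1"))
```

The same check applies to the SessionCookie, with the xsrfToken from the X-XSRF-TOKEN header in place of the state query parameter.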