New SCA Oauth2 response in consent creation/payment submission - New version of the Sandbox
Dear Developers,
We want to inform you that the new release of the PSD2 APIs will be available on October 19th (date to be confirmed) on our production environment.
This version brings a breaking change for you in the creation of a consent or a payment submission.
To understand this breaking change, we invite you to read the new HowTo dedicated to it: https://devportal-tpp.orangebank.fr/content/howto/build-authorize-url
The current version, in production, is described in this section: Build an authorize URL using the authorization URL
The new version describes all those changes in this section: Build an authorize URL using the well-known configuration link
On the sandbox environment, the well-known configuration has been deployed in advance in order for you to begin implementing the required changes for your application.
Here is the "scaOAuth" property returned by a consent creation (with header tppExplicitAuthorizationPreferred = false) or by a call to the POST /authorization endpoint:

{
  …
  "_links": {
    "scaOAuth": {
      "href": "https://sandbox-api-tpp.orangebank.fr/berlingroup/.well-known/openid-configuration?authorizationId=11111111-1111-1111-1111-111111111111"
    },
    …
  }
}
You have to call this URL and read the "authorization_endpoint" property from the response:
{
  "issuer": "http://sandbox-api-tpp.orangebank.fr",
  "authorization_endpoint": "http://sandbox-web-tpp.orangebank.fr/berlingroup/authorize/11111111-1111-1111-1111-111111111111",
  "token_endpoint": "http://sandbox-api-tpp.orangebank.fr/berlingroup/v1/token",
  "userinfo_endpoint": "http://sandbox-api-tpp.orangebank.fr/berlingroup/v1/accounts",
  "scopes_supported": [
    "account",
    "payment"
  ],
  "response_types_supported": [
    "code"
  ],
  "grant_types_supported": [
    "client_credentials",
    "authorization_code",
    "refresh_token"
  ],
  "code_challenge_methods_supported": [
    "S256"
  ],
  "subject_types_supported": [
    "public"
  ]
}
With this property, you will be able to build your authorize URL with the following parameters:

URI parameter / Description

scope
  This parameter corresponds to the consentId of the consent creation or the paymentId of the payment initiation.
  Examples: AIS:VALID_CONSENT_ID, PIS:PAYMENT_ID_RCVD_SCT

client_id
  This parameter corresponds to your NCA id.

state
  Dynamic value that you have to set in order to prevent XSRF attacks.

redirect_uri
  This parameter corresponds to the URI to which the OAuth2 server redirects the PSU after the authorization.
  NB: this redirect_uri has to be the same as the one used for the consent creation or payment initiation.

code_challenge
  This parameter corresponds to the PKCE challenge defined in RFC 7636, which is used to prevent authorization code injection attacks.

response_type
  Type of the response. This value has to be set to "code".

code_challenge_method
  Optional parameter which corresponds to the code verifier transformation method ("S256" or "plain").
Following these instructions, your authorize URL should look like this and is then valid to process the authorization of the PSU:
This process to build the authorize URL is the same for a payment initiation.
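The procedure above, as an added example that is not part of this announcement or of the bank's SDK: it reads the authorization_endpoint from the well-known document, derives an S256 PKCE pair, and assembles the authorize URL with the parameters of the table. The well-known sample is reduced to the fields used, the TRUSTED_AUTHZ_HOSTS allowlist and the client_id and redirect_uri values are assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample: the well-known document from the announcement, reduced to the fields used here.
WELL_KNOWN = {
    "issuer": "http://sandbox-api-tpp.orangebank.fr",
    "authorization_endpoint": "http://sandbox-web-tpp.orangebank.fr/berlingroup/authorize/"
                              "11111111-1111-1111-1111-111111111111",
    "code_challenge_methods_supported": ["S256"],
}
# Assumption: hosts the TPP is willing to send the PSU to. The well-known document is remote data,
# so the endpoint it names is checked against this allowlist before it is used.
TRUSTED_AUTHZ_HOSTS = {"sandbox-web-tpp.orangebank.fr"}


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorize_url(well_known, scope, client_id, redirect_uri, state, code_challenge):
    """Build the authorize URL from the well-known document and the parameters of the table above."""
    endpoint = well_known["authorization_endpoint"]
    if urlparse(endpoint).hostname not in TRUSTED_AUTHZ_HOSTS:
        raise ValueError(f"untrusted authorization_endpoint: {endpoint}")
    if "S256" not in well_known.get("code_challenge_methods_supported", []):
        raise ValueError("server does not advertise S256 PKCE")
    params = {
        "scope": scope,                    # consentId or paymentId, e.g. AIS:VALID_CONSENT_ID
        "client_id": client_id,            # the TPP's NCA id
        "state": state,                    # unguessable, bound to the PSU session (XSRF check)
        "redirect_uri": redirect_uri,      # must equal the one used at consent/payment creation
        "code_challenge": code_challenge,  # keep the verifier for the later token request
        "code_challenge_method": "S256",
        "response_type": "code",
    }
    return f"{endpoint}?{urlencode(params)}"


def authorize_params(url):
    """Parse an authorize URL's query string back into a flat dict (for checking results)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
```

Generate the state with secrets.token_urlsafe() per request and store it with the verifier in the PSU's session, so the callback can compare both before exchanging the code.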
The new version of the API has been released on the Sandbox environment for you to test.
Best regards,
Your bank support team