NZ Banking Data Security Profile v2.1.1
- 1 Version Control
- 2 Introduction
- 2.1 Security Architecture
- 2.1.1 OAuth 2.0
- 2.1.2 OIDC Core
- 2.1.3 OIDC Client Initiated Backchannel Authentication
- 2.1.4 FAPI
- 2.2 Scope
- 2.3 Normative References
- 2.4 Terms and Definitions
- 2.5 Symbols and Abbreviated Terms
- 2.1 Security Architecture
- 3 NZ Read and Write API Security Profile
- 3.1 5.2 Read and Write API Security Provisions
- 3.1.1 5.2.1 Introduction
- 3.1.2 5.2.2 Authorization Server
- 3.1.3 5.2.4 Confidential Client
- 3.2 6. Accessing Protected Resources
- 3.2.1 6.1 Introduction
- 3.2.2 6.2 Access Provisions
- 3.2.2.1 6.2.1 Protected resources provisions
- 3.2.2.2 6.2.2 Client Provisions
- 3.3 7. Request Object Endpoint
- 3.3.1 7.1 Introduction
- 3.4 8. Security Considerations
- 3.1 5.2 Read and Write API Security Provisions
- 4 NZ Client Initiated Backchannel Authentication Profile
- 5 Non-Normative Examples
- 5.1 Hybrid Flow
- 5.1.1 Authorization Request
- 5.1.1.1 Parameters
- 5.1.2 Request Object
- 5.1.2.1 Claims
- 5.1.3 ID Token
- 5.1.3.1 Claims
- 5.1.1 Authorization Request
- 5.2 Decoupled Request
- 5.2.1 Authorization Request
- 5.2.1.1 Claims
- 5.2.2 Login Hint Token
- 5.2.2.1 Claims
- 5.2.3 ID Token Hint
- 5.2.4 Authorization Request Response
- 5.2.4.1 Claims
- 5.2.5 Token Request
- 5.2.6 Token Request Response
- 5.2.7 Ping Callback
- 5.2.8 ID Token
- 5.2.8.1 Claims
- 5.2.1 Authorization Request
- 5.1 Hybrid Flow
- 6 Implementation Guide
- 6.1 Hybrid Flow
- 6.1.1 Client Types
- 6.1.2 Grant Types
- 6.1.2.1 Client Credentials Grant Type
- 6.1.2.2 Hybrid Flow
- 6.1.3 Access Tokens
- 6.1.4 Refresh Tokens
- 6.1.5 ID Tokens
- 6.1.6 Authorization Codes
- 6.1.7 Unspecified Behaviour
- 6.1.7.1 Client Types
- 6.1.7.2 Grant Types
- 6.1.7.3 Validity Lengths
- 6.1.8 Success Flows
- 6.1.8.1 Client Credentials Grant Type (OAuth 2.0)
- 6.1.8.2 OIDC Hybrid Flow
- 6.1.9 Non-Normative HTTP Request and Response Examples
- 6.1.9.1 Step 1 - Agree Payment Consent
- 6.1.9.2 Step 2 - Setup Payment-Order Consent
- 6.1.9.3 Step 3 - Authorize Consent
- 6.1.9.4 Step 4 - Create Payment-Order
- 6.1.9.5 Step 5 - Get Domestic-Payment Status
- 6.2 Decoupled Flow
- 6.2.1 Client Types
- 6.2.2 Grant Types
- 6.2.2.1 Client Credentials Grant Type
- 6.2.2.2 CIBA Flow
- 6.2.3 Access Tokens
- 6.2.4 Refresh Tokens
- 6.2.5 ID Tokens
- 6.2.6 Unspecified Behaviour
- 6.2.6.1 Validity Lengths
- 6.2.7 Success Flows
- 6.2.7.1 Client Credentials Grant Type (OAuth 2.0)
- 6.2.7.2 CIBA Flow
- 6.2.8 Non-Normative HTTP Request and Response Examples
- 6.3 Edge Cases
- 6.1 Hybrid Flow
- 7 JSON Security Suite
- 8 Prerequisites
- 8.1 Certificates
- 8.2 API Centre Register
- 8.2.1 Organisations
- 8.2.2 Keys
- 8.2.3 Authorisation Servers
- 8.2.4 Swagger
Version Control
Version | Date | Author | Comments |
|---|---|---|---|
2.0.0 | Apr 30, 2020 | Payments NZ API Working Group | Baseline |
2.1-draft1 | Jun 15, 2020 | @Gavin Wong (Unlicensed) | Updated:
|
2.1-rc2 | Sep 11, 2020 | @Gavin Wong (Unlicensed) | Updated:
|
2.1.1 | Nov 5, 2022 | @Nigel Somerfield | No change |
Introduction
This document is based on the OpenID Foundation's Financial-grade API Read+Write specification FAPI-RW, which in turn is based on the Read only specification document FAPI. In addition, the Financial-grade API: Client Initiated Backchannel Authentication Profile FAPI-CB has been incorporated, to support a decoupled authentication flow. The NZ Banking Data profile will further shape these profiles in some cases tightening restrictions and in others loosening requirements using keywords. Please see the introduction to FAPI-RW for a general introduction to the aims of this document.
The NZ Banking Data Profile outlines the differences between the FAPI-RW and FAPI-CB with clauses and provisions necessary to reduce delivery risk for API Providers.
Security Architecture
OAuth 2.0
OAuth 2.0 will be the foundational framework for API Security for the NZ Banking Data API Standard. OAuth 2.0 itself is a framework which can be deployed in many ways, some of them completely incompatible with financial models. In order to securely use the OAuth 2.0 framework, a profile must exist by which both Third Parties and API Providers are certified to have correctly configured their clients and servers.
OIDC Core
The OpenID Connect Request object uses exactly the same claims object for specifying claim names, priorities, and values as OAuth 2.0. However if the Request object is used, the Claims object becomes a member in an assertion that can be signed and encrypted, allowing the API Provider to authenticate the request from the Third Party and ensure it hasn't been tampered with. The OpenID Connect Request object can either be passed as a query string parameter, or can be referenced at an endpoint that could theoretically be protected by MATLS. The use of JWT Request objects by reference is not supported due a number of delivery risks and remaining security concerns.
In addition to specifying a ticket, the Third Party can optionally require a minimum strength of authentication context or request to know how long ago the user was actually authenticated. Multiple tickets could be passed if necessary. Everything is fully specified. Vendors who implement this feature are not creating a one-off proprietary feature, they are simply supporting the OpenID Connect standard.
Full accountability is available as required by all participants. Not only can the API Provider prove that they received the original request from the Third Party, but the Third Party can prove that the access token that comes back was the token that was intended to be affiliated to this specific ConsentId.
OIDC Client Initiated Backchannel Authentication
The OIDC Client Initiated Backchannel Authentication (CIBA) profile enables a Client (Third Party) to initiate the authentication of the end-user (Customer) with the OpenID Provider (API Provider) in an out of band mechanism. This direct out of band mechanism between the Third Party and API Provider means that the Customer is not redirected to authenticate through the Customer's browser (or consumption device).
FAPI
The Financial API working group in the OpenID Foundation has created a draft standard for configuration of Financial-grade API security regimes. If any FAPI-compliant vendor can participate in the NZ Banking Data API ecosystem, it means that vendors can work to the standard and reach many customers, rather than having to create different solutions for different banking platforms. The FAPI profiles apply to both OIDC Core and OIDC CIBA profiles.
Scope
This part of the document specifies the method of
Applications to obtain the OAuth tokens in an appropriately secure manner for financial data access;
Applications to use OpenID flows to identify the Customer; and
Using tokens to interact with the REST endpoints that provides financial data;
This document is applicable to higher risk use cases which includes commercial and investment banking.
Normative References
The following referenced documents are strongly recommended to be used in conjunction with this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
[FAPI] - FAPI ReadOnly profile [FAPI]: http://openid.net/specs/openid-financial-api-part-1.html
[FAPI-RW] - FAPI Read+Write profile [FAPI-RW]: http://openid.net/specs/openid-financial-api-part-2.html
[OIDC] - OpenID Connect Core 1.0 incorporating errata set 1 [OIDC]: http://openid.net/specs/openid-connect-core-1_0.html
[MTLS] - Mutual TLS Profile for OAuth 2.0 [MTLS]: https://tools.ietf.org/html/draft-ietf-oauth-mtls-03
[CIBA] - OpenID Connect Client Initiated Backchannel Authentication Flow - Core 1.0 draft-02 [CIBA]: https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html
[FAPI-CB] - Financial-grade API: Client Initiated Backchannel Authentication Profile [FAPI-CB]: https://openid.net/specs/openid-financial-api-ciba-ID1.html
[OAUTH-CLIENT-AUTH] - Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [OAUTH-CLIENT-AUTH]: https://tools.ietf.org/html/rfc7521
Terms and Definitions
For the purpose of this document, the terms defined in [FAPI ReadOnly profile] FAPI, [FAPI Read+Write profile] FAPI-RW, [OpenID Connect Core] OIDC, [OpenID Connect Client Initiated Backchannel Authentication Flow] CIBA, and [FAPI: Client Initiated Backchannel Authentication Profile] FAPI-CB apply.
Symbols and Abbreviated Terms
API Provider - provides APIs in a manner that complies with the API Standards (e.g. Account Information and Payment Initiation APIs), and connects those APIs with a Third Party.
Third Party - the entity that consumes an API in a manner that complies with the API Standards.
Customer - a natural or legal person that operates banking accounts.
NZ Read and Write API Security Profile
The NZ Read and Write API Security Profile extends from [FAPI Read+Write profile] FAPI-RW.
This section identifies variations from FAPI-RW and the numbered section references where there is a variation in FAPI-RW.
5.2 Read and Write API Security Provisions
5.2.1 Introduction
The NZ Banking Data API Security Profile does not distinguish between the security requirements from a technical level between "read" and "write" resources. The security requirements for accessing Customer resources held at API Providers requires more protection level than a basic OAuth 2.0 (RFC6749) supports.
As a profile of The OAuth 2.0 Authorization Framework, this document mandates the following to the NZ Banking Data APIs.
5.2.2 Authorization Server
The Authorization Server
shall only support confidential clients;
shall secure its token endpoint using mutually authenticated TLS;
shall only support the
response_typevaluecode id_token;shall require the ConsentId to be passed in the authorisation request as an essential claim;
shall issue an ID Token in the token response as in Section 3.1.3.3 of OIDC with its "sub" value corresponding to the ConsentId;
may support refresh tokens; and
shall provide a discovery endpoint that does not require a client certificate to authenticate using a TLS certificate that should be trusted by the user agent.
5.2.4 Confidential Client
A Confidential Client
may use separate and distinct Redirect URI for each Authorization Server that it talks to; and
shall accept and verify signed ID Tokens (JWS);
6. Accessing Protected Resources
6.1 Introduction
The FAPI endpoints are OAuth 2.0 protected resource endpoints that return various financial information for the resource owner associated with the submitted access token.
6.2 Access Provisions
6.2.1 Protected resources provisions
The resource server with the FAPI endpoints
shall mandate mutually authenticated TLS; and
shall verify that the client identifier bound to the underlying mutually authenticated TLS transport session matches the client that the access token was issued to.
6.2.2 Client Provisions
The confidential client supporting this document
shall use mutually authenticated TLS;
shall supply the last time the customer logged into the client as defined by FAPI clause 6.2.2.3;
shall supply the customer's IP address if this data is available as defined by FAPI clause 6.2.2.4;
shall supply the merchant's IP address if this data is available in the x-merchant-ip-address header, e.g., x-fapi-merchant-ip-address: 198.51.100.119; and
shall supply the customer's user agent if this data is available in the x-customer-user-agent header.
7. Request Object Endpoint
7.1 Introduction
OPs:
shall not support
request_uri, OIDC Request Object by Reference;shall only support Request Objects passed by value as in clause 6.3 of OIDC.
8. Security Considerations
The Message containment failure considerations in FAPI section 7.4 shall be followed.
8.5 TLS Considerations
The TLS considerations in FAPI section 7.1 shall be followed; and
The TLS considerations in FAPI-RW section 8.5 shall be followed.
8.6 JWS Algorithm Considerations
The JWS algorithm considerations in FAPI-RW section 8.6 shall be followed.
NZ Client Initiated Backchannel Authentication Profile
The NZ Client Initiated Backchannel Authentication Profile extends from [FAPI: Client Initiated Backchannel Authentication Profile] FAPI-CB.
This section identifies variations from FAPI-CB and the numbered section references where there is a variation in FAPI-CB.
The Client Initiated Backchannel Authentication Flow [CIBA] specifies an alternate method of users granting access to their resources whereby the flow is started from a consumption device, but authorized on an authentication device.
5.2 Read and Write API Security Provisions
5.2.2 Authorization Server
The Authorization Server
shall require a previously staged ConsentId to be passed in the authentication request;
shall not require clients to provide a request_context claim - as these fraud and threat parameters will be passed in the consent object;
shall only support login_hint_token and id_token_hint; and
shall not support the user_code parameter in the authentication request.
6. Accessing Protected Resources
6.1 Introduction
The FAPI endpoints are OAuth 2.0 protected resource endpoints that return various financial information for the resource owner associated with the submitted access token.
6.2 Access Provisions
6.2.1 Protected resources provisions
The resource server with the FAPI endpoints
shall mandate mutually authenticated TLS; and
shall verify that the client identifier bound to the underlying mutually authenticated TLS transport session matches the client that the access token was issued to.
6.2.2 Client Provisions
The confidential client supporting this document
shall use mutually authenticated TLS;
shall supply the last time the customer logged into the client as defined by FAPI clause 6.2.2.3;
shall supply the customer's IP address if this data is available as defined by FAPI clause 6.2.2.4;
shall supply the merchant's IP address if this data is available in the x-merchant-ip-address header, e.g., x-fapi-merchant-ip-address: 198.51.100.119; and
shall supply the customer's user agent if this data is available in the x-customer-user-agent header.
7. Security Considerations
7.9 TLS Considerations
The TLS considerations in FAPI-CB section 7.9 shall be followed.
7.10 Algorithm Considerations
The JWS algorithm considerations in FAPI-CB section 7.10 shall be followed.
Non-Normative Examples
Hybrid Flow
This section describes parameters that should be used with a hybrid grant flow request so that an ConsentId can be passed from the Third Party to an API Provider for minimum conformance for the NZ Read and Write API Security Profile (extending FAPI-RW). The hybrid flow is used as the redirect authorisation flow for the NZ Banking Data APIs.
Prior to this step,
The Third Party would have already registered a consent with an API Provider. This is achieved by creating a resource with an account information or payment consent APIs.
The API Provider would have responded with an ConsentId (this is the unique identifier for the consent resource).
Authorization Request
This section describes the bare minimum set of Authorization Request parameters that an API Provider must support. The definitive reference is specified in OIDC Section 3.3.2.1 (Authentication Request) and OIDC Section 3.1.2.1 (Authentication Request)
All API Providers must support the issuance of OIDC ID Tokens, a Third Party must request that an ID Token is issued.
This is a non-normative example of the Authorization Request:
GET /authorize?
response_type=code%20id_token
&client_id=s6BhdRkqt3
&state=af0ifjsldkj&
&scope=openid%20payments
&nonce=n-0S6_WzA2Mj
&redirect_uri=https://api.mytpp.com/cb
&request=eyJraWQiOiJsdGFjZXNidyIsImFsZyI6I.....JjVqsDuushgpwp0E.5leGFtcGxlIiwianRpIjoiM....JleHAiOjE0.olnx_YKAm2J1rbpOP8wGhi1BDNHJjVqsDuushgpwp0EParameters
Parameter | NZ Banking Data Profile | Notes |
|---|---|---|
scope | Required | Third Parties must specify the scopes that are being requested. The scope parameter must contain openid The scopes must be a sub-set of the scopes that were registered during Client Registration with the API Provider. |
response_type | Required | OAuth 2.0 requires that this parameter is provided. Third Parties must specify " The values for these parameters must match those in the Request Object, if present. |
client_id | Required | Third Parties must provide this value and set it to the Client Id issued to them by the API Provider to which the authorization code grant request is being made. |
redirect_uri | Required | Third Parties must provide the URI to which they want the resource owner's user agent to be redirected to after authorization. This must be a valid, absolute URL that was registered during Client Registration with the API Provider. |
state | Required | Third Parties must provide a state parameter. The parameter may be of any format and is opaque to the API Provider. The API Provider must play back the value in the redirect to the Third Party. The API Provider must include the s_hash in the ID Token. |
nonce | Required | Third Parties must provide a nonce parameter. Used to help mitigate against replay attacks. The API Provider must be replay the supplied nonce parameter in any ID Token response. |
request | Required | The Third Party must provide a value for this parameter. The Request Object parameter must contain a JWS that is signed by the Third Party. The JWS payload must consist of a JSON object containing a Request Object as per OIDC Section 6.1. |
Request Object
This section describes the Request Object which is used in the request Authorization Request parameter. The definitive reference is specified in OIDC Section 6.1 (Request Object). All standards and guidance MUST be followed as per the OIDC specification.
As per OIDC - when the Request Object is used, the OpenID Connect Request Object values (in the JWT) supersede those which are passed using the OAuth 2.0 request query parameter syntax.
The Request Object:
must contain a "claims" request parameter with the ConsentId in the "id_token" object as an essential claim
may contain additional "claims" to be requested if the API Provider's Authorization Server support them - these claims must be listed on the OIDC Well Known configuration endpoint.
In OIDC - the "claims" request parameter in the Request Object is used to request that specific Claims be returned in either the ID Token or at the userinfo endpoint. Hence the top level members of the "claims" request parameter are:
id_token
userinfo
The userinfo and id_token members of the claims request parameter are JSON objects with the names of the individual Claims being requested as the member names. Within an individual Claims field, the "essential" field is required to indicate whether the Claim being requested is an Essential Claim. If the value is true, this indicates that the claim is an Essential Claim.
For instance, the claim request:
"claims": { "id_token": { "ConsentId": { "value": "urn-alphabank-intent-58923", "essential": true } } }can be used to specify that it is essential to return the ConsentId as a claim in the ID Token.
This is a non-normative example of the Request Object JWS - without Base64 encoding:
{
"alg": "PS256",
"kid": "GxlIiwianVqsDuushgjE0OTUxOTk"
}
.
{
"iss": "https://api.alphanbank.com",
"aud": "s6BhdRkqt3",
"response_type": "code id_token",
"client_id": "s6BhdRkqt3",
"redirect_uri": "https://api.mytpp.com/cb",
"scope": "openid payments",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"max_age": 86400,
"claims": {
"id_token": {
"ConsentId": {
"value": "urn-alphabank-intent-58923",
"essential": true
}
}
}
}
.
<<signature>>
Claims
Where appropriate follow the JWT Good Practice Guides http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-00.html#rfc.section.3.1
Field | NZ Banking Data Profile | Notes |
|---|---|---|
iss | Required | The iss value should be or include the API Provider's Issuer Identifier URL. |
aud | Required | The aud value should be the Client Id of the Third Party, unless it was signed by a different party than the Third Party. |
scope | Required | Third Parties must specify the scopes that are being requested. The scope parameter must contain openid The scopes must be a sub-set of the scopes that were registered during Client Registration with the API Provider. |
response_type | Required | Third Parties must provide this field and set its value to 'code id_token'. The values must match those in the request parameter. |
client_id | Required | Third Parties must provide this value and set it to the Client Id issued to them by the API Provider to which the authorization code grant request is being made. |
redirect_uri | Required | Third Parties must provide the URI to which they want the resource owner's user agent to be redirected to after authorization. This must be a valid, absolute URL that was registered during Client Registration with the API Provider. |
state | Required | Third Parties must provide a state parameter. The parameter may be of any format and is opaque to the API Provider. The API Provider must play back the value in the redirect to the Third Party. The API Provider must include the s_hash in the ID Token. |
nonce | Required | Third Parties must provide a nonce parameter. Used to help mitigate against replay attacks. The API Provider must be replay the supplied nonce parameter in any ID Token response. |
max_age | Optional | Third Parties may provide a maximum authentication age parameter. This specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the API Provider. If the elapsed time is greater than this value, the API Provider must attempt to actively re-authenticate the Customer. (The max_age request parameter corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] max_auth_age request parameter.) If the parameter is provided, the API Provider must include an auth_time Claim value in the ID Token. |
claims.id_token.ConsentId | Required | Third Parties must provide a ConsentId. The ConsentId must be the identifier for a consent resource returned by the API Provider to Third Party that is initiating the authorisation request. |
ID Token
This is a non-normative example of an ID Token returned - with the sub being populated with the ConsentId.
{
"alg": "PS256",
"kid": "12345",
"typ": "JWT"
}
.
{
"iss": "https://api.alphabank.com",
"iat": 1234569795,
"auth_time": 1234569785,
"sub": "urn:alphabank-intent-58923",
"ConsentId": "urn:alphabank-intent-58923",
"aud": "s6BhdRkqt3",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"s_hash": "76sa5dd",
"c_hash": "asd097d"
}
.
<<signature>>
Claims
Where appropriate please follow the JWT Good Practice Guides http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-00.html#rfc.section.3.1
Field | NZ Banking Data Profile | Notes |
|---|---|---|
aud | Required | Audience that the ID Token is intended for. OpenID Connect protocol mandates this must include the ClientID of the Third Party's OAuth Client. |
iss | Required A JSON string that represents the issuer identifier of the authorization server as defined in RFC7519. When a pure OAuth 2.0 is used, the value is the redirection URI. When OpenID Connect is used, the value is the issuer value of the authorization server. | Issuer of the token. Token issuer will be specific to the business. |
sub | Required | Token subject identifier. A unique and non-repeating identifier for the subject.
|
ConsentId | Required It's acknowledged that this field duplicates the value in "sub". | The ConsentId of the originating request. |
exp | Required The validity length will be at the discretion of the API Providers as long as it does not impact the functionality of the APIs. E.g., an expiry time of 1 second is insufficient for all resource requests | Token expiration date/time. Expressed as an epoch i.e. number of seconds from 1970-01-01T0:0:0Z as measured in UTC. RFC7519. |
iat | Required | Token issuance date/time. Expressed as an epoch i.e. number of seconds from 1970-01-01T0:0:0Z as measured in UTC. RFC7519. |
auth_time | Case-Specific | The date/time the Customer was authorised. This field must be provided when max_age is in the Authorization Request is made or max_age is included as an essential claim. In order to be compliant with the protocol we therefore need to support it. Expressed as an epoch i.e. number of seconds from 1970-01-01T0:0:0Z as measured in UTC. RFC7519. |
nonce | Required | Used to help mitigate against replay attacks. The API Provider must be replay the supplied nonce parameter (in the Authorization Request) in any ID Token response. |
c_hash | Required | Code hash value. Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the code value, where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the ID Token's JOSE Header. |
s_hash | Required | State hash value. must include state hash, Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the state value, where the hash algorithm used is the hash algorithm used in the |
Decoupled Request
This section describes parameters that should be used with a decoupled flow so that a ConsentId can be passed from the Third Party to an API Provider for minimum conformance for the NZ Client Initiated Backchannel Authentication Profile (extending FAPI-CB).
Prior to this step,
The Third Party would have already registered a consent with an API Provider. This is achieved by creating a resource with an account information or payment consent APIs.
The API Provider would have responded with an ConsentId (this is the unique identifier for the consent resource).
Authorization Request
This section describes the bare minimum set of Authorization Request parameters that an API Provider must support. The definitive reference is specified in CIBA Section 7.1 (Authentication Request).
As per FAPI-CB 5.2.2.6 the Authorization Requests shall be signed as per CIBA Section 7.1.1
This is a non-normative example of the Authorization Request:
POST /bc-authorize HTTP/1.1
Host: server.example.com
Authorization: Bearer czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
request=eyJraWQiOiJsdGFjZXNidyIsImFsZyI6IlJTMjU2In0.GasCmoMYSMohPOb
nwAlkm8Yf0uglhxM83B0dj_I10vwlMGnVFvydaH9wnacM4Ln7E-JIYOxtZa33abf
1PB3fLs29GKOBmgNPn3NrxJ0iCLb0F243556Ypzdhcyj7vM8ukNzkKT3eQ0ZWJ1v
VRToThgKyIN-HvLFpeSfJtSH5ycMYOjob-qXUgKpQryUbgbpqsM1XnUV-8aBD5d8
VF5fQoz0.PQWq63B_zpC22nstIFxNmfxztSFpnW0vgX0htNKOtL_HMwFRfwh71gThis is the example Request Object - without Base64 encoding:
{
"alg": "PS256",
"kid": "GxlIiwianVqsDuushgjE0OTUxOTk"
}
.
{
"iss": "https://api.alphanbank.com",
"aud": "s6BhdRkqt3",
"nbf": 1537818886,
"exp": 1537820086,
"iat": 1537819486,
"jti": "4LTCqACC2ESC5BWCnN3j58EnA",
"client_notification_token": "8d67dc78-7faa-4d41-aabd-67707b374255",
"scope": "openid payments"
"ConsentId": "urn-alphabank-intent-58923",
"login_hint_token": "eyJraWQiOiJsdGFjZXNidyIsImFsZyI6IlJTMjU2I
n0.eyJzdWJqZWN0Ijp7InN1YmplY3RfdHlwZSI6InBob25lIiwicGhvbmUiO
iIrMTMzMDI4MTgwMDQifX0.YB8_8OksJd1FwfVsIUlH-rs9cPhkIa0DUi7OV
W_Da9gP6huBxf7aSDl3qKXA20uT1zThuSiYz0bdz8J_KPRHuC6vwoFlz9yBJ
9ksWOP28sHPPi19_4-xidwnb8P12-RoXwY2eAF82_NAn2vmpvqUjluoWyNHa
y8vguChIutqziV0bFl-7oaxp36i4elbvT_DYeg20a0jz4wIBKc_46K8I28Er
kwbI5O35GfElPXl-4J55NHkkOsDxuUYQtWjSM3wme19735XWq2DIT2nmLFi4
HzzT27W0cnJg7L_ai9uNNBvIx_Mp5AbcmkR83apR4jxnQuE5Xf23qyRpAhaw
e7IPQ"
}
.
<<signature>>
Claims
Field | NZ Banking Data Profile | Notes |
|---|---|---|
iss | Required | The iss value should be or include the API Provider's Issuer Identifier URL. |
aud | Required | The aud value should be the Client Id of the Third Party, unless it was signed by a different party than the Third Party. |
nbf | Required | The time before which the JWT must not be accepted for processing. The processing of the "nbf" claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the nbf claim. Expressed as an epoch i.e. number of seconds from 1970-01-01T0:0:0Z as measured in UTC. RFC7519. |
exp | Required | Token expiration date/time. Expressed as an epoch i.e. number of seconds from 1970-01-01T0:0:0Z as measured in UTC. RFC7519. |
iat | Required | Token issuance date/time. Expressed as an epoch i.e. number of seconds from 1970-01-01T0:0:0Z as measured in UTC. RFC7519. |
jti | Required | The jti (JWT ID) claim provides a unique identifier for the JWT. |
scope | Required | Third Parties must specify the scopes that are being requested. The scope parameter must contain openid The scopes must be a sub-set of the scopes that were registered during Client Registration with the API Provider. |
ConsentId | Required | Third Parties must provide a ConsentId for which this authorisation is requested. |
client_notification_token | Optional | Third Parties must provide this field if registered to use Ping mode. It is a bearer token provided by the Third Party that will be used by the API Provider to authenticate the callback request to the Third Party. |
login_hint_token | Optional | A token containing information identifying the Customer for whom authentication is being requested. The particular details for the login_hint_token are documented in the NZ Banking Data API standard. Third Parties must provide either a login_hint_token or an id_token_hint |
id_token_hint | Optional | An ID Token previously issued to the Third Party by the API Provider being passed back as a hint to identify the Customer for whom authentication is being requested. Third Parties must provide either a login_hint_token or an id_token_hint |
requested_expiry | Optional | A positive integer allowing the client to request the expires_in value for the auth_req_id the server will return. The API Provider may use this value to influence the lifetime of the authentication request and is encouraged to do so where it will improve the user experience, for example by terminating the authentication when as it knows the client is no longer interested in the result. |
Login Hint Token
This is a non-normative example of a Login Hint Token - which is used to identify the Customer.
{
"alg": "PS256",
"kid": "GxlIiwianVqsDuushgjE0OTUxOTk"
}
.
{
"subject": {
"subject_type": "phone",
"phone": "+64-220466878"
}
}
.
<<signature>>
Claims
Field | NZ Banking Data Profile | Notes |
|---|---|---|
subject_type | Required | Third Parties must specify the type of identification provided in the login_hint_token. This is limited to:
|
username | Optional | The username that identifies the Customer with the API Provider. |
phone | Optional | A phone number that identifies the Customer with the API Provider. |
Optional | An email address that identifies the Customer with the API Provider. | |
api_provider_token | Optional | A token generated by a Customer's authentication device that identifies the Customer with the API Provider. |
third_party_token | Optional | A token generated by a Third Party and registered with a Customer's authentication device by the Customer. |
ID Token Hint
This ID Token must be from a previously successful authentication event for the Customer. As this is a previously used ID Token, it is valid for a Third Party to use an expired ID Token.
This is the example Request Object - without Base64 encoding - using the ID Token Hint:
{
"alg": "PS256",
"kid": "GxlIiwianVqsDuushgjE0OTUxOTk"
}
.
{
"iss": "https://api.alphanbank.com",
"aud": "s6BhdRkqt3",
"nbf": 1537818886,
"exp": 1537820086,
"iat": 1537819486,
"jti": "4LTCqACC2ESC5BWCnN3j58EnA",
"client_notification_token": "8d67dc78-7faa-4d41-aabd-67707b374255",
"scope": "openid payments"
"ConsentId": "urn-alphabank-intent-58923",
"id_token_hint": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjE2NzcyNiJ9.eyJpc3MiOiJo
dHRwczovL3NlcnZlci5leGFtcGxlLmNvbSIsInN1YiI6IjI0ODI4OTc2MTAwMSIs
ImF1ZCI6InM2QmhkUmtxdDMiLCJlbWFpbCI6ImphbmVkb2VAZXhhbXBsZS5jb20i
LCJleHAiOjE1Mzc4MTk4MDMsImlhdCI6MTUzNzgxOTUwM30.aVq83mdy72ddIFVJ
LjlNBX-5JHbjmwK-Sn9Mir-blesfYMceIOw6u4GOrO_ZroDnnbJXNKWAg_dxVynv
MHnk3uJc46feaRIL4zfHf6Anbf5_TbgMaVO8iczD16A5gNjSD7yenT5fslrrW-NU
_vtmi0s1puoM4EmSaPXCR19vRJyWuStJiRHK5yc3BtBlQ2xwxH1iNP49rGAQe_LH
fW1G74NY5DaPv-V23JXDNEIUTY-jT-NbbtNHAxnhNPyn8kcO2WOoeIwANO9BfLF1
EFWtjGPPMj6kDVrikec47yK86HArGvsIIwk1uExynJIv_tgZGE0eZI7MtVb2UlCw
DQrVlg"
}
.
<<signature>>Authorization Request Response
The following is a non-normative example of an authentication response:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
{
"auth_req_id": "1c266114-a1be-4252-8ad1-04986c5b9ac1",
"expires_in": 3600,
"interval": 2
}Claims
Field | NZ Banking Data Profile | Notes |
|---|---|---|
auth_req_id | Required | This is a unique identifier to identify the authentication request made by the Client. It MUST contain sufficient entropy (a minimum of 128 bits while 160 bits is recommended) to make brute force guessing or forgery of a valid auth_req_id computationally infeasible - the means of achieving this are implementation specific, with possible approaches including secure pseudorandom number generation or cryptographically secured self-contained tokens. |
expires_in | Required | A JSON number with a positive integer value indicating the expiration time of the "auth_req_id" in seconds since the authentication request was received. A Client calling the token endpoint with an expired auth_req_id will receive an error. |
interval | Optional | A JSON number with a positive integer value indicating the minimum amount of time in seconds that the Client MUST wait between polling requests to the token endpoint. This parameter will only be present if the Client is registered to use the Poll or Ping modes. |
Token Request
The following is a non-normative example of a token request using the auth_req_id in the authorisation request response.
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer czZCaGRSa3F0MzpnWDFmQmF0M2JW
grant_type=urn%3Aopenid%3Aparams%3Agrant-type%3Aciba
&auth_req_id=1c266114-a1be-4252-8ad1-04986c5b9ac1Token Request Response
The following is a non-normative example of a successful token response.
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
{
"access_token": "G5kXH2wHvUra0sHlDy1iTkDJgsgUO1bN",
"token_type": "Bearer",
"refresh_token": "4bwc0ESC_IAhflf-ACC_vjD_ltc11ne-8gFPfA2Kx16",
"expires_in": 3600,
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjE2NzcyNiJ9....eyJpc3MiOiJ
dHRwczovL3NlcnZlci5leGFtcGxlLmNvbSIsInN1YiI6IjI0ODI4OTc2MTAwMSIs
LCJleHAiOjE1Mzc4MTk4MDMsImlhdCI6MTUzNzgxOTUwM30....83mdy72ddIFVJ
MHnk3uJc46feaRIL4zfHf6Anbf5_TbgMaVO8iczD16A5gNjSD7yenT5fslrrW-NU
DQrVlg"
}Ping Callback
The following is a non-normative example of a Ping callback response. The API Provider calls POST at the Third Party's registered callback endpoint with the client_notification_token in the original Authorisation Request, and the auth_req_id in the body of the request.
POST /cb HTTP/1.1
Host: client.example.com
Authorization: Bearer 8d67dc78-7faa-4d41-aabd-67707b374255
Content-Type: application/json
{
"auth_req_id": "1c266114-a1be-4252-8ad1-04986c5b9ac1"
}ID Token
This is a non-normative example of an ID Token returned - with the sub being populated with the ConsentId.
{
"alg": "PS256",
"kid": "12345"
}
.
{
"aud": "s6BhdRkqt3",
"iss": "https://api.alphabank.com",
"sub": "urn:alphabank-intent-58923",
"ConsentId": "urn:alphabank-intent-58923",
"iat": 1234569795,
"exp": 1311281970
}
.
<<signature>>
Claims
Where appropriate please follow the JWT Good Practice Guides http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-00.html#rfc.section.3.1
Field | NZ Banking Data Profile | Notes |
|---|---|---|
aud | Required | Audience that the ID Token is intended for. OpenID Connect protocol mandates this must include the ClientID of the Third Party's OAuth Client. |
iss | Required A JSON string that represents the issuer identifier of the authorization server as defined in RFC7519. When a pure OAuth 2.0 is used, the value is the redirection URI. When OpenID Connect is used, the value is the issuer value of the authorization server. | Issuer of the token. Token issuer will be specific to the business. |
sub | Required | Token subject identifier. A unique and non-repeating identifier for the subject.
|
ConsentId | Required It's acknowledged that this field duplicates the value in "sub". | The ConsentId of the originating request. |
exp | Required The validity length will be at the discretion of the Banks provided that it does not impact the functionality of the APIs. For example, an expiry time of 1 second is insufficient for all Resource Requests. | Token expiration date/time. Expressed as an epoch i.e. number of seconds from 1970-01-01T0:0:0Z as measured in UTC. RFC7519. |
iat | Required | Token issuance date/time. Expressed as an epoch i.e. number of seconds from 1970-01-01T0:0:0Z as measured in UTC. RFC7519. |
Implementation Guide
This provides an implementation perspective of the NZ Banking Data Security Profile aligned to the accepted NZ Banking Data APIs for:
The Hybrid Flow (illustrated with the Payment Initiation APIs)
The Decoupled Flow (illustrated with the Account Information APIs)
Both the Payment Initiation APIs and the Account Information APIs rely on the same underlying consent flow - so either authorisation flow may be used for both Payment Initiation and Account Information.
JSON schemas for messages associated with the security profile can be found here:
https://github.com/PaymentsNZ/API-Security-Profile
Hybrid Flow
The implementation is based on the following known configurations:
Client Types
As per the OAuth 2.0 specification, the Confidential Client Type is illustrated
Grant Types
Client Credentials Grant Type
This is with scope payments
The Client Credentials Grant Type is used when the Third Party requires an Access Token (on behalf of itself) in order to access a consent resource
Only valid API scopes will be accepted when generating an Access Token (i.e.,
payments)Access tokens generated by a Client Credentials grant may not return any refresh tokens (as per the OAuth 2.0 specification)
Hybrid Flow
This is with response_type "code id_token"
The Payment Initiation APIs illustrate the use of request_type=code id_token for the OIDC Hybrid Flow implementation
The API Provider may optionally choose to return Refresh Tokens for the Hybrid Flow when issuing an Access Token
Access Tokens
For the Payments and Accounts APIs, the Access Token must be obtained within a Secure, Server Side Context between the Third Party and the API Provider
Access Tokens must be validated by the Third Party as outlined within OIDC
Refresh Tokens
API Providers may optionally return a Refresh Token when an Authorization Request is successfully processed at the Token endpoint. The Hybrid flow supports the provisioning of Refresh Tokens.
Refresh Tokens must be validated as outlined in OIDC
ID Tokens
ID Tokens must be validated by the Third Party as outlined within OIDC
Third Parties must use the ConsentId claim to populate and retrieve the ConsentId for any required validation
The full set of claims that can be represented within an ID Token are documented in the Request Object and ID Token sections of the Security Profile
Authorization Codes
Authorization Codes must be validated by the Third Party as outlined within OIDC
Unspecified Behaviour
The implementation guide does not illustrate the following configurations in this section.
Client Types
Public clients - as only confidential clients are allowed in the NZ Banking Data Security Profile
Grant Types
OIDC Hybrid Flow (response_type=code id_token token)
Forces an Access Token to be returned from the API Provider Authorization endpoint (instead of a token endpoint). This is not illustrated in the Payments and Accounts API Specifications
Client Credentials Grant Type (scope=openid email profile)
Requesting OIDC specific scopes or any unspecified scopes when using the Client Credentials grant
Validity Lengths
These are to be managed in the competitive space - so different validity lengths are not illustrated. Each API Provider's Authorization / Resource Server will be configured independently to comply with internal API Provider Security Policies and Guidelines. The Accounts and Payments API Specifications do not mandate validity lengths.
Authorization Code
OAuth 2.0 Specification suggests an Authorization Code should be short lived to a maximum of 10 minutes. Any codes exceeding this limit to be rejected
ID Token
ID Token claims (exp and iat) determine its validity
Returned with the Authorization Code when the Hybrid flow (code id_token) is initiated
Access Token
The expires_in attribute returned by the Authorization Server when an Access Token is generated determines its validity
Access Tokens are generally short lived, and where they expire, are then exchanged for another using a longer lived Refresh Token
Refer to Section 16.18 of OIDC - Lifetimes of Access Tokens and Refresh Tokens.
Refresh Token
Refresh Tokens are generally longer lived in comparison to Access Tokens
Refer to Section 16.18 of OIDC - Lifetimes of Access Tokens and Refresh Tokens
Success Flows
The sequence diagram below highlights the OAuth 2.0 Client Credentials Grant and OIDC Hybrid flow that are used by the Payments API.
Payment Initiation with Client Credentials Grant Type and OIDC Hybrid Flows
participant Customer
participant Third Party
participant API Provider Authorisation Server
participant API Provider Resource Server
autonumber 1
Customer -> Third Party: Establish TLS 1.2
note over Customer, API Provider Resource Server
Step 1: Agree payment consent
end note
Customer -> Third Party: Agree payment consent
note over Customer, API Provider Resource Server
Step 2: Create payment consent
end note
Third Party <-> API Provider Authorisation Server: Establish TLS 1.2 MA
note left of Third Party
Client Credentials Grant
end note
Third Party -> API Provider Authorisation Server: POST /token (client authentication credentials, scope:payments)
API Provider Authorisation Server -> API Provider Authorisation Server: Validate client authentication credentials, scope
API Provider Authorisation Server -> API Provider Authorisation Server: Validate ClientId matches client SSL cert
API Provider Authorisation Server -> Third Party: HTTP 200 (OK) access-token (scope:payments)
Third Party <-> API Provider Resource Server: Establish TLS 1.2 MA
Third Party -> API Provider Resource Server: POST /domestic-payment-consents (access-token - scope:payments)
API Provider Resource Server -> API Provider Resource Server: Validate access token
API Provider Resource Server -> API Provider Resource Server: Validate scope:payments
API Provider Resource Server -> API Provider Resource Server: Validate ClientId matches client SSL cert
API Provider Resource Server -> API Provider Resource Server: Create new domestic-payment-consent resource
API Provider Resource Server -> API Provider Resource Server: Bind ConsentId with ClientId
API Provider Resource Server -> Third Party: HTTP 201 (Created), ConsentId
note right of Third Party
Begin OIDC Hybrid Flow.
See OpenID Core 6.1. Passing a Request Object by Value
See OpenID Core5.5. Requesting Claims using the "claims" Request Parameter
The claims parameter must at least request:
"id_token": {
"ConsentId": {"value": ConsentId, "essential": true}
}
The response object must be signed using the Third Party's private key.
end note
Third Party -> Third Party: Persist ConsentId
note right of Third Party
The Third Party should store the ConsentId in a manner
that it can be retrieved again later in the flow in Step 4.
This could be stored in the user session (and retrieved using 'state'
as a key) or the Customer could use some other unique identifier.
This will be re-retrieved in [43].
end note
note over Customer, API Provider Resource Server
Step 3: Authorize consent
end note
Third Party -> Third Party: Create signed request object with requested Claims (ConsentId)
Third Party -> Customer: HTTP 302 (Found); Location: /authorize,\nredirect-uri, ClientId, state, nonce, scope=openid payments,\nresponse-type=code id_token,\nrequest=signed JWT request object - ConsentId)
Customer -> API Provider Authorisation Server: HTTP GET /authorize redirect-uri, ClientId, state, nonce, scope=openid payments, response-type=code id_token,\nrequest=signed JWT request object - ConsentId
API Provider Authorisation Server -> API Provider Authorisation Server: Validate Clientid, scope
API Provider Authorisation Server -> API Provider Authorisation Server: Validate redirect-uri for ClientId
API Provider Authorisation Server -> API Provider Authorisation Server: Validate JWT request claim - ConsentId
note right of API Provider Authorisation Server
Validate the request object by using the Third Party's public key.
Third Party certificate will be identified using the kid claim
in the JOSE header of the request object.
Check that the ConsentId belongs to the ClientId that initiated the request.
end note
API Provider Authorisation Server <-> Customer: Authenticate (login and agree consent)
Customer <-> API Provider Authorisation Server: Select debtor account if necessary
API Provider Authorisation Server -> API Provider Resource Server: Update Consent Status to Authorised
API Provider Resource Server -> API Provider Authorisation Server: OK
note right of API Provider Authorisation Server
Implementation of how the resource is updated is API Provider specific. (There is
no standardised API for this)
end note
API Provider Authorisation Server -> API Provider Authorisation Server: Generate authorization-code, id_token
note right of API Provider Authorisation Server
id_token claims:{
c_hash: 123,
s_hash: 456
}
id_token must be signed using the API Provider's private key.
The generation of c_hash is documented in OIDC: 3.3.2.11. ID Token
The generation of s_hash is in FAPI R/W spec: Section 5.1
http://openid.net/specs/openid-financial-api-part-2-wd-02.html#introduction
end note
API Provider Authorisation Server -> Customer: HTTP 302 (Found); Location: redirect-uri (authorization-code, id_token, state)
Customer -> Third Party: HTTP GET redirect-uri (authorization-code, id_token, state)
Third Party -> Third Party: Validate signature on id_token
note right of Third Party
Validate the id_token by using the API Provider's public key.
API Provider certificate will be identified using the kid claim
in the JOSE header of the id_token
end note
Third Party -> Third Party: Validate authorization-code using id_token (c_hash)
Third Party -> Third Party: Validate state using id_token (s_hash)
Third Party -> Third Party: Validate nonce using id_token
note right of Third Party
Exchange authorization-code for access token.
end note
Third Party <-> API Provider Authorisation Server: Establish TLS 1.2 MA
Third Party -> API Provider Authorisation Server: HTTP POST /token (client authentication credentials,\n authorization-code, grant_type, redirect_uri)
API Provider Authorisation Server -> API Provider Authorisation Server: Validate ClientId matches client SSL cert
API Provider Authorisation Server -> API Provider Authorisation Server: Validate client authentication credentials,\n authorization-code
API Provider Authorisation Server -> API Provider Authorisation Server: Generate access-token
API Provider Authorisation Server -> API Provider Authorisation Server: Bind access-token to ConsentId
API Provider Authorisation Server -> Third Party: HTTP 200 (OK) access-token (scope:payments)
note over Customer, API Provider Resource Server
Step 4: Create domestic payment
end note
Third Party <-> API Provider Resource Server: Establish TLS 1.2 MA
Third Party -> Third Party: Retrieve ConsentId
note left of Third Party
Retrieve the ConsentId that was issued in Step 2.
The method for doing this will depend on how the Third Party persisted
the payment id in [16]
end note
Third Party -> Third Party: Decode / verify ID Token
Third Party -> Third Party: Read ConsentId from id_token claim
Third Party -> Third Party: Compare with ConsentId retrieved in [43]
Third Party -> API Provider Resource Server: POST /domestic-payments (access-token - scope:payments) using ConsentId
API Provider Resource Server -> API Provider Resource Server: Validate access-token
API Provider Resource Server -> API Provider Resource Server: Validate access-token matches client SSL cert
API Provider Resource Server -> API Provider Resource Server: Validate scope:payments
note right of API Provider Resource Server
Check binding created in [38]
end note
API Provider Resource Server -> API Provider Resource Server: Ensure access-token is bound to ConsentId
API Provider Resource Server -> API Provider Resource Server: Update domestic-payment Status to AcceptedSettlementInProcess
API Provider Resource Server -> Third Party: HTTP 201 (Created), DomesticPaymentId
note over Customer, API Provider Resource Server
Step 5: Get domestic payment status
end note
opt
Third Party <-> API Provider Resource Server: Establish TLS 1.2 MA
alt Use active access token to retrieve domestic-payment status
Third Party -> API Provider Resource Server: GET /domestic-payments/{DomesticPaymentId} (access-token - scope:payments)
API Provider Resource Server -> API Provider Resource Server: Validate access-token
API Provider Resource Server -> API Provider Resource Server: Validate access-token matches client SSL cert
API Provider Resource Server -> API Provider Resource Server: Validate scope:payments
API Provider Resource Server -> Third Party: HTTP 200 (OK), domestic-payments resource
end alt
end optClient Credentials Grant Type (OAuth 2.0)
This grant type is used by the Third Party in Step 2 to setup a single payment with the API Provider.
The Third Party initiates an Authorization request using valid Client Credentials Grant type and scope(s)
The API Provider Authorization Server validates the Client Authentication request from the Third Party and generates an Access Token response where the request is valid
The Third Party uses the Access Token to create a new Payment resource against the API Provider Resource Server
The API Provider Resource server responds with the ConsentId for the resource it has created
The Client Credentials Grant may optionally be used by the Third Party in Step 5 to retrieve the status of a consent resource
OIDC Hybrid Flow
The Hybrid flow is mandated as the redirect flow for the NZ Banking Data Security Profile. The Hybrid flow prevents IDP mixup attacks as documented by Nat Sakimura - Cut and Paste OAuth 2.0 Attack
This is initiated at the end of Step 2 by the Third Party after the ConsentId is generated by the API Provider and returned to the Third Party
This is used in a redirect across the Customer and API Provider in Step 3 in order for the Customer to authorize consent with the API Provider
This is used across the Third Party and API Provider in Step 4 by exchanging the Authorization Code for an Access Token in order to create the domestic-payment resource
Non-Normative HTTP Request and Response Examples
Step 1 - Agree Payment Consent
There are no Requests and Responses against the Payments API in this Step for the Customer, Third Party and API Provider.
Step 2 - Setup Payment-Order Consent
1. Third Party obtains an Access Token using a Client Credentials Grant Type. The scope payments must be used. When an Access Token expires, the Third Party will need to re-request for another Access Token using the same request below.
Request : Client Credentials using private_key_jwt
POST /as/token.oauth2 HTTP/1.1
Host: https://authn.alphabank.com
Content-Type: application/x-www-form-urlencoded
Accept: application/json
grant_type=client_credentials
&scope=payments
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRw
czovL2p3dC1pZHAuZXhhbXBsZS5jb20iLCJzdWIiOiJtYWlsdG86bWlrZUBleGFtcGxlLmN
vbSIsIm5iZiI6MTQ5OTE4MzYwMSwiZXhwIjoxNDk5MTg3MjAxLCJpYXQiOjE0OTkxODM2MD
EsImp0aSI6ImlkMTIzNDU2IiwidHlwIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9yZWdpc3Rlc
iJ9.SAxPMaJK_wYl_W2idTQASjiEZ4UoI7-P2SbmnHKr6LvP8ZJZX6JlnpK_xClJswAni1T
p1UnHJslc08JrexctaeEIBrqwHG18iBcWKjhHK2Tv5m4nbTsSi1MFQOlMUTRFq3_LQiHqV2
M8Hf1v9q9YaQqxDa4MK0asDUtE_zYMHz8kKDb-jj-Vh4mVDeM4_FPiffd2C5ckjkrZBNOK0
01Xktm7xTqX6fk56KTrejeA4x6D_1ygJcGfjZCv6Knki7Jl-6MfwUKb9ZoZ9LiwHf5lLXPuy
_QrOyM0pONWKj9K4Mj7I4GPGvzyVqpaZUgjcOaZY_rlu_p9tnSlE781dDLuwNon-Base64 JWT client_assertion
{
"alg": "PS256",
"kid": "12345",
"typ": "JWT"
}
.
{
"aud": "s6BhdRkqt3",
"sub": "s6BhdRkqt3",
"exp": 1499187201,
"iat": 1499183601,
"jti": "id123456",
"iss": "https://authn.alphabank.com/as/token.oauth2"
}
.
<<signature>>Response : Client Credentials
HTTP/1.1 200 OK
Content-Length: 1103
Content-Type: application/json
Date: Mon, 26 Jun 2017 15:18:28 GMT
{
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"expires_in": 3600,
"token_type": "bearer",
"scope": "payments"
}
2. Third Party uses the Access Token (with payments scope) from the API Provider to invoke the payment-order consent API.