On both the production and sandbox environments, the "scaOAuth" link returned by a consent creation (with the header tppExplicitAuthorizationPreferred = false) or by a POST /authorization
call looks like this:
{
…
"_links": {
"scaOAuth": {
"href": "https://api.tpp.europabank.be/berlingroup/.well-known/openid-configuration?authorizationId=31f68ab6-1ce6-4131-a324-3f37d2ca4b02"
},
…
}
}
Call this URL with a GET request and read the "authorization_endpoint" property of the response:
{
"issuer": "https://api.tpp.europabank.be",
"authorization_endpoint": "https://oauth2.tpp.europabank.be/public/berlingroup/authorize/31f68ab6-1ce6-4131-a324-3f37d2ca4b02",
"token_endpoint": "https://api.tpp.europabank.be/berlingroup/v1/token",
"userinfo_endpoint": "https://api.tpp.europabank.be/berlingroup/v1/accounts",
"scopes_supported": [
"account",
"payment"
],
"response_types_supported": [
"code"
],
"grant_types_supported": [
"client_credentials",
"authorization_code",
"refresh_token"
],
"code_challenge_methods_supported": [
"S256"
],
"subject_types_supported": [
"public"
]
}
With this endpoint you can build your authorize URL from the following query parameters:
| URI parameter | Description |
|---|---|
| scope | The consentId of the consent creation or the paymentId of the payment initiation, prefixed with the service type. Examples: AIS:1587559935-bae68c2 (consent), PIS:1587561419-bp5b5f2 (payment) |
| client_id | Your NCA id |
| state | An unpredictable per-request value that you generate, store with the session and compare on return, in order to prevent XSRF attacks |
| redirect_uri | The URI to which the OAuth2 server redirects the PSU after the authorization. NB: this redirect_uri has to be the same one used for the consent creation or payment initiation |
| code_challenge | The PKCE challenge derived from your code verifier according to RFC 7636, which protects against interception of the authorization code |
| response_type | Type of the response. This value has to be set to "code" |
| code_challenge_method | The code verifier transformation method ("S256" or "plain"). Optional in RFC 7636 (the default is "plain"), but the discovery document above lists only "S256", so set it explicitly to "S256" |
Built with these parameters, the authorize URL is valid to process the authorization of the PSU.
The process to build the authorize URL is the same for a payment initiation, with the scope set to the paymentId instead of the consentId.
NB: the "redirect_uri" parameter in the URL has to be the same as the "TPP-Redirect-URI" header of the consent creation or payment initiation.
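The whole procedure above (read the scaOAuth link, fetch the discovery document, check what the server supports, generate a PKCE pair and a state value, assemble the authorize URL, and verify the state when the PSU comes back), as an added Python example that is not part of the original page or of Europabank's own code. The consent response and discovery document are constructed samples built from the values shown on the page and embedded inline, so nothing is fetched over the network; the client_id and redirect URI are placeholders, and the "AIS:"/"PIS:" scope prefixes are taken from the page's examples.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample: the "_links" part of a consent-creation response, using the
# consentId, hosts and authorizationId shown on the page. No network call is made.
CONSENT_RESPONSE = json.loads("""{
  "consentId": "1587559935-bae68c2",
  "_links": {
    "scaOAuth": {
      "href": "https://api.tpp.europabank.be/berlingroup/.well-known/openid-configuration?authorizationId=31f68ab6-1ce6-4131-a324-3f37d2ca4b02"
    }
  }
}""")

# Constructed sample: the discovery document a GET on the scaOAuth href returns
# (the one shown on the page), embedded so the example runs offline.
OPENID_CONFIGURATION = json.loads("""{
  "issuer": "https://api.tpp.europabank.be",
  "authorization_endpoint": "https://oauth2.tpp.europabank.be/public/berlingroup/authorize/31f68ab6-1ce6-4131-a324-3f37d2ca4b02",
  "token_endpoint": "https://api.tpp.europabank.be/berlingroup/v1/token",
  "scopes_supported": ["account", "payment"],
  "response_types_supported": ["code"],
  "grant_types_supported": ["client_credentials", "authorization_code", "refresh_token"],
  "code_challenge_methods_supported": ["S256"],
  "subject_types_supported": ["public"]
}""")


def sca_oauth_href(response):
    """Step 1: the discovery URL sits in _links.scaOAuth.href of the consent/payment response."""
    return response["_links"]["scaOAuth"]["href"]


def check_discovery(discovery):
    """Step 2: refuse to continue unless the server advertises what the flow relies on.

    The server lists only S256, so a client that omitted code_challenge_method
    (RFC 7636 default: plain) would fail later; catch that here instead.
    """
    if "code" not in discovery.get("response_types_supported", []):
        raise ValueError("server does not support response_type=code")
    if "S256" not in discovery.get("code_challenge_methods_supported", []):
        raise ValueError("server does not support PKCE method S256")
    endpoint = discovery["authorization_endpoint"]
    if urlparse(endpoint).scheme != "https":
        raise ValueError("authorization_endpoint must be https")
    return endpoint


def pkce_challenge(code_verifier):
    """S256 transform from RFC 7636: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Fresh (code_verifier, code_challenge); 32 random bytes give a 43-character verifier."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def scope_for(consent_id=None, payment_id=None):
    """Scope value in the form of the page's examples: 'AIS:<consentId>' or 'PIS:<paymentId>'."""
    if (consent_id is None) == (payment_id is None):
        raise ValueError("give exactly one of consent_id or payment_id")
    return f"AIS:{consent_id}" if consent_id is not None else f"PIS:{payment_id}"


def build_authorize_url(discovery, scope, client_id, redirect_uri, state, code_challenge):
    """Step 3: assemble the authorize URL from the table's parameters (urlencode escapes them)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "scope": scope,
        "redirect_uri": redirect_uri,  # must equal the TPP-Redirect-URI header sent earlier
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",  # sent explicitly: the server lists only S256
    }
    return check_discovery(discovery) + "?" + urlencode(params)


def code_from_callback(callback_url, expected_state):
    """Step 4: take the code from the redirect back to redirect_uri, rejecting a state mismatch."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state") != [expected_state]:
        raise ValueError("state mismatch: possible XSRF or mixed-up session")
    if "code" not in query:
        raise ValueError("redirect carries no authorization code")
    return query["code"][0]


if __name__ == "__main__":
    # Placeholder TPP values: client_id (NCA id) and redirect URI are assumed, not real.
    state = secrets.token_urlsafe(16)
    verifier, challenge = new_pkce_pair()
    print("discovery URL:", sca_oauth_href(CONSENT_RESPONSE))
    print(build_authorize_url(OPENID_CONFIGURATION,
                              scope_for(consent_id=CONSENT_RESPONSE["consentId"]),
                              client_id="PSDBE-NBB-000000",
                              redirect_uri="https://tpp.example/callback",
                              state=state, code_challenge=challenge))
```

Keep the state and the code verifier server-side, bound to the PSU's session: the state is compared when the PSU returns, and the verifier (not the challenge) is what RFC 7636 requires you to send to the token endpoint when exchanging the code. For a payment initiation, call scope_for(payment_id=...) instead; everything else is unchanged.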