participant PSU
participant AISP
participant ASPSP Authorisation Server
participant ASPSP Resource Server
autonumber 1
PSU -> AISP: Establish TLS 1.2
note over PSU, ASPSP Resource Server
Step 1: Request account information
end note
PSU -> AISP: Get account/transaction information
note over PSU, ASPSP Resource Server
Step 2: Setup account request
end note
AISP <-> ASPSP Authorisation Server: Establish TLS 1.2 MA
note left of AISP
Client Credentials Grant
end note
AISP->ASPSP Authorisation Server: POST /token (client authentication credentials, scope:accounts)
ASPSP Authorisation Server->ASPSP Authorisation Server: Validate client authentication credentials, scope
ASPSP Authorisation Server->ASPSP Authorisation Server: Validate clientId matches client SSL cert
ASPSP Authorisation Server -> AISP: HTTP 200 (OK) access-token (scope:accounts)
AISP <-> ASPSP Resource Server: Establish TLS 1.2 MA
AISP -> ASPSP Resource Server: POST /account-requests (access-token - scope:accounts)
ASPSP Resource Server->ASPSP Resource Server: Validate access token
ASPSP Resource Server->ASPSP Resource Server: Validate scope:accounts
ASPSP Resource Server->ASPSP Resource Server: Validate clientId matches client SSL cert
ASPSP Resource Server->ASPSP Resource Server: Create new account resource
ASPSP Resource Server->ASPSP Resource Server: Bind AccountRequestId with ClientId
ASPSP Resource Server -> AISP: HTTP 201 (Created), AccountRequestId
note right of AISP
Begin OIDC Hybrid Flow.
See 6.1. Passing a Request Object by Value
See 5.5. Requesting Claims using the "claims" Request Parameter
The claims parameter must at least request:
"id_token": {
"openbanking_intent_id": {"value": AccountRequestId, "essential": true},
"acr": {"essential": true}
}
The request object must be signed using the AISP's private key.
end note
AISP->AISP: Persist AccountRequestId
note right of AISP
The AISP should store the AccountRequestId in a manner
that it can be retrieved again later in the flow in Step 4.
This could be stored in the user session (and retrieved using 'state'
as a key) or the PSU could use some other unique identifier.
This can be re-retrieved in [81] and [96].
end note
AISP->AISP: Create signed request object with requested Claims (AccountRequestId)
AISP -> PSU: HTTP 302 (Found); Location: /authorize,\nredirect-uri, clientId, state, nonce, scope=openid accounts,\nresponse-type=code id_token,\nrequest=signed JWT request object - AccountRequestId)
note over PSU, ASPSP Resource Server
Step 3: Authorise consent
end note
PSU -> ASPSP Authorisation Server: HTTP GET /authorize redirect-uri, clientId, state, nonce, scope=openid accounts, response-type=code id_token,\nrequest=signed JWT request object - AccountRequestId
ASPSP Authorisation Server->ASPSP Authorisation Server: Validate clientid, scope
ASPSP Authorisation Server->ASPSP Authorisation Server: Validate redirect-uri for clientId
ASPSP Authorisation Server->ASPSP Authorisation Server: Validate JWT request claim -AccountRequestId
note right of ASPSP Authorisation Server
Validate the request object by using the AISP's public key.
The AISP certificate will be identified using the kid claim
in the JOSE header of the request object.
Check that the AccountRequestId belongs to the ClientId that initiated the request.
end note
PSU <-> ASPSP Authorisation Server: Authenticate (Login and Consent Page)
PSU <-> ASPSP Authorisation Server: SCA if required
PSU <-> ASPSP Authorisation Server: Select Accounts
ASPSP Authorisation Server->ASPSP Authorisation Server: Generate authorization-code, id_token
note right of ASPSP Authorisation Server
id_token claims:{
c_hash: 123,
s_hash: 456
}
id_token must be signed using the ASPSP's private key.
The generation of c_hash is documented in OIDC: 3.3.2.11. ID Token
The generation of s_hash is in FAPI R/W spec: Section 5.1
http://openid.net/specs/openid-financial-api-part-2-wd-02.html#introduction
end note
ASPSP Authorisation Server-> ASPSP Authorisation Server: Bind selected Accounts to AccountRequestId
ASPSP Authorisation Server -> PSU: HTTP 302 (Found); Location: redirect-uri (authorization-code, id_token, state)
PSU -> AISP: HTTP GET redirect-uri (authorization-code, id_token, state)
AISP->AISP: Validate signature on id_token
note right of AISP
Validate the id_token by using the ASPSP's public key.
ASPSP certificate will be identified using the kid claim
in the JOSE header of the id_token
end note
AISP->AISP: Validate authorization-code using id_token (c_hash)
AISP->AISP: Validate state using id_token (s_hash)
AISP->AISP: Validate nonce using id_token
note right of AISP
Exchange authorization-code for access token.
end note
AISP <-> ASPSP Authorisation Server: Establish TLS 1.2 MA
AISP -> ASPSP Authorisation Server: HTTP POST /token (client authentication credentials,\nauthorization-code, grant_type, redirect_uri)
ASPSP Authorisation Server->ASPSP Authorisation Server: Validate clientId matches client SSL cert
ASPSP Authorisation Server->ASPSP Authorisation Server: Validate client authentication credentials,\nauthorization-code
ASPSP Authorisation Server->ASPSP Authorisation Server: Generate access-token
ASPSP Authorisation Server->ASPSP Authorisation Server: Bind access-token to AccountRequestId
note right of ASPSP Authorisation Server
Implies an association of Accounts to access-token
end note
ASPSP Authorisation Server->ASPSP Resource Server: Update account-requests Status to Authorised
ASPSP Resource Server->ASPSP Authorisation Server:OK
note right of ASPSP Authorisation Server
Implementation of how the resource is updated is ASPSP specific (There
is no standardised API for this)
end note
alt Access Token
ASPSP Authorisation Server -> AISP: HTTP 200 (OK) access-token (scope:accounts)
else Optional Refresh Token
ASPSP Authorisation Server->ASPSP Authorisation Server: Generate Refresh Token
ASPSP Authorisation Server -> AISP: HTTP 200 (OK) access-token, refresh-token (scope:accounts)
end
note over PSU, ASPSP Resource Server
Step 4: Request data
end note
AISP <-> ASPSP Resource Server: Establish TLS 1.2 MA
AISP<->AISP: Retrieve access-token
note left of AISP
Retrieve the access-token that was issued in Step [42].
The access-token is linked with consented Accounts
from Steps [27] and [39]
end note
alt Valid Access Token
AISP -> ASPSP Resource Server: GET /accounts (access-token - scope:accounts)
ASPSP Resource Server->ASPSP Resource Server: Validate access-token
ASPSP Resource Server->ASPSP Resource Server: Validate access-token matches client SSL cert
ASPSP Resource Server->ASPSP Resource Server: Validate scope:accounts
ASPSP Resource Server -> AISP: HTTP 200 (OK), List of accounts containing AccountId(s)
AISP -> ASPSP Resource Server: GET /accounts/{AccountId}/transactions (access-token - scope:accounts)
ASPSP Resource Server->ASPSP Resource Server: Validate access-token
ASPSP Resource Server->ASPSP Resource Server: Validate access-token matches client SSL cert
ASPSP Resource Server->ASPSP Resource Server: Validate scope:accounts
ASPSP Resource Server->ASPSP Resource Server: Validate access-token bound to AccountId
ASPSP Resource Server -> AISP: HTTP 200 (OK), List of transactions
else Expired Access Token
AISP->AISP: Retrieve Refresh Token from [44]
AISP->ASPSP Authorisation Server:HTTP POST /token (client authentication credentials,\ngrant_type=refresh_token,refresh_token=[58],\nscope=openid accounts)
ASPSP Authorisation Server->ASPSP Authorisation Server: Validate clientId matches client SSL cert
ASPSP Authorisation Server->ASPSP Authorisation Server: Validate client authentication credentials,\nrefresh_token
ASPSP Authorisation Server->ASPSP Authorisation Server: Generate Access Token and Refresh Token
ASPSP Authorisation Server -> AISP: HTTP 200 (OK) access-token, refresh-token (scope:accounts)
AISP -> ASPSP Resource Server: GET /accounts (access-token - scope:accounts)
ASPSP Resource Server->ASPSP Resource Server: Validate access-token
ASPSP Resource Server->ASPSP Resource Server: Validate access-token matches client SSL cert
ASPSP Resource Server->ASPSP Resource Server: Validate scope:accounts
ASPSP Resource Server -> AISP: HTTP 200 (OK), List of accounts containing AccountId(s)
AISP -> ASPSP Resource Server: GET /accounts/{AccountId}/transactions (access-token - scope:accounts)
ASPSP Resource Server->ASPSP Resource Server: Validate access-token
ASPSP Resource Server->ASPSP Resource Server: Validate access-token matches client SSL cert
ASPSP Resource Server->ASPSP Resource Server: Validate scope:accounts
ASPSP Resource Server->ASPSP Resource Server: Validate access-token bound to AccountId
ASPSP Resource Server -> AISP: HTTP 200 (OK), List of transactions
else Account Request - Get Status
AISP <-> ASPSP Authorisation Server: Establish TLS 1.2 MA
note left of AISP
Client Credentials Grant
end note
AISP->ASPSP Authorisation Server: POST /token (client authentication credentials, scope:accounts)
ASPSP Authorisation Server->ASPSP Authorisation Server: Validate client authentication credentials, scope
ASPSP Authorisation Server->ASPSP Authorisation Server: Validate clientId matches client SSL cert
ASPSP Authorisation Server -> AISP: HTTP 200 (OK) access-token (scope:accounts)
AISP <-> ASPSP Resource Server: Establish TLS 1.2 MA
AISP->AISP: Retrieve AccountRequestId from [16]
AISP -> ASPSP Resource Server: GET /account-requests/{AccountRequestId} (access-token - scope:accounts)
ASPSP Resource Server->ASPSP Resource Server: Validate access token
ASPSP Resource Server->ASPSP Resource Server: Validate scope:accounts
ASPSP Resource Server->ASPSP Resource Server: Validate clientId matches client SSL cert
ASPSP Resource Server->ASPSP Resource Server: Lookup AccountRequestId resource
ASPSP Resource Server -> AISP: HTTP 200 (OK), AccountRequest Status
else Account Request - PSU removes consent at a later point in time with the AISP
PSU -> AISP: Establish TLS 1.2
PSU -> AISP: Remove Consent
AISP <-> ASPSP Authorisation Server: Establish TLS 1.2 MA
note left of AISP
Client Credentials Grant
end note
AISP->ASPSP Authorisation Server: POST /token (client authentication credentials, scope:accounts)
ASPSP Authorisation Server->ASPSP Authorisation Server: Validate client authentication credentials, scope
ASPSP Authorisation Server->ASPSP Authorisation Server: Validate clientId matches client SSL cert
ASPSP Authorisation Server -> AISP: HTTP 200 (OK) access-token (scope:accounts)
AISP <-> ASPSP Resource Server: Establish TLS 1.2 MA
AISP->AISP: Retrieve AccountRequestId from [16]
AISP -> ASPSP Resource Server: DELETE /account-requests/{AccountRequestId} (access-token - scope:accounts)
ASPSP Resource Server->ASPSP Resource Server: Validate access token
ASPSP Resource Server->ASPSP Resource Server: Validate scope:accounts
ASPSP Resource Server->ASPSP Resource Server: Validate clientId matches client SSL cert
ASPSP Resource Server->ASPSP Resource Server: Delete AccountRequestId resource
ASPSP Resource Server -> AISP: HTTP 204 (No Content)
AISP->PSU: Consent Removed
end
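Worked example of the AISP-side logic behind the Step 2 request object note and the Step 3 id_token checks (c_hash, s_hash, nonce, and the openbanking_intent_id binding to the AccountRequestId). This is added example code, not part of the diagram or any Open Banking reference implementation; the function names are assumed, it takes the id_token claims after the signature has already been verified against the ASPSP key selected by `kid`, and it assumes an id_token signed with a SHA-256 based algorithm (RS256/PS256/ES256), so the hashes are the left 128 bits of SHA-256.

```python
import base64
import hashlib
import hmac


def _b64url(data: bytes) -> str:
    # base64url without padding, as used for c_hash / s_hash values
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def left_half_hash(value: str) -> str:
    """c_hash per OIDC Core 3.3.2.11 and s_hash per FAPI R/W 5.1:
    base64url of the left-most half of SHA-256 over the ASCII value
    (assumes a SHA-256 based id_token signing algorithm)."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])


def build_request_claims(account_request_id: str, client_id: str,
                         redirect_uri: str, state: str, nonce: str) -> dict:
    """Claims for the signed request object sent in Step 2. The 'claims'
    member carries the minimum the diagram note requires: the essential
    openbanking_intent_id (the AccountRequestId) and an essential acr."""
    return {
        "iss": client_id,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code id_token",
        "scope": "openid accounts",
        "state": state,
        "nonce": nonce,
        "claims": {"id_token": {
            "openbanking_intent_id": {"value": account_request_id, "essential": True},
            "acr": {"essential": True},
        }},
    }


def validate_id_token_claims(claims: dict, *, code: str, state: str,
                             nonce: str, account_request_id: str) -> list:
    """Step 3 checks the AISP runs on the redirect back (after signature
    verification): authorization-code vs c_hash, state vs s_hash, nonce,
    and that the token was issued for the persisted AccountRequestId.
    Returns the names of the failed checks; an empty list means accept."""
    failures = []
    if not hmac.compare_digest(str(claims.get("c_hash", "")), left_half_hash(code)):
        failures.append("c_hash")
    if not hmac.compare_digest(str(claims.get("s_hash", "")), left_half_hash(state)):
        failures.append("s_hash")
    if not hmac.compare_digest(str(claims.get("nonce", "")), nonce):
        failures.append("nonce")
    if claims.get("openbanking_intent_id") != account_request_id:
        failures.append("openbanking_intent_id")
    return failures
```

The AISP should reject the response on any non-empty failure list rather than proceeding to the /token call, since a mismatched c_hash or s_hash means the code or state was not the one the ASPSP issued for this authorisation.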