Implementation Guide: Sainsbury's Bank PLC

This page has been created and maintained by the relevant ASPSP, and OBIE takes no liability for the completeness nor accuracy of this data.

Note to ASPSP: Please indicate which brands this applies to and/or duplicate this page per brand if relevant.


ASPSP: Sainsbury's Bank
Brand: Sainsbury's Bank PLC
Date: 14 March 2019
Developer portal(s): developer.sainsburysbank.co.uk

On-boarding

Supports dynamic client registration (Y/N): Y, currently using OBIE certs only
Instructions for manual on-boarding: Manual on-boarding is not supported except for eIDAS; see notes below.

OIDC .well-known endpoint

Test Facility (aka Sandbox)

https://tsob.sainsburysbank.co.uk/sso/oauth2/realms/root/realms/general/.well-known/openid-configuration


Production

https://iam.sainsburysbank.co.uk/sso/oauth2/realms/root/realms/general/.well-known/openid-configuration

Notes on testing

Follow the instructions on the Sandbox page in our developer portal to get started. For all other testing-related support, raise a testing-related request using the email found in the Contact Details on our developer portal Support page.

Behaviour is as described in the "Dynamic Client Registration" section of the Open Banking Client Registration specification:

https://openbanking.atlassian.net/wiki/spaces/DZ/pages/36667724/The+OpenBanking+OpenID+Dynamic+Client+Registration+Specification+-+v1.0.0-rc2#TheOpenBankingOpenIDDynamicClientRegistrationSpecification-v1.0.0-rc2-ClientRegistrationRequest

Other on-boarding notes

In Dynamic Registration we are compliant with the OIDC spec in that the aud claim in the JWT is the access_token endpoint taken from the well-known endpoint. Note this is NOT what is in the above OB spec, where it states it should be the OB orgId. We have raised ticket OBSD-10967 with OBIE and they intend to change their spec to align with OIDC. We will continue to be OIDC compliant whilst OB catches up.

ONLY private_key_jwt is supported; client_secret_post and client_secret_basic will result in an error.

The only scopes supported are openid, accounts, and fundsconfirmations.

Please note that the Sainsbury's Bank fundsconfirmations implementation is not compliant with the OB specs, but mimics the account information flow to avoid PCI DSS issues (the customer selects the PAN based on its last 4 digits in the SB authorisation screen).

Sainsbury's Bank's preferred support for eIDAS is via the OBIE Directory. TPPs should register their eIDAS certs with OB; this will allow them to swap out eIDAS certs for non-ETSI OB certs when conversing with Sainsbury's Bank. This is referred to as the Open Banking eIDAS Trust Framework. The benefit of this approach is that consents created prior to the introduction of eIDAS will continue to remain valid.
For TPPs that are not OB registered: if the TPP is not using a QTSP whose root certificates Sainsbury's Bank has configured, they will need to contact our Developer Support team with the QTSP details via the support email prior to registration.

Dynamic Registration is ONLY via non-ETSI certs (OB Transport and OB Signing); eIDAS is manual (as stated above, contact our support team).

Sainsbury's Bank only supports SSAs signed by OBIE.

Note you will need to do this for BOTH the Sandbox AND Prod (this method is not currently supported).
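A pre-flight check of the Dynamic Client Registration claim set against the rules stated above, added here as example code (not Sainsbury's Bank's or OBIE's): aud equals the token endpoint read from the .well-known document rather than the OB orgId, only private_key_jwt is accepted, only the openid, accounts and fundsconfirmations scopes exist, and an OBIE-signed SSA is required. The well-known sample, the PS256 choices, the five-minute lifetime and the use of software_id as iss are this example's assumptions; signing the claims with the OB signing key is outside the check.

```python
import time

# Constructed sample of the two .well-known fields used here; in practice read
# the real document from the Sandbox or Production URL given in this guide.
SAMPLE_WELL_KNOWN = {
    "issuer": "https://tsob.sainsburysbank.co.uk/sso/oauth2/realms/root/realms/general",
    "token_endpoint": "https://tsob.sainsburysbank.co.uk/sso/oauth2/realms/root/realms/general/TOKEN-ENDPOINT-PLACEHOLDER",
}
SUPPORTED_SCOPES = {"openid", "accounts", "fundsconfirmations"}


def build_registration_claims(well_known, software_id, ssa_jwt, redirect_uris, scopes):
    """Claim set for the DCR request JWT. Claim names follow the OB DCR spec;
    iss=software_id, PS256 and the 300 s lifetime are this example's assumptions."""
    now = int(time.time())
    return {
        "iss": software_id,
        "aud": well_known["token_endpoint"],   # OIDC behaviour: token endpoint, not the OB orgId
        "iat": now,
        "exp": now + 300,
        "jti": f"{software_id}-{now}",
        "token_endpoint_auth_method": "private_key_jwt",
        "token_endpoint_auth_signing_alg": "PS256",
        "grant_types": ["authorization_code", "client_credentials", "refresh_token"],
        "response_types": ["code id_token"],
        "redirect_uris": list(redirect_uris),
        "scope": " ".join(scopes),
        "software_statement": ssa_jwt,       # the OBIE-signed SSA
    }


def check_registration_claims(claims, well_known):
    """Return the reasons this ASPSP would reject the claims (empty list = OK)."""
    problems = []
    if claims.get("aud") != well_known["token_endpoint"]:
        problems.append("aud must be the token endpoint from the well-known document")
    if claims.get("token_endpoint_auth_method") != "private_key_jwt":
        problems.append("only private_key_jwt is supported (client_secret_* errors)")
    unsupported = set(claims.get("scope", "").split()) - SUPPORTED_SCOPES
    if unsupported:
        problems.append("unsupported scopes: " + ", ".join(sorted(unsupported)))
    if not claims.get("software_statement"):
        problems.append("software_statement (OBIE-signed SSA) is required")
    return problems
```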

The current list of supported QTSPs is as follows:

  • Bupass from
  • D-Trust from
  • Infocert from
  • Multicert from
  • Quovadis from

Documentation URL: https://developer.sainsburysbank.co.uk


Account Information API

Swagger version: 3.1
Base URI

Test Facility (aka Sandbox)

https://tsob.sainsburysbank.co.uk/open-banking/v3.1/aisp

Production

https://ob.sainsburysbank.co.uk/open-banking/v3.1/aisp

General variances to specification

Only the following permissions are supported:

  • ReadAccountsBasic
  • ReadAccountsDetail
  • ReadBalances
  • ReadTransactionsBasic
  • ReadTransactionsCredits
  • ReadTransactionsDebits
  • ReadTransactionsDetail

If the TPP requests any others, the POST /account-access-consents will fail with a 400 Bad Request giving details of the requested permissions that are not supported.

Transactions - Credit Card transactions are only available for the last six months; requesting beyond this period will result in the past six months being returned.

Pagination - Sainsbury's Bank is not currently supporting the splitting of response messages into pages (pagination). We currently support a response message of up to a maximum of 10MB. If, in rare circumstances, you receive an exception message after requesting a large set of data, you can request the data for a series of narrower date ranges instead.

API Call Limits - If Sainsbury's Bank receives more than four requests for data where the customer is not present from a third party within a 24hr period, we will process the requests on the understanding that the third party (AISP) has obtained consent from the customer to request data more frequently.

Re-authentication - Periodically customers will need to re-confirm that we are permitted to share their data with third parties, e.g. once every 90 days. This will involve creating a new intent and this being confirmed by the customer.

Bulk Endpoints - Sainsbury's Bank does not support the bulk endpoints for account resources at this time.

Optional Fields - Sainsbury's Bank will only return mandatory fields, with the exception of name, ahead of the 3.1.1 release.
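The AIS variances above as a client-side pre-flight, added here as example code (not the bank's or OBIE's): reject permissions the ASPSP would answer with a 400, clamp the transactions window to the six months that are actually served, and split a wide window into narrower date ranges as the pagination note suggests. The 182-day approximation of six months, the 30-day step and the helper names are this example's assumptions; the query parameter names are the OB v3.1 ones.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# The seven permissions this ASPSP accepts on POST /account-access-consents.
SUPPORTED_PERMISSIONS = {
    "ReadAccountsBasic", "ReadAccountsDetail", "ReadBalances",
    "ReadTransactionsBasic", "ReadTransactionsCredits",
    "ReadTransactionsDebits", "ReadTransactionsDetail",
}
# Assumption: "six months" approximated as 182 days for the clamp below.
SIX_MONTHS = timedelta(days=182)


def unsupported_permissions(requested):
    """Permissions that would make POST /account-access-consents return 400."""
    return sorted(set(requested) - SUPPORTED_PERMISSIONS)


def build_consent_request(permissions):
    """Body for POST /account-access-consents (OB v3.1 shape), or ValueError."""
    bad = unsupported_permissions(permissions)
    if bad:
        raise ValueError("permissions not supported by this ASPSP: " + ", ".join(bad))
    return {"Data": {"Permissions": list(permissions)}, "Risk": {}}


def transaction_window(from_dt, to_dt, now):
    """Clamp fromBookingDateTime to now - six months, since the ASPSP returns
    at most the past six months regardless of what was asked for."""
    from_dt = max(from_dt, now - SIX_MONTHS)
    if from_dt > to_dt:
        raise ValueError("fromBookingDateTime is after toBookingDateTime")
    return from_dt, to_dt


def split_window(from_dt, to_dt, step=timedelta(days=30)):
    """Narrower (from, to) ranges to retry with if a large response fails."""
    ranges, start = [], from_dt
    while start < to_dt:
        end = min(start + step, to_dt)
        ranges.append((start, end))
        start = end
    return ranges


def transactions_query(from_dt, to_dt):
    """Percent-encoded query string for GET /accounts/{AccountId}/transactions."""
    return urlencode({"fromBookingDateTime": from_dt.isoformat(),
                      "toBookingDateTime": to_dt.isoformat()})
```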


Ref | Area | Field | Available (Y/N) | Exception/Notes (inc details on classification codes, field limits, and field formats)
Endpoint 1 | POST /open-banking/v3.1/aisp/account-access-consents | - | Y | Mandatory. API Endpoint available.
Endpoint 2 | GET /open-banking/v3.1/aisp/account-access-consents/{ConsentId} | - | Y | Optional. API Endpoint available.
Endpoint 3 | DELETE /open-banking/v3.1/aisp/account-access-consents/{ConsentId} | - | Y | Mandatory. API Endpoint available.
Endpoint 4 | GET /open-banking/v3.1/aisp/accounts | - | Y | Mandatory. API Endpoint available.
Endpoint 5 | GET /open-banking/v3.1/aisp/accounts/{AccountId} | - | Y | Mandatory. API Endpoint available.
Endpoint 6 | GET /open-banking/v3.1/aisp/accounts/{AccountId}/balances | - | Y | Mandatory. API Endpoint available.
Endpoint 7 | GET /open-banking/v3.1/aisp/accounts/{AccountId}/beneficiaries | - | N | Mandatory. API Endpoint not available.
Endpoint 8 | GET /open-banking/v3.1/aisp/accounts/{AccountId}/direct-debits | - | N | Mandatory. API Endpoint not available.
Endpoint 9 | GET /open-banking/v3.1/aisp/accounts/{AccountId}/product | - | N | Conditional. API Endpoint not available.
Endpoint 10 | GET /open-banking/v3.1/aisp/accounts/{AccountId}/standing-orders | - | N | Conditional. API Endpoint not available.
Endpoint 11 | GET /open-banking/v3.1/aisp/accounts/{AccountId}/transactions | - | Y | Mandatory. API Endpoint available. Notes - see known issues: the transaction description (the merchant name) is currently truncated to 25 characters; transaction filtering by date may not work in all cases.
Endpoint 12 | GET /open-banking/v3.1/aisp/balances | - | N | Optional. API Endpoint not available.
Endpoint 13 | GET /open-banking/v3.1/aisp/beneficiaries | - | N | Optional. API Endpoint not available.
Endpoint 14 | GET /open-banking/v3.1/aisp/direct-debits | - | N | Optional. API Endpoint not available.
Endpoint 15 | GET /open-banking/v3.1/aisp/products | - | N | Optional. API Endpoint not available.
Endpoint 16 | GET /open-banking/v3.1/aisp/standing-orders | - | N | Optional. API Endpoint not available.
Endpoint 17 | GET /open-banking/v3.1/aisp/transactions | - | N | Optional. API Endpoint not available.
Endpoint 18 | Test Facility (aka Sandbox): POST https://tsob.sainsburysbank.co.uk/sso/oauth2/realms/root/realms/general/register; Production: POST https://ob.sainsburysbank.co.uk/sso/oauth2/realms/root/realms/general/register | | Y | Optional. API Endpoint available.

Funds Confirmation API

Swagger version: 1.0.0
Base URI

Test Facility (aka Sandbox)

https://tsob.sainsburysbank.co.uk/open-banking/v1.0.0/cbpii (TBC availability)

Production

https://ob.sainsburysbank.co.uk/open-banking/v1.0.0/cbpii available  

General variances to specification

Note that the consent endpoints ARE NOT the OB ones but mimic the account information ones to avoid the passing of PANs.

However, POST /funds-confirmations is the same as in v3.1 of the OB specification, but uses the same version as the rest of the SB API for consistency.

Currently GET /funds-confirm-consents/{ConsentId} and DELETE /funds-confirm-consents/{ConsentId} will return 422; we will look to implement these as soon as possible.

Ref | Area | Field | Available (Y/N) | Exception/Notes (inc details on classification codes, field limits, and field formats)
Endpoint 1 | POST /open-banking/v1.0.0/cbpii/funds-confirm-consents | - | Y | Note this is like the account information consent rather than the OB one (hence the difference in name), so no account (PAN) is included in this call; it is bound by the customer in the Sainsbury's Bank authentication pages as per account information. See the developer portal for the Open API specification.
Endpoint 2 | GET /open-banking/v1.0.0/cbpii/funds-confirm-consents/{ConsentId} | - | Y | Note this is like the account information consent rather than the OB one (hence the difference in name): it returns details of the consent, not the cardholder name and last 4 digits as per the OB spec. See the developer portal for the Open API specification.
Endpoint 3 | DELETE /open-banking/v1.0.0/cbpii/funds-confirm-consents/{ConsentId} | - | Y | See the developer portal for the Open API specification.
Endpoint 4 | POST /open-banking/v1.0.0/cbpii/funds-confirmations | - | Y | Mandatory. API Endpoint available.

Known Issues

We are aware of a number of issues and are working to resolve them. 

General Issues

Issue | Description
Internet Explorer Incompatibility | There is a known issue that prevents successful authentication when using Internet Explorer (tested on versions 10 and 11). Until this issue is resolved please use another browser (Chrome, Edge, Firefox and Safari are supported).
Access Token | Currently there is an issue with existing consents which will result in a 500 (key not found). This will be fixed in our July release; new consents are not impacted.

API Issues

Issue | Description
Transaction Filtering by Date | Transaction filtering by date may not work in all cases.
Account access consents | Mandatory field StatusUpdateDateTime is missing.
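Client-side mitigations for the two API issues listed above, added here as example code (not the bank's or OBIE's): re-apply the booking-date filter to the transactions actually returned, since server-side filtering may not work, and read the consent resource without assuming StatusUpdateDateTime is present. The JSON bodies are constructed samples in OB v3.1 shape, not real responses, and the fallback to CreationDateTime is this example's choice.

```python
import json
from datetime import datetime, timezone

# Constructed sample of GET .../transactions; BookingDateTime uses both
# offset forms that OB responses may carry.
SAMPLE_TRANSACTIONS = json.loads("""
{"Data": {"Transaction": [
  {"AccountId": "acct-1", "TransactionId": "t-1", "Status": "Booked",
   "CreditDebitIndicator": "Debit", "Amount": {"Amount": "12.50", "Currency": "GBP"},
   "BookingDateTime": "2019-01-05T10:00:00+00:00", "TransactionInformation": "SAMPLE MERCHANT ONE"},
  {"AccountId": "acct-1", "TransactionId": "t-2", "Status": "Booked",
   "CreditDebitIndicator": "Credit", "Amount": {"Amount": "40.00", "Currency": "GBP"},
   "BookingDateTime": "2019-02-20T09:30:00Z", "TransactionInformation": "SAMPLE MERCHANT TWO"}
]}}""")
# Constructed sample of GET /account-access-consents/{ConsentId} exhibiting the
# known issue: StatusUpdateDateTime is absent.
SAMPLE_CONSENT = json.loads("""
{"Data": {"ConsentId": "consent-placeholder", "Status": "Authorised",
 "CreationDateTime": "2019-03-01T12:00:00+00:00",
 "Permissions": ["ReadAccountsBasic", "ReadTransactionsDetail"]}}""")


def parse_ob_datetime(value):
    """OB uses ISO 8601; fromisoformat (Python 3.7+) needs "Z" rewritten as +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def filter_transactions(body, from_dt, to_dt):
    """Keep only transactions booked within [from_dt, to_dt], whether or not
    the server honoured fromBookingDateTime/toBookingDateTime."""
    kept = []
    for tx in body["Data"]["Transaction"]:
        if from_dt <= parse_ob_datetime(tx["BookingDateTime"]) <= to_dt:
            kept.append(tx)
    return kept


def consent_summary(body):
    """Consent fields a TPP tracks. StatusUpdateDateTime may be missing (known
    issue), so fall back to CreationDateTime and flag that the fallback was used."""
    data = body["Data"]
    updated = data.get("StatusUpdateDateTime")
    return {
        "ConsentId": data["ConsentId"],
        "Status": data["Status"],
        "StatusUpdateDateTime": updated or data["CreationDateTime"],
        "StatusUpdateDateTimeMissing": updated is None,
    }
```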