Authentication description

The following two steps have to be performed to facilitate a secure connection between the Initiating Party and the TPP solution.

1) Upload certificate
The Initiating Party uploads his public certificate in the Backoffice GUI. The private key that belongs to this certificate is later used to sign the token request.

2) Retrieve token
Endpoint: POST /authorize/token

This API retrieves the token which is used in the communication between the Initiating Party and the TPP solution. The Initiating Party is using his private key to sign the request. In the response he will receive an access token from the TPP solution. This token is used in all subsequent API calls towards the TPP solution.

Request message
Location    Name           Type     Comments
Header      Authorization  String   The signature over the app, client, id and date headers (see "Authorization header" below)
QueryParam  grant_type     String   To be set to 'client_credentials'
Header      App            String   The name of the service. Only AIS, PIS or PSU is allowed.
Header      Client         String   The name of the client. This name is created by the TPP solution and provided to the Initiating Party during onboarding.
Header      Id             String   The combination of Initiating Party ID and sub ID (see "Id header" below)
Header      Date           Date     Should be filled with the current date (see "Date header" below for the supported formats)

Authorization header

The signature. It contains the header attributes 'app', 'client', 'id' and 'date' signed with the private key of the client. This private key must be the one that corresponds to the certificate provided during onboarding.

Structure
Signature keyId="<thumbprint of certificate>", algorithm="SHA256withRSA", headers="app client id date", signature="<signature>"

Example
Signature keyId="58AF4EC5ADD4C4A3F28D3AEFF60656B2F2xxxxxx", algorithm="SHA256withRSA", headers="app client id date", signature="Abczym2rZF…r5qcvgmA=="

Generating rules
The signature must be created over a string in which the app, client, id and date header fields are concatenated according to the following rules:

  • The keyId is the thumbprint of the certificate, computed with the SHA-1 algorithm.
  • Create the header field string by concatenating the lowercased header field name, an ASCII colon `:`, an ASCII space ` `, and the header field value. Leading and trailing optional whitespace (OWS) in the header field value MUST be omitted (as specified in RFC 7230, Section 3.2.4 [7]). If the value is not the last value, append an ASCII newline `\n`.

More details can be found here: https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-signatures/

Id header

The combination of Initiating Party ID and sub ID. For example, if the Initiating Party ID is 433 and the sub ID is 5, the ID is 433:5. Without a sub ID only the Initiating Party ID is sent.

IP=433, subId=5 -> 433:5

IP=434, no subId -> 434

Date header

Should be filled with the current date.

The following date formats are supported:

1. EEE MMM dd HH:mm:ss zzz yyyy

2. ISO DATE: for example 2011-12-03T10:15:30+01:00

3. RFC 1123: for example Tue, 3 Jun 2008 11:05:30 GMT
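The Go program below is an added example, not code from the TPP solution or this documentation. It builds the signing string from the App, Client, Id and Date headers according to the generating rules above, signs it with SHA256withRSA (RSA PKCS#1 v1.5 over a SHA-256 digest), derives the SHA-1 thumbprint used as keyId, and shows the check the receiving side performs, which fails as soon as any signed header differs from what was signed. The RSA key, the client name and the certificate bytes are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// signingString: one "name: value" line per signed header, in the order fixed by
// headers="app client id date"; name lowercased, OWS (SP/HTAB) trimmed, lines joined by "\n".
func signingString(hdrs map[string]string) string {
	var lines []string
	for _, name := range []string{"App", "Client", "Id", "Date"} {
		lines = append(lines, strings.ToLower(name)+": "+strings.Trim(hdrs[name], " \t"))
	}
	return strings.Join(lines, "\n")
}

// keyID is the SHA-1 thumbprint of the DER-encoded client certificate, hex encoded.
func keyID(derCert []byte) string {
	sum := sha1.Sum(derCert)
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// signature is SHA256withRSA (RSA PKCS#1 v1.5 over a SHA-256 digest), base64 encoded.
func signature(key *rsa.PrivateKey, hdrs map[string]string) (string, error) {
	d := sha256.Sum256([]byte(signingString(hdrs)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	return base64.StdEncoding.EncodeToString(sig), err
}

// verify (receiving side): rebuild the string from the headers as received and check the signature against the public key of the onboarded certificate.
func verify(pub *rsa.PublicKey, sigB64 string, hdrs map[string]string) bool {
	raw, err := base64.StdEncoding.DecodeString(sigB64)
	d := sha256.Sum256([]byte(signingString(hdrs)))
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], raw) == nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo key, not an onboarded one
	hdrs := map[string]string{"App": "AIS", "Client": "demo-client", "Id": "433:5", "Date": "Tue, 3 Jun 2008 11:05:30 GMT"}
	sig, _ := signature(key, hdrs)
	fmt.Printf("keyId=%s\nsignature=%s\nverifies=%v\n", keyID([]byte("constructed DER placeholder")), sig, verify(&key.PublicKey, sig, hdrs))
}
```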

Response message
Location  Name          Type     Comments
Body      access_token  String   Token to be used in further API calls
Body      token_type    String   Type of the token: Bearer
Body      expires_in    Integer  Expiration time in seconds