API technical configuration

1. Overview

WL ACS platform exposes unified APIs for host-to-host communications.

The methods are exposed through a RESTful API built on HTTP and JSON.
The data exchanged is serialized using JSON format (RFC 7159).
The character set supported for input and output data is UTF-8 (RFC 3629).

As per the REST principles:

• All the methods are accessed by performing an HTTP request to the web service endpoint,
• URL are used to access the data
• HTTP bodies carry the representation of the business objects (elements),
• HTTP verbs are used to indicate the action to perform :
  • POST: create a new element for which no identifier is known
  • PUT: update an element, or create a resource for which the identifier is known in advance
  • GET: retrieve one or more elements
  • DELETE: delete an element

HTTP headers are used to carry information related to the API protocol: authentication, pagination, API versioning… 

All the services are exposed through the HTTPS protocol (RFC 2818) TLS 1. 2.

No HTTP compression (RFC 2616) is activated.

In order to secure the communication channel between the bank and WL ACS platform, a mutual authentication mTLS is required.
In addition, an Ouath 2.0 security channel could be implemented for Client APIs.

2. API Server

  2.1. Security

In order to secure the communication channel between the bank and WL ACS platform, a mutual authentication mTLS is required.
Clients must provide a mutual authentication (client) certificate that complies with the following rules.

2.1.1. Testing environment

The certificate file must comply with the PKCS10 format and be base-64 encoded.
Important note: the use of ‘&’ and ‘<’ characters in the certificate fields is prohibited.

2.1.2 Production

Important note: the use of ‘&’ and ‘<’ characters in the certificate fields is prohibited.

  2.2 Versioning

For WL Server APIs, the version number has been included in the service URI. 
By default, when the version is not provided in the URI, the initial version 2019R1.0 implementation is used.

Examples of URI :

/referential/rest/2019R2-1.0/public/updateCardWithCredentials/669c8c64-e71f-4e87-8966-cb578a86074e

/referential/rest/2021R1-1.0/public/updateCardWithCredentials/3aaa4686-d139-4822-b193-6a0140467264

  2.3 Message format

  2.3.1. Common headers request

  2.3.2. Common headers response

3. API Client

  3.1. Security

In order to secure the communication channel between the bank and WL ACS platform, a mutual authentication mTLS is recommended.
In replacement or addition to mTLS, an Oauth 2.0 authentication could be used (cf. paragraph 5)

For mTLS, 
Client certificate :
WL will provide a Certificate Request based on Bank recommendation.
Bank must sign the certificate with AC of its choice.
The certificate file must comply with the PKCS10 format and be base-64 encoded.

Server certificate:
Bank must provide SSL certificates (root/ac) used to sign the URL name of the API. 

  3.2 Versioning

Client APIs can be modified during major product releases.

However, to avoid server-side impacts, changes are limited to the addition of optional supplementary fields.

Additionally, APIs are versioned and configurable by the bank, so upgrading to a new version is not mandatory. The new fields will only be transmitted starting from the version in which they are implemented (see the "since release" label in the Swagger file).

A bank wishing to have the latest version of the API must thus request it from their WL contact; by default, no API changes will be made without an explicit request.

  3.3 Message Format

       3.2.1. Hypermedia

Hypermedia is used to specify content type and charset to be used.

Currently supported values are:

• Content type: json
• Charset: UTF-8

Table 1 - Hypermedia input header

Table 2 - Hypermedia output header

  3.4. Signature

Signature is currently only available for Authentication and Credential API.

3.4.1. Signature content

The signature fields are optional and are only filled and/or checked if explicitly required.Otherwise, signature values will be ignored in responses and left empty in requests. Signatures can be activated for each issuer, sub-issuer individually and at a method level.

To pass validation, the signature format must be RFC 7515 (JSON Web Signature) and RFC 7797 (Unencoded or detached payload) compliant. As such a typical signature should look like this [header]..[signature] where:

1. [header] : a Base64 URL encoding of the JOSE header which contains the key ID, algorithm and object type. For example: eyJraWQiOiJzaWduIiwidHlwIjoiSk9TRStKU09OIiwiYWxnIjoiUlMyNTYifQ which in clear JSON gives: {"kid":"sign","typ":"JOSE+JSON","alg":"RS256"}. The "kid" (Key ID) and "alg" header fields are both required to perform the check. An additional "jku" parameter in which a JWKS URL where to retrieve the public key can also be specified, if not it should be expected for public keys to have been exchanged beforehand. The "typ" is only there by convention and should only be set as JOSE or JOSE+JSON since were are not dealing JWT (tokens) here.
2. [signature] : a Base64 URL encoded value representation of the signature output. The payload used to generate the signature consists of the JSON serialization of the whole object, excluding old signatures and null values, which is then Base 64 URL encoded as well.

If the signature from the response contains a payload value then it will be ignored in favor to the actual object.

3.4.2. Supported algorithm

Currently supported algorithms are RS256, RS384, RS512, ES256, ES256K, ES384, and ES512.

3.4.3. Samples

{
"header": {
"issuerCode": "123456",
"subIssuerCode": "987654",
"service": "ACS_TEST",
"requestId": "5850e990-a21e-4925-8483-a407ef609e30",
"keyTag": "01"
},

"body": "Hello",
"signature": "eyJraWQiOiJzaWduIiwidHlwIjoiSk9TRStKU09OIiwiYWxnIjoiUlMyNTYifQ..QslvRsAf7favTzmZACC6l1UbjySjezKwCIJ0T-qxWkla0GjACsp-5TzannnBoTYzpZfa9BasNVRe1UZyTKEF8ViQX_LL_XnMoDttzB15zCoKkLhgcTOqSmrUa2p_hPOTnmL40TAnlykqNA0MlOQ9nox3K7a-rlfAG4FVXypyaHN71rCBfMQiw5eY-57e3DEdcjDAIWMxKh2zaM4HZ43K2fc1DQHGB-k9aTljOZAEhe6D7dgTYV0EGAHzRw51x15xnPD7_z-sJGpun9iVZpf8fHu9dTn5lhMChQvEBqElxWpm6fET7Izm8hqMa1oUkf2l5ue9h-WotzIbzE4PQuLOxw"
}

3. Data Encryption

Some fields, corresponding to sensitive data, can be either encrypted or plain. In this case, there is a type, a value and a key tag attribute.

When the type is encrypted, the value attribute is a String, before encryption and after being decrypted. The encrypted result is in Hexadecimal format compliant with JSON structure. 
That’s why this field doesn’t need to be parsed into JSON object.

Only for plain formats, the value needs to be casted to as JSON object. As a result, all the double quotes characters need to be escaped by a backslash, resulting to the following format: "\"PWD\": {\"pwd\":\"@value\"}".

When sensitive fields are encrypted, a “keyTag” value is requested to identify the key used. The “keyTag” value must be defined per field. Same keytag value could be used for all data.

  3.1. Encryption

Sensitive data will be encrypted with AES256bits (RFC 3565) encryption in GCM mode with an random initial vector or set with the requestId (without “-“ character). 
Notes that usage of CBC mode and IV =0 is deprecated for security reason.

The encrypted field is always exchanged in Hexadecimal format.

The main steps are:

1. Depending on config, IV is either the session ID without dashes, a random value, or null (only zeros);
2. IV is truncated to the algorithm's corresponding IV length (12 bytes / 24 hex char);
3. IV's chars are converted from hex to bytes array;
4. data is converted to bytes array, using UTF-8 char-set;
5. data is encrypted using the key, the IV and the algorithm ("AES256GCM_NOPADD") corresponding to the configured key;
6. encrypted data is converted from bytes array to an hex string.

Whatever the implementation, it must be able to produce the same result depending on algo, key and IV chosen. 

  3.2. Samples

Key

XOR1: B3EE911BA049ADBEE36B0445C8FC8A2832E7646316F111BCFA3EE062B0379E23
CCV1: BF36D7

XOR2: 50A813F0A59FFADDFEFE06904A4E4E42DF30026CE63FECEEAB92043C667FBC0C
CCV2: DA684A

Clear key: E34682EB05D657631D9502D582B2C46AEDD7660FF0CEFD5251ACE45ED648222F
KCV: 84A0D9

Encryption (GCM)

IV: 00000000000000000000000000000000
Data to encrypt (Clear PAN): 4263540111825682
Data encrypted – in hexadecimal: 68e94ab51334a794c10ebdb76b7480cebb740d8d655396cf7626b1177ad9a78f

IV: 384000008CF011BDB23E10B96E4EF00E
Data to encrypt (Clear PAN): 4263540111825682
Data encrypted – in hexadecimal: 0ead51b9582223c003fcf13195fd3c83d39c2f8cb6a6000dfcc758401fb5e7ea
 

Encryption (GCM)
IV: 384000008CF011BDB23E10B96E4EF00E
Data to encrypt (Clear PAN): 4263540111825682
Data encrypted – in hexadecimal: b045162d84b792ee2c89e098d05369defa09bd5eaea899058c8f83da3395f663 (value and tag concatenated)
Decryption: "b045162d84b792ee2c89e098d05369de" and tag "fa09bd5eaea899058c8f83da3395f663" → "4263540111825682"

Oauth 2.0

1. Overview

OAuth 2.0 is an open standard for access delegation.​

​OAuth 2.0 enables a third-party application to obtain limited access to an HTTP service by allowing the third-party application to directly obtain access on its own behalf. This allows the API to be secured by requiring the third-party application to obtain an access token from the authorization server with the necessary permissions to access the API resources. This helps in ensuring that only authorized applications can access the API and that the access is limited to the specific permissions granted.​
​

In OAuth 2.0, there are main actors: ​

• the client ​(the application requesting access to the user's data), ​​
• the authorization server ​(which authenticates the user and issues access tokens), ​​
• the resource server ​(which hosts the protected user data).​

2. Implementation

ACS' Client API could be secure by using Oauth 2.0 protocol. 
Oauth 2.0 could be configured for all standard Client API :

• Scoring
• Card Referential​
• Authentication​

The same access token can be reuse for all API​, or a dedicated access token could be requested per API​.
We recommend to use the same access token for all API.

  2.1 get AccessToken

This endpoint is necessary to get the authorization string from the OAuth external source. 
As an execution result a Token object will be retrieved and “access_token” field data will be extracted for future usage. 

An application access token is requested by calling API token endpoint: POST /oauth2/token. 
Requesting an application access token requires the following parameters to be supplied :

The client id is defined during the implementation project phase. 

The scope is optional and could be customized if needed depending on Server methods security controls. The scope could be generic or a list of API/methods authorized.
By default, the product scopes are :

• card-credentials:view
• card-credentials:update
• scoring-request:execute
• authentication:initiate
• authentication:validate
• authentication:cancel

  2.2 API adaptation

All API requests using Oauth 2.0 must contain at least the following headers: Date, Digest and Authorization.

In order to verify that the message was not tampered with during transit, a signature is also requested.

Two types of signature can be implemented :

• HTTP signature, in this case, API requires a "Signature" header to be supplied
• JWS signature, in this case, API requires an "X-JWS-Signature" header.

Oauth 2.0 authentification is configurable and can be “activated” for customer upon necessity.
Example of “getCardWithCredentials” method with all mentioned parameters present in the “header” section of the request :

3.3.1 HTTP signature

3.3.2 JWS signature

The JWS structure shall be carried in HTTP header field named "x-jws-signature".

A JWS protected header parameter is composed of parameters :

• "b64” ; the JWS header shall include b64 header parameter set to false
• “x5t#S256” is the digest (fingerprint) of the X.509 signing certificate using SHA 256. "x5t#S256" shall be checked against the certificate used to validate the signature
• crit:["sigT","sigD","b64"] - Non-standard JWS header parameters (ie. not defined in RFC 7515), which are critical
• "sigT" shall be present and set to the time that the signature was created. The time shall be indicated in UTC (ending in "Z") and shall indicate date and time to the second.
• "sigD" header parameter shall be present and shall contain :
  • “mId" set to http://uri.etsi.org/19182/HttpHeaders
  • "pars" should include the following HTTP Header field names:
    • "(request-target)" for HTTP Requests
    • "Content-Type"
    • “Digest” enables protection of the HTTP Body
  • "alg" identifies the cryptographic algorithm used to create the JWS Signature Value. Use RS256

Example of protected header 

    { "b64":false,
    "x5t#S256":"dytPpSkJYzhTdPXSWP7jhXgG4kCOWIWGiesdzkvNLzY",
    "crit":[ "sigT", "sigD", "b64" ], 
    "sigT":"2023-11-26T11:26:57Z",
    "sigD":{ "pars":[ "(request-target)", "content-type", "digest" ],
    "mId":"http://uri.etsi.org/19182/HttpHeaders" 
    }, 
    "alg":"RS256"
    }

Example of protected header encoded in B64 (without line breaks or extra spaces)

eyJiNjQiOmZhbHNlLCJ4NXQjUzI1NiI6ImR5dFBwU2tKWXpoVGRQWFNXUDdqaFhnRzRrQ09XSVdHaWVzZHprdk5MelkiLCJjcml0IjpbInNpZ1QiLCJzaWdEIiwiYjY0Il0sInNpZ1QiOiIyMDIzLTExLTI2VDExOjI2O
jU3WiIsInNpZ0QiOnsicGFycyI6WyIocmVxdWVzdC10YXJnZXQpIiwiY29udGVudC10eXBlIiwiZGlnZXN0Il0sIm1JZCI6Imh0dHA6Ly91cmkuZXRzaS5vcmcvMTkxODIvSHR0cEhlYWRlcnMifSwiYWxnIjoiUlMyNTYifQ

A HTTP header parameter

• request-target :
• digest :
• content-type : application/json

Example of HTTP header

    (request-target): post /initiateAuthentication
    content-type: application/json
    digest: SHA-256=+xeh7JAayYPh8K13UnQCBBcniZzsyat+KDiuy8aZYdI=

Where digest is the hash in SHA-256 of request body

All the header parameters contained in JWS Protected Header are protected by the signature.

The data must be signed with the private key (associated with the certificate identified in "x5t#S256") by using the chosen algorithm (specified in “alg” parameter).

Data to sign is the concatenation of protected header encoded in B64 and HTTP Header separated by “.”

Example of input Data for Signature

eyJiNjQiOmZhbHNlLCJ4NXQjUzI1NiI6ImR5dFBwU2tKWXpoVGRQWFNXUDdqaFhnRzRrQ09XSVdHaWVzZHprdk5MelkiLCJjcml0IjpbInNpZ1QiLCJzaWdEIiwiYjY0Il0sInNpZ1QiOiIyMDIzLTE

xLTI2VDExOjI2OjU3WiIsInNpZ0QiOnsicGFycyI6WyIocmVxdWVzdC10YXJnZXQpIiwiY29udGVudC10eXBlIiwiZGlnZXN0Il0sIm1JZCI6Imh0dHA6Ly91cmkuZXRzaS5vcmcvMTkxODIvSHR0cE

hlYWRlcnMifSwiYWxnIjoiUlMyNTYifQ.(request-target): post /initiateAuthentication


    content-type: application/json


    digest: SHA-256=+xeh7JAayYPh8K13UnQCBBcniZzsyat+KDiuy8aZYdI=

Example of Signed Data

Q9ZSYXJ0QWSoPBfBUR58Sqplw7BQcrcqVR6rvnqfBOvosbBLcsBjkjzi1kCF 2cJsHTJRtp6GcJmZplqRg-7_QBKQAgkUq0BGQpzZwhVYrvP0opdLEarVBrej YA05gt3qnleuS53DWmyZu9iNxhwJTY

VPyXediwo3TIlSn-8XjSTZAVHa728E WK6XzRC9rEroXYPYd23iQLXetMygLaDhRT2lGhV5WvmO0wC0B6RbGiYl2zIv D0XliMP6MidX4SDY5zlzyWyFlHqX7eHpkH8xxqAsBdKb16y4IdOoRhil9yws

 vlzkG6-U9jmBU4y_m3mZArD22oRVXTywzFn9NUtY9w

X-JWS-Signature is the concatenation of protected header encoded in B64 and Signature value separated by “..”

Example of JWS Signature

   eyJiNjQiOmZhbHNlLCJ4NXQjUzI1NiI6ImR5dFBwU2tKWXpoVGRQWFNXUDdqaFhnRzRrQ09XSVdHaWVzZHprdk5MelkiLCJjcml0IjpbInNpZ1QiLCJzaWdEIiwiYjY0Il0sInNpZ1QiOiIyMDIzLTE

xLTI2VDExOjI2OjU3WiIsInNpZ0QiOnsicGFycyI6WyIocmVxdWVzdC10YXJnZXQpIiwiY29udGVudC10eXBlIiwiZGlnZXN0Il0sIm1JZCI6Imh0dHA6Ly91cmkuZXRzaS5vcmcvMTkxODIvSHR0cEhlY

WRlcnMifSwiYWxnIjoiUlMyNTYifQ..Q9ZSYXJ0QWSoPBfBUR58Sqplw7BQcrcqVR6rvnqfBOvosbBLcsBjkjzi1kCF 2cJsHTJRtp6GcJmZplqRg-7_QBKQAgkUq0BGQpzZwhVYrvP0opdLEarVBrej YA05gt3qnleuS53DWmyZu9iNxhwJTYVPyXediwo3TIlSn-8XjSTZAVHa728E WK6XzRC9rEroXYPYd23iQLXetMygLaDhRT2lGhV5WvmO0wC0B6RbGiYl2zIv D0XliMP6MidX4SDY5zlzyWyFlHqX7eHpkH8xxqAsBdKb16y4IdOoRhil9yws vlzkG6-U9jmBU4y_m3mZArD22oRVXTywzFn9NUtY9w

The Authentication process can be provided by banks on their authentication platforms. In this case ACS uses an API the Authentication WS Client to manage it.

Banks use API the Authentication Callback Server and/or  the Authentication Callback Decoupled Server to send the authentication result to ACS.

The Authentication can also be done on OpenId system and in this case ACS uses an API the Authentication OpenID WS Client to manage it.

Version 2.35.2 to 2.36.1

What's New

No API added.

What's Changed

POST /issuers/{issuerId}/accounts/external-accounts/{issuerAccountExternalReference}/reverse-reimbursement-operation

Request body :

• Added property specificFields (object)

POST /issuers/{issuerId}/accounts/external-accounts/{issuerAccountExternalReference}/reverse-payment-operation

Request body :

• Added property specificFields (object)

POST /issuers/{issuerId}/accounts/{accountReference}/reverse-reimbursement-operation

Request body :

• Added property specificFields (object)

POST /issuers/{issuerId}/accounts/{accountReference}/reverse-payment-operation

Request body :

• Added property specificFields (object)

GET /issuers/{issuerId}/accounts/external-accounts/{issuerAccountExternalReference}/statements/last

Parameters:

Deleted: includeOriginalAccount in query

GET /issuers/{issuerId}/accounts/external-accounts/{issuerAccountExternalReference}/statements/next

Parameters:

Deleted: includeOriginalAccount in query

GET /issuers/{issuerId}/accounts/{accountReference}/statements/last

Parameters:

Deleted: includeOriginalAccount in query

GET /issuers/{issuerId}/accounts/{accountReference}/statements/next

Parameters:

Deleted: includeOriginalAccount in query

GET /issuers/{issuerId}/accounts/external-accounts/{issuerAccountExternalReference}/statements/last/operations

Parameters:

Deleted: includeOriginalAccount in query

GET /issuers/{issuerId}/accounts/external-accounts/{issuerAccountExternalReference}/statements/next/operations

Parameters:

Deleted: includeOriginalAccount in query

GET /issuers/{issuerId}/accounts/{accountReference}/statements/last/operations

Parameters:

Deleted: includeOriginalAccount in query

GET /issuers/{issuerId}/accounts/{accountReference}/statements/next/operations

Parameters:

Deleted: includeOriginalAccount in query

POST /issuers/{issuerId}/cards/external-cards/{issuerCardExternalReference}/block-and-replace

Request body :

• Changed property replaceCardRequest (object ReplaceCardRequest)
  • Changed property cardContract (object ReplaceCardRequest.CardContract)
    • Changed property card (object ReplaceCardRequest.CardContract.Card)
      • Changed property externalAuthorizationsRestrictions (array)
        • Changed items (object ExternalAuthorizationsRestriction)
          • Changed property activationStartTime (string -> string-date-time)

          • Changed property activationEndTime (string -> string-date-time)

POST /issuers/{issuerId}/cards/external-cards/{issuerCardExternalReference}/replace

Request body :

• Changed property cardContract (object ReplaceCardRequest.CardContract)
  • Changed property card (object ReplaceCardRequest.CardContract.Card)
    • Changed property externalAuthorizationsRestrictions (array)
      • Changed items (object ExternalAuthorizationsRestriction)
        • Changed property activationStartTime (string -> string-date-time)

        • Changed property activationEndTime (string -> string-date-time)

POST /issuers/{issuerId}/cards/{cardReference}/block-and-replace

Request body :

• Changed property replaceCardRequest (object ReplaceCardRequest)
  • Changed property cardContract (object ReplaceCardRequest.CardContract)
    • Changed property card (object ReplaceCardRequest.CardContract.Card)
      • Changed property externalAuthorizationsRestrictions (array)
        • Changed items (object ExternalAuthorizationsRestriction)
          • Changed property activationStartTime (string -> string-date-time)

          • Changed property activationEndTime (string -> string-date-time)

POST /issuers/{issuerId}/cards/{cardReference}/replace

Request body :

• Changed property cardContract (object ReplaceCardRequest.CardContract)
  • Changed property card (object ReplaceCardRequest.CardContract.Card)
    • Changed property externalAuthorizationsRestrictions (array)
      • Changed items (object ExternalAuthorizationsRestriction)
        • Changed property activationStartTime (string -> string-date-time)

        • Changed property activationEndTime (string -> string-date-time)

POST /issuers/{issuerId}/contracts/create-consumer-contract

Request body :

• Changed property addCardsAccounts (object CreateConsumerContractRequest.AddCardsAccounts)
  • Changed property accounts (array)
    • Changed items (object CreateConsumerContractRequest.Account)
      • Changed property externalAuthorizationsRestrictions (array)
        • Changed items (object ExternalAuthorizationsRestriction)
          • Changed property activationStartTime (string -> string-date-time)

          • Changed property activationEndTime (string -> string-date-time)

  • Changed property cardContracts (array)
    • Changed items (object CreateConsumerContractRequest.CardContract)
      • Changed property card (object CreateConsumerContractRequest.Card)
        • Changed property cardOrder (object CreateConsumerContractRequest.CardOrder)
          • Added property deliveryType (string)

          • Added property deliveryBranchCode (string)

POST /issuers/{issuerId}/contracts/external-contracts/{issuerContractExternalReference}/add-cards-accounts

Request body :

• Changed property accountHierarchy (object AddCardsAccountsRequest.AccountHierarchy)
  • Changed property accounts (array)
    • Changed items (object CreateConsumerContractRequest.Account)
      • Changed property externalAuthorizationsRestrictions (array)
        • Changed items (object ExternalAuthorizationsRestriction)
          • Changed property activationStartTime (string -> string-date-time)

          • Changed property activationEndTime (string -> string-date-time)

• Changed property cardContracts (array)
  • Changed items (object CreateConsumerContractRequest.CardContract)
    • Changed property card (object CreateConsumerContractRequest.Card)
      • Changed property cardOrder (object CreateConsumerContractRequest.CardOrder)
        • Added property deliveryType (string)

        • Added property deliveryBranchCode (string)

POST /issuers/{issuerId}/contracts/{contractReference}/add-cards-accounts

Request body :

• Changed property accountHierarchy (object AddCardsAccountsRequest.AccountHierarchy)
  • Changed property accounts (array)
    • Changed items (object CreateConsumerContractRequest.Account)
      • Changed property externalAuthorizationsRestrictions (array)
        • Changed items (object ExternalAuthorizationsRestriction)
          • Changed property activationStartTime (string -> string-date-time)

          • Changed property activationEndTime (string -> string-date-time)

• Changed property cardContracts (array)
  • Changed items (object CreateConsumerContractRequest.CardContract)
    • Changed property card (object CreateConsumerContractRequest.Card)
      • Changed property cardOrder (object CreateConsumerContractRequest.CardOrder)
        • Added property deliveryType (string)

        • Added property deliveryBranchCode (string)

What's Deprecated

No API deprecated.

Current version 25R2-1.0 of October 14th 2025

It is a public API to export transaction details for a given list of ACS transaction ID(s).​

​The API takes in Input : 1 to 10 ACS Transaction ID​ and returns a list of transaction(s) in JSON format.

The complete list of fields available on the API response is described in the swagger API.​

Notes that sensitive data should be encrypted.
There is no sensitive PCI-DSS data (as PAN is not provided)
 

Sensitive Data are regarding GDPR : 

• billing and shipping address, 
• email
• phone number
• cardholder name
• IP address

This document describes the OpenID 1.0 interfaces exposed by an external authentication platform and expected by Authentication HUB as client server. This document is based on OpenID 1.0 specifications  

1. Overview

Authentication HUB uses the OpenID Authorization Code Flow to do user authentication during a 3DS request.

The Authorization Code Flow goes through the following steps.

• Client (HUB) prepares an Authentication Request containing the desired request parameters. – STEP 8
• Client (ACS3) sends the request to the Authorization Server. – STEP 10
• Authorization Server (Issuer Bank) authenticates the End-User.– STEP 11
• Authorization Server (Issuer Bank) sends the End-User back to the Client with an Authorization Code. – STEP 12
• Client (HUB) requests a response using the Authorization Code at the Token Endpoint.– STEP 14
• Client (HUB) receives a response that contains an ID Token and Access Token in the response body.– STEP 15
• Client (HUB) validates the ID token and retrieves the End-User's Subject Identifier.– STEP 16

2. Requirement

All following informations should be provided beforehand in order to setup OpenID authentication.

Provided to Authentication HUB by Authorization server:

• Authorization server openid configuration url ( which contains jwks_uri, authorization_endpoint, token_endpoint, should not contain fragment components)
• Client password : client_id and client_secret (RFC6749 section-2.3.1)
• Whether or not authentication data validation is necessary on HUB side
  • Authentications data type used for end user authentication (data should be provided in HUB repository database using the credential type 'OPENID')

Provided to Authorization server by Authentication HUB:

• RSA Public key for token encryption (JWE)

3. Connectivity

3.1. Network

All the services are exposed through the HTTPS protocol (RFC 2818) TLS 1. 2.

No HTTP compression (RFC 2616) is activated.

3.2. Security

RSA keys used MUST be 2048 bits or longer. Elliptic curve keys must be long enough to provide a symmetric key equivalent security strength of at least 112 bits (typical EC algorithm key length of 224 bits or longer). Symmetric keys MUST be 128 bits or longer. Hash algorithms used MUST have a digest size of 224 bits or longer.

3.2.1. Signature

Tokens MUST be digitally signed JWTs and must be validated by the receiver using the pre-exchanged signature validation keys. JOSE header kid (RFC 7515) should be used for identifying the key used in all cryptographically secured JWTs. The algorithm used for signing is RSASSA-PKCS1-v1_5 using SHA-256 for JWS (RS256 value for alg header field) and RSAES OAEP using default parameters for JWE (RSA-OAEP value for alg header field). The public key for the kid value should be available for validation in a JWKS endpoint (RFC7517).

By default, the authentication HUB will call JWKS endpoint in these cases:

• Hub applications start
• New kid value provided by authorization server (signature certificates renewal for example)
• Once per day to check JWKS endpoint availability

The public certificates will be stored in a memory cache in order to avoid calling JWKS endpoint for each transaction. If the server maintainer wants the Hub to make a call for each transaction, it can request it.

3.2.2. PKCE

OAuth 2.0 provides a version of the Authorization Code Flow which makes use of a Proof Key for Code Exchange (PKCE).

Usage of PKCE is optional and must be configured during project phase.

The PKCE introduces a secret created by the HUB that can be verified by the authorization server; this secret is called the Code Verifier. Additionally, the HUB creates a transform value of the Code Verifier called the Code Challenge and sends this value over HTTPS to retrieve an Authorization Code. This way, a malicious attacker can only intercept the Authorization Code, and they cannot exchange it for a token without the Code Verifier.

A Code Verifier is generated by HUB for each Oauth transaction, it is a high-entropy cryptographic random with a minimum length of 43 characters.

The Code Challenge is calculated by hashing the Code Verifier  in SHA256 then encoding the hash in B64.

3.2.3. Encryption

Encryption of OIDC Tokens is mandatory for Token with authentication data. The ID Token from the Authorization Server must be first signed by one of the signing private keys and then encrypted using the Authentication HUB public encryption key. In other words, the Token is first secured with JWS and then with JWE to create a nested JWT as described in the OIDC Core specification (section 10). For this to be possible the Authentication HUB needs to have an asymmetric encryption key.

The encryption algorithm used is RSAES OAEP using default parameters (RS256 value for alg header field).

4. OpenID Connect methods

4.1. Authorization endpoint

The Authorization Endpoint performs Authentication of the End-User. This is done by sending the User Agent to the Authorization Server’s Authorization Endpoint for Authentication and Authorization, using request parameters defined by OAuth 2.0 and additional parameters and parameter values defined by OpenID Connect.

4.1.1. Request

Authentication endpoint should support POST and GET. ACS client will use GET method to send the request.

Parameters

Sample

     GET /authorize?
        scope=openid
        &response_type=code
        &client_id=s6BhdRkqt3
        &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
        &state=af0ifjsldkj
        &nonce= n-0S6_WzA2Mj
        &prompt=login
        &transaction_id=3a6f4695-e791-45c4-9a9f-95bf0e416346
        &payee=merchant
        &amount=10000
        &currency_code=978
        &currency_exponent=2
        &trusted_enrollment_request=true
        &login_hint=571a48b12
        &code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM

        &code_challenge_method=S256
        Host: server.example.com

4.1.2. Response

Response should return a 302 Found HTTP code even if error fields are non-empty.

Response without error:

If “code” field is null or not provided then the use case corresponds to a user cancellation on authorization server.

If authentication fails, the field error must be set to “access_denied” and an error_description can be provided to distinguish the reason of this functional authentication failure.

Response with error:

Errors

Error descriptions

error_description is a free value, but Hub will interpret differently the following values in case of error = access_denied:

Samples

Success:

 HTTP/1.1 302 Found
 Location: https://client.example.org/cb?
    code=SplxlOBeZQQYbYS6WxSbIA
    &state=af0ifjsldkj

Technical Error:

    HTTP/1.1 302 Found
    Location: https://client.example.org/cb?
    error=invalid_request
    &error_description=Unsupported%20response_type%20value
    &state=af0ifjsldkj

Authentication Failure:

    HTTP/1.1 302 Found
    Location: https://client.example.org/cb?
    error=access_denied
    &error_description=Auth_failed
    &state=af0ifjsldkj

4.2. Token endpoint

To obtain an Access Token, an ID Token, and optionally a Refresh Token, the HUB (Relying Party - Client) sends a Token Request to the Token Endpoint to obtain a Token Response, as described in Section 3.2 of OAuth 2.0 [RFC6749], when using the Authorization Code Flow.

4.2.1. Request

To exchange the authorization code for an access token, HUB client makes a POST request to the service’s token endpoint.

Headers

Parameters

Sample

    POST /token HTTP/1.1
    Host: server.example.com
    Content-Type: application/x-www-form-urlencoded
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    grant_type=authorization_code
    &code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
    &code_verifier=0MF7_qn397NQ_c1cnJkIB4tKPZrWXX0yAFCWFiYw_VA
     

4.2.2. Response

After receiving and validating a valid and authorized Token Request from the HUB, the Authorization Server returns a successful response that includes an ID Token and an Access Token.

Parameters

Response should return a 200 http code for success (for error http code see below).

Response without error:

Response with error:

4.2.2.1. ID Token without authentication data

JWS
 

4.2.2.2. ID Token with authentication data

The ID Token is a nested JWT (JWE containing a JWS, first signed and then encrypted JWT containing information about the end user that authenticated) In order to protect authentication data, the token should be encrypted with the public key of the Authorization server.

HUB will generate a privet/public key pair (format RSA AES 256). Only public key is shared with the Issuer Bank Authorization Server.

JWE

JWE also contain Encrypted Key, Initialization Vector and Tag, descripted in JWE specification. (https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40)

JWS

Authentication data claims

Authentication data used for end user authentication on HUB side are stored in “data_type_X” and “data_value_X”. Only “data_type_1” and “data_value_1” are mandatory for authentication. If authentication servers require more security, up to five authentication data could be sent to the HUB for check. Authentication data type should be exchanged beforehand between authorization server and HUB client.

Sample

    data_type_1 : DDN 
    data_value_1 : 10/03/1980 
    data_type_2 : PWD 
    data_value_2 : totopwd

Errors

Other HTTP code should be treated as an unknown error.

Samples

Success:

    
    HTTP/1.1 200 OK
    Content-Type: application/json
    {
    "access_token": "SlAV32hkKG",
    "token_type": "Bearer",
    "refresh_token": "8xLOxBtZp8",
    "expires_in": 3600,
    "id_token": " eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.
    OKOawDo13gRp2ojaHV7LFpZcgV7T6DVZKTyKOMTYUmKoTCVJRgckCL9kiMT03JGe
    ipsEdY3mx_etLbbWSrFr05kLzcSr4qKAq7YN7e9jwQRb23nfa6c9d-StnImGyFDb
    Sv04uVuxIp5Zms1gNxKKK2Da14B8S4rzVRltdYwam_lDp5XnZAYpQdb76FdIKLaV
    mqgfwX7XWRxv2322i-vDxRfqNzo_tETKzpVLzfiwQyeyPGLBIO56YJ7eObdv0je8
    1860ppamavo35UgoRdbYaBcoh9QcfylQr66oc6vFWXRcZ_ZT2LawVCWTIy3brGPi
    6UklfCpIMfIjf7iGdXKHzg.
    48V1_ALb6US04U3b.
    5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6ji
    SdiwkIr3ajwQzaBtQD_A.
    XFBoMYUZodetZdvTiFvSkQ"
    }

Error:

    
    HTTP/1.1 400 Bad Request
    Content-Type: application/json
    {
    "error": "invalid_request"
    }

4.2.2.3. Token Response Validation

This token response needs to be checked by us to be sure that :

• Authentication is successful,
• Authentication is performed by the expected Cardholder.

In addition to the OpenID Connect standard validation (section 3.1.3.5), the cardholder identifier(s) must be checked with data known by HUB.

If the ID Token doesn’t contain authentication data, the Subject Identifier included in response message (field sub) must contain the expected cardholder identifier stored in the HUB repository.

The HUB platform can manage 3 different types of identifier :

• SSN - Social Security number
• OPENID – Dedicated cardholder identifier for OpenID authentication method
• CARDHOLDERID – Cardholder identifier

 An Issuer Bank configuration is set during Project Phase to define what kind of identifier will be used. The corresponding information must be provided by Bank IS either by Referential Batch File or Web services.

The Subject Identifier is compared to data stored in card repository on HUB side. If it doesn’t match, the HUB will return “authentication failed” status to the ACS application.

If ID Token contains authentication data, in addition to verifying Subject Identifier, the authentication data are compared to data stored in card repository on HUB side. If they don’t match, the HUB will return “authentication failed” status to ACS application.

Currently supported authentication data types are:

• SSN
• DDN (birth date, formatted as “dd/MM/yyyy”)
• PWD (password)
• CARDHOLDERID

4.3. JWKS endpoint

4.3.1. Frequency of requests

The HUB will keep the signing keys in cache session with the corresponding kid value.

A call to the JWKS endpoint is done to retrieve the public key only in the following cases:

- On each restarting the application,

- On each renewing of the public key; when a new “kid” value is returned by OpenID Provider,

- Once a day to check the availability of the service.

4.3.2. Rotation of Asymmetric Signing Keys

Rotation of signing keys must be done every 2 years with the following approach.

The Bank OpenID Provider publishes its keys in a JWK Set at its jwks_uri location and includes the kid of the signing key in the JOSE Header of each message to indicate to the verifier which key is to be used to validate the signature.

Keys can be rolled over by adding new keys to the JWK Set at the JWKS endpoint.

The signer (OpenID provider) can begin using a new key at its discretion and signals the change to the verifier (HUB) using the kid value.

The HUB knows to go back to the jwks_uri location to re-retrieve the keys when it sees an unknown kid value.

The JWK Set document at the jwks_uri SHOULD retain recently decommissioned signing keys for a reasonable period of time to facilitate a smooth transition.

4.4. Provider Configuration endpoint

For details about the Provider Configuration endpoint implementation, see OpenID Connect Discovery documentation.

The claims used by the Authentication Hub are:

• issuer
• authorization_endpoint
• token_endpoint
• jwks_uri

All these claims are necessary. Any additional claim will be ignored.

Answer sample:

    
    HTTP/1.1 200 OK
    Content-Type: application/json
    {
    "issuer": "https://server.example.com",
    "authorization_endpoint": "https://server.example.com/connect/authorize",
    "token_endpoint": "https://server.example.com/connect/token",
    "jwks_uri": "https://server.example.com/jwks.json"