Note. ConnectPay does not provide APIs to create and authorize Consent directly. Consent is created in the ConnectPay Auth Web App, to which the PSU must be redirected via the Get Secured Authorization API.
To get the PSD2 AIS Consent authorization URL, TPP must provide these parameters:
- flowId – use value CreateAndAuthorizePSD2AISConsent
- TPP-Redirect-URI – callback URL to which the Person should be redirected back after authentication and authorization. The hostname in the parameter will be validated against the callback URL list provided by TPP in the APP configuration at the Developer Portal. Your callback URL cannot contain query parameters. There are no restrictions on path composition.
- PSU-IP-Address – IP address of the PSU
Sample Request
curl --location --request POST 'https://api-stage.connectpay.com/auth/v1/oauth2/code' \
--header 'Accept: application/json;version=2' \
--header 'Content-Type: application/json' \
--header 'X-Request-ID: 7ddf730a-d94e-40d4-8f25-1d654b5af404' \
--header 'Authorization: Bearer b7b4e589-1418-3046-b804-c3ad92bed247' \
--data-raw '{
"flowId": "CreateAndAuthorizePSD2AISConsent",
"TPP-Redirect-URI": "https://localhost/LKpQA0IRO5TqJB",
"PSU-IP-Address": "12.156.12.214" }'
Sample Response
The response body will contain the URL to which the PSU must be redirected for authentication and Consent authorization. The generated URL is valid for one use only and cannot be reused.
{
"_links": {
"scaRedirect": {
"href": "https://auth-stage.connectpay.com/auth/redirect?flowId=CreateAndAuthorizePSD2AISConsent&ApplicationId=b6d45a84-498a-3d98-af7c-64ae75d8d30a&redirectUrl=https://localhost&nonce=d867ed99-876f-4e88-9947-d5e353a7cccd"
}
}
}
Consent authorization flow
Login
When redirected, PSU will have to log in using his/her ConnectPay credentials.
As TPP will use an Access Token issued to a certain Person/Customer pair, the Person will not be asked to select the Customer.
Depending on existing Consent status, the Person will be presented with one of 3 options:
Option 1 – No Consent – create new
If PSU does not have valid Consent (never gave Consent or Consent expired), PSU will be asked to create one with predefined options:
- Access to all accounts
- Maximal validity duration (90 days)
- Multiple usage
PSU must confirm the Consent by entering an OTP. Consent will be created and authorized in the same procedure.
Option 2 – Existing valid Authorized Consent
In rare cases, Consent can exist, but TPP may not have a record of it on their system and may ask PSU to consent again. If there is a valid Consent registered at ConnectPay, PSU will be presented with details of existing Consent and redirected back to TPP with ConsentId in URL.
As valid Consent already exists, no new Consent is generated and authorization is not required.
Option 3 – Created, but not authorized Consent
In rare cases, Consent could be created but not authorized. In such a case, PSU will be presented with the details of the existing Consent and will be asked to authorize it or create a new one:
- If PSU chooses to Create new, the existing Consent will be revoked, and a new Consent will be created and authorized following the same flow as Option 1 – No Consent – create new.
- If PSU chooses to use Existing Consent, PSU will have to authorize it by entering an OTP.
Redirect back to TPP
After the Consent authorization procedure, PSU will be presented with a Status page. When PSU presses the Back to TPP button, he/she will be redirected back to TPP. The callback URL will contain the ConsentId that must be used in AIS API calls along with the Access Token.
Sample callback URL
https://app.tpp.com/callback/?consentid=2f632262-0a87-47f6-8f59-abbbffb47851&flowId=CreateAndAuthorizePSD2AISConsent
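
A TPP-side sketch of the two checks this flow implies, added here as an example and not ConnectPay's own code: a pre-flight check of TPP-Redirect-URI against the rules listed above, and strict parsing of the callback before the ConsentId is stored or used. The function names, the https-only rule and the assumption that ConsentId is always a UUID (as in the sample) are assumptions of this example.

```python
import uuid
from urllib.parse import urlsplit, parse_qs

EXPECTED_FLOW = "CreateAndAuthorizePSD2AISConsent"  # flowId value from the page

def check_redirect_uri(uri, registered_hosts):
    """Pre-flight check of TPP-Redirect-URI before calling the API (hypothetical helper)."""
    parts = urlsplit(uri)
    if parts.scheme != "https":  # assumption: TPP policy, not stated on the page
        raise ValueError("redirect URI must use https")
    if parts.hostname not in registered_hosts:  # mirrors the Developer Portal callback list
        raise ValueError("hostname not in the registered callback list")
    if parts.query:  # page: callback URL cannot contain query parameters
        raise ValueError("redirect URI must not contain query parameters")
    return uri

def parse_consent_callback(url, expected_host):
    """Return the ConsentId from a callback URL, or raise ValueError (hypothetical helper)."""
    parts = urlsplit(url)
    if parts.hostname != expected_host:
        raise ValueError("callback arrived on an unexpected host")
    params = parse_qs(parts.query, keep_blank_values=True)
    # Reject missing or duplicated parameters instead of silently picking one.
    for name in ("consentid", "flowId"):
        if len(params.get(name, [])) != 1:
            raise ValueError(f"expected exactly one {name} parameter")
    if params["flowId"][0] != EXPECTED_FLOW:
        raise ValueError("callback belongs to a different flow")
    raw = params["consentid"][0]
    try:
        consent_id = uuid.UUID(raw)  # assumption: ConsentId is a UUID, as in the sample
    except ValueError:
        raise ValueError("consentid is not a UUID") from None
    if str(consent_id) != raw.lower():  # refuse braces, urn: prefixes, missing hyphens
        raise ValueError("consentid is not in canonical form")
    return str(consent_id)

if __name__ == "__main__":
    # Sample callback URL taken from the page above.
    sample = ("https://app.tpp.com/callback/?consentid=2f632262-0a87-47f6-8f59-abbbffb47851"
              "&flowId=CreateAndAuthorizePSD2AISConsent")
    print(parse_consent_callback(sample, "app.tpp.com"))
```

Running the ConsentId through a strict parser before it reaches storage or an AIS API call keeps attacker-supplied query strings on the callback endpoint from being treated as a consent reference.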