
OAuth 2 Endpoints

PSD2 API Developer Portal OAuth 2 Endpoints

The SCA workflows reference a number of endpoints defined in various OAuth 2-related specifications. This page summarizes the available endpoints, their roles, and their URLs.

The OAuth 2 endpoints are described in detail in an OpenAPI ("Swagger") Specification file, available from this portal.

Client Registration Endpoints

Client Registration Endpoints, implemented according to RFC 7591 and RFC 7592, allow TPPs to register OAuth 2 clients.

All calls to these endpoints must be authenticated with Mutual TLS with an X509 Client Certificate marked for Website Authentication.

Implementation notes:

  • Localization of the client name and logo image URLs is not implemented yet;
  • For token_endpoint_auth_method, two methods are defined for use by PSD2 TPPs:
    • one denotes that the TPP is authenticated by a valid eIDAS QWAC, and that the requested OAuth 2 scopes must match the rolesOfPSP element in the ETSI PSD2 qcStatement field of the Qualified Website Access Certificate;
    • the other denotes that any certificate issued by a CA that is qualified in the scope of eIDAS to deliver QWACs, or delivered by CREATIS for sandbox use (as documented in the Registration, Access to Sandbox APIs section), can be used; that method can be used only on the sandbox APIs.
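The QWAC-based method above ties the scopes a TPP may request to the PSD2 roles carried in its certificate. The following is an added example of that server-side check, not CREATIS code and not taken from the OpenAPI file: it assumes the rolesOfPSP values have already been extracted from the certificate's qcStatements extension (ETSI TS 119 495 role names), and it assumes a mapping from those roles to the scopes this page defines (PSP_AI to aisp and extended_transaction_history, PSP_PI to pisp, PSP_IC to cbpii), which is this example's reading of the page rather than something the page states explicitly.

```python
"""Server-side scope authorization against a QWAC's rolesOfPSP.

Added example, not CREATIS code. The role-to-scope mapping below is an
assumption derived from this page's scope list; extraction of rolesOfPSP from
the certificate's ETSI PSD2 qcStatement is assumed to happen elsewhere.
"""

# ETSI TS 119 495 PSD2 role identifiers -> OAuth 2 scopes this portal defines
# (assumed mapping, see lead-in). PSP_AS (account servicing) grants no TPP scope.
ROLE_TO_SCOPES = {
    "PSP_AI": {"aisp", "extended_transaction_history"},
    "PSP_PI": {"pisp"},
    "PSP_IC": {"cbpii"},
    "PSP_AS": set(),
}


def scopes_covered_by_roles(requested_scope: str, roles_of_psp) -> tuple[bool, set[str]]:
    """Return (allowed, missing_scopes) for a space-separated scope string.

    allowed is True only when every requested scope is covered by at least one
    role in the certificate. extended_transaction_history is only offered
    together with aisp on this page, so it is refused on its own.
    """
    requested = set(requested_scope.split())
    if not requested:
        return False, set()                      # empty scope is never authorized
    if "extended_transaction_history" in requested and "aisp" not in requested:
        return False, {"aisp"}                   # extension scope needs its base scope
    allowed = set()
    for role in roles_of_psp:
        allowed |= ROLE_TO_SCOPES.get(role, set())   # unknown roles grant nothing
    missing = requested - allowed
    return not missing, missing


if __name__ == "__main__":
    # Constructed sample: an AISP-only certificate asking for PISP access
    print(scopes_covered_by_roles("aisp pisp", ["PSP_AI"]))   # (False, {'pisp'})
```

The check returns the uncovered scopes so the registration or token endpoint can answer with a precise invalid_scope error while logging which role was missing, which is what an operator wants when a TPP's certificate roles and its registered client drift apart.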

Authorization Endpoints

The authorization endpoints are the entry point for the authorization code workflows, which, in the PSD2 context, are used to obtain the user's consent in an SCA process.

Authorization Endpoints are documented in RFC 6749; the parameters that we accept and require can be found in the OpenAPI Specification.

They require a valid OAuth 2 Client to be registered to function.

As these endpoints are not API endpoints but pages to which a Payment Service User's User Agent is redirected, they do not require Client Certificates.

User Grant Account Access Authorization Endpoints

These endpoints are to be used when asking the user for consent to share their data with the TPP, for both AISPs and CBPIIs.

AISPs can specify the following scopes:

  • aisp
  • aisp extended_transaction_history

CBPIIs can specify the following scope:

  • cbpii

The following endpoint URLs are available:

  • /oauth2/fr/sandbox/signin.html is the page that simulates a user granting access to a Third Party Payment Service Provider, for the sandbox environment;
  • /oauth2/fr/banque/oauth2_authorization.aspx is the URL for the banking environment, to which CREATIS PSUs should be redirected; after logging in, they are shown a page that asks them to grant the TPP access to their accounts;

These endpoints are also available in the following languages: fr

Payment Initiation and Cancellation Endpoints

In the target Payment Initiation and Cancellation Workflows, the initial redirection URL will be an OAuth 2 endpoint.

URLs for these endpoints will be communicated in the response body of API requests for Payment Initiation and Cancellation.

The possible scope values for these endpoints will be communicated when the target Payment Initiation and Cancellation workflows are finalized by the STET PSD2 API Working Groups.

Token Endpoint

The token endpoint is implemented according to OAuth 2 specifications.

Depending on the circumstances and use cases, it supports Authorization Code, Refresh Token, and Client Credentials OAuth 2 Grants.

All calls to that endpoint must be authenticated with Mutual TLS with an X509 Client Certificate marked for Website Authentication.

Token Endpoints are documented in RFC 6749.

Authorization Code Grants

Authorization Code Grants are used at the end of an Authorization Code workflow, to exchange an Authorization Code for an Access Token and a Refresh Token.

As such, the Token Endpoint is used in Authorization Code Grants in exactly the same use cases as the ones in which the Authorization Endpoint is used, with the same scopes.

Refresh Token Grants

Refresh Token Grants are used so that a TPP can obtain a new access token for a previously given consent, in cases where an SCA exemption applies.

As such, it is available for both AISPs (with scope aisp only) and CBPIIs (with scope cbpii).

Client Credentials Grants

Client Credentials Grants are used for TPPs that need to call APIs that do not require a user consent registered with an SCA prior to the call.

As such, it is available only for PISPs, with scope pisp.
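The sections above describe the TPP side of the flow: redirect the PSU to an authorization endpoint (no client certificate), receive the code on the TPP's callback, then call the token endpoint over mutual TLS with one of the three grants and the scopes allowed for each. The following is an added example of that client logic, not CREATIS code and not taken from the OpenAPI file. It assumes: placeholder host names, client id, callback URL and QWAC key pair paths; the standard RFC 6749 parameter names (response_type, client_id, redirect_uri, scope, state, grant_type, code, refresh_token), which must be confirmed against the portal's OpenAPI file; and a token endpoint path that the page does not give, so it is a labelled placeholder. The grant-to-scope rules are the ones this page states.

```python
"""TPP-side PSD2 OAuth 2 client logic for the endpoints described on this page.

Added example, not CREATIS code. Host names, client id, callback URL, key pair
paths and the token endpoint path are placeholders; parameter names are the
standard RFC 6749 ones (check the portal's OpenAPI file for the accepted set).
"""
import hmac
import http.client
import secrets
import ssl
from urllib.parse import parse_qs, urlencode, urlparse

# Scopes each token-endpoint grant may carry, as documented on this page
GRANT_SCOPES = {
    "authorization_code": {"aisp", "extended_transaction_history", "cbpii"},
    "refresh_token": {"aisp", "cbpii"},
    "client_credentials": {"pisp"},
}


def new_state() -> str:
    """Unguessable per-request state; store it in the PSU's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorization_url(base_url, path, client_id, redirect_uri, scope, state) -> str:
    """URL the PSU's user agent is redirected to (authorization endpoints need no client cert)."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": scope, "state": state})
    return f"{base_url}{path}?{query}"


def check_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to the TPP and return the authorization code.

    Refuses a state mismatch (a response not bound to this session), an error
    response from the authorization endpoint, and a callback without a code.
    """
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback is not bound to this session")
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def token_request_body(grant_type: str, client_id: str, **kw) -> dict:
    """Form body for the token endpoint, enforcing the grant/scope rules on this page."""
    body = {"grant_type": grant_type, "client_id": client_id}
    if grant_type == "authorization_code":
        body["code"] = kw["code"]
        body["redirect_uri"] = kw["redirect_uri"]   # must equal the one sent at authorization
    elif grant_type == "refresh_token":
        body["refresh_token"] = kw["refresh_token"]
    elif grant_type == "client_credentials":
        body["scope"] = kw["scope"]
    else:
        raise ValueError(f"unsupported grant_type {grant_type!r}")
    scope = kw.get("scope")
    if scope is not None:
        requested = set(scope.split())
        if not requested or not requested <= GRANT_SCOPES[grant_type]:
            raise ValueError(f"scope {scope!r} is not allowed for {grant_type}")
        body["scope"] = scope
    if grant_type == "client_credentials" and body.get("scope") != "pisp":
        raise ValueError("client_credentials is available only to PISPs, with scope pisp")
    return body


def post_token_request(host: str, token_path: str, body: dict, certfile: str, keyfile: str):
    """POST to the token endpoint over mutual TLS, presenting the TPP's QWAC.

    token_path is a placeholder argument: the real token endpoint URL is in the
    portal's OpenAPI file. Returns (status, raw response bytes); not run offline.
    """
    ctx = ssl.create_default_context()       # verifies the server certificate chain
    ctx.load_cert_chain(certfile, keyfile)   # presents the X.509 client certificate
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=10)
    conn.request("POST", token_path, body=urlencode(body),
                 headers={"Content-Type": "application/x-www-form-urlencoded",
                          "Accept": "application/json"})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, data


if __name__ == "__main__":
    # Placeholder values; the sandbox sign-in page path is the one listed on this page
    state = new_state()
    print(build_authorization_url("https://SANDBOX_HOST_PLACEHOLDER", "/oauth2/fr/sandbox/signin.html",
                                  "CLIENT_ID_PLACEHOLDER", "https://tpp.example/callback",
                                  "aisp extended_transaction_history", state))
```

Two design points worth noting: the state comparison uses a constant-time compare and is performed before anything else, so an attacker-supplied callback is rejected before its code or error values are interpreted; and the grant/scope table is enforced on the client as well, so a misconfigured TPP gets a local error rather than an opaque invalid_scope response from the token endpoint.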

Token Revocation Endpoint

A Token Revocation endpoint implemented according to RFC 7009 will be available for TPPs to revoke issued access and refresh tokens.

All calls to that endpoint must be authenticated with Mutual TLS with an X509 Client Certificate marked for Website Authentication.