The SCA workflows reference a number of endpoints defined in various OAuth 2-related specifications. Here is a summary of the available endpoints, their roles, and their URLs.
The OAuth 2 endpoints are described in detail in an OpenAPI ("Swagger") Specification file (see: View the OpenAPI Specification).
Client Registration Endpoints
Client Registration Endpoints, implemented according to RFC 7591 and RFC 7592, allow TPPs to register OAuth 2 clients.
All calls to these endpoints must be authenticated with Mutual TLS, using an X.509 Client Certificate marked for Website Authentication.
Implementation notes:
- Localization of client name and logo image URLs is not implemented yet;
- For token_endpoint_auth_method, the method to use is tls_client_auth, as defined by the Mutual-TLS Client Authentication IETF Draft.
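The following is an added example (not CREATIS code) of what a TPP-side registration call looks like under the rules above: an RFC 7591 client metadata document with token_endpoint_auth_method fixed to tls_client_auth, sent over a TLS connection that presents the TPP's X.509 client certificate. The registration endpoint URL, the certificate and key file names, and the set of metadata fields (taken from RFC 7591) are assumptions; the real URL and accepted fields are in the OpenAPI Specification.

```python
"""Added example (not CREATIS code): RFC 7591 client registration over mutual TLS.

Assumptions: REGISTRATION_ENDPOINT and the certificate/key file names are
placeholders; the metadata fields are the standard RFC 7591 ones.
"""
import http.client
import json
import ssl
from urllib.parse import urlparse

# Placeholder: the real registration URL is in the OpenAPI Specification.
REGISTRATION_ENDPOINT = "https://registration.example.invalid/oauth2/register"

KNOWN_GRANTS = {"authorization_code", "refresh_token", "client_credentials"}


def build_registration_request(client_name, redirect_uris, scopes,
                               grant_types=("authorization_code", "refresh_token"),
                               logo_uri=None):
    """Build the RFC 7591 client metadata document.

    token_endpoint_auth_method is always tls_client_auth because the page
    states that this is the method to use.
    """
    if not redirect_uris:
        raise ValueError("at least one redirect_uri is required")
    for uri in redirect_uris:
        parsed = urlparse(uri)
        # An authorization code is delivered to the redirect URI; refuse
        # anything that is not an absolute https URL.
        if parsed.scheme != "https" or not parsed.netloc or parsed.fragment:
            raise ValueError(f"redirect_uri must be an absolute https URL without fragment: {uri}")
    unknown = set(grant_types) - KNOWN_GRANTS
    if unknown:
        raise ValueError(f"unsupported grant_types: {sorted(unknown)}")
    metadata = {
        "client_name": client_name,
        "redirect_uris": list(redirect_uris),
        "token_endpoint_auth_method": "tls_client_auth",
        "grant_types": list(grant_types),
        "response_types": ["code"],
        "scope": " ".join(scopes),
    }
    if logo_uri:
        metadata["logo_uri"] = logo_uri  # not localized, as the page notes
    return metadata


def make_mtls_context(cert_file, key_file, ca_file=None):
    """TLS context that presents the TPP's X.509 client certificate."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def register_client(metadata, ctx, endpoint=REGISTRATION_ENDPOINT):
    """POST the metadata over mutual TLS and return the parsed RFC 7591 response."""
    url = urlparse(endpoint)
    conn = http.client.HTTPSConnection(url.netloc, context=ctx, timeout=10)
    try:
        conn.request("POST", url.path, body=json.dumps(metadata),
                     headers={"Content-Type": "application/json",
                              "Accept": "application/json"})
        resp = conn.getresponse()
        body = json.loads(resp.read() or b"{}")
    finally:
        conn.close()
    # RFC 7591: 201 Created on success. The response carries client_id and,
    # with RFC 7592, registration_access_token / registration_client_uri,
    # which must be stored as secrets: they control the client's own record.
    if resp.status != 201:
        raise RuntimeError(f"registration failed: {resp.status} {body.get('error')}")
    return body


if __name__ == "__main__":
    # Placeholder file names; the TPP's own certificate and key go here.
    tls = make_mtls_context("tpp-qwac.pem", "tpp-qwac.key")
    print(register_client(build_registration_request(
        "Example TPP", ["https://tpp.example/callback"], ["aisp"]), tls))
```

The metadata builder is the part worth checking locally before any registration is attempted: it fails early on a non-HTTPS redirect URI and on a grant type the token endpoint does not offer, rather than letting the server reject a malformed registration.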
Authorization Endpoints
The authorization endpoints are used as the entry point for the authorization code workflows, which, in the PSD2 context, are used so that the PSU can grant access to the TPP in an SCA process.
Authorization Endpoints are documented in RFC 6749; the parameters that we accept and require can be found in the OpenAPI Specification.
They require a valid OAuth 2 Client to be registered in order to function.
As these endpoints are not API endpoints but pages to which a Payment Service User's User Agent is redirected, they do not require Client Certificates.
User Grant Account Access Authorization Endpoints
This URL is to be used when asking the user to grant the TPP access to their data, for both AISPs and CBPIIs.
AISPs can specify one of the following scopes:
- aisp
- aisp extended_transaction_history
CBPIIs can specify the following scope:
- cbpii
The following endpoint URLs are available:
- https://www.creatis.fr/oauth2/{lang}/sandbox/signin.html is the page that simulates a user granting access to a Third Party Payment Service Provider, for the sandbox environment;
- https://www.creatis.fr/oauth2/{lang}/banque/oauth2_authorization.aspx is the URL for the banking environment, to which CREATIS PSUs should be redirected; after logging in, they are shown a page that asks them to grant the TPP access to their accounts.
The {lang} tag can be replaced by one of the following values: fr
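As an added example (not CREATIS code), here is the TPP side of the authorization code entry point described above: building the redirect to the sandbox or banking URL with one of the listed scopes, and checking the redirect back to the TPP before the code is used. The client_id and redirect_uri values are placeholders, and the parameter set (response_type, client_id, redirect_uri, scope, state) is the standard RFC 6749 one; the exact accepted and required parameters are those in the OpenAPI Specification.

```python
"""Added example (not CREATIS code): authorization request and callback check
for the User Grant Account Access endpoints.

Assumptions: client_id/redirect_uri are placeholders; parameters are the
standard RFC 6749 set; 'fr' is the only {lang} value the page lists.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

SANDBOX_AUTHZ = "https://www.creatis.fr/oauth2/{lang}/sandbox/signin.html"
BANK_AUTHZ = "https://www.creatis.fr/oauth2/{lang}/banque/oauth2_authorization.aspx"
SUPPORTED_LANGS = {"fr"}

# Scopes each TPP role may request, as listed on the page.
ALLOWED_SCOPES = {
    "aisp": {"aisp", "aisp extended_transaction_history"},
    "cbpii": {"cbpii"},
}


def build_authorization_request(role, scope, client_id, redirect_uri, *,
                                sandbox=True, lang="fr"):
    """Return (authorization URL, state) for the PSU's user agent.

    The state value must be stored in the TPP's session and compared on the
    way back; it is what stops a forged callback from being accepted.
    """
    if scope not in ALLOWED_SCOPES.get(role, set()):
        raise ValueError(f"scope {scope!r} is not valid for role {role!r}")
    if lang not in SUPPORTED_LANGS:
        raise ValueError(f"unsupported {{lang}} value {lang!r}")
    state = secrets.token_urlsafe(32)  # unguessable, one per authorization attempt
    base = (SANDBOX_AUTHZ if sandbox else BANK_AUTHZ).format(lang=lang)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return base + "?" + urlencode(params), state


def parse_callback(callback_url, expected_state):
    """Return the authorization code from the redirect back, or raise.

    Order matters: the state is verified before anything else is trusted,
    so neither an error nor a code from an unmatched callback is acted on.
    """
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    if "error" in query:
        # RFC 6749 error response (e.g. access_denied when the PSU refuses).
        raise ValueError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries neither code nor error")
    return code


if __name__ == "__main__":
    url, state = build_authorization_request(
        "aisp", "aisp", "tpp-client-id", "https://tpp.example/callback")
    print("redirect PSU to:", url)
    # Constructed callback, as the sandbox page would send it after consent.
    print("code:", parse_callback(
        f"https://tpp.example/callback?code=CONSTRUCTED_CODE&state={state}", state))
```

The state check uses a constant-time comparison and runs before the error and code parameters are read, so a callback that does not belong to the pending session is dropped whatever else it carries.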
Payment Initiation and Cancellation Endpoints
In the target Payment Initiation and Cancellation Workflows, the initial redirection URL will be an OAuth 2 endpoint.
URLs for these endpoints will be communicated in the response body of API requests for Payment Initiation and Cancellation.
The possible scope values for these endpoints will be communicated when the target Payment Initiation and Cancellation workflows are finalized by the STET PSD2 API Working Groups.
Token Endpoint
The token endpoint is implemented according to OAuth 2 specifications.
Depending on the circumstances and use cases, it supports Authorization Code, Refresh Token, and Client Credentials OAuth 2 Grants.
All calls to that endpoint must be authenticated with Mutual TLS, using an X.509 Client Certificate marked for Website Authentication.
Token Endpoints are documented in RFC 6749.
Authorization Code Grants
Authorization Code Grants are used at the end of an Authorization Code workflow, to exchange an Authorization Code for an Access Token and a Refresh Token.
As such, the Token Endpoint is used in Authorization Code Grants in exactly the same use cases as the ones in which the Authorization Endpoint is used, with the same scopes.
Refresh Token Grants
Refresh Token Grants are used so that a TPP can obtain a new access token for a PSU who has previously granted access to their data, in cases where an SCA exemption applies.
As such, it is available for both AISPs (with scope aisp only) and CBPIIs (with scope cbpii).
Client Credentials Grants
Client Credentials Grants are used for TPPs that need to call APIs that do not require access to PSU data; in other words, in these cases there is no need for an SCA process in which a PSU grants access to the TPP.
As such, it is available only for PISPs, with scope pisp.
Token Revocation Endpoint
A Token Revocation endpoint implemented according to RFC 7009 is available for TPPs to revoke issued access and refresh tokens.
Note that revocation of a refresh token will also trigger the revocation of all associated access tokens.
All calls to that endpoint must be authenticated with Mutual TLS, using an X.509 Client Certificate marked for Website Authentication.
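The token endpoint and the revocation endpoint share the same client-side rules, so one added example (not CREATIS code) covers both: it builds the three grant requests with the scope restrictions the page states (aisp or cbpii on refresh, pisp only on client credentials, no scope of its own on the code exchange), validates the token response, builds the RFC 7009 revocation request, and drops cached tokens accordingly, including every access token tied to a revoked refresh token. The endpoint URLs are placeholders (the real ones are in the OpenAPI Specification); the mutual TLS transport required by the page is the same as for client registration and is not repeated here.

```python
"""Added example (not CREATIS code): token endpoint and revocation requests
with the grant/scope rules described on this page.

Assumptions: TOKEN_ENDPOINT and REVOCATION_ENDPOINT are placeholders; the
requests are sent over mutual TLS with the TPP's client certificate (not shown).
"""
import time
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://api.example.invalid/oauth2/token"        # placeholder
REVOCATION_ENDPOINT = "https://api.example.invalid/oauth2/revoke"  # placeholder

# Scope each grant may request, per the page. The authorization code grant
# carries no scope of its own: it inherits the authorization request's scope.
GRANT_SCOPES = {
    "authorization_code": set(),
    "refresh_token": {"aisp", "cbpii"},
    "client_credentials": {"pisp"},
}


def build_token_request(grant_type, client_id, *, code=None, redirect_uri=None,
                        refresh_token=None, scope=None):
    """Return (url, form-encoded body) for a token endpoint call."""
    if grant_type not in GRANT_SCOPES:
        raise ValueError(f"unsupported grant_type {grant_type!r}")
    if scope is not None and scope not in GRANT_SCOPES[grant_type]:
        raise ValueError(f"scope {scope!r} is not allowed with {grant_type}")
    # With tls_client_auth the certificate authenticates the client, but the
    # Mutual-TLS client authentication spec (now RFC 8705) still requires
    # client_id in the body so the server can match certificate and client.
    params = {"grant_type": grant_type, "client_id": client_id}
    if grant_type == "authorization_code":
        if not (code and redirect_uri):
            raise ValueError("authorization_code grant needs code and redirect_uri")
        params["code"] = code
        params["redirect_uri"] = redirect_uri  # must equal the one in the authz request
    elif grant_type == "refresh_token":
        if not refresh_token:
            raise ValueError("refresh_token grant needs refresh_token")
        params["refresh_token"] = refresh_token
    if scope:
        params["scope"] = scope
    return TOKEN_ENDPOINT, urlencode(params)


def parse_token_response(body, now=None):
    """Validate an RFC 6749 token response and compute an absolute expiry."""
    now = time.time() if now is None else now
    if "error" in body:
        raise ValueError(f"token request rejected: {body['error']}")
    if str(body.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unexpected token_type {body.get('token_type')!r}")
    expires_in = int(body.get("expires_in", 0))
    if expires_in <= 0:
        raise ValueError("token response without a usable expires_in")
    return {
        "access_token": body["access_token"],
        "refresh_token": body.get("refresh_token"),
        "scope": body.get("scope"),
        # Refresh a little early so clock skew does not produce a 401 mid-call.
        "expires_at": now + expires_in - 30,
    }


def build_revocation_request(token, token_type_hint):
    """Return (url, form-encoded body) for an RFC 7009 revocation call."""
    if token_type_hint not in ("access_token", "refresh_token"):
        raise ValueError("token_type_hint must be access_token or refresh_token")
    return REVOCATION_ENDPOINT, urlencode({"token": token,
                                          "token_type_hint": token_type_hint})


def forget_revoked(token_sets, token, token_type_hint):
    """Drop cached tokens made invalid by a revocation.

    Revoking a refresh token also revokes all access tokens associated with
    it (stated on this page), so the whole token set is discarded then.
    Revoking a single access token leaves its refresh token usable.
    """
    kept = []
    for ts in token_sets:
        if token_type_hint == "refresh_token" and ts.get("refresh_token") == token:
            continue
        if token_type_hint == "access_token" and ts.get("access_token") == token:
            ts = dict(ts, access_token=None)
        kept.append(ts)
    return kept
```

The scope table is the part to keep in step with the page: a refresh request for pisp, or a client credentials request for aisp, is refused before it reaches the endpoint, which keeps misconfigured TPP code from producing a stream of invalid_scope errors in the bank's logs.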