...
Redirect + decoupled + decoupled (ErsteGroup/Sparkasse AT banks)
...
| Info |
|---|
| This example illustrates a case where a bank requires multiple SCAs to be confirmed by the end-user. The diagram below shows that the flow contains several optional steps. The client application must therefore always check the status returned by the API and react to it, rather than assuming a fixed sequence of steps. |
...
Step | HTTP(S) message
---|---
Step #1 Mandatory request fields
Explanation The client application loads the bank chosen by the end-user (“Erste Group Bank AG” in this case). The application then asks the end-user for credentials if the bank interface requires them (this bank has no login fields). The application also checks whether the chosen bank interface has |
Step #2 How to recognize the step Field Mandatory response fields of
Explanation The API builds a redirect URL that routes the end-user to a page on the bank's side, where the user completes the authentication process. At this step the client application should store the values from |
Step #3 The client application should redirect the end-user to the given redirectUrl. Example
Step #4 When the end-user successfully completes the authentication process on the bank's side, the bank redirects them to the URL given in step #1 and appends additional data to it as query parameters. The most important part for the client application is this Example
Step #5 Mandatory request fields
Explanation The client application submits a query string as a value of |
Step #6 How to recognize the step Field Mandatory response fields of
Explanation The bank does not let the end-user choose an SCA method but requires a decoupled authentication, so the API responds with this error. The client application should notify the end-user that the bank will send a notification. |
Step #7 Mandatory request fields
Explanation The client application asks the API to continue the authentication process and send a notification to the end-user. Value of |
Step #8 How to recognize the step Field Mandatory response fields of
Explanation The API returns this error while the authentication has not yet been completed on the bank's side. The client application should keep repeating step #7 for as long as the API returns this error, rather than treating it as a failure. |
Step #9 Mandatory request fields
Explanation The client application asks the API to continue the authentication process and send a notification to the end-user. Value of |
Step #10 How to recognize the step Field Mandatory response fields of
Explanation This bank requires the decoupled authentication twice. The client application should again notify the end-user that the bank will send a notification. |
Step #11 Mandatory request fields
Explanation The client application asks the API to continue the authentication process and send a notification to the end-user. Value of |
Step #12 How to recognize the step Field Mandatory response fields of
Explanation The API returns this error while the authentication has not yet been completed on the bank's side. The client application should keep repeating step #11 for as long as the API returns this error. |
Step #13 Mandatory request fields
Explanation The client application asks the API to continue the authentication process and send a notification to the end-user. Value of |
Step #14 The API completes the import process and returns a bank connection resource.
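The following is an added example written for this page, not the API vendor's own SDK or code. It shows the client-application side of the flow above as a status-driven loop: the callback from the bank is bound to an import the application actually started, the bank's query string is forwarded unchanged, and every API answer is branched on, so a flow with one, two or more decoupled SCAs and any number of "still pending" answers is handled by the same code. The API and the bank are replaced by a constructed fake (`FakeBankApi`) that replays the redirect + decoupled + decoupled sequence; the status names `REDIRECT_REQUIRED`, `DECOUPLED_REQUIRED`, `PENDING` and `COMPLETED`, the `redirectUrl` field and the `state` parameter are assumptions for this example and not the real API's fields.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class ApiResponse:
    # Assumed status vocabulary for this example. The real API signals these
    # steps through its own response codes and fields, which are not shown here.
    status: str
    data: dict = field(default_factory=dict)


class FakeBankApi:
    """Constructed stand-in for the API plus the bank (not a real client).

    Replays the sequence on this page: a redirect first, then a decoupled SCA
    that stays PENDING for a while, then a second decoupled SCA, then
    completion. The shape is configurable so the client loop can be exercised
    against flows with more or fewer optional steps.
    """

    def __init__(self, decoupled_rounds=2, pending_per_round=2):
        script = []
        for _ in range(decoupled_rounds):
            script.append("DECOUPLED_REQUIRED")
            script.extend(["PENDING"] * pending_per_round)
        script.append("COMPLETED")
        self._script = iter(script)
        self.continue_calls = 0
        self._redirect_url = None

    def import_connection(self, bank_id, redirect_url):
        self._redirect_url = redirect_url
        # Constructed bank URL; the real one comes from the step #2 response.
        return ApiResponse("REDIRECT_REQUIRED", {"redirectUrl": "https://bank.example/sca"})

    def bank_callback_url(self):
        # What the bank appends when it sends the browser back (constructed).
        return f"{self._redirect_url}&code=abc123&bankSession=xyz"

    def submit_callback(self, query_string):
        return ApiResponse(next(self._script))

    def continue_authentication(self):
        self.continue_calls += 1
        return ApiResponse(next(self._script))


class ImportClient:
    """Client-application side: binds the callback to an import it started and
    branches on every response instead of assuming a fixed step order."""

    def __init__(self, api, callback_base="https://app.example/callback", max_polls=10):
        self.api = api
        self.callback_base = callback_base
        self.max_polls = max_polls      # bound on consecutive PENDING answers
        self.pending = {}               # state -> bank_id (server-side session in real code)
        self.notifications = []         # what the UI would tell the end-user

    def start(self, bank_id):
        # Step #1: a fresh random `state` in the redirect URL ties the later
        # callback to this import (assumption: the API uses the URL unchanged).
        state = secrets.token_urlsafe(16)
        self.pending[state] = bank_id
        resp = self.api.import_connection(bank_id, f"{self.callback_base}?state={state}")
        if resp.status != "REDIRECT_REQUIRED":
            raise RuntimeError(f"unexpected first response: {resp.status}")
        return resp.data["redirectUrl"]  # step #3: send the browser here

    def handle_callback(self, callback_url):
        # Steps #4/#5: reject callbacks that do not match a pending import, then
        # forward the bank's whole query string without interpreting it.
        parts = urlsplit(callback_url)
        state = parse_qs(parts.query).get("state", [None])[0]
        if state is None or state not in self.pending:
            raise PermissionError("callback does not belong to a pending import")
        del self.pending[state]
        return self._drive(self.api.submit_callback(parts.query))

    def _drive(self, resp):
        # Steps #6-#14: react to whatever the API returns; a decoupled request
        # may appear any number of times, and PENDING is not a failure.
        pending_polls = 0
        while True:
            if resp.status == "COMPLETED":
                return "COMPLETED"
            if resp.status == "DECOUPLED_REQUIRED":
                self.notifications.append("Confirm the request in your banking app")
                pending_polls = 0
            elif resp.status == "PENDING":
                pending_polls += 1
                if pending_polls > self.max_polls:
                    return "TIMED_OUT"
            else:
                return f"FAILED:{resp.status}"
            resp = self.api.continue_authentication()  # steps #7/#9/#11/#13


def run_example(decoupled_rounds=2, pending_per_round=2, max_polls=10):
    api = FakeBankApi(decoupled_rounds, pending_per_round)
    client = ImportClient(api, max_polls=max_polls)
    client.start("erste-group-bank-ag")  # constructed bank identifier
    result = client.handle_callback(api.bank_callback_url())
    return result, api.continue_calls, len(client.notifications)


if __name__ == "__main__":
    print(run_example())  # ('COMPLETED', 6, 2)
```

A production client would sleep between the `continue_authentication` calls (the bank needs time to see the user's confirmation) and would keep the `pending` map in a server-side session store; the point of the loop is that the number of decoupled rounds and pending answers is decided by each response, not hard-coded from this example.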
For unlicensed mandators (web form)
Embedded approach
| Info |
|---|
| When applicable? If a bank interface has neither |
...
Step | HTTP(S) request
---|---
Step #1 Mandatory request fields
Explanation The client application loads the bank chosen by the end-user and then calls the “Import a bank connection” REST service. |
Step #2 How to recognize the step
Mandatory response fields:
Explanation Because of the mandator's license type, the client application is not allowed to handle the user's credentials itself, so the web form handles the whole import process. The client application should store the web form ID (field |
Step #3 Optional parameters:
Explanation The end-user should open the web form in order to continue the import process. This may take several steps: entering the user's credentials and account references (IBANs), selecting an SCA method and providing a challenge response. Example
Step #4 When the end-user successfully completes the authentication process in the web form, they are either redirected back to the client's application (if the .
Step #5 Mandatory request fields
Explanation Since the web form never shows error messages to the end-user, being redirected back does not mean the import succeeded; the client application should check the result of the import itself. |
Step #6 Explanation The response includes the actual service response code/body.
Redirect approach
| Info |
|---|
| When applicable? If a bank interface has |
...
Step | HTTP(S) message
---|---
Step #1 Mandatory request fields
Explanation The client application loads the bank chosen by the end-user. The application should then forward the end-user to the given web form to proceed with the authentication. If the bank requires credentials and/or account references to be prompted, the end-user must provide them in the web form. |
Step #2 How to recognize the step
Mandatory response fields:
Explanation Because of the mandator's license type, the client application is not allowed to handle the user's credentials itself, so the web form handles the whole import process. The client application should store the web form ID (field message) and simply redirect the end-user to the URL given in the Location header. |
Step #3 Optional parameters:
Explanation The end-user should open the web form in order to continue the import process. This includes being redirected to the bank's website and completing the authentication challenge there. Example
Step #4 The web form automatically redirects the end-user to the bank's website.
Step #5 When the end-user successfully completes the authentication process on the bank's side, they are redirected back to the web form.
Step #6 When the end-user successfully completes the authentication process in the web form, they are redirected back to the client's application.
Step #7 Mandatory request fields
Explanation Since the web form never shows error messages to the end-user, being redirected back does not mean the import succeeded; the client application should check the result of the import itself. |
Step #8 Explanation The response includes the actual service response code/body.
Decoupled approach
| Info |
|---|
| When applicable? If a bank interface has |
...
Step | HTTP(S) message
---|---
Step #1 Mandatory request fields
Explanation The client application loads the bank chosen by the end-user. The application should then forward the end-user to the given web form to proceed with the authentication. If the bank requires credentials and/or account references to be prompted, the end-user must provide them in the web form. |
Step #2 How to recognize the step
Mandatory response fields:
Explanation Because of the mandator's license type, the client application is not allowed to handle the user's credentials itself, so the web form handles the whole import process. The client application should store the web form ID (field message) and simply redirect the end-user to the URL given in the Location header. |
Step #3 Optional parameters:
Explanation The end-user should open the web form in order to continue the import process. This may take several steps: entering the user's credentials and account references (IBANs), selecting an SCA method and providing a challenge response. Example
Step #4 When the end-user successfully completes the authentication process in the web form, they are redirected back to the client's application.
Step #5 Mandatory request fields
Explanation Since the web form never shows error messages to the end-user, being redirected back does not mean the import succeeded; the client application should check the result of the import itself. |
Step #6 Explanation The response includes the actual service response code/body.
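All three web-form variants above (embedded, redirect and decoupled) end with the same two steps: the browser comes back to the client application, and the application then asks the API whether the import actually succeeded, because the web form never shows errors to the end-user. The following added example, written for this page and not taken from the API vendor, shows that confirmation step done safely: the web form ID is taken from the application's own session (recorded when the form was created), never from the redirect URL the browser presents, and the stored service response code/body decides the outcome. The API is replaced by a constructed fake; the `WebFormStatus` fields, the status values and the endpoint name are assumptions for this example, not the real API's names.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class WebFormStatus:
    # Assumed shape of the "check the web form" response for this example; the
    # real API's field names are not shown on this page.
    web_form_id: str
    status: str                           # e.g. COMPLETED / ABORTED / NOT_YET_OPENED (assumed)
    service_response_code: Optional[int]  # HTTP code of the underlying import call
    service_response_body: Optional[dict]


class FakeWebFormApi:
    """Constructed stand-in for the web-form status call."""

    def __init__(self, records):
        self._records = {r.web_form_id: r for r in records}

    def get_web_form(self, web_form_id):
        if web_form_id not in self._records:
            raise LookupError(f"unknown web form {web_form_id}")
        return self._records[web_form_id]


class ReturnHandler:
    """Client-application side of step #2 (store the ID) and the final check."""

    def __init__(self, api):
        self.api = api
        self._pending = {}  # session id -> web form id recorded at step #2

    def remember(self, session_id, web_form_id):
        self._pending[session_id] = web_form_id

    def on_return(self, session_id):
        # Being redirected back proves nothing: use the ID stored in the user's
        # own session (never one taken from the redirect URL) and ask the API.
        web_form_id = self._pending.pop(session_id, None)
        if web_form_id is None:
            return ("REJECTED", "no web form pending for this session")
        st = self.api.get_web_form(web_form_id)
        if st.status != "COMPLETED":
            return ("INCOMPLETE", st.status)
        if st.service_response_code is None or not 200 <= st.service_response_code < 300:
            # The form never showed this error to the user; the application must.
            return ("FAILED", st.service_response_body)
        return ("IMPORTED", st.service_response_body)


# Constructed records covering success, a failed import and an unfinished form.
SAMPLE_RECORDS = [
    WebFormStatus("wf-ok", "COMPLETED", 201, {"id": 4711, "bank": "example"}),
    WebFormStatus("wf-bad", "COMPLETED", 422, {"errors": [{"message": "Invalid IBAN"}]}),
    WebFormStatus("wf-open", "NOT_YET_OPENED", None, None),
]


def run_example():
    handler = ReturnHandler(FakeWebFormApi(SAMPLE_RECORDS))
    for session, wf in (("s1", "wf-ok"), ("s2", "wf-bad"), ("s3", "wf-open")):
        handler.remember(session, wf)
    return {
        "s1": handler.on_return("s1"),
        "s2": handler.on_return("s2"),
        "s3": handler.on_return("s3"),
        "s4": handler.on_return("s4"),        # nothing pending: forged or stray return
        "s1-again": handler.on_return("s1"),  # replayed return for a finished session
    }


if __name__ == "__main__":
    for session, outcome in run_example().items():
        print(session, outcome)
```

The `pop` in `on_return` makes each return single-use, so a replayed or forged redirect cannot re-trigger the import handling, and the three-way split (incomplete form, completed form with a failed service call, completed form with a 2xx service response) is exactly the distinction the page's final step asks the client application to make.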