Open API for FSP Interoperability - Change Request
The sharing of account information from a DFSP to a PISP can only occur after the Party has explicitly granted permission for it. This requirement is outlined in the open banking standard guidelines. The current API doesn't directly support this.
It is suggested that the existing authentication API flows (i.e. using /tppConsentRequests and /tppConsents) are adjusted so that they can be used for obtaining account information for a party.
1.1 Change Request Information
Requested By: Paul Baker, INFITX
Change Request Status: In review ☐ / Approved ☐ / Rejected ☐
Approved/Rejected Date:
1.2 Document Version Information
| Version | Date | Author | Change Description |
|---|---|---|---|
| 1.0 | 2023-06-01 | Paul Baker | Initial version. |
2. Problem Description
___
2.1 Background
The sharing of account information from a DFSP to a Third Party Provider can only occur after the Party has explicitly granted permission for it. Versions 1.0 and 2.0 of the current third party API do not support obtaining this consent directly, so it would have to be obtained out of band.
In the API documentation, account linking discovery occurs before /tppConsentRequests and /tppConsents are called.
It is suggested that the existing authentication API flows (i.e. using /tppConsentRequests and /tppConsents) are adjusted so that they can be used for obtaining account information for a party.
Example: GET /tppAccounts/{userId} can only be fulfilled by the DFSP after the Party provides consent to the DFSP for this.
2.2 Current Behaviour
The current /tppConsentRequests API requires:
- accounts to be provided with actions (this cannot be provided as the account information has not yet been obtained),
- consents that are once off.

Example: It is not possible to create a once off consent to obtain account information from a DFSP using /tppConsentRequests and /tppConsents.
2.3 Requested Behaviour
The third party discovery call before account linking may not be required for the web auth flow, as the selected account could be returned in the JWT. In the OTP flow, however, this cannot be done, so the Party will be required to authenticate twice: the first time to obtain consent to get the account information for the user, and the second to define the third party scope action that is defined against a particular account.
Example: the account access consent is added prior to the account discovery flow. (This is described in more detail in the sequence diagram example below.)
3. Proposed Solution Options
___
Please see a sequence diagram for the proposed change.
**Note.** A once off permission does not require credential registration.
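
The ordering requested in section 2.3 can be modelled on the DFSP side as follows. This is an added example, not code from the change request or from the API: the class, method and account names are hypothetical, and treating a once off consent as consumed by its first use is an assumption.

```python
# Added illustration, not Mojaloop code: a toy DFSP-side model of the two
# consents requested in section 2.3. All names and sample data are hypothetical.

class ConsentError(Exception):
    pass

class Dfsp:
    def __init__(self, accounts):
        self.accounts = accounts   # userId -> account ids (constructed data)
        self.once_off = set()      # unused account-access consents: (tpp, user)
        self.scoped = {}           # (tpp, user) -> {account id: set of actions}

    def grant_account_access(self, tpp, user, party_authenticated):
        # First authentication: the Party permits sharing account information.
        # Once off, so no credential registration step is modelled.
        if not party_authenticated:
            raise ConsentError("party not authenticated")
        self.once_off.add((tpp, user))

    def get_tpp_accounts(self, tpp, user):
        # Models GET /tppAccounts/{userId}: refused without consent. Assumption:
        # "once off" means the consent is consumed by its first use.
        if (tpp, user) not in self.once_off:
            raise ConsentError("no account-access consent")
        self.once_off.discard((tpp, user))
        return list(self.accounts.get(user, []))

    def grant_scoped_consent(self, tpp, user, scopes, party_authenticated):
        # Second authentication: actions are bound to particular accounts,
        # which the third party can only name after discovery.
        if not party_authenticated:
            raise ConsentError("party not authenticated")
        unknown = set(scopes) - set(self.accounts.get(user, []))
        if unknown:
            raise ConsentError("unknown account: " + ", ".join(sorted(unknown)))
        self.scoped[(tpp, user)] = {a: set(v) for a, v in scopes.items()}

def try_discovery(dfsp, tpp, user):
    """Return the account list, or the refusal reason as a string."""
    try:
        return dfsp.get_tpp_accounts(tpp, user)
    except ConsentError as exc:
        return str(exc)

if __name__ == "__main__":
    dfsp = Dfsp({"user-1": ["acc-A", "acc-B"]})
    print(try_discovery(dfsp, "pisp-1", "user-1"))   # refused: no consent yet
    dfsp.grant_account_access("pisp-1", "user-1", party_authenticated=True)
    print(try_discovery(dfsp, "pisp-1", "user-1"))   # accounts returned once
    print(try_discovery(dfsp, "pisp-1", "user-1"))   # refused: consent was used
```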