Skip to main content
Skip table of contents

Creation and Authorisation of an AIS Consent in Steps

This article gives an example of the creation and authorisation of a detailed consent that will give TPP access to 2 different accounts of a single PSU.

Learn more about consent models XS2A Consent Models and Access Rights.

In this example, the embedded SCA approach is used. Learn more about SCA approaches that are supported in XS2A Supported Authentication Methods.

Prerequisites

Your certificate must contain the PSP role = PSP_AI.

Exclusions

  1. One-time consents are not supported ("recurringIndicator": false).

  2. Combined AIS and PIS sessions are not supported ("combinedServiceIndicator": true).

Step 1 - Consent creation

In this step, a request to create a consent with consent data is sent to XS2A.

XS2A validates the role from the certificate, PSU-ID, and request syntax. If all the validations have been completed successfully, XS2A returns a consentId.

It means that a consent resource has been created and must be authorised by PSU.

The created consent resource will be accessible under the given consentId during 30 minutes from the moment of creation. Authorisation of given consent must be completed within this time.

If a consent is not authorised and its validity time is over, access to this resource will be canceled, and the consent creation flow will be terminated.

Flow

Data field

Value

HTTP-Method

POST

Header PSU-ID

one of PSU-IDs from Sandbox Test Accounts and Test Data

Header X-Request-ID

Random UUID for this request

  • Fill in consent data according to the consent model

  • Execute the request.

  • The response should have the HTTP status code: 201 - Created

Step 2 - Consent authorisation initiation

In this step, consent authorisation is initiated.

XS2A validates the role from the certificate, consentId and request syntax. If all the validations have been completed successfully, XS2A returns an authorisationId inside the updatePsuAuthentication link.

It means that an authorisation sub-resource has been created for given consentId.

The created authorisation sub-resource will be accessible under given authorisationId during 30 minutes from the moment of creation. Authorisation of the given consent must be completed within this time.

If a consent is not authorised and its validity time is over, access to this resource will be canceled, and the consent creation flow will be terminated.

Flow

  • Go to /v1/consents/{consentId}/authorisations or follow the startAuthorisation link from the response in Step 1.

  • Fill in mandatory data

Data field

Value

HTTP-Method

POST

Header PSU-ID

same as in Step 1

Header X-Request-ID

Random UUID for this request

URL path variable {consentId}

consentId received in response in Step 1

Body

no body

  • Execute the request.

  • The response should have the HTTP status code: 200 - Ok

Step 3 - Provide PSU password

In this step, PSU password must be provided.

Please, use the correspondent password from Sandbox Test Accounts and Test Data.

Flow

  • Go to /v1/consents/{consentId}/authorisations/{authorisationId} or follow the updatePsuAuthentication link from the response in Step 2.

  • Fill in mandatory data

Data field

Value

HTTP-Method

PUT

Header PSU-ID

same as in Step 1

Header X-Request-ID

Random UUID for this request

URL path variable {consentId}

consentId received in response in Step 1

URL path variable {authorisationId}

authorisationId received in response in Step 2

  • Fill in the body of psuData

  • Execute the request.

  • The response should have the HTTP status code: 200 - Ok

Step 4 - Select SCA method

PSU was authenticated successfully with its PSU-ID and password in the previous step, and now XS2A offers a selection of authentication methods.

An authentication method is a format of the 2nd factor that must be provided by PSU in order to complete the authorisation of a consent.

To trigger Decoupled SCA, please use authenticationMethodId where authenticationType = PUSH_OTP in the response in Step 3.

Flow

  • Go to /v1/consents/{consentId}/authorisations/{authorisationId} or follow the selectAuthenticationMethod link from the response in Step 3.

  • Fill in mandatory data

Data field

Value

HTTP-Method

PUT

Header PSU-ID

same as in Step 1

Header X-Request-ID

Random UUID for this request

URL path variable {consentId}

consentId received in response in Step 1

URL path variable {authorisationId}

authorisationId received in response in Step 2

  • Fill in body of the authenticationMethodId 

  • Execute.

  • The response should have the HTTP status code: 200 - Ok

Step 5 - Provide 2nd factor

This is the final step where PSU completes the consent authorisation by providing the 2nd factor (this is only applicable for EMBEDDED SCA approach).

In real-life operations, a Bank will generate and send the 2nd factor to PSU.

In the Sandbox the behaviour of a bank is simulated: XS2A doesn't generate and sent any 2nd factors but offers a default format of authentication data. Please, see Sandbox Test Accounts and Test Data .

Flow

  • Go to /v1/consents/{consentId}/authorisations/{authorisationId} or follow the authoriseTransaction link from the response in Step 4.

  • Fill in mandatory attributes

Data field

Value

HTTP-Method

PUT

Header PSU-ID

same as in Step 1

Header X-Request-ID

Random UUID for this request

URL path variable {consentId}

consentId received in response in Step 1

URL path variable {authorisationId}

authorisationId received in response in Step 2

  • Fill in the body of scaAuthenticationData according to the authentication method selected in the previous step. Please see Sandbox Test Accounts and Test Data.

  • Execute the request.

  • The response should have the HTTP status code: 200 - Ok

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.