layout | title | intro | toc |
---|---|---|---|
ob-base-toc-page |
Quick Start Guide |
How developers can simply start consuming secured Open Banking APIs |
true |
This guide walks you through the WSO2 Open Banking solution.
If you want to start from scratch by creating your own application, start from Create an Application. If not, start from the Subscribe to APIs section where you can use our default application.
-
In the main menu, go to Try Developer Portal > App (Sandbox) - UK.
-
If you already have a user account at wso2.com click Sign in. Else, click Sign-up to create an account.
- When you create an account, provide a valid phone number with the country code to complete the two factor authentication, for example, +44 xxx xxx xxxx for a UK phone number. - Once you create and verify the user account at wso2.com, use those credentials to sign in to WSO2 Open Banking App (Sandbox) - UK. -
In the left menu, click Applications to see all the applications. NOTE: WSO2 Open Banking comes with a sample application named DefaultApplication.
-
Click Add Application.
- Enter a name for the application.
- Set the Throttling Tier.
NOTE: You can select an SLA via the dropdown. By default, this value is set to unlimited. If you do not select an SLA, the default SLA value is applied.
-
In the left menu, click APIs to see all available APIs.
The API store displays all available APIs. These APIs can be consumed by AISPs and PISPs. Some APIs require proper authorisation and consumer consent to provide data.
-
Browse the Accounts and Transaction API.
-
To subscribe to the API:
- Select the application you created in STEP 1 from the Applications drop-down.
- Set the Tiers accordingly.
- Click Subscribe.
NOTE: If you did not create your own application, select DefaultApplication.
The APIs are secured using the OAuth2.0 protocol. In order to invoke secured APIs, you should submit a valid OAuth2.0 token with required authorisation levels. Depending on the security requirements, we use the Authorization Code grant type and Client Credentials grant type to generate access tokens.
In this guide, the application directs the consumer to the website of the customer’s bank to perform authentication, delegate authorisation, and get consent for the application to retrieve data or perform a transaction on the consumer’s account.
**Generate keys**
The application requires a Client ID (Consumer Key) and a Client Secret (Consumer Secret) to access the subscribed APIs.
-
Go to the Applications tab.
-
Choose your application from the Application List and go to the Sandbox Keys tab to generate access tokens in the sandbox environment.
-
Provide the requested information as defined below:
-
Grant Types: Determine the credentials used to generate the access token. You may use the selected default Grant Types.
-
Callback URL: The URL used by the application to receive the authorisation code sent from the bank. The authorisation code can be used later to generate an OAuth2 access token.
-
Scopes: The access tokens required for accessing the APIs must have relevant scopes. The drop-down contains the scopes available for the APIs, the application has subscribed for.
NOTE: An application access token can have multiple scopes. -
Access token validity period: By default, the token validity periods are set to 3600 seconds.
-
Application Certificate: To validate whether the TPP is registered in a governing entity. You can download a sample application certificate from here. Copy the content between the BEGIN CERTIFICATE and END CERTIFICATE strings of the application certificate.
-
-
Click Generate Keys.
NOTE: Follow the above steps to regenerate the access token.
**Create a new consent**
-
In the left menu, click APIs.
-
Select the Accounts and Transaction API.
-
Go to the API Console tab.
- Select your application from the drop-down lists.
- Select Sandbox as the environment.
- The request header is set by the API Store.
-
Mutual Transport Layer Security (MTLS) is a protocol recommended by the Open Banking Implementation Entity. In the WSO2 Open Banking solution, MTLS is enforced by using handlers in order to ensure that the authenticated client uses the pre-registered transport certificate to communicate with APIs.
- To invoke the APIs in the demo, download the certificate available here and import it into your web browser.
-
Create a consent using the POST /account-access-consents resource. Use the Try it out option.
- Modify the request payload with a valid date and time values.
- Set the x-fapi-financial-id value to open-bank.
- Click Execute to create a consent resource.
- If the creation is successful, the response body will contain a unique ID for the consent named ConsentId.
## STEP 4: Consent Authorisation
This step explains authorising account consents. The AISP redirects the bank customer to authenticate and approve/deny application-provided consents.
-
In the left menu, click APIs and browse the Authorize API.
-
Go to the API Console tab and click Generate signed request.
-
Fill the expanded form.
- Client ID: The Consumer Key of the application.
- Scopes: To invoke the Accounts API, set the value as accounts openid.
- Redirect URI: The Callback URL of the application.
- Consent ID: The unique id of the consent resource created in STEP 3.
- Use the default values for the State, Nonce, and Response type fields.
-
Click Generate.
NOTE: Once you generate a signed request, you can simply regenerate by clicking Regenerate.
-
Obtain an authorization code. Use the Try it out option.
-
Copy the Request URL to a browser. You are redirected to a login page, sign in using the credentials of your WSO2 account.
-
As SMSOTP is configured as the second step of Two-factor authentication, enter the code sent to your mobile phone.
-
Upon successful authentication, the PSU is redirected to the consent management page.
-
PSU needs to select the accounts to which the consent is granted; click Approve.
-
The browser is redirected to the redirect URL of the application and an authorization code is generated. Note down the authorization code.
-
Copy the code from the URL.
Generate user access token
-
In the left menu, click APIs and browse the Token API.
-
Go to the API Console tab and click Generate signed request.
-
Fill the expanded form.
- Client ID: The Consumer Key of the application.
-
Click Generate.
NOTE: Once you generate a signed request, you can simply regenerate by clicking Regenerate.
-
Obtain an OAuth2 access token. Use the Try it out option.
- The value of grant_type field should be authorization_code.
- Set the scope to accounts.
- code is the authorization code generated in the above step.
- redirect_uri should be the Callback URL of the application.
- client_id is the Consumer Key of the application.
- Set the client_assertion_type to urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
- client_assertion is the Generated token in the Generate client assertion form.
-
Click Execute. Note down the user access token in the response.
-
In the left menu, click APIs.
-
Browse the Accounts and Transaction API.
-
Go to the API Console tab.
- Select your application from the drop-down lists.
- Select Sandbox as the environment.
- Replace the token in the request header with the user access token obtained in STEP 4.
-
Invoke the submission resources using the Try It Out option.
For example, retrieve the accounts using the GET /accounts resource.