
After a certain period, bank customers (Payment Service Users, PSUs) may prefer to revoke the consents they have given to Third-Party Providers (TPPs) to access account data. In WSO2 Open Banking, you can revoke these consents as follows:

Table of Contents

  • Revoking the consents by Payment Service Users
  • Revoking the consents by Customer Care Representatives

Let's learn more about these two methods! 

Note

WSO2 Open Banking Consent Manager is a self-care portal where a Payment Service User (PSU) can view payments and revoke the consents granted for accounts. The Consent Manager portal is used in the following instances:

  • A PSU wants to view the payments made through a particular payment account.
  • A PSU wants to revoke the consent granted to a payment account.

WSO2 Open Banking adheres to PSD2, which states that a PSU cannot revoke a payment-order consent after it has been authorised. Therefore, you can only revoke account consents, not payment consents.

Revoking the Consents by Payment Service Users

Tip

Before you begin: configure the Consent Management application to try out the Consent Manager Portal, as described below.

The WSO2 Open Banking solution includes consent revocation apps that let bank customers (PSUs) and banks (ASPSPs) revoke consents. The app provided to PSUs is known as the Self-care portal, and the app provided to ASPSPs is known as the Customer Care portal.

To manage the consents granted to a Third-Party Provider using the Self-care portal, complete the following configuration.
  1. Go to the Identity and Access Management Console at https://<WSO2_OB_KM_HOST>:9446/carbon.
  2. On the Main tab, click Home > Identity > Service Providers > Add.
  3. By default, the mode is set to Manual Configuration. Leave it as it is.
  4. Enter consentmgt as the Service Provider's name.
  5. Click Register.
  6. Click Inbound Authentication Configuration > OAuth/OpenID Connect Configuration > Configure.
  7. Set the values for the following parameters and keep the default values for the other parameters.

     Parameter | Value
     OAuth Version | 2.0
     Allowed Grant Type | code
     Callback URL | regexp=(https://<WSO2_OB_KM_HOST>:9446/consentmgt|https://<WSO2_OB_KM_HOST>:9446/consentmgt)

     The first and second URLs in the pattern are the redirect URL and the logout URL, respectively.

     Regex-based callback URLs are supported when defining the callback URL. This lets you configure multiple callback URLs for one application by entering a regex pattern as the value of the Callback URL field. You must add the prefix regexp= before your regex pattern. To define a single plain URL, specify the callback URL without this prefix.

     Keep the pattern an exact alternation of the URLs you need: no wildcards such as .*, and regex metacharacters in the hostname (the dots) escaped. The registered callback is what stops an authorization code from being sent to a redirect_uri chosen by an attacker, so every URL the pattern can match is a URL that can receive codes issued for this application.

  8. Click Add.

     The OAuth client key (client ID) and OAuth client secret are generated. They are used when you configure the conf.json file in the next step.

  9. Open the <WSO2_OB_KM_HOME>/repository/deployment/server/jaggeryapps/consentmgt/configs/conf.json file and modify the following parameters. In authCredential, be sure to Base64-encode the CLIENT_ID:CLIENT_SECRET value.

     Parameter | Description
     apimHost | Hostname of the API Management server.
     applicationId | OAuth client key generated in the above step.
     authCredential | Base64 encoded CLIENT_ID:CLIENT_SECRET value (in the given format).
     redirectUrl | The URL you are redirected to when you log in to the application.
     logoutUrl | The URL you are redirected to when you log out of the application.
     DeployedSpecification | Possible values are UK, BERLIN, AU, and STET. By default, the value is set to UK.

     For example:

     Values to encode | Base64 encoded value
     cendXoM2ySDm2wPSQWtlRz33N7Ea:I26e7y189Tnt4s92nhw4Ux5Hqh0a | Y2VuZFhvTTJ5U0RtMndQU1FXdGxSejMzTjdFYTpJMjZlN3kxODlUbnQ0czkybmh3NFV4NUhxaDBh

     Important: update the specification under the DeployedSpecification parameter to match your deployment.

     Base64 is an encoding, not encryption: conf.json holds the client secret in recoverable form, so restrict the file's permissions to the account that runs the server and keep it out of version control.

     Given below is a sample file for the Berlin specification:
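The following is an added example and not the sample conf.json file referred to above, nor code from the WSO2 Open Banking documentation or product. It shows two things a practitioner checks while doing the steps above: that the authCredential value is really Base64(CLIENT_ID:CLIENT_SECRET), using the sample value from this page, and which redirect_uri values a regexp= Callback URL accepts. The callback check is modelled as a full-string regular-expression match (Java String.matches semantics); that, the hostname value substituted for <WSO2_OB_KM_HOST>, and the sample URIs are assumptions, not facts stated on the page.

```python
"""Helpers for the consentmgt Service Provider configuration described above.

Added example, not code from the WSO2 Open Banking documentation or product.
The regexp= match is modelled as a full-string match (an assumption).
"""
import base64
import re
from typing import Tuple

WSO2_OB_KM_HOST = "localhost"  # assumed value for the page's <WSO2_OB_KM_HOST> placeholder

# Client key and secret whose Base64 encoding is the sample value given on this page.
SAMPLE_CLIENT_ID = "cendXoM2ySDm2wPSQWtlRz33N7Ea"
SAMPLE_CLIENT_SECRET = "I26e7y189Tnt4s92nhw4Ux5Hqh0a"
SAMPLE_AUTH_CREDENTIAL = (
    "Y2VuZFhvTTJ5U0RtMndQU1FXdGxSejMzTjdFYTpJMjZlN3kxODlUbnQ0czkybmh3NFV4NUhxaDBh"
)


def auth_credential(client_id: str, client_secret: str) -> str:
    """Return Base64(CLIENT_ID:CLIENT_SECRET), the conf.json authCredential value."""
    return base64.b64encode(f"{client_id}:{client_secret}".encode("ascii")).decode("ascii")


def decode_auth_credential(value: str) -> Tuple[str, str]:
    """Inverse of auth_credential, for auditing an existing conf.json."""
    client_id, _, client_secret = base64.b64decode(value).decode("ascii").partition(":")
    return client_id, client_secret


def callback_accepts(registered: str, redirect_uri: str) -> bool:
    """Decide whether the registered Callback URL accepts redirect_uri.

    A plain value must be identical to redirect_uri.  A value carrying the
    regexp= prefix is a regular expression that must match all of redirect_uri.
    """
    prefix = "regexp="
    if registered.startswith(prefix):
        return re.fullmatch(registered[len(prefix):], redirect_uri) is not None
    return registered == redirect_uri


def exact_callback(*urls: str) -> str:
    """Build a regexp= value that accepts exactly the given URLs and nothing else.

    re.escape makes the dots in a hostname literal, so https://ob.bank.example
    does not also match https://obXbank.example, a host an attacker could register.
    """
    return "regexp=(" + "|".join(re.escape(u) for u in urls) + ")"


# The pattern from this page: an alternation of the redirect and logout URLs.
STRICT_CALLBACK = (
    f"regexp=(https://{WSO2_OB_KM_HOST}:9446/consentmgt"
    f"|https://{WSO2_OB_KM_HOST}:9446/consentmgt)"
)

# A shortcut that must not be used: '.*' before the path accepts any host, so an
# authorization code for consentmgt could be delivered to a site the attacker owns,
# and the trailing '.*' lets extra query parameters ride along.
LOOSE_CALLBACK = "regexp=https://.*/consentmgt.*"


def strict_vs_loose(redirect_uri: str) -> Tuple[bool, bool]:
    """Return (accepted by STRICT_CALLBACK, accepted by LOOSE_CALLBACK)."""
    return (callback_accepts(STRICT_CALLBACK, redirect_uri),
            callback_accepts(LOOSE_CALLBACK, redirect_uri))


if __name__ == "__main__":
    print(auth_credential(SAMPLE_CLIENT_ID, SAMPLE_CLIENT_SECRET) == SAMPLE_AUTH_CREDENTIAL)
    for uri in (f"https://{WSO2_OB_KM_HOST}:9446/consentmgt",          # constructed samples
                "https://attacker.example/consentmgt",
                f"https://{WSO2_OB_KM_HOST}:9446/consentmgt?next=https://attacker.example"):
        print(uri, strict_vs_loose(uri))
```

Run it once against the values you generated in step 8 before editing conf.json: if auth_credential does not reproduce the string you pasted, the portal will fail to authenticate to the token endpoint. Use exact_callback when the real hostname contains dots; the page's localhost-style sample has none, which is why the unescaped pattern above is harmless there.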



The WSO2 Open Banking Consent Manager portal, also known as the Self-care portal, enables Payment Service Users (PSUs) to review and revoke the consents they provided to access account details.

Let's take a look at how a PSU can revoke consent.

  1. Go to the Consent Manager portal at https://<WSO2_OB_KM_HOST>:9446/consentmgt.
  2. Enter the username and password provided by the bank. Click Continue.
  3. On the Consent Manager portal's home page, the consent statuses for Accounts are listed. Consents for payments are either Received or Rejected.
  4. Click Revoke to revoke the consent granted to the account.
  5. You can still find the revoked consents under the Account list. The consent status of revoked accounts is set to Revoked.

A PSU can view the following information about a payment consent.

Note

You can only view payment consents, because a payment that has been authorised cannot be revoked.

  • Payment update details: Date and time at which the payment was made.
  • Consent ID: The consent ID generated for the fund transaction.
  • Permissions: The permissions that can be granted: Accounts, Balances, Transactions, Available accounts, All PSD2.

...

On the home page you can also view the list of Accounts and Payments consents through which you have granted access to account information. The consent status is displayed to the right of the selected consent. Available consent statuses are Rejected, Awaiting Authorisation, Authorised, and Revoked. After reviewing an account consent, you may revoke it:

  1. Optionally, enter a reason for the revocation.

     Tip

     Revocation reasons help you find more information later. It is not mandatory to provide a reason for revocation.

  2. Click Revoke to confirm the revocation.

  3. The status of the consent is now changed to Revoked. You can still find the history of consents in the list.

You have come to the end of the Consent Manager portal. You can log out once your consent revocation is executed:

  1. Click the PSU user profile in the top right corner.

  2. Click Logout.

  3. A confirmation message is displayed. Confirm the logout.

Revoking the consents by Customer Care Representatives

The WSO2 Open Banking Customer Care portal enables the Customer Care Representatives to revoke the consents on behalf of the PSUs.

Tip

Before you begin: create a user whose role is defined as a customer care officer, as follows.

  1. Sign in to the Identity and Access Management console (https://<WSO2_OB_KM_HOST>:9446/carbon). Use the default super admin credentials:

     Username: admin@wso2.com
     Password: wso2123

     Note

     The above credentials are for demo purposes only. Change them in a production environment.

  2. On the Main tab, click Identity > Users and Roles > Add > Add New Role and create the following role:

     Domain | Role | Permissions
     Internal | CustomerCareOfficer | No permissions required.

     The role carries no management-console permissions; it only identifies customer care users, for example in the access control policy you can publish when configuring SSO for the portal below.

  3. On the Main tab, click Identity > Users and Roles > Add > Add New User and create the following user:

     User | Roles
     ann@gold.com | Internal/CustomerCareOfficer

  4. Click Finish.

Let's take a look at how you can access and sign in to the WSO2 Open Banking Customer Care portal.

Access the Customer Care portal using https://<WSO2_OB_KM_HOST>:9446/ccportal.

Configuring SSO

You can configure SSO for the Customer Care Portal as follows.

  1. Create a Service Provider with the following parameters.
     1. Sign in to the Identity and Access Management console at https://<WSO2_OB_KM_HOST>:9446/carbon.
     2. Go to Home > Identity > Service Providers > Add.
     3. Use the Manual Configuration option and fill in the Basic Information.
     4. Click Register.
     5. Go to Inbound Authentication Configuration > SAML2 Web SSO Configuration > Configure.
     6. Configure the following:

        Manual Configuration | Value
        Issuer | ccportal
        Assertion Consumer URLs | https://<WSO2_OB_KM_HOST>:9446/ccportal/jagg/jaggery_acs.jag

     7. Click Add to add the Assertion Consumer URL.
     8. Click Register.
     9. Expand the Local and Outbound Authentication Configuration section and select the authenticators used to authenticate users in this service provider (sample value: Default).
     10. Check the Enable Authorization checkbox and click Update.

  2. Set up the policy.
     1. Follow the instructions in Configuring Access Control Policy for a Service Provider - Setting up the policy and publish a policy using the authn_role_based_policy_template for the Internal/CustomerCareOfficer role. This published policy is what ties portal access to the role, so the role name must match the one created in the Before you begin section exactly.
     2. Given below is a sample policy file:

  3. Update the SSO configurations.
     1. Open the <WSO2_OB_KM_HOME>/repository/deployment/server/jaggeryapps/ccportal/configs/conf.json file.
     2. Update the ssoConfiguration section. Given below is a sample configuration:

  4. Make sure the <WSO2_OB_KM_HOME>/modules/sso/module.xml file contains the following:
  1. Sign in to the Customer Care Portal (https://<WSO2_OB_KM_HOST>:9446/ccportal) using the username and password of a user with the Customer Care role. See Configuring Users and Roles for more information on user roles.

     Troubleshooting

     If you get hostname verification errors when accessing the Customer Care portal, add the following to the <WSO2_OB_KM_HOME>/bin/wso2server.sh file and restart:

         -Dhttpclient.hostnameVerifier="DefaultAndLocalhost" \
         -Dorg.wso2.ignoreHostnameVerification=true \

     These properties weaken TLS hostname verification for the server's own outbound HTTPS connections; the second one disables it entirely, so any endpoint presenting a trusted certificate for some other name would be accepted. Use them only in a development setup where the hostname does not match the certificate. In production, issue a certificate whose subject or subject alternative name matches the hostname the portal connects to and leave verification enabled.

  2. Enter the username and password. Click Sign In to go to the Customer Care portal home page.

     Info

     You can use ann@gold.com as the username for testing purposes.

  3. You can filter the search results using the following parameters:

     • User ID: The user ID created for the PSU in the online banking application. This is the same user that is used for generating the consent IDs.
     • Consent Type: Accounts is selected by default. You can select between Accounts, Payments, and CBPIIs.
     • Application: The TPP applications authorised for the ASPSP are listed here. You can select the TPP application the PSU has given consent to.
     • Status: Select the consent status. Possible values are Rejected, Awaiting Authorisation, Authorised, and Revoked.
     • Set Date Range: The date range in which the PSU's consent is valid.

     Tip

     You can use one or more filter options and proceed to search.

     Info

     WSO2 Open Banking is a solution developed in compliance with PSD2. PSD2 states that a PSU cannot revoke a payment-order consent once it has been authorised.

  4. Click Search.
  5. A list of search results is displayed.
  6. You can view the Account and Payment consent information by clicking the consent.
  7. Click the consent you want to revoke and view the consent details.
  8. One consent ID can be granted to many accounts that belong to the same PSU. Therefore, there are two methods to revoke an account consent:
     1. Revoke a consent: when a PSU has asked a customer care representative to revoke consent, the representative revokes all account consents with that consent ID.
     2. Revoke an account consent: an individual account consent can be revoked. This revokes only that account consent.
  9. Click Revoke.
  10. Optionally, enter a reason for the revocation.

      Tip

      Revocation reasons will help you find more information later. It is not mandatory to provide a reason for revocation.

  11. Click Revoke to confirm the revocation.
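The rules stated on this page for both portals can be captured in a small model. The block below is an added example, not WSO2 Open Banking code: it covers the consent statuses shown in the Consent Manager (Self-care) section and the Customer Care search filters and the two revocation scopes ("revoke a consent" versus "revoke an account consent") described above, including the PSD2 rule that a payment-order consent is never revocable, the optional revocation reason, and the fact that revoked consents stay in the list. The field names, the in-memory store, the sample data, and the restriction that only an Authorised consent can be revoked are assumptions of this model, not statements from the page.

```python
"""Model of the consent statuses and revocation scopes described on this page.

Added example, not WSO2 Open Banking code; the lead-in lists its assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Statuses named on this page (account consents; payments are Received or Rejected).
AWAITING, AUTHORISED, REJECTED, REVOKED = (
    "Awaiting Authorisation", "Authorised", "Rejected", "Revoked")
RECEIVED = "Received"


class RevocationNotAllowed(Exception):
    """A revocation that would break a rule stated on the page."""


@dataclass
class Consent:
    consent_id: str
    user_id: str          # PSU user id from the online banking application
    application: str      # TPP application the consent was granted to
    consent_type: str     # "Accounts", "Payments" or "CBPIIs"
    status: str
    valid_from: str       # ISO dates (YYYY-MM-DD) compare correctly as strings
    valid_to: str
    accounts: Dict[str, str] = field(default_factory=dict)  # account id -> status
    revocations: List[Tuple[Optional[str], Optional[str]]] = field(default_factory=list)


class ConsentStore:
    def __init__(self) -> None:
        self.consents: Dict[str, Consent] = {}  # assumed in-memory store

    def add(self, consent: Consent) -> None:
        self.consents[consent.consent_id] = consent

    def search(self, user_id: Optional[str] = None, consent_type: str = "Accounts",
               application: Optional[str] = None, status: Optional[str] = None,
               date_range: Optional[Tuple[str, str]] = None) -> List[Consent]:
        """Customer Care search: Consent Type defaults to Accounts, the other
        filters are optional, and every filter given must match.  Revoked
        consents are returned like any other, since they stay in the list."""
        def matches(c: Consent) -> bool:
            return (c.consent_type == consent_type
                    and (user_id is None or c.user_id == user_id)
                    and (application is None or c.application == application)
                    and (status is None or c.status == status)
                    and (date_range is None
                         or (c.valid_from <= date_range[1] and c.valid_to >= date_range[0])))
        return [c for c in self.consents.values() if matches(c)]

    def _revocable(self, consent_id: str) -> Consent:
        c = self.consents[consent_id]
        if c.consent_type != "Accounts":  # PSD2: authorised payment consents stay as they are
            raise RevocationNotAllowed("only account consents can be revoked")
        if c.status != AUTHORISED:        # assumption: only Authorised consents are revocable
            raise RevocationNotAllowed(f"{consent_id} is {c.status}, not {AUTHORISED}")
        return c

    def revoke_consent(self, consent_id: str, reason: Optional[str] = None) -> Consent:
        """'Revoke a consent': every account covered by the consent ID is revoked."""
        c = self._revocable(consent_id)
        for account in c.accounts:
            c.accounts[account] = REVOKED
        c.status = REVOKED
        c.revocations.append((None, reason))
        return c

    def revoke_account_consent(self, consent_id: str, account: str,
                               reason: Optional[str] = None) -> Consent:
        """'Revoke an account consent': one account only; the consent as a whole
        stays Authorised until its last account has been revoked."""
        c = self._revocable(consent_id)
        if c.accounts.get(account) != AUTHORISED:
            raise RevocationNotAllowed(f"{account} is not an authorised account of {consent_id}")
        c.accounts[account] = REVOKED
        c.revocations.append((account, reason))
        if all(s == REVOKED for s in c.accounts.values()):
            c.status = REVOKED
        return c


def revoke_outcome(store: ConsentStore, consent_id: str, account: Optional[str] = None,
                   reason: Optional[str] = None) -> str:
    """Run a revocation and report the resulting consent status, or why it was refused."""
    try:
        c = (store.revoke_consent(consent_id, reason) if account is None
             else store.revoke_account_consent(consent_id, account, reason))
        return c.status
    except RevocationNotAllowed as exc:
        return f"refused: {exc}"


def sample_store() -> ConsentStore:
    """Constructed sample data, not taken from the page."""
    store = ConsentStore()
    store.add(Consent("acc-1", "psu1@gold.com", "tpp-app-A", "Accounts", AUTHORISED,
                      "2020-01-01", "2020-03-31",
                      accounts={"GB00-111": AUTHORISED, "GB00-222": AUTHORISED}))
    store.add(Consent("acc-2", "psu1@gold.com", "tpp-app-B", "Accounts", AWAITING,
                      "2020-02-01", "2020-04-30", accounts={"GB00-333": AWAITING}))
    store.add(Consent("pay-1", "psu1@gold.com", "tpp-app-A", "Payments", RECEIVED,
                      "2020-02-10", "2020-02-10"))
    return store


if __name__ == "__main__":
    store = sample_store()
    print(revoke_outcome(store, "acc-1", account="GB00-111", reason="customer request"))
    print(revoke_outcome(store, "acc-1"), store.consents["acc-1"].accounts)
    print(revoke_outcome(store, "pay-1"))
    print([c.consent_id for c in store.search(status=REVOKED)])
```

The point to take from the model is the difference between the two scopes: revoking one account leaves the consent Authorised for the PSU's other accounts, whereas revoking the consent ID closes every account under it in one step, and both leave a Revoked record (with any reason given) that the search still returns.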