This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Consent Re-Authentication

Owned by Former user (Deleted)
Last updated: Jul 08, 2019
2 min read

Consent re-authentication is the process that enables an ASPSP to authenticate a PSU more than once for the same consent. In order to re-authenticate a consent:

  • The consent must be in the authorized state.
  • The ExpirationDateTime of the consent should not have elapsed.

Once re-authentication is successful, a TPP must not use or refresh access tokens that were issued for the same consent. The ASPSP can decide to invalidate the previously issued tokens for the same consent.

Following are the topics discussed in this page:

Change the authorized accounts during re-authentication

In the accounts flow, the account ID can be changed by a PSU during consent re-authentication. The ASPSP can allow the PSU to change the account IDs using the following configurations:

To allow the PSU to change the account ID during consent re-authorization:

  1. Open the open-banking.xml file in the <OB_KM_HOME>/repository/conf/finance directory and set the value as true, as follows:

    <UK>
        <ConsentReAuthentication>
        	<EnableAccountUpdateByPSU>true</EnableAccountUpdateByPSU>
        </ConsentReAuthentication>
</UK>
  2. Open the open-banking.xml file in the <OB_AM_HOME>/repository/conf/finance directory and repeat the same configuration as in step 1.

Revoke previously issued tokens to an existing consent 

During consent re-authentication, an ASPSP can revoke a previously issued token for an existing consent. The default configuration revokes the previous token request with the same client-id and scopes as in the existing consent. By default, RenewTokenPerRequest is set as false. You can find the default configuration in the <OB_KM_HOME>/repository/conf/identity/identity.xml file as follows:

<OAuth>
<RenewTokenPerRequest>false</RenewTokenPerRequest>
</OAuth>


Refresh token validity period

In WSO2 Open Banking, an ASPSP can re-authenticate the consent at a configured time.

The TPP can request re-authentication for a given consent from the PSU at any time. The refresh token for the consent ID is refreshed, once the PSU re-authorises the re-authentication request. If the TPP doesn’t send the re-authentication request, according to the SCA exemption rules, the ASPSP can enforce it for the configured time that is configured under the RefreshTokenValidityPeriod. When the validity period is reached, the refresh token expires. In that case, the refresh token has to be re-authorised for the given consent. 

None of the permissions in the consent can be altered as the consent is re-authenticated.

  1. Open the identity.xml file in the <OB_KM_HOME>/ repository/conf/identity directory and configure the validity period for the access token of the consent.

    The validity period must be defined in seconds. In this example, it is 90 days. Therefore, the value is set to 7776000.

    <OAuth>
<RefreshTokenValidityPeriod>7776000</RefreshTokenValidityPeriod>
	....
<RenewRefreshTokenForRefreshGrant>false</RenewRefreshTokenForRefreshGrant>
</OAuth>

    RenewRefreshTokenForRefreshGrant is the configuration that enables the TPP to renew the refresh token for a given consent. 

    Recommendation

    Set the value as false. There is only one refresh token for a consent that can be re-authenticated. It cannot be renewed by the TPP itself. 

    <RenewRefreshTokenForRefreshGrant>false</RenewRefreshTokenForRefreshGrant>