This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Account and Transaction

This document explains the flow of events for version 1.1 of the Account and Transaction API of the WSO2 Open Banking solution. Customers can use the test scripts described below to test the WSO2 Open Banking solution and validate the Account Information Service Provider (AISP) flow. Validate the AISP flow before User Acceptance Testing (UAT) to ensure that the account access functionality is properly exposed.

Flow of events

Perform the following tasks in the given order to test the Account and Transaction API flow of events.

Sign up as a TPP user

First, a TPP must sign up to the API store.

  1. Navigate to the API Store using https://<<OBAM_HOST>>:9443/store.
  2. Select Sign-up that is on the top left corner of the homepage.
  3. Provide the requested details on the sign-up screen.

    a. Generic details:

    Field | Description
    Username/Email | The username/email that the TPP user uses to sign in to the API Store.
    Password | The password that the TPP user uses to sign in to the API Store.
    Retype Password | This is to prevent the TPP user from accidentally setting an incorrect password.
    Last Name | This is the last name of the TPP user.
    First Name | This is the first name of the TPP user.

    b. Company details:

    Field | Description
    Legal Entity Name | Official name of the TPP.
    Country of Registration | Country in which the TPP is registered.
    Legal Identifier Number (LEI) | This identifies the TPP.
    Company Register | Organization that registered the TPP.
    Company Registration Number | Identifier issued at the TPP registration.
    Address Line 1 | Address of the TPP.
    Address Line 2 | Address of the TPP.
    City | City in which the TPP is located.
    Postal Code | Postal code of the geographical location of the TPP.
    Country | Country in which the TPP is located.

    c. Competent Authority registration details:

    Field | Description
    Competent Authority | Regulatory body that authorizes and supervises the open banking services delivered by the TPP.
    Competent Authority Country | Country of the competent authority that authorized the TPP to provide open banking services.
    Competent Authority Registration Number | Registration number issued by the Competent Authority to the TPP.
    URL of the Competent Authority Register Page | URL of the page that has the list of organizations authorized by the given competent authority.
    Open Banking Roles | Captures the open banking roles the TPP is willing to take up:

    • Account Information Service Provider: An Account Information Service Provider (AISP) provides an aggregated view of all the accounts and past transactions that a customer has with different banks. To provide this view to the customer, the AISP should have authorization from the customer to view the corresponding transaction and balance information of all the payment accounts. The AISPs can also provide the facility to analyze the customer's spending patterns, expenses, and financial needs. Unlike a PISP, an AISP cannot transfer funds from a payment account.

    • Payment Initiation Service Provider: A Payment Initiation Service Provider (PISP) initiates credit transfers on behalf of a bank's customer.

    After selecting the AISP, indicate whether the TPP is authorized by a competent authority to provide the services of the selected roles.

    If the TPP is not yet registered to provide the services of the selected roles, indicate whether the TPP has applied for registration or not.

  4. Read the terms and conditions. Select the checkbox to agree to the terms and conditions and proceed to the next step.

  5. Click Sign Up. A request to approve the user sign-up is sent to the Approver users.

Approve a TPP user

Now that you have signed up as a TPP user, an admin who oversees all TPP sign-up forms must approve the request.

  1. Log in to the Admin portal as an approver using https://<<OBAM_HOST>>:9443/admin.
  2. Locate the approval request and click Assign To Me.
  3. Click Start to start the approval process.

  4. Select Approve and click Complete. The TPP user can now sign in to the API Store.

Sign in as a TPP user

The TPP can sign in once an admin has approved the sign-up form.

  1. Log in to the API Store as a TPP user using https://<<OBAM_HOST>>:9443/store.
  2. Click Sign In and navigate to the sign in screen.
  3. Enter the username and the password you entered at the TPP sign-up.

  4. Click Sign In. The homepage of the API store is displayed along with the APIs.

Create an application

The TPP user must create applications in order to provide services via APIs.

  1. Log in to the API store as a TPP user and click Applications.
  2. Click Add Application.
  3. Enter application details.

    Field | Description
    Name | Application name.
    Per Token Quota | Determines the maximum number of API requests accepted within a given duration.
    Description | This describes the purpose of the application.
  4. Click Add. The application is now created.

Subscribe to APIs

Now that the TPP has created an application, the TPP must subscribe it to the required APIs.

  1. Log in to the API store as a TPP user.
  2. Click APIs.
  3. Select the preferred AccountInfo API version. e.g: v1.1.

  4. Select the application you created in the Create an application section.
  5. Set the throttling policy to Unlimited.
  6. Click Subscribe.

Create the certificates

  1. Create a keystore file as a TPP user using the command below.

    keytool -genkey -alias <<alias>> -keyalg RSA -keystore <<filename>>.jks

    Make sure to update the following placeholders:

      1. alias: A preferred alias for the keystore file.
      2. filename: A preferred name for the keystore file.

  2. Convert the keystore from the JKS format to PKCS12.

    keytool -importkeystore -srckeystore <<keystoreStoreName>>.jks -destkeystore <<PKCS12FileName>>.p12 -deststoretype PKCS12

    Make sure to update the following placeholders:

      1. keystoreStoreName: This is the name of the keystore.
      2. PKCS12FileName: This is the name of the keystore in the PKCS12 format.

  3. Create the application certificate (.pem) file using the keystore in the PKCS12 format, e.g., tpp.p12.

    openssl pkcs12 -in <<PKCS12FileName>>.p12 -nokeys -out <<PEMFileName>>.pem

    Make sure to update the following placeholders:

      1. PKCS12FileName: This is the name of the keystore in the PKCS12 format.
      2. PEMFileName: This is the name of the application certificate that is created in the .pem format.

Request access keys

  1. Log in to the API store as a TPP user and click either of the following on the Applications tab.
    1. Production Keys: Generates access tokens in the production environment.
    2. Sandbox Keys: Generates access tokens in the sandbox environment.
  2. Provide the requested information as defined below:

    Field | Description
    Grant Types | These determine the credentials that are used to generate the access token. There are six grant types available in WSO2 Open Banking:

    • Refresh Token: This is to renew an expired access token.

    • Client Credential: This relates to the client credentials grant type and is applicable when consuming the API as an application.

    • Code: This relates to the authorization code grant type and is applicable when consuming the API as a user.

    Client ID | OrganizationIdentifier as provided in the eIDAS certificate. The organizationIdentifier attribute contains information using the following structure in the presented order:

    • PSD as the 3-character legal person identity type reference

    • 2-character ISO 3166 country code representing the NCA country

    • hyphen-minus (-)

    • 2-8 character NCA identifier (A-Z upper case only, no separator)

    • hyphen-minus (-)

    • PSP (Payment Service Provider) identifier (authorization number as specified by NCA)

    Callback URL | This is the URL used by the Account Information Service Provider (AISP) / Payment Initiation Service Provider (PISP) to receive the authorization code sent from the Account Servicing Payment Service Provider (ASPSP), e.g., the bank. The authorization code can be used later to generate an OAuth2 access token.
    Application Certificate | This is the content between the BEGIN CERTIFICATE and END CERTIFICATE strings of the application certificate (.pem) that you created above.


  3. Click Request Access if you are generating production keys. This sends a request to an Approver user to approve the token generation.
  4. Click Generate Keys if you are generating sandbox keys. This generates the consumer key and consumer secret.
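
The organizationIdentifier structure listed for the Client ID field can be checked before the value is submitted. The following is an added example, not part of the WSO2 documentation; the function names are hypothetical, and the PSP identifier is only required to be non-empty because its format is set by each NCA.

```shell
#!/bin/sh
# Added example: validate an eIDAS organizationIdentifier of the form
#   PSD<CC>-<NCA>-<PSP identifier>
# and print its components.

# matches VALUE REGEX: locale-independent extended-regex match.
matches() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq "$2"
}

# parse_org_id ID: prints "country=.. nca=.. psp=.." or returns 1 with a reason.
parse_org_id() {
    id=$1

    # "PSD" is the 3-character legal person identity type reference.
    case $id in
        PSD*) ;;
        *) echo "error: must start with PSD" >&2; return 1 ;;
    esac
    rest=${id#PSD}

    # Split on the first two hyphens only; the PSP identifier may contain more.
    case $rest in
        *-*-*) ;;
        *) echo "error: expected two hyphen-minus separators" >&2; return 1 ;;
    esac
    country=${rest%%-*}
    rest=${rest#*-}
    nca=${rest%%-*}
    psp=${rest#*-}

    matches "$country" '^[A-Z]{2}$' ||
        { echo "error: country must be a 2-character ISO 3166 code" >&2; return 1; }
    matches "$nca" '^[A-Z]{2,8}$' ||
        { echo "error: NCA identifier must be 2-8 characters, A-Z only" >&2; return 1; }
    # The PSP identifier format is defined by each NCA; only require non-empty.
    [ -n "$psp" ] ||
        { echo "error: PSP identifier is empty" >&2; return 1; }

    printf 'country=%s nca=%s psp=%s\n' "$country" "$nca" "$psp"
}
```

For instance, `parse_org_id PSDDE-BAFIN-123456` (a constructed identifier) prints the three components, while a lower-case country code or a nine-letter NCA identifier is rejected with a reason on stderr.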

Approve production key generation

This step describes how an Approver user reviews and approves a request to generate production keys, as described in step 3 under Request access keys.

  1. Log in to the Admin portal as an Approver user.
  2. Click Tasks > Application Registration.
  3. Locate the approval request and click Assign To Me.

  4. Click Start to start the approval process.
  5. Navigate back to the API Store and click Applications.
  6. On the Applications tab, click View for the application that you created.
  7. Click the Production Keys tab to find the generated keys, which include the consumer key and consumer secret.

Generate application access token

When invoking APIs in the AISP flow, application access tokens must be generated using the client credential grant type.

  1. Generate the client assertion by signing the following JSON payload using the supported algorithms.

    {
      "alg": "<<This will be the algorithm used for signing>>",
      "kid": "<<This will be the certificate fingerprint>>",
      "typ": "JWT"
    }
    
    {
      "iss": "<<This is the issuer of the token, e.g., client ID of your application>>",
      "sub": "<<This is the subject identifier of the issuer, e.g., client ID of your application>>",
      "exp": <<This is epoch time of the token expiration date/time>>,
      "iat": <<This is epoch time of the token issuance date/time>>,
      "jti": "<<This is an incremental unique value>>",
      "aud": "<<This is the audience that the ID token is intended for, e.g., https://<<OB_HOST>>:8243/TokenAPI/v1.0.0>>"
    }
    <signature> 
  2. Run the following cURL command in a command prompt to generate the access token. Update the placeholders with the relevant values. The -k option turns off TLS certificate verification, which suits only a test deployment with a self-signed certificate.

    curl -v -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=ISO-8859-1" -k -d "grant_type=client_credentials&scope=accounts+openid&client_assertion_type=<<eg:-urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer>>&client_assertion=<<jwt_key>>&redirect_uri=<<The callback URL of your application>>" https://<<OB_HOST>>:8243/token

    The access token is now generated.

    You can use the same cURL command to re-generate the access token.
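
One way to build and check the client assertion from step 1 with openssl, as an added example that is not part of the WSO2 documentation. It assumes RS256 is among the supported algorithms (the page does not list them) and that the values passed in need no JSON escaping; the function names are hypothetical, and jti is a random value here rather than an incrementing one.

```shell
#!/bin/sh
# b64url: base64url-encode stdin without padding.
b64url() {
    openssl base64 -A | tr '/+' '_-' | tr -d '='
}

# make_client_assertion KEY_PEM CLIENT_ID KID AUDIENCE [LIFETIME_SECONDS]
# Prints header.claims.signature, signed with RS256 (assumed algorithm).
make_client_assertion() {
    key=$1 client_id=$2 kid=$3 aud=$4 ttl=${5:-300}
    iat=$(date +%s)
    exp=$((iat + ttl))
    # jti must differ for every assertion so a replayed one can be rejected.
    jti=$(openssl rand -hex 16)

    header=$(printf '{"alg":"RS256","kid":"%s","typ":"JWT"}' "$kid" | b64url)
    claims=$(printf '{"iss":"%s","sub":"%s","exp":%s,"iat":%s,"jti":"%s","aud":"%s"}' \
        "$client_id" "$client_id" "$exp" "$iat" "$jti" "$aud" | b64url)
    sig=$(printf '%s.%s' "$header" "$claims" |
        openssl dgst -sha256 -sign "$key" -binary | b64url)
    printf '%s.%s.%s\n' "$header" "$claims" "$sig"
}

# verify_client_assertion PUBKEY_PEM JWT
# Returns 0 only if the signature covers header.claims under the public key.
verify_client_assertion() {
    pub=$1 jwt=$2
    signing_input=${jwt%.*}
    sig=$(printf '%s' "${jwt##*.}" | tr '_-' '/+')
    # Restore the '=' padding that base64url drops.
    case $(( ${#sig} % 4 )) in
        2) sig="$sig==" ;;
        3) sig="$sig=" ;;
    esac
    tmp=$(mktemp)
    printf '%s' "$sig" | openssl base64 -d -A > "$tmp"
    printf '%s' "$signing_input" |
        openssl dgst -sha256 -verify "$pub" -signature "$tmp" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

The string printed by make_client_assertion is the value for client_assertion in the cURL command of step 2; keep the lifetime short so a captured assertion expires quickly.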

Invoke AccountInformationAPI API

In this step, TPP passes the customer-provided consents to the bank. The bank validates the request and stores the user consents.

  1. Log in to the API store as a TPP user.
  2. Click APIs.
  3. Click AccountInformationAPI API.
  4. Click POST /consents resource.

    1. Use the following as the body.

      {
          "access": {
         	 "balances": [
         		 {
         			 "iban": "DE40100100103307118608"
         		 },
         		 {
         			 "iban": "DE02100100109307118603",
         			 "currency": "USD"
         		 },
         		 {
         			 "iban": "DE67100100101306118605"
         		 }
         	 ],
         	 "transactions": [
         		 {
         			 "iban": "DE40100100103307118608"
         		 },
         		 {
         			 "maskedPan": "123456xxxxxx1234"
         		 }    
         	 ]
         	 },
          "recurringIndicator": "true",
          "validUntil": "<<Valid until date for the requested consent retrieved in ISO format>>",
          "frequencyPerDay": "<<Maximum frequency for an access per day>>",
          "combinedServiceIndicator": "true"
      }
    2. Enter a Universally Unique Identifier (UUID) that identifies the request in the X-Request-ID field.

    3. Enter the application access token you created under Generate application access token in the authorization field.

    4. Set the Content-Type field to application/json.

    5. Click Try it out! The API response now contains the AccountRequestId.

Invoke AuthorizeAPI API

In this step, the TPP redirects the bank customer to authenticate and to approve or deny the consents provided in the application.

  1. Get the well-known configuration endpoint from the response to the above initiation call; it is returned as the scaOAuth value in the _links response object. Invoke the endpoint and get the Authorize API URL value from the response.
  2. Open the following URL in a browser to invoke the AuthorizeAPI API. Update the placeholders with the relevant values.

    https://<<OB_HOST>>:8243/authorize/?response_type=code%20id_token&client_id=<<the client-id of your application>>&scope=accounts+openid+AIS:<<consentId>>&redirect_uri=<<The Callback URL of your application>>&state=<<state>>&prompt=login&nonce=<<nonce>>&code_challenge_method=<<code_challenge_method>>&code_challenge=<<code_challenge>>
  3. Once you pass this call, you are directed to a login page. Log in with the credentials of a user having a subscriber role.
  4. If a secondary factor (e.g., SMSOTP) is required, enter the relevant values.
  5. The user is redirected to the consent management page once authentication succeeds.

  6. Once a bank customer provides the consent, an authorization code is generated.
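
The authorization URL in step 2 takes state, nonce, code_challenge and code_challenge_method, and the later token request takes the matching code_verifier. The following added example (not part of the WSO2 documentation) derives these values with the S256 method of RFC 7636 and checks the state returned on the callback; the function names and the callback URL format are assumptions.

```shell
#!/bin/sh
# b64url: base64url-encode stdin without padding.
b64url() {
    openssl base64 -A | tr '/+' '_-' | tr -d '='
}

# new_code_verifier: 32 random bytes as a 43-character base64url string.
# Keep it private to the TPP; only the challenge goes into the browser URL.
new_code_verifier() {
    openssl rand 32 | b64url
}

# code_challenge_s256 VERIFIER: BASE64URL(SHA256(verifier)), to be sent with
# code_challenge_method=S256.
code_challenge_s256() {
    printf '%s' "$1" | openssl dgst -sha256 -binary | b64url
}

# new_random_token: unguessable value for the state and nonce parameters.
new_random_token() {
    openssl rand -hex 16
}

# callback_param URL NAME: print the (still URL-encoded) value of NAME from
# the query string or fragment of the redirect the TPP receives.
callback_param() {
    printf '%s\n' "$1" | tr '?#&' '\n\n\n' | sed -n "s/^$2=//p" | head -n 1
}

# callback_state_ok EXPECTED_STATE URL: succeed only if the callback carries
# exactly the state value that was sent in the authorization request.
callback_state_ok() {
    got=$(callback_param "$2" state)
    [ -n "$got" ] && [ "$got" = "$1" ]
}
```

Discard the authorization code whenever callback_state_ok fails, since the redirect then did not originate from the request this session started.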

Generate user access token

You can generate a user access token using the authorization code generated in the Invoke AuthorizeAPI API step.

  1. Run the following cURL command in a command prompt to generate the access token as a TPP user.

    curl -v -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=ISO-8859-1" -k -d "grant_type=authorization_code&scope=accounts+openid&client_assertion_type=<<eg:-urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer>>&client_assertion=<<jwt_key>>&redirect_uri=<<The callback URL of your application>>&code_challenge_method=<<code_challenge_method>>&code_verifier=<<code_verifier>>&code=<<code>>" https://<<OB_HOST>>:8243/token
  2. Now, an access and refresh token are generated.

    You can renew an access token using the refresh token. To renew an access token, see Renew Access Token.

Invoke Account and Transaction APIs

The TPP invokes the actual Accounts APIs. The bank has already validated the Accounts API request done by the TPP, based on the consents provided by the bank customer (PSU).

  1. Use the user access token generated in the previous step to invoke the APIs (v1.1.0) as shown below.

    Consent
    curl -X GET --header 'Accept: application/json' --header 'X-Request-ID: <<x-request-id>>' --header 'Authorization: Bearer <<access token>>' --header 'Content-Type: application/json' 'https://<<OB_HOST>>:8243/AccountsInfoAPI/<<version>>/consents/<<ConsentId>>'
    All accounts
    curl -X GET --header 'Accept: application/json' --header 'X-Request-ID: <<x-request-id>>' --header 'Consent-ID: <<ConsentId>>' --header 'Authorization: Bearer <<access token>>' --header 'Content-Type: application/json' 'https://<<OB_HOST>>:8243/AccountsInfoAPI/<<version>>/accounts'
    All accounts with balances
    curl -X GET --header 'Accept: application/json' --header 'X-Request-ID: <<x-request-id>>' --header 'Consent-ID: <<ConsentId>>' --header 'Authorization: Bearer <<access token>>' --header 'Content-Type: application/json' 'https://<<OB_HOST>>:8243/AccountsInfoAPI/<<version>>/accounts?withBalance=true'
    Specific account
    curl -X GET --header 'Accept: application/json' --header 'X-Request-ID: <<x-request-id>>' --header 'Consent-ID: <<ConsentId>>' --header 'Authorization: Bearer <<access token>>' --header 'Content-Type: application/json' 'https://<<OB_HOST>>:8243/AccountsInfoAPI/<<version>>/accounts/<<account-id>>'
    Specific account with balances
    curl -X GET --header 'Accept: application/json' --header 'X-Request-ID: <<x-request-id>>' --header 'Consent-ID: <<ConsentId>>' --header 'Authorization: Bearer <<access token>>' --header 'Content-Type: application/json' 'https://<<OB_HOST>>:8243/AccountsInfoAPI/<<version>>/accounts/<<account-id>>?withBalance=true'
    Balance list for a specific account
    curl -X GET --header 'Accept: application/json' --header 'X-Request-ID: <<x-request-id>>' --header 'Consent-ID: <<ConsentId>>' --header 'Authorization: Bearer <<access token>>' --header 'Content-Type: application/json' 'https://<<OB_HOST>>:8243/AccountsInfoAPI/<<version>>/accounts/<<account-id>>/balances'
    Transaction list for a specific account
    curl -X GET --header 'Accept: application/json' --header 'X-Request-ID: <<x-request-id>>' --header 'Consent-ID: <<ConsentId>>' --header 'Authorization: Bearer <<access token>>' --header 'Content-Type: application/json' 'https://<<OB_HOST>>:8243/AccountsInfoAPI/<<version>>/accounts/<<account-id>>/transactions?bookingStatus=<<booking status>>'
    Specific transaction
    curl -X GET --header 'Accept: application/json' --header 'X-Request-ID: <<x-request-id>>' --header 'Consent-ID: <<ConsentId>>' --header 'Authorization: Bearer <<access token>>' --header 'Content-Type: application/json' 'https://<<OB_HOST>>:8243/AccountsInfoAPI/<<version>>/accounts/<<account-id>>/transactions/<<resourceId>>'

Renew access token

In the following step, you regenerate the access token that was generated using the authorization code under Generate user access token.

  1. Run the following cURL command to call the token endpoint with the refresh_token grant type and generate a new access token as a TPP user.

    curl -v -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=ISO-8859-1" -k -d "grant_type=refresh_token&refresh_token=<<refresh_token>>&scope=accounts+openid&client_assertion_type=<<eg:-urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer>>&client_assertion=<<jwt_key>>&redirect_uri=<<The callback URL of your application>>" https://<<OB_HOST>>:8243/token