This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Revoking the consents for UK

After a certain period, some bank customers (Payment Service Users (PSUs)) may prefer to revoke the consents they gave Third-Party Providers (TPPs) to access account data. In WSO2 Open Banking, these consents can be revoked in two ways:

  • By the PSU, through the Consent Manager portal
  • By a Customer Care Representative on behalf of the PSU, through the Customer Care portal

Let's learn more about these two methods!

WSO2 Open Banking adheres to PSD2, which states that a PSU cannot revoke a payment-order consent after it has been authorised. Therefore, you can only revoke account consents, not payment consents.


Revoking the Consents by Payment Service Users

Before you begin:

Configure the consent management application to try out the Consent Manager Portal.

The WSO2 Open Banking Consent Manager portal, also known as the Self-care portal, enables Payment Service Users (PSUs) to review and revoke the consents they provided to access account details.

Let's take a look at how a PSU can revoke consent.

  1. Go to the Consent Manager portal at https://<WSO2_OB_KM_HOST>:9446/consentmgt.

  2. Enter the username and password provided by the bank. Click SIGN IN.
  3. On the Consent Manager portal's home page, you can view a list of the consents you granted for Accounts and Payments. Click an account consent to see its details, as shown below:

    Consent status is displayed to the right of the selected consent. Available consent statuses are rejected, awaiting authorisation, authorised, and revoked.

    Below is the list of permissions that a PSU can grant to Account consents:

    Permission type            | Description                                        | Permission variation
    ReadAccountsDetail         | Reads account information                          | Basic Detail - ability to identify account using information in the payload
    ReadBalances               | Reads all balance information                      | -
    ReadBeneficiariesDetail    | Reads beneficiary information                      | Basic Detail - ability to identify an account for the beneficiary using information in the payload
    ReadDirectDebits           | Reads all beneficiary information                  | -
    ReadProducts               | Reads all product information related to an account | -
    ReadStandingOrderDetail    | Reads standing order information                   | Basic Detail - ability to identify an account for the beneficiary of the standing order using information in the payload
    ReadTransactionsCredits    | Reads credit transaction information               | Basic Detail - Reads transaction data elements which may hold silent party details
    ReadTransactionsDebits     | Reads debit transaction information                | Basic Detail - Reads transaction data elements which may hold silent party details
    ReadOffers                 | Reads offer information                            | -
    ReadPAN                    | Reads Permanent Access Number (PAN) in the clear   | -
    ReadParty                  | Reads party information of the account owner       | -
    ReadPartyPSU               | Reads party information of the PSU logged in       | -
    ReadStatementDetail        | Reads statement details                            | Basic Detail - Reads identification details accessing certain elements in the payload
    ReadScheduledPaymentDetail |                                                    |

  4. After reviewing the consent, click Revoke.

    Optionally, you can enter a reason for the revocation.

    Revocation reasons help you to find more information later. It is not mandatory to provide a reason for revocation.

  5. Click Revoke to confirm the revocation. 

  6. The status of the consent now changes to Revoked. The consent remains in the list, so its history is still available.


Revoking the consents by Customer Care Representatives

The WSO2 Open Banking Customer Care portal enables the Customer Care Representatives to revoke the consents on behalf of the PSUs.

Before you begin:

Follow the steps below and create a user whose role is defined as a customer care officer:
  1. Sign in to the Identity and Access Management console (https://<WSO2_OB_KM_HOST>:9446/carbon). Use the default super admin credentials:

    Username: admin@wso2.com

    Password: wso2123

    The above credentials are used for demo purposes only. It is recommended to change them in a production environment.

  2. On the Main tab, click Identity > Users and Roles > Add > Add New Role and create the following role:

    Domain   | Role                | Permissions
    Internal | CustomerCareOfficer | No permissions required.
  3. On the Main tab, click Identity > Users and Roles > Add > Add New User and create the following user:

    User         | Roles
    ann@gold.com | Internal/CustomerCareOfficer
  4. Click Finish.

Configuring SSO:

You can configure SSO for the Customer Care Portal.

  1. Create a Service Provider with the following parameters.
    1. Sign in to the Identity and Access Management console at https://<WSO2_OB_KM_HOST>:9446/carbon.

    2. Go to Home > Identity > Service Providers > Add.

    3. Use the Manual Configuration option and fill in the Basic Information.

    4. Click Register.

    5. Go to Inbound Authentication Configuration > SAML2 Web SSO Configuration > Configure.
    6. Configure the following:

      Manual Configuration    | Value
      Issuer                  | ccportal
      Assertion Consumer URLs | https://<OB_KM_HOST>:9446/ccportal/jagg/jaggery_acs.jag

    7. Click Add to add the Assertion Consumer URL.

    8. Click Register.

    9. Expand the Local and Outbound Authentication Configuration section and select the authenticators that are used to authenticate users in this service provider (sample value: Default).

    10. Check the Enable Authorization checkbox and click Update.

  2. Set up the policy.
    1. Follow the instructions in Configuring Access Control Policy for a Service Provider - Setting up the policy and publish a policy using the authn_role_based_policy_template for the Internal/CustomerCareOfficer role.
    2. Given below is a sample policy file:

      <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
              PolicyId="authn_ccportal_role_based_policy"
              RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
              Version="1.0">
        <Description>This policy authorizes Internal/CustomerCareOfficer users to the ccportal service provider in the authentication flow based on the roles of the user. Other users will be denied.</Description>
        <Target>
          <AnyOf>
            <AllOf>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ccportal</AttributeValue>
                <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
              </Match>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticate</AttributeValue>
                <AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name" Category="http://wso2.org/identity/identity-action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
              </Match>
            </AllOf>
          </AnyOf>
        </Target>
        <Rule Effect="Permit" RuleId="permit_by_roles">
          <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Internal/CustomerCareOfficer</AttributeValue>
                <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
              </Apply>
            </Apply>
          </Condition>
        </Rule>
        <Rule Effect="Deny" RuleId="deny_others"/>
      </Policy>
  3. Update the SSO configurations.
    1. Open the <WSO2_OB_KM_HOME>/repository/deployment/server/jaggeryapps/ccportal/configs/conf.json file.
    2. Update the ssoConfiguration section. Given below is a sample configuration:

         "ssoConfiguration":{
            "enabled":"true",
            "issuer":"ccportal",
            "identityProviderURL":"https://localhost:9446/samlsso",
            "keyStorePassword":"wso2carbon",
            "identityAlias":"wso2carbon",
            "verifyAssertionValidityPeriod":"true",
            "timestampSkewInSeconds":"300",
            "audienceRestrictionsEnabled":"true",
            "responseSigningEnabled":"true",
            "assertionSigningEnabled":"true",
            "keyStoreName":"<WSO2_OB_KM_HOME>/repository/resources/security/wso2carbon.jks",
            "signRequests":"true",
            "assertionEncryptionEnabled":"false",
            "idpInit":"false",
            "idpInitSSOURL":"https://localhost:9446/samlsso?spEntityID=ccportal",
            "loginUserNameAttribute":""
         }
  4. Make sure the <WSO2_OB_KM_HOME>/modules/sso/module.xml file contains the following:

    <hostObject>
    	<className>org.wso2.carbon.hostobjects.sso.SAMLSSORelyingPartyObject</className>
    	<name>SSORelyingParty</name>
    </hostObject>
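As an added illustration (not WSO2 code), the following Python toy evaluator parses the sample policy from step 2 above and applies its first-applicable combining algorithm to constructed authentication requests: a user holding Internal/CustomerCareOfficer is permitted, any other ccportal user falls through to deny_others, a request for a different service provider is not applicable (the policy Target fails), and a request with no role attribute is indeterminate because of MustBePresent="true". The function names and request-key layout are this example's own assumptions; the policy XML is the page's sample, whitespace-compacted, and only the functions that policy uses are implemented.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
# The sample policy from this page, whitespace-compacted so it fits inline.
POLICY_XML = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="authn_ccportal_role_based_policy" Version="1.0"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"><Target><AnyOf><AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ccportal</AttributeValue><AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/></Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticate</AttributeValue><AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name" Category="http://wso2.org/identity/identity-action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/></Match>
</AllOf></AnyOf></Target><Rule Effect="Permit" RuleId="permit_by_roles"><Condition><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Internal/CustomerCareOfficer</AttributeValue><AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/></Apply>
</Apply></Condition></Rule><Rule Effect="Deny" RuleId="deny_others"/></Policy>"""

def _eval(node, req):
    # Evaluate AttributeValue / AttributeDesignator / Apply; req maps (Category, AttributeId) -> bag of strings.
    tag = node.tag.split("}")[1]
    if tag == "AttributeValue":
        return node.text
    if tag == "AttributeDesignator":
        bag = req.get((node.get("Category"), node.get("AttributeId")), [])
        if not bag and node.get("MustBePresent") == "true":
            raise LookupError(node.get("AttributeId"))  # XACML: the result is Indeterminate
        return bag
    fn = node.get("FunctionId").rsplit(":", 1)[1]  # only "or" and "string-is-in" occur in this policy
    args = [_eval(c, req) for c in node]
    return any(args) if fn == "or" else args[0] in args[1]  # string-is-in: literal contained in the bag?

def _target_matches(target, req):
    # A missing Target matches everything; otherwise some AllOf must have every string-equal Match hold.
    return target is None or any(all(_eval(m[0], req) in _eval(m[1], req) for m in a.findall("x:Match", NS))
                                 for a in target.findall("x:AnyOf/x:AllOf", NS))

def evaluate(policy_xml, req):
    # first-applicable: the first Rule whose Target and Condition hold decides the outcome.
    policy = ET.fromstring(policy_xml)
    try:
        if not _target_matches(policy.find("x:Target", NS), req):
            return "NotApplicable"
        for rule in policy.findall("x:Rule", NS):
            cond = rule.find("x:Condition", NS)
            if _target_matches(rule.find("x:Target", NS), req) and (cond is None or _eval(cond[0], req)):
                return rule.get("Effect")
        return "NotApplicable"
    except LookupError:
        return "Indeterminate"

def ccportal_request(roles, sp="ccportal", action="authenticate"):
    # Constructed request carrying the three attributes the policy reads (keys copied from the policy).
    return {("http://wso2.org/identity/sp", "http://wso2.org/identity/sp/sp-name"): [sp],
            ("http://wso2.org/identity/identity-action", "http://wso2.org/identity/identity-action/action-name"): [action],
            ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", "http://wso2.org/claims/role"): roles}
```

Because the combining algorithm is first-applicable, the order of the two rules matters: if deny_others were listed first, every user would be denied. The real decision in WSO2 Identity Server is made by its Balana PDP, which implements the full XACML 3.0 function set.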
Now, let's take a look at how a customer care representative can revoke consent.

  1. Sign in to the Customer Care Portal (https://<WSO2_OB_KM_HOST>:9446/ccportal) using the username and password of the Customer Care user.

  2. You can filter the search results using the following parameters:
    • User ID: The user ID created for the PSU in the online banking application. This is the same user that is used for generating the consent IDs.

    • Consent Type: Accounts is selected by default. You can select either Accounts or Payments.
    • TPP Application: The TPP applications authorised for the ASPSP are listed here. You can select the TPP application the PSU has given consent to.

    • Status: Select the consent status. Possible values are Rejected, Awaiting Authorisation, Authorised, and Revoked.

    • Set Date Range: The date range in which the PSU's consent is valid.

      You can use one or more filter options and proceed to search.

    WSO2 Open Banking is a solution developed in compliance with PSD2, which states that "A PSU cannot revoke a payment-order consent once it has been authorized".

  3. Click Search.
  4. A list of search results is displayed, as shown below. You can view the Account and Payment consent information by clicking the consent.

  5. Click the consent you want to revoke and view the consent details. 

    One consent ID can be granted to many accounts that belong to the same PSU. Therefore, there are two methods to revoke an account consent:
        1. Revoke consent ID -
          When a PSU has asked a customer care representative to revoke consent, the customer care representative revokes all account consents with that consent ID.
        2. Revoke an account consent -
          An individual account consent can be revoked. This revokes only that account consent.

          The two options mentioned above are shown below:

  6. Click Revoke. Optionally, you can enter a reason for the revocation.

    Revocation reasons help you to find more information later. It is not mandatory to provide a reason for revocation.


    Confirmation windows appear for the two methods separately:

      1. Confirmation to revoke an account

      2. Confirmation to revoke a consent ID
  7. Click Revoke to confirm the revocation.