This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
App-to-App redirection
Strong Customer Authentication (SCA) can be implemented using the redirect method, in which the Payment Service User (PSU) is redirected from the Third Party Provider's (TPP's) interface to the Account Servicing Payment Service Provider's (ASPSP's) authentication interface. The PSU will be redirected back to the TPP's interface upon successful authentication. App-to-App redirection is the method when this redirection happens in a mobile web browser or a mobile application.Â
App-to-App redirection is a recommended way of implementing SCA according to Open Banking Implementation Entity.
The ASPSP’s interface and redirection can vary according to the service it is providing with.
Account Information Service
If the TPP is aggregating account information on behalf of the PSU, APP-to-APP redirection looks as follows
According to the Customer Experience Guidelines, the following implementation steps are described explicitly:
Implementation | Requirement | Participant |
---|---|---|
A- AISP requests the PSU to identify the ASPSP | Required | AISP |
B- The ASPSP app loads for the authentication (If the ASPSP app resides in the same mobile device, or else redirect to the browser) | Required | ASPSP |
C- The PSU consents to the accounts, which the AISP is allowed to have access | Required | ASPSP |
D- Confirms the completion of AIS request | Recommended | AISP |
Payment Information Service
If the TPP is initiating a credit transfer on behalf of the PSU, App-to-App redirection looks as follows:
According to the Customer Experience Guidelines, the following implementation steps are described explicitly:
Implementation | Requirement | Participant |
---|---|---|
A- PSU enters/selects the account associated with their ASPSP | Required | PISP |
B- Shares the information to obtain PSU consent before initiating a payment | Required | PISP |
C- The ASPSP app loads for the authentication (If the ASPSP app resides in the same mobile device, or else redirect to the browser) | Required | PISP |
D- Display the minimum payment amount, currency, and payee account name to the PSU | Required | ASPSP |
E- ASPSP app-based authentication must not be more than the number of steps the PSU would go through when directly accessing the ASPSP interface | Required | ASPSP |
F- PSU needs to be directed back to the TPP’s interface displaying the confirmation of successful payment initiation. | Required | PISP |
How WSO2 Open Banking supports App-to-App redirection
Let’s now see how WSO2 Open Banking supports App-to-App redirection.
The TPP mobile application invokes the /oauth2/authorize
endpoint in WSO2 OB KM for authentication and authorisation of PSU before sharing the account information or initiating a payment. WSO2 OB KM responds to the TPP mobile application with the authentication step after checking the authentication steps configured for that TPP mobile application.
In App-to-App redirection,
- The TPP mobile application loads the ASPSP mobile app via Deep linking for PSU authentication. So that the PSU enters the user Id and password to the sign-in page.
Upon invoking the
/commonAuth
endpoint, WSO2 OB KM submits the entered-authentication information, checks the next authentication step (if available), and respond with the URL.At the completion of pre-configured authentication steps, the consent page is displayed to the user by invoking the
GET /consent/data/{session-data-key}
endpoint. The user's consent is then captured and persisted by invoking thePATCH /authorize/{consent-id}
endpoint. For examples, see Integrate the bank's consent page.
These authentication steps can be configured using the instructions provided under Adding Custom Authenticators. Thereby, WSO2 OB KM will check the authentication steps associated with the ASPSP mobile app and respond with them to the ASPSP mobile application accordingly.