This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Configuring Consent Revocation Apps for Berlin

Owned by Former user (Deleted)
Last updated: Oct 27, 2020 by Former user (Deleted)Version comment
6 min read

After a certain period, some bank customers, Banks, or Third Party Providers (TPPs) may prefer to revoke the consents they have given to Third-Party Providers (TPPs) to access account data. In WSO2 Open Banking, you can revoke these consents as follows:

Revoking the consents by Payment Service Users

WSO2 Open Banking Consent Manager is a self-care portal where a Payment Service Users (PSU) can view payments and revoke the consents granted for accounts. The Consent Manager portal is used in the following instances:

  • A PSU wants to view the payments done through a particular payment account.
  • A PSU wants to revoke consent granted to a payment account.

Before you begin:

Configure the Consent Management application to try out the Consent Manager Portal.

 Click here to see how to configure Consent Management application

WSO2 Open Banking solution includes consent revocation apps that support bank customers (PSUs) and banks (ASPSPs) to revoke consents. The consent revocation app provided to PSU is known as Self-care portal and the consent revocation app provided to ASPSP is known as Customer Care portal

In order to manage the consents granted to a Third-Party Provider using the Self-care portal,  do the following configurations. 

  1. Go to the Identity and Access Management Console at https://<WSO2_OB_KM_HOST>:9446/carbon.
  2. On the Main tab, click Home > Identity > Service Providers> Add.
  3. Enter consentmgt as the Service Provider’s name. 
  4. Click Register.
  5. Click Inbound Authentication configuration > OAuth/OpenID Connect configuration > Configure.

  6. Set the values for the following parameters and keep the default value for the other parameters.

    ParameterValue
    OAuth Version2.0
    Allowed Grant Type

    code

    Callback URL

    regexp=(https://<WSO2_OB_KM_HOST>:9446/consentmgt|https://<WSO2_OB_KM_HOST>:9446/consentmgt)

    The first and second URLs are respectively; redirect and logout URLs.

    Regex-based consumer URLs are supported when defining the callback URL. This enables you to configure multiple callback URLs for one application by entering a regex pattern as the value for the callback URL field.

    You must have the prefix regexp= before your regex pattern. To define a normal URL, you can specify the callback URL without this prefix.

  7. Click Add.

    The OAuth client key/client ID and OAuth client secret are generated. Those are used in Configuring consent management jaggery application.

  8. Open the < WSO2_OB_KM_HOME> /repository/deployment/server/jaggeryapps/consentmgt/configs/conf.json file. Modify the apimHostapplicationIdauthCredentialredirectUrl, and logoutUrl parameters as follows. 

    In authCredential, be sure to encode the CLIENT_ID:CLIENT_SECRET with BASE64ENCODE encoding. 

    {
	"app" : "consentmgt",
	"applicationType" : "oauth2",
	"tenantDomain": "carbon.super",
	"apimHost":"http://<WSO2_OB_APIM_HOST>",
	"apimNioPort":"8280",
	"apimHttpPort":"9763",
	"kmHost" : "https://<WSO2_OB_KM_HOST>",
	"kmPort" : "9446",
	"kmTokenAPI" : "oauth2/token",
	"kmAuthorizeAPI" : "oauth2/authorize",
	"applicationId":"<CLIENT_ID>",
	"authCredential":"<BASE64ENCODED CLIENT CREDENTIALS>",
	"redirectUrl":"https://<WSO2_OB_KM_HOST>:9446/consentmgt",
	"logoutUrl": "https://<WSO2_OB_KM_HOST>:9446/consentmgt",
	"tokenApiName" : "token",
	"tokenApiVersion" : "",
	"authorizeApiName" : "authorize",
	"authorizeApiVersion" : "",
	"pagination" : {
		"limit" : 11,
		"actualLimit" : 10,
		"offset": 0
	},
	"DeployedSpecification" : "BERLIN"
}

    Important

    Update the specification under the DeployedSpecification parameter. Possible values are UK, BERLINAU, and STET. By default, the value is set to UK.



Let's take a look at how you can access and sign in to the WSO2 Open Banking Consent Manager

  1. Access the Consent Manager portal using https://<WSO2_OB_KM_HOST>:9446/consentmgt.

  2. Enter the username and password. Click Sign In and navigate to the Consent Manager portal's home page.

  3. The default home page directs you to the Account consents tab of the Consent Manager portal. The payment accounts for which you have given consent to the TPP are listed here.
    • There can be several payment accounts for the same ASPSP where you have granted consent to access different data.
    • The Account consents tab displays the account payment consents created through the Accounts API.

    • The consent statuses for Accounts are listed down:

      StatusDescription
      ReceivedThe consent data is received and technically correct, but it is not authorised yet.
      RejectedThe consent is rejected as data is not authorised.
      ValidThe consent is accepted and can GET account data.
      Revoked by PSUThe consent is revoked by the PSU towards the ASPSP.
      ExpiredThe consent is expired. The expiration time can be defined by the TPP.
      Terminated by TPPThe consent type used when the TPP deletes the consent resource.

    • Consents for payments are either Received or Rejected.

  4. Click Revoke to revoke the payment account.

  5. Enter a reason for revoking the payment account. Click Revoke to proceed revoking the account consent.

  6. You can still find the revoked consents under the Account list. The consent status of revoked accounts is set to Revoked.

  7. A PSU can view the following information of a payment consent. 

    You can only view the payment consents as it is impossible to revoke a payment that is authorised.

    • Payment update details: Date and time at which the payment was made.

    • Consent ID: The consent ID generated for the fund transaction.

    • Permissions: The permissions can be granted to Accounts, Balances, Transactions, Available accounts, All PSD2.

  8.  You have come to the end of the Consent Manager portal. You can log out once your consent revocation is executed:

    1. Click the PSU user profile that is on the top right corner.

    2. Click Logout.

    3. A confirmation message is displayed. Confirm the logout.

Revoking the consents by Customer Care Representatives

The Customer Care portal of WSO2 Open Banking allows users to revoke consents on behalf of Payment Service Users (PSUs). To do this, log in as a user that has the Customer Care Officer role enabled. For more information on roles and the users, see Configuring roles and users.

Before you begin:

Follow the steps below and create a user whose role is defined as a customer care officer:

  1. Sign in to the Identity and Access Management console (https://<WSO2_OB_KM_HOST>:9446/carbon). Use the default super admin credentials:

    Username: admin@wso2.com

    Password: wso2123

    The above credentials are used for demo purposes only. It is recommended to change them in a production environment.

  2. On the Main  tab, click  Identity > Users and Roles > Add > Add New Role and create the following user:

    DomainRolePermissions

    Internal

    CustomerCareOfficer

    		No permissions required.

  3. On the  Main  tab, click  Identity > Users and Roles > Add > Add New User and create the following user:

    UserRoles
    ann@gold.comInternal/CustomerCareOfficer

  4. Click Finish.

Configuring SSO:

You can configure SSO for the Customer Care Portal.

 Click here to see how it is done
  1. Create a Service provider with the following parameters.

    1. Sign in to the Identity and Access Management console at https://<WSO2_OB_KM_HOST>:9446/carbon.

    2. Go to Home > Identity > Service Providers > Add.

    3. Use the Manual Configuration option and fill in the Basic Information.

    4. Click Register.

    5. Go to Inbound Authentication Configuration > SAML2 Web SSO Configuration > Configure.

    6. Configure the following:

      Manual ConfigurationValue
      Issuerccportal
      Assertion Consumer URLshttps://<OB_KM_HOST>:9446/ccportal/jagg/jaggery_acs.jag

    7. Click Add to add Assertion Consumer URL.

    8. Click Register.

    9. Expand the Local and Outbound Authentication Configuration section and select the authenticators that are used to authenticate users in this service provider (sample value: Default).

    10. Check the Enable Authorization checkbox and click Update.

  2. Setting up the policy.
    1. Follow the instructions in Configuring Access Control Policy for a Service Provider - Setting up the policy and publish a policy using the authn_role_based_policy_template for the Internal/CustomerCareOfficer role.

    2. Given below is a sample policy file:

      <Policy
	xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="authn_ccportal_role_based_policy"        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
	<Description>This policy authorizes Internal/CustomerCareOfficer users to the ccportal service provider in the authentication flow based on the roles of the user. Other users will be denied.</Description>
	<Target>
		<AnyOf>
			<AllOf>
				<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
					<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ccportal</AttributeValue>
					<AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
				</Match>
				<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
					<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticate</AttributeValue>
					<AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name" Category="http://wso2.org/identity/identity-action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
				</Match>
			</AllOf>
		</AnyOf>
	</Target>
	<Rule Effect="Permit" RuleId="permit_by_roles">
		<Condition>
			<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
				<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
					<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Internal/CustomerCareOfficer</AttributeValue>
					<AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
				</Apply>
			</Apply>
		</Condition>
	</Rule>
	<Rule Effect="Deny" RuleId="deny_others"/>
</Policy>
  3. Update SSO configurations.
    1. Open the <WSO2_OB_KM_HOME>/repository/deployment/server/jaggeryapps/ccportal/configs/conf.json file.

    2. Update the ssoConfiguration section. Given below is a sample configuration:

         "ssoConfiguration":{
      "enabled":"true",
      "issuer":"ccportal",
      "identityProviderURL":"https://localhost:9446/samlsso",
      "keyStorePassword":"wso2carbon",
      "identityAlias":"wso2carbon",
      "verifyAssertionValidityPeriod":"true",
      "timestampSkewInSeconds":"300",
      "audienceRestrictionsEnabled":"true",
      "responseSigningEnabled":"true",
      "assertionSigningEnabled":"true",
      "keyStoreName":"<WSO2_OB_KM_HOME>/repository/resources/security/wso2carbon.jks",
      "signRequests":"true",
      "assertionEncryptionEnabled":"false",
      "idpInit":"false",
      "idpInitSSOURL":"https://localhost:9446/samlsso?spEntityID=ccportal",
      "loginUserNameAttribute":""
   }

  4. Make sure the <WSO2_OB_KM_HOME>/modules/sso/module.xml file contains the following:

    <hostObject>
	<className>org.wso2.carbon.hostobjects.sso.SAMLSSORelyingPartyObject</className>
	<name>SSORelyingParty</name>
</hostObject>

Let's take a look at how you can access and sign in to the WSO2 Open Banking Customer Care portal. 

  1. Access the Customer Care portal using https://<WSO2_OB_KM_HOST>:9446/ccportal.

  2. Enter the username and password. Click Sign In and navigate to the Customer Care portal home page.

    You can use ann@gold.com as the username for testing purposes.

  3. The consent type is selected as Accounts by default. You can select between the Accounts, Payments, and CBPII consents. Filter the search results using the following parameters:

    • User ID: The user ID created for a PSU in the online baking application. This is the same ID used to generate the Consent ID.

    • The consent type is selected as  Accounts  by default. You can select between Accounts, Payments and CBPIIs.

    • Application: The TPP applications authorized for the ASPSP are listed here. Select the TPP application that the PSU has given consent to.

    • Status: Select the consent status. Possible values for Accounts are: Received, Rejected, Partial Authorized, Valid, Revoked by PSU, Expired, Terminated by TPP. Possible values for payment consent are received or rejected.

    • Set Date Range: The date range for which the PSU’s consent is valid.

      Use one or more filter options and proceed to search.

      You cannot revoke a payment consent.

  4. Click Search. A list of search results is displayed as shown below. View the Account and Payment consent information by clicking the consent.

  5. The PSU can revoke the Consent ID by clicking Revoke with a reason for revocation.