This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Consent Re-Authentication for UK

Consent re-authentication is the process that enables an ASPSP to authenticate a PSU more than once for the same consent. In order to re-authenticate a consent:

  • The consent must be in the authorized state.
  • The ExpirationDateTime of the consent should not have elapsed.

Once re-authentication is successful, a TPP must not use or refresh access tokens that were issued for the same consent. The ASPSP can decide to invalidate the previously issued tokens for the same consent.

Following are the topics discussed in this page:

  • Change the authorized accounts during re-authentication
  • Revoke previously issued tokens to an existing consent
  • Refresh token validity period

Change the authorized accounts during re-authentication

In the accounts flow, a PSU can change the account IDs during consent re-authentication. The ASPSP can permit this using the configuration below.

To allow the PSU to change the account IDs during consent re-authentication:

  1. Open the <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml file.
  2. Set the enable property of the following configuration to true:

    [open_banking.uk.acc_update_by_psu]
    enable = true

  3. Open the <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml file and update the configuration as explained in the step above.
  4. Restart the API Management and Identity and Access Management servers.

Revoke previously issued tokens to an existing consent 

During consent re-authentication, an ASPSP can revoke a token that was previously issued for an existing consent. The default configuration revokes the previously issued token when a new token request arrives with the same client ID and scopes as the existing consent. By default, this configuration is set to false. To enable this feature, add the following configuration to the <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml file:

    [oauth.token_renewal]
    renew_access_token_per_request = false

Refresh token validity period

In WSO2 Open Banking, an ASPSP can re-authenticate the consent at a configured time.

The TPP can request re-authentication for a given consent from the PSU at any time. Once the PSU authorises the re-authentication request, the refresh token for that consent ID is refreshed. If the TPP does not send a re-authentication request, the ASPSP can enforce re-authentication, in line with the SCA exemption rules, after the period configured under RefreshTokenValidityPeriod. When that validity period is reached, the refresh token expires, and the given consent has to be re-authorised before a new refresh token can be obtained.

None of the permissions in the consent can be altered when the consent is re-authenticated.

  1. Open the <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml file and add the following to configure the validity period of the refresh token issued for the consent.

    The validity period must be defined in seconds. In this example, it is 90 days, so the value is set to 7776000.

    [oauth.token_validation]
    refresh_token_validity = 7776000
  2. The renew_refresh_token property controls whether the TPP can renew the refresh token for a given consent.

    Recommendation

    Set the value to false. A consent that can be re-authenticated has only one refresh token, and the TPP must not be able to renew it by itself.

    [oauth.token_renewal]
    renew_refresh_token = false

    For Open Banking Standard v3.1.10: 

    Previously, the Open Banking Standard required re-authentication of refresh tokens issued for the Account and Transaction API once 90 days had passed since the token issue date. With v3.1.10, this mandate has been removed.

    This is only available as a WSO2 Update from WSO2 Open Banking API Manager Level 2.0.0.180 and WSO2 Open Banking Identity Server Level 2.0.0.188 onwards. For more information on updating WSO2 Open Banking, see Updating WSO2 Products.

    1. Open the <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml file.

    2. Add the following configuration to set the validity period and the authorisation date limit for refresh tokens:

      [open_banking.uk.account_refresh_token_validity]
      token_expiry_duration = 15552000
      last_authorised_date_limit = 90
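
The two refresh-token sections above define three limits (refresh_token_validity, token_expiry_duration and last_authorised_date_limit) but do not show how an operator would check a deployment.toml against them before rollout. The following script is an added example, not WSO2 code: it parses the fragments shown on this page with a deliberately minimal TOML reader, reports settings that deviate from the page's recommendation (renew_refresh_token should be false), and evaluates whether a refresh token is still usable at a given time. The evaluation rule is an assumption for illustration: when the account_refresh_token_validity table is present, a token is usable only while both token_expiry_duration (seconds since issue) and last_authorised_date_limit (days since the PSU last authorised the consent) are unexpired; otherwise only refresh_token_validity applies. The sample configuration is constructed from the fragments on this page.

```python
"""Added example (not WSO2's own code): check deployment.toml refresh-token
settings from this page and evaluate refresh-token usability under them."""
from __future__ import annotations

from typing import Any

DAY = 86400  # seconds per day

# Constructed sample: the fragments shown on this page, merged into one file.
SAMPLE_TOML = """
[open_banking.uk.acc_update_by_psu]
enable = true

[oauth.token_renewal]
renew_access_token_per_request = false
renew_refresh_token = false

[oauth.token_validation]
refresh_token_validity = 7776000

[open_banking.uk.account_refresh_token_validity]
token_expiry_duration = 15552000
last_authorised_date_limit = 90
"""


def parse_simple_toml(text: str) -> dict[str, dict[str, Any]]:
    """Minimal reader for the flat '[section]' / 'key = value' shape used in these
    fragments (booleans, integers, quoted strings). Not a full TOML parser."""
    cfg: dict[str, dict[str, Any]] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            cfg.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            raise ValueError(f"malformed line: {raw!r}")
        if value in ("true", "false"):
            parsed: Any = value == "true"
        elif value.lstrip("-").isdigit():
            parsed = int(value)
        elif len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            parsed = value[1:-1]
        else:
            raise ValueError(f"unsupported value for {section}.{key}: {value!r}")
        cfg.setdefault(section, {})[key] = parsed
    return cfg


def lint_settings(cfg: dict[str, dict[str, Any]]) -> list[str]:
    """Report deviations from the recommendations on this page."""
    findings: list[str] = []
    renewal = cfg.get("oauth.token_renewal", {})
    if renewal.get("renew_refresh_token") is not False:
        findings.append("oauth.token_renewal.renew_refresh_token is not explicitly "
                        "false: a re-authenticable consent has exactly one refresh "
                        "token, which the TPP must not renew itself")
    if "refresh_token_validity" not in cfg.get("oauth.token_validation", {}):
        findings.append("oauth.token_validation.refresh_token_validity is not set")
    return findings


def refresh_token_usable(cfg: dict[str, dict[str, Any]], issued_at: int,
                         last_authorised_at: int, now: int) -> tuple[bool, str]:
    """Assumed rule (not quoted from the page): with the v3.1.10 table present,
    both the token lifetime and the last-authorisation age must be within limits;
    without it, only refresh_token_validity bounds the token. Times are epoch seconds."""
    ob = cfg.get("open_banking.uk.account_refresh_token_validity")
    if ob is not None:
        lifetime = int(ob["token_expiry_duration"])
        auth_limit: int | None = int(ob["last_authorised_date_limit"]) * DAY
    else:
        lifetime = int(cfg["oauth.token_validation"]["refresh_token_validity"])
        auth_limit = None
    if now - issued_at >= lifetime:
        return False, "refresh token lifetime elapsed: consent must be re-authorised"
    if auth_limit is not None and now - last_authorised_at >= auth_limit:
        return False, "last authorisation older than last_authorised_date_limit"
    return True, "refresh token usable"


if __name__ == "__main__":
    config = parse_simple_toml(SAMPLE_TOML)
    print("findings:", lint_settings(config) or "none")
    t0 = 1_700_000_000  # constructed issue/authorisation time
    for days in (89, 90, 179, 180):
        print(days, "days:", refresh_token_usable(config, t0, t0, t0 + days * DAY))
```

Run it on a real deployment.toml by replacing SAMPLE_TOML with the file contents; because the reader is intentionally minimal, it raises on any line shape it does not understand rather than silently skipping a setting.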