This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Confirmation of Funds API v3.1.5

Owned by Former user (Deleted)
Last updated: Sept 05, 2022Version comment
15 min read

This document explains the flow of events related to the Confirmation of Funds API v3.1.5. 

Before you begin:

You need to deploy the Confirmation of Funds API v3.1.5.  

  Click here to see how to deploy the API...

You can configure APIs through the API Publisher by signing in as a user whose role includes Internal/publisher.  

If you have already deployed v3.1 APIs:

According to OBIE, the v3.1 and v3.1.x APIs have the same context values. Therefore, if you have already deployed v3.1 APIs, the v3.1.x APIs cannot be deployed as new versions of existing APIs. You have to update the Swagger file by replacing the current content with the latest content of the API you wish to deploy. For more information, refer to Deploying APIs for UK.

  1. Sign in to the API Publisher Portal (https://<WSO2_OB_APIM_HOST>:9443/publisher).

  2. In the APIs tab, select CREATE NEW API > I Have an Existing REST API. 

  3. Set the Input Type to OpenAPI File. 
  4. Click BROWSE FILE TO UPLOAD and select the <WSO2_OB_APIM_HOME>/repository/resources/finance/apis/openbanking.org.uk/FundsConfirmation/3.1.5/funds-confirmation-swagger.yaml Swagger definition.
  5. Click Next. 

  6. Set the Context value as follows: 

    If you are using WSO2 Open Banking API Manager Level 2.0.0.114 or above:

    If you are configuring an API of v3.1.8 or above, set the following context value manually.  

    /open-banking/{version}/cbpii
  7. Leave the Endpoint field empty as it is.
  8. Set the business plan to Unlimited : Allows unlimited  requests unless you want to limit the requests. 
  9. Click Create to create the API.
  10. Once you get the message that the API is successfully updated, go to Runtime Configurations using the left menu panel.
  11. Click the edit button under Request > Message Mediation. 
  12. Now, select the Custom Policy option.
  13. Upload the <WSO2_OB_APIM_HOME>/repository/resources/finance/apis/openbanking.org.uk/FundsConfirmation/3.1.5/funds-confirmation-dynamic-endpoint-insequence-3.1.5.xml in-sequence file and click SELECT.  
  14. Scroll down and click SAVE.
  15. Go to Endpoints using the left menu panel.
  16. Select Dynamic Endpoint. 
  17. Select the endpoint types; Production Endpoint/Sandbox Endpoint.
  18. Click  Save.
  19. Now, go to Properties using the left menu panel.
  20. Click Add New Property.

  21. Add the API Properties according to your API and click  the Add button.  

    API property nameAPI property value
    ob-specuk
    ob-api-typecof
    ob-api-version3.1.5

    For example: 

  22. Click SAVE.
  23. Go back to Overview using the left menu panel. 
  24. Click PUBLISH.
  25. The published API is available in the Developer Portal at https://<WSO2_OB_APIM_HOST>:9443/devportal.

If you have integrated with OBIE you can use the Dynamic Client Registration v3.2 API. Once you deploy the API you can continue from the Generate application access token step.

Step 1 - Sign up as a TPP

In this step, the TPP registers its TPP application in the WSO2 Open Banking Developer portal.

 Click here to see how it is done...

  1. Navigate to the WSO2 Open Banking Developer portal at https://<WSO2_OB_APIM_HOST>:9443/devportal.

  2. Select Applications in the menu. 
  3. In the Sign-in form, click Create Account.
  4. Provide a username and click Proceed Self Register.

  5. Fill the Create New Account form to complete registration.

  6. Read terms and conditions. Click the checkbox to agree to the terms and conditions.

  7. Click Register.



Step 2 - Sign in to the Developer Portal as the TPP

Users can sign in to WSO2 Open Banking Developer portal with the authentication details created during sign up.

 Click here to see how it is done...

  1. Sign in to the Developer portal as the TPP at https://<WSO2_OB_APIM_HOST>:9443/devportal.

  2. Enter the username and the password you entered when signing up as a TPP.  

  3. Click Continue

The homepage of the Developer Portal is now displayed along with the published APIs.



Step 3 - Create an application

The TPP with a CBPII application needs to create an application using WSO2 Open Banking Developer portal. The application created via the Developer portal allows to observe statistics of APIs, subscribe to APIs, and access the subscribed APIs.

 Click here to see how it is done...

  1. Go to the Applications tab in the Developer Portal.  

  2. Click ADD NEW APPLICATION.

  3. Enter application details.

    WSO2 Open Banking currently authenticates the TPP applications using the Reference (Opaque) method.

  4. Click SAVE

An application can be used to subscribe to multiple APIs. See Subscribe to an API for the instructions.


Step 4 - Subscribe to API

The TPP user needs to subscribe to the Confirmation Of Funds API in order to access the API resources. Once subscribed, the users can access all the supported services of the API resources.

 Click here to see how it is done...

  1. Go to the APIs tab in the Developer portal.

  2. Select the Confirmation Of Funds API.

  3. Go to Subscriptions at the bottom of the API and select SUBSCRIBE.
  4. Select an Application from the drop-down list, set the Throttling Policy and click SUBSCRIBE.

  5. Once you subscribe, you can find the list of subscriptions in the bottom.

Now that you have subscribed to the API, generate access tokens and invoke the API.


Step 5 - Create and upload certificates

The TPP user needs to create certificates to validate whether the TPP is registered in a governing entity. It is verified in the TPP Onboarding process. There are two types of certifications that can be added to the client trust stores of the WSO2 Open Banking Identity and Access Management and WSO2 Open Banking API Management modules.

  1. Root and issuer certificates obtained from Open Banking Implementation Entity.
  2. eIDAS issuer certificates obtained from the Qualified Trust Service Providers.

See eIDAS Implementation for PSD2 Compliance to find out more information on the two approaches.

In order to support eIDAS or OB certificates in WSO2 Open Banking, you need to update the client trust stores. 

 Click here to see how it is done...

Step 6 - Generate keys

The TPP user requires a Client ID(Consumer Key) to access the subscribed APIs.

 Click here to see how it is done...

  1. Sign in to WSO2 Open Banking Developer portal as a TPP user.

  2. Go to the Applications tab and select the application you used to subscribe to the Confirmation of Funds API.

  3. Scroll down and select either of the following types of keys:

    1. Production Keys: Generates access tokens in the production environment.

    2. Sandbox Keys: Generates access tokens in the sandbox environment.

  4. Click Manage at the bottom of the page.

  5. Provide the requested information as defined below:  

    Field

    Description

    Grant Types

    These determine the credentials that are used to generate the access token.

    • Code: This relates to the authorisation code grant type and is applicable when consuming the API as a user.
    • Implicit: This is similar to the code grant type, but instead of generating code, this directly provides the access token.
    • Refresh Token: This is to renew an expired access token.
    • Client Credential: This relates to the client credentials grant type and is applicable when consuming the API as an application.

    Callback URL

    This is the URL used by the TPP to receive the authorisation code sent from the Account Servicing Payment Service Provider (ASPSP), e.g: bank. The authorisation code can be used later to generate an OAuth2 access token.

    Application Certificate

    This is the content between the BEGIN CERTIFICATE and END CERTIFICATE strings of the application certificate (.PEM).  

    If you have configured the OB certificates, for testing purposes, you can use the sample application certificate available here.

  6. Click GENERATE KEYS to generate production or sandbox keys. It generates consumer key and consumer secret.



Step 7 - Generate application access token

When invoking APIs in the Confirmation of Funds flow, application access tokens must be generated using the client credential grant type. The generated application access token is used to invoke the API.

 Click here to see how it is done...

You can skip the above steps and use DCR v3.2 API to dynamically register the clients.

  1. Once the client is successfully registered, sign in to WSO2 Open Banking Developer Portal and go to the Applications tab.

  2. Select your client application from the Application List. 

  3. You can view the keys you generated at the bottom of this page:

  4. The Consumer Key shown above is the client ID of your application.

  5. Now, generate the client assertion by signing the following JSON payload using the supported algorithms. 

    If you have configured the OB certificates, you may use the attached certificate and keys for signing and transports layer security testing purposes.

    The value of the aud claim should contain the same value as the Identity Provider Entity ID.

     Click here to view the Identity Provider Entity ID:
    1. Sign in to the Identity and Access Management console at  https://<WSO2_OB_IAM_HOST>t:9446/carbon
    2. In the Main menu, go to Home > Identity > Identity Providers > Resident.
    3. View the value in Resident Identity Provider > Inbound Authentication Configuration > OAuth2/OpenID Connect Configuration > Identity Provider Entity ID. By default this value is set to  https://<WSO2_OB_APIM>:8243/token .

  6. Run the following cURL command in a command prompt to generate the access token. Update the placeholders with the relevant values.

    curl -X POST \
  https://<WSO2_OB_APIM_HOST>:8243/token \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/x-www-form-urlencoded'   \
  --cert <PUBLIC_KEY_FILE_PATH> --key <PRIVATE_KEY_FILE_PATH> \
  -d 'client_id=<CLIENT_ID>&grant_type=client_credentials&scope=fundsconfirmations%20openid%20&client_assertion=<CLIENT_ASSERTION_JWT>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&redirect_uri=<APPLICATION_CALLBACK_URL>'

    The access token is now generated.

    You can use the same cURL command to regenerate the access token.


Step 8 - Initiate funds confirmation consents

In this step, the TPP creates a request to get the consent of the PSU to confirm the funds available in the bank account. The Bank sends the request to the PSU stating the accounts and information that the TPP wants to access. Upon the user approving or denying the account consent, the TPP is now eligible to access to confirm funds are available.

 Click here to see how it is done

POST /funds-confirmation-consents

  • This resource creates a consent to access the accounts to confirm that the funds are available. Use the following format in the request body.

    {
   "Data":{
      "ExpirationDateTime":"2021-05-02T00:00:00+00:00",
      "DebtorAccount":{
         "SchemeName":"UK.OBIE.SortCodeAccountNumber",
         "Identification":"12334",
         "Name":"Account1",
         "SecondaryIdentification":"Account1"
      }
   }
}
  • Add all mandatory header fields.
    • x-fapi-financial-id - The unique id of the ASPSP to which the request is issued. This id will be issued by OBIE.

    • Authorization - An Authorisation Token as per https://tools.ietf.org/html/rfc6750. Enter the application access token, you generated from the above step.

  • A sample request follows the format given below.

    curl -X POST \
  https://localhost:8243/open-banking/v3.1/cbpii/funds-confirmation-consents \
  -H 'Authorization: Bearer <APPLICATION_ACCESS_TOKEN>' \
  -H 'Content-Type: application/json' \
  -H 'accept: application/json' \
  -H 'x-fapi-financial-id: open-bank' \
  --cert <PUBLIC_KEY_FILE_PATH> --key <PRIVATE_KEY_FILE_PATH> \
  -d '{
   "Data":{
      "ExpirationDateTime":"2021-05-02T00:00:00+00:00",
      "DebtorAccount":{
         "SchemeName":"UK.OBIE.SortCodeAccountNumber",
         "Identification":"12334",
         "Name":"Account1",
         "SecondaryIdentification":"Account1"
      }
   }
}'

  • The response will bear the ConsentId.

    {
   "Data":{
      "Status":"AwaitingAuthorisation",
      "StatusUpdateDateTime":"2020-10-09T12:32:33Z",
      "DebtorAccount":{
         "SecondaryIdentification":"Account1",
         "SchemeName":"UK.OBIE.SortCodeAccountNumber",
         "Identification":"12334",
         "Name":"Account1"
      },
      "CreationDateTime":"2020-10-09T12:32:33Z",
      "ExpirationDateTime":"2021-05-02T00:00:00+00:00",
      "ConsentId":"139a17c5-4145-4308-ad1e-6a2c63745235"
   },
   "Links":{
      "Self":"https://localhost:8243/open-banking/v3.1/cbpii/funds-confirmation-consents/139a17c5-4145-4308-ad1e-6a2c63745235"
   },
   "Meta":{
      "TotalPages":1
   }
}

GET /funds-confirmation-consents/{ConsentId}

  • A CBPII may retrieve a funds-confirmation-consent resource that they have created to check its status. In order to make this request, the CBPII must have an access token issued by the ASPSP using client credentials grant.

  • Add all mandatory header fields.
  • ConsentId -  The unique id of the consent which you want to retrieve.
  • x-fapi-financial-id - The unique id of the ASPSP to which the request is issued. This id will be issued by the OBIE.

  • Authorization - An Authorisation Token as per https://tools.ietf.org/html/rfc6750. Enter the application access token, you generated from the above step.

DELETE /funds-confirmation-consents/{ConsentId}

  • If the PSU revokes the consent to data access with the CBPII, the CBPII must delete the funds-confirmation-consent resource. In order to make this request, the CBPII must have an access token issued by the ASPSP using client credentials grant.
  • Add all mandatory header fields.
    • ConsentId -  The unique id of the consent which you want to delete.
    • x-fapi-financial-id - The unique id of the ASPSP to which the request is issued. This id will be issued by OBIE.

    • Authorization - An Authorisation Token as per https://tools.ietf.org/html/rfc6750. Enter the application access token, you generated from the above step. Use the following format and replace the placeholders.

Given below is a sample request.  

If the deletion is successful you will get a 204 No Content response.

Step 9 - Authorizing funds-confirmation-consents

The CBPII redirects the bank customer to authenticate and approve/deny application-provided consents.

 Click here to see how it is done

Generate the request object by signing the following JSON payload using the supported algorithms. 

Run the following in a browser to prompt the invocation of the authorize API. Make sure you update the placeholders with the relevant values: 

You are directed to a login page.

  1. Log in with the credentials of a user that has a  Subscriber  role.
  2. If a secondary factor is required. For example, SMS OTP, provide the relevant values.
  3. Upon successful authentication, the user is redirected to a page where the user needs to select the accounts that need to be authorised.

  4. Upon providing consent, the consumer is redirected to the callback URL of the TPP with the authorization code. For example: 

    https://wso2.com/#code=e61579c3-fe9c-3dfe-9af2-0d2f03b95775&id_token=eyJ4NXQiOiJNell4TW1Ga09HWXdNV0kwWldObU5EY3hOR1l3WW1NNFpUQTNNV0kyTkRBelpHUXpOR00wWkdSbE5qSmtPREZrWkRSaU9URmtNV0ZoTXpVMlpHVmxOZyIsImtpZCI6Ik16WXhNbUZrT0dZd01XSTBaV05tTkRjeE5HWXdZbU00WlRBM01XSTJOREF6WkdRek5HTTBaR1JsTmpKa09ERmtaRFJpT1RGa01XRmhNelUyWkdWbE5nX1JTMjU2IiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiV0VQQnV2T2t2VTNNZnVqYlI0VFhaQSIsImF1ZCI6WyI0RWJRZmpSZFV2UVJxZThmNlJrMDlWb1Q5bFVhIiwiaHR0cDpcL1wvb3JnLndzbzIuYXBpbWd0XC9nYXRld2F5Il0sInN1YiI6ImFkbWluQHdzbzIuY29tQGNhcmJvbi5zdXBlciIsImNfaGFzaCI6ImZGWjZjQUh4dUw4aWk5YzEzSXRKUUEiLCJvcGVuYmFua2luZ19pbnRlbnRfaWQiOiIxMzlhMTdjNS00MTQ1LTQzMDgtYWQxZS02YTJjNjM3NDUyMzUiLCJzX2hhc2giOiIxY0hpV0ExU3Y2akpzS3pINEVueTVBIiwiYXpwIjoiNEViUWZqUmRVdlFScWU4ZjZSazA5Vm9UOWxVYSIsImFtciI6WyJCYXNpY0F1dGhlbnRpY2F0b3IiXSwiaXNzIjoiaHR0cHM6XC9cL2xvY2FsaG9zdDo4MjQzXC90b2tlbiIsImV4cCI6MTYwMjI1NDE3MCwiaWF0IjoxNjAyMjUwNTcwLCJub25jZSI6Im4tMFM2X1d6QTJNaiJ9.Ros0CEkX7hzfft0rq7ek1Ia-lLoSRT55DRy3nUri35IiQjHYOeY34y6HSHbdnDlW4Yw6mCkB6gZlw7O49zulKcyNUoZn7DdrnldKMhPC2z-mtGhr00x7s0dMNyfH05ZOCIr3cWU2LqhKqyCyhCVP6ZbNDNultPeYQ62NxlTPRnuOi-j7jTsmqQfeiGEuHDpFm431A_6a2XnO5Wt9Awg0nQRpDzEDFD1VL7Ec1ogT3myowbg8YNjm0lQ9f_MV5P7rocG0RQB83hgijbjFYr9CNBuqPU0P_Oi42tWndbSbHqKgdgevuAH2A6_zk-gufJ3cvcFjoy6jFTov1VqIGpTUbA&state=YWlzcDozMTQ2&session_state=9ea1eb6454c3b34a3d1708affde1c25e00f931a4f936c74e2ca7f4250208aa42.sk_04ejciXBj6DnpALyYaw

    The authorization code from the above URL is in the code parameter (code=e61579c3-fe9c-3dfe-9af2-0d2f03b95775).

Step 10 - Generate user access token

In this section, you will be generating an access token using the authorization code generated in the above section.

 Click here to see how it is done

The client_assertion is a JSON Web Token (JWT). Generate the client_assertion by signing the following JSON payload using the supported algorithms:

Run the following cURL command in a command prompt to generate the access token as a TPP user.  

curl -X POST \
  https://<WSO2_OB_APIM_HOST>:8243/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --cert <PUBLIC_KEY_FILE_PATH> --key <PRIVATE_KEY_FILE_PATH> \
  -d 'client_id=<APPLICATION_ID>&grant_type=authorization_code&code=<GENERATED_CODE>&redirect_uri=<APPLICATION_REDIRECT_URI>&client_assertion=<CLIENT_ASSERTION>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer'

The response contains an access token and a refresh token.

The access tokens have an expiration period, once an access token expires, you need to regenerate it. Run the following cURL command to generate a new access token as a CBPII:

curl -X POST \
 https://<WSO2_OB_APIM_HOST>:8243/token \
 -H 'Authorization: Basic <APPLICATION CLIENTID:CLIENT_SECRET_BASE64_ENCODED>' \
 -H 'Content-Type: application/x-www-form-urlencoded' \
 -k --cert <PUBLIC_KEY_FILE_PATH> --key <PRIVATE_KEY_FILE_PATH> \
 -d 'grant_type=refresh_token&refresh_token=<REFRESH_TOKEN>'

Step 11 - Invoke Confirmation of Funds API

Following API functionality is available in the Confirmation of Funds API. These requests use the access token generated in the step  above .

POST /funds-confirmations

If the CBPII would like to confirm funds with the ASPSP, it should create a new funds-confirmation resource, and check the FundsAvailable flag in the response.