This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, go to https://wso2.com/documentation/.

Event Notification API v3.1.2

Owned by Former user (Deleted)
Last updated: Jul 01, 2021
17 min read

This document explains the flow of events related to the Event Notification APIs v3.1.2.  

Before you begin:

You need to configure and deploy the Event Notification APIs v3.1.2.  

  Click here to see how it is done...

Configuring the Event Notification APIs
  1. Open the <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml file.

  2. Update the placeholders in the following configurations:

    [open_banking.event_notifications]
enable = true
token_issuer = "www.openbank.com"
api_url = "https://<WSO2_OB_APIM_HOST>:8243/open-banking/v3.1/event-notification"
signing_alias = <KEYSTORE_ALIAS>
  3. Restart the Identity and Access Management server to reflect the changes.
Deploying the Event Notification APIs

To use the Event Notification feature an ASPSP should deploy both Event Notification and Aggregated Event Polling APIs. 



Step 1 - Sign up as a TPP

In this step, the TPP registers its TPP application in the WSO2 Open Banking Developer portal.

 Click here to see how it is done...

  1. Navigate to the WSO2 Open Banking Developer portal at https://<WSO2_OB_APIM_HOST>:9443/devportal.

  2. Select Applications in the menu. 
  3. In the Sign-in form, click Create Account.
  4. Provide a username and click Proceed Self Register.

  5. Fill the Create New Account form to complete registration.

  6. Read terms and conditions. Click the checkbox to agree to the terms and conditions.

  7. Click Register.



Step 2 - Sign in to the Developer Portal as the TPP

Users can sign in to WSO2 Open Banking Developer portal with the authentication details created during sign up.

 Click here to see how it is done...

  1. Sign in to the Developer portal as the TPP at https://<WSO2_OB_APIM_HOST>:9443/devportal.

  2. Enter the username and the password you entered when signing up as a TPP.  

  3. Click Continue

The homepage of the Developer Portal is now displayed along with the published APIs.



Step 3 - Create an application

The TPP with an application needs to create an application using WSO2 Open Banking Developer portal. The application created via the Developer portal allows to observe statistics of APIs, subscribe to APIs, and access the subscribed APIs.

 Click here to see how it is done...

  1. Go to the Applications tab in the Developer Portal.  

  2. Click ADD NEW APPLICATION.

  3. Enter application details.

    WSO2 Open Banking currently authenticates the TPP applications using the Reference (Opaque) method.

  4. Click SAVE

An application can be used to subscribe to multiple APIs. See Subscribe to an API for the instructions.


Step 4 - Subscribe to API

The TPP user needs to subscribe to both  Event Notification Subscription API  and  Aggregated Event Polling API  to complete the Even Notification flow. Once subscribed, the users can access all the supported services of these API resources.

 Click here to see how it is done...

  1. Go to the APIs tab in the Developer portal.

  2. Select the Event Notification Subscription API.

  3. Go to Subscriptions at the bottom of the API and select SUBSCRIBE.
  4. Select the Application from the drop-down list, set the Throttling Policy and click SUBSCRIBE.

  5. Once you subscribe, you can find the list of subscriptions in the bottom.

  6. Follow step 2,3, 4 and 5 and subscribe to the Aggregated Event Polling API using your application.

Now that you have subscribed to the APIs, generate access tokens and invoke the API.



Step 5 - Create and upload certificates

The TPP user needs to create certificates to validate whether the TPP is registered in a governing entity. It is verified in the TPP Onboarding process. There are two types of certifications that can be added to the client trust stores of the WSO2 Open Banking Identity and Access Management and WSO2 Open Banking API Management modules.

  1. Root and issuer certificates obtained from Open Banking Implementation Entity.
  2. eIDAS issuer certificates obtained from the Qualified Trust Service Providers.

See eIDAS Implementation for PSD2 Compliance to find out more information on the two approaches.

In order to support eIDAS or OB certificates in WSO2 Open Banking, you need to update the client trust stores. 

 Click here to see how it is done...

Step 6 - Generate keys

The TPP user requires a Client ID(Consumer Key) to access the subscribed APIs.

 Click here to see how it is done...

  1. Sign in to WSO2 Open Banking Developer portal as a TPP user.

  2. Go to the Applications tab and select the application you used to subscribe to the APIs.

  3. Scroll down and select either of the following types of keys:

    1. Production Keys: Generates access tokens in the production environment.

    2. Sandbox Keys: Generates access tokens in the sandbox environment.

  4. Click Manage at the bottom of the page.

  5. Provide the requested information as defined below:  

    Field

    Description

    Grant Types

    These determine the credentials that are used to generate the access token.

    • Code: This relates to the authorisation code grant type and is applicable when consuming the API as a user.
    • Implicit: This is similar to the code grant type, but instead of generating code, this directly provides the access token.
    • Refresh Token: This is to renew an expired access token.
    • Client Credential: This relates to the client credentials grant type and is applicable when consuming the API as an application.

    Callback URL

    This is the URL used by the TPP to receive the authorisation code sent from the Account Servicing Payment Service Provider (ASPSP), e.g: bank. The authorisation code can be used later to generate an OAuth2 access token.

    Application Certificate

    This is the content between the BEGIN CERTIFICATE and END CERTIFICATE strings of the application certificate (.PEM).  

    If you have configured the OB certificates, for testing purposes, you can use the sample application certificate available here.

  6. Click GENERATE KEYS to generate production or sandbox keys. It generates consumer key and consumer secret.

Step 7 - Generate application access token

When invoking the Event Notification Subscription API in the Event Notification flow, application access tokens must be generated using the client credential grant type. The generated application access token is used to invoke the API.

 Click here to see how it is done...

  1. Once the client is successfully registered, sign in to WSO2 Open Banking Developer Portal and go to the Applications tab.

  2. Select your client application from the Application List. 

  3. You can view the keys you generated at the bottom of this page:

  4. The Consumer Key shown above is the client ID of your application.

  5. Now, generate the client assertion by signing the following JSON payload using the supported algorithms. 

    If you have configured the OB certificates, you may use the attached certificate and keys for signing and transports layer security testing purposes.

    The value of the aud claim should contain the same value as the Identity Provider Entity ID.

     Click here to view the Identity Provider Entity ID:
    1. Sign in to the Identity and Access Management console at  https://<WSO2_OB_IAM_HOST>t:9446/carbon
    2. In the Main menu, go to Home > Identity > Identity Providers > Resident.
    3. View the value in Resident Identity Provider > Inbound Authentication Configuration > OAuth2/OpenID Connect Configuration > Identity Provider Entity ID. By default this value is set to  https://<WSO2_OB_APIM>:8243/token .

  6. Run the following cURL command in a command prompt to generate the access token. Update the placeholders with the relevant values. You need an 

    curl -X POST \
  https://<WSO2_OB_APIM_HOST>:8243/token \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/x-www-form-urlencoded'   \
  --cert <PUBLIC_KEY_FILE_PATH> --key <PRIVATE_KEY_FILE_PATH> \
  -d 'client_id=<CLIENT_ID>&grant_type=client_credentials&scope=accounts%20payments%20fundsconfirmations&client_assertion=<CLIENT_ASSERTION_JWT>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&redirect_uri=<APPLICATION_CALLBACK_URL>'

    The access token is now generated.

    You can use the same cURL command to regenerate the access token.


Step 8 - Create an event-subscription resource

POST /event-subscriptions 

The TPP requests the ASPSP to create a new event-subscription resource using this API endpoint. On successful creation, the ASPSP responds with a unique EventSubscriptionId to refer to the resource. The TPP uses this resource to access event notifications.

 Click here to see the other endpoints

GET /event-subscriptions

The TPP requests the ASPSP to retrieve its event-subscription resource.

PUT /event-subscriptions/{EventSubscriptionId}

The TPP to requests the ASPSP to update an event-subscription resource.

DELETE /event-subscriptions/{EventSubscriptionId}

The TPP requests the ASPSP to delete an event-subscription resource.

Step 9 - Generate application access token

When invoking the Aggregated Event Polling API in the Event Notification flow, application access tokens must be generated using the client credential grant type. The generated application access token is used to invoke the API.

 Click here to see how it is done...

  1. Once the client is successfully registered, sign in to WSO2 Open Banking Developer Portal and go to the Applications tab.

  2. Select your client application from the Application List. 

  3. You can view the keys you generated at the bottom of this page:

  4. The Consumer Key shown above is the client ID of your application.

  5. Now, generate the client assertion by signing the following JSON payload using the supported algorithms. 

    If you have configured the OB certificates, you may use the attached certificate and keys for signing and transports layer security testing purposes.

    The value of the aud claim should contain the same value as the Identity Provider Entity ID.

     Click here to view the Identity Provider Entity ID:
    1. Sign in to the Identity and Access Management console at  https://<WSO2_OB_IAM_HOST>t:9446/carbon
    2. In the Main menu, go to Home > Identity > Identity Providers > Resident.
    3. View the value in Resident Identity Provider > Inbound Authentication Configuration > OAuth2/OpenID Connect Configuration > Identity Provider Entity ID. By default this value is set to  https://<WSO2_OB_APIM>:8243/token .

  6. Run the following cURL command in a command prompt to generate the access token. Update the placeholders with the relevant values. You need an 

    curl -X POST \
  https://<WSO2_OB_APIM_HOST>:8243/token \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/x-www-form-urlencoded'   \
  --cert <PUBLIC_KEY_FILE_PATH> --key <PRIVATE_KEY_FILE_PATH> \
  -d 'client_id=<CLIENT_ID>&grant_type=client_credentials&scope=eventpolling&client_assertion=<CLIENT_ASSERTION_JWT>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&redirect_uri=<APPLICATION_CALLBACK_URL>'

    The access token is now generated.

    You can use the same cURL command to regenerate the access token.

Step 10 - Invoke Aggregated Event Polling API

POST /events

The endpoint allows a TPP to poll for, acknowledge, and receive event notifications. The TPPs communicate their polling parameters and event notification acknowledgements using this endpoint. The ASPSP responds accordingly, sending event notifications as indicated by the TPP's polling parameters.

The TPPs are able to perform the following using the POST /events endpoint using different payloads:

  • Poll for events
  • Acknowledge the received events
  • Poll for new events and acknowledge the received events at once

The TPPs send two polling parameters to indicate the polling behaviours:

  • returnImmediately: Indicates whether an ASPSP should return a response immediately or provide a long poll. 

    Long polling is currently not supported by WSO2 Open Banking. Therefore, the value of returnImmediately is always true.

  • maxEvents: The maximum number of events to be returned. A value of zero indicates the ASPSP should not return events even if available. The upper bound value of the parameter depends on the size of the payload and the connection. If maxEvents is not defined in the payload, the ASPSP sets the value according to the <NumberOfSetsToReturn> configuration in  <WSO2_OB_KM_HOME>/repository/conf/finance/open-banking.xml.

Given below is a sample request where the TPP is requesting for a response immediately, only to make sure there are events available. 

The TPP confirmed that there are events. For example, if there are 5 events available with the ASPSP and the TPP wants to receive only 3 events, the request looks as follows:

Now the TPP acknowledges the received events (both positive and negative acknowledgements) while accepting more events. As per the response, there are more events available with the ASPSP. The TPP continues requesting for events until there are no more events and the value of moreAvailable is false.