This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Pushed Authorisation Endpoint
According to the Consumer Data Standards specification, there are two methods to send the request object in an authorisation request. The Authorisation and Pushed Authorisation endpoints are used by the bank (the Data Holder) to redirect the bank customer to authenticate and approve or deny a consent before a Data Recipient accesses account or transaction information. The two methods are:
- Sending the authorisation details (the signed request object) in the authorisation URL.
- Sending a reference to the authorisation details in the authorisation URL.
Request objects that contain the cdr_arrangement_id claim must only be sent using the Pushed Authorisation Request (PAR). cdr_arrangement_id is a unique value representing a consent arrangement between a Data Recipient and a Data Holder for a given consumer. Include it in the request object of a consent amendment request sent to the PAR endpoint.
To understand the two methods, let's look at the difference between the Authorisation and Pushed Authorisation endpoints and how they work in the Consumer Data Standards API.
Authorisation Endpoint
The Authorisation endpoint receives the request_object, which carries the authorisation details, directly in the authorisation URL.
Pushed Authorisation Endpoint
Unlike with the Authorisation endpoint, with the Pushed Authorisation endpoint the Data Recipient pushes the authorisation details directly to the authorisation server over a back channel and obtains a reference in return. The reference is carried in the request_uri parameter of the authorisation URL.
This prevents:
- Intruders from intercepting the authorisation details sent in the request_object through the user's browser
- Authorisation request URLs becoming very large because the signed JWT carrying the authorisation details is embedded in them
and protects the confidentiality and integrity of the authorisation details, which no longer pass through a third-party application on their way to the authorisation server. Let's see how it is done in WSO2 Open Banking:
- Configure <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml as follows:
  To resolve authorisation requests that carry request_uri, add a new request object builder:
    [[oauth.oidc.custom_request_object_builder]]
    type = "request_uri_param_value_builder"
    class = "com.wso2.finance.open.banking.identity.extensions.builders.RequestUriRequestObjectBuilder"
  By default, the expiry time of the request_uri is set to 60 seconds. To change it, use the following configuration (value in seconds):
    [open_banking.au.push_authorisation]
    expiry_time = "60"
  Add the following configuration to include the Data Holder identifier in the request_uri value returned in the response:
    [open_banking.au]
    holder_identifier = "abc-bank"
- The Data Recipient shares the authorisation details with the authorisation server as a signed JWT (the request object) and obtains a request_uri in the response. You can also update the scope, accounts, and sharing duration of an existing consent through the PAR endpoint: to amend an existing consent, include the cdr_arrangement_id parameter in the request object. This is available only as a WSO2 Update and is effective from July 14, 2021 (07-14-2021). For more information on updating WSO2 Open Banking, see Updating WSO2 Products.
See the sample request given below. The request object is sent as the request parameter and the client authenticates with a private_key_jwt client assertion:
curl --location --request POST 'https://localhost:8243/par' \
--header 'Accept: application/json' \
--header 'Cache-Control: no-cache' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'request=<signed request object>' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=eyJraWQiOiJXX1RjblFWY0hBeTIwcTh6Q01jZEJ5cm9vdHciLCJhbGciOiJQUzI1NiJ9.eyJzdWIiOiJVT05ZVGlGVll2a09mcUlyVkRxeTkwUmtMTU1hIiwiYXVkIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6ODI0My9wYXIiLCJpc3MiOiJVT05ZVGlGVll2a09mcUlyVkRxeTkwUmtMTU1hIiwiZXhwIjoxNjM4NjIzMjU5LCJqdGkiOiIzOTIxMzExMjE0OTEifQ.id6Yi6DS-KVnpKmHt9uZwN5X9gaFcZD6L0b9vrss_iA46RtpzlqRNeRdtMtoWYW1fKbqCvgz-gq-7HlzRBm9XO5CxTevCVliO-ObWju4Vyc9iLXYYBWpUo9H04HJkU8HUY3KPQDLtrijNBoEwOTv0zcEwxy-qVdkrT4F6t5eU6aZQf2MSiG-XdAd54vE-m2vx2pNsFE_ZLUXSv3YVfHuGFXzA21C0kumRhc4Mr1W3svzaNxHPb5E7w-61RXeJtnQY2WsgxmdYkSzg_rYJ1kAVfkZjW2l1KNP9uYpIewUMPnayiZ-RT1vDYCIcjnqbBOGrfStGASTg-2tFaWN8xI7eQ'
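The PAR call above, taken apart as an added example (this is not WSO2 Open Banking code): it decodes the sample client_assertion from the curl request and checks the claims a Data Holder rejects when they are wrong (iss and sub equal to the client_id, aud equal to the endpoint the assertion is sent to, exp in the future, jti present, a FAPI-permitted alg), enforces the rule stated earlier that a request object carrying cdr_arrangement_id must be pushed via PAR rather than sent in the authorisation URL, builds the form body the curl sample posts, and models the request_uri lifetime set by expiry_time. The request object claims, the arrangement id, state and nonce values are constructed for illustration; CDS nests cdr_arrangement_id and sharing_duration under the claims member. Signature verification is deliberately out of scope because it needs the key material.

```python
"""Client-side checks for a CDR Pushed Authorisation Request (PAR).
Added example, not WSO2 Open Banking code: decodes the JWTs an ADR sends to
the PAR endpoint and checks the claims a Data Holder rejects when wrong.
Signatures are NOT verified (that needs the JWKS keys); only claims are.
"""
from __future__ import annotations

import base64
import json
import time
from urllib.parse import urlencode

PAR_ENDPOINT = "https://localhost:8243/par"
CLIENT_ID = "UONYTiFVYvkOfqIrVDqy90RkLMMa"  # iss/sub of the sample client_assertion
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
ALLOWED_ALGS = {"PS256", "ES256"}  # the only signing algorithms FAPI/CDS permit

# client_assertion copied from the curl sample above (header.payload.signature)
CLIENT_ASSERTION = (
    "eyJraWQiOiJXX1RjblFWY0hBeTIwcTh6Q01jZEJ5cm9vdHciLCJhbGciOiJQUzI1NiJ9"
    ".eyJzdWIiOiJVT05ZVGlGVll2a09mcUlyVkRxeTkwUmtMTU1hIiwiYXVkIjoiaHR0cHM6Ly9s"
    "b2NhbGhvc3Q6ODI0My9wYXIiLCJpc3MiOiJVT05ZVGlGVll2a09mcUlyVkRxeTkwUmtMTU1h"
    "IiwiZXhwIjoxNjM4NjIzMjU5LCJqdGkiOiIzOTIxMzExMjE0OTEifQ"
    ".id6Yi6DS-KVnpKmHt9uZwN5X9gaFcZD6L0b9vrss_iA46RtpzlqRNeRdtMtoWYW1fKbqCvgz"
    "-gq-7HlzRBm9XO5CxTevCVliO-ObWju4Vyc9iLXYYBWpUo9H04HJkU8HUY3KPQDLtrijNBoEw"
    "OTv0zcEwxy-qVdkrT4F6t5eU6aZQf2MSiG-XdAd54vE-m2vx2pNsFE_ZLUXSv3YVfHuGFXzA2"
    "1C0kumRhc4Mr1W3svzaNxHPb5E7w-61RXeJtnQY2WsgxmdYkSzg_rYJ1kAVfkZjW2l1KNP9uY"
    "pIewUMPnayiZ-RT1vDYCIcjnqbBOGrfStGASTg-2tFaWN8xI7eQ"
)

# Constructed (hypothetical) request object claims for a consent AMENDMENT. Scope
# and claim names follow CDS; arrangement id, state and nonce are made up.
AMENDMENT_REQUEST_CLAIMS = {
    "iss": CLIENT_ID, "client_id": CLIENT_ID, "response_type": "code id_token",
    "redirect_uri": "https://www.google.com/redirects/redirect1",
    "scope": "openid bank:accounts.basic:read", "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj",
    "claims": {"sharing_duration": 7776000,  # 90 days, in seconds
               "cdr_arrangement_id": "5a1bf696-ee03-408b-b315-97955415d1f0"},
}


def b64url_decode(segment: str) -> bytes:
    """JOSE uses unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jws_unverified(token: str) -> tuple[dict, dict]:
    """Split a compact JWS into (header, claims) WITHOUT checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected a 3-part JWS, got {len(parts)} parts")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def check_client_assertion(token: str, client_id: str, audience: str,
                           now: float | None = None) -> list[str]:
    """Reasons a Data Holder would reject this private_key_jwt assertion; [] if none."""
    now = time.time() if now is None else now
    header, claims = decode_jws_unverified(token)
    problems = []
    if header.get("alg") not in ALLOWED_ALGS:
        problems.append(f"alg {header.get('alg')!r} is not a FAPI-permitted algorithm")
    if not header.get("kid"):
        problems.append("kid missing: the Data Holder cannot select the JWKS key")
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        problems.append("iss and sub must both equal the client_id")
    if claims.get("aud") != audience:
        problems.append(f"aud {claims.get('aud')!r} is not the endpoint the assertion is sent to")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("assertion expired (exp not in the future)")
    if not claims.get("jti"):
        problems.append("jti missing: the Data Holder cannot detect replay")
    return problems


def arrangement_id_location(request_claims: dict) -> str | None:
    """CDS nests cdr_arrangement_id under "claims"; also catch a top-level copy."""
    if "cdr_arrangement_id" in request_claims.get("claims", {}):
        return "claims"
    if "cdr_arrangement_id" in request_claims:
        return "top"
    return None


def check_request_object_placement(request_claims: dict, via_par: bool) -> list[str]:
    """A request object with cdr_arrangement_id MUST be pushed via PAR, never sent
    as the request= parameter of the authorisation URL."""
    if arrangement_id_location(request_claims) and not via_par:
        return ["request object carries cdr_arrangement_id but was not pushed via PAR"]
    return []


def build_par_form(request_object_jwt: str, client_assertion_jwt: str) -> str:
    """URL-encoded body for POST /par: the same three parameters the curl sample sends."""
    return urlencode({"request": request_object_jwt,
                      "client_assertion_type": JWT_BEARER,
                      "client_assertion": client_assertion_jwt})


def request_uri_expired(issued_at: float, now: float, expiry_time: int = 60) -> bool:
    """request_uri lifetime from [open_banking.au.push_authorisation] expiry_time
    (60 s by default); once it lapses a fresh PAR call is needed."""
    return now >= issued_at + expiry_time
```

Run check_client_assertion on an assertion before posting it: a mismatched aud or an exp that already passed are the two most common reasons a PAR call fails, and the error returned by the endpoint rarely says which. The placement check is the one a Data Holder applies on the authorisation endpoint; building it into the ADR avoids a consent amendment being rejected at the redirect.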
- Run the authorisation URL, which carries the request_uri returned by the PAR endpoint, in a browser to invoke the authorize API. Make sure you update the placeholders with the relevant values:
  - Once you run the authorisation URL, you are directed to a login page.
  - Log in with the credentials of a user that has the Subscriber role.
  - If a secondary factor is required, for example SMS OTP, provide the relevant values.
  - Upon successful authentication, the user is redirected to a page where the user needs to select the accounts to be authorised.
  - Then confirm or deny access to the displayed details of the selected account(s).
Upon agreement, the consumer is redirected to the callback URL of the ADR with the authorisation code and the ID token in the URL fragment. For example:
https://www.google.com/redirects/redirect1#code=2c8a03f7-af33-326f-839a-63a4eebfe3f5&id_token=eyJraWQiOiJEd01LZFdNbWo3UFdpbnZvcWZReVhWenlaNlEiLCJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiUlNBMV81In0.KaRhQA63F2Sm72zSZrkoRucIiz4IC0pzqApjTzSOJSyV_J6fYBwHuIAjLn4MZA36ZfVCmm3-KzqJcGAv9W9sDWBi7aI80CVKLFVJ2rh9l_9bMnANjm5fCsZ-pE_F4eW5BnqiU7xOoel31W2WF2brEWf9l5dibILU5E7inYKkQ9qPCS3Ei7uo9LTYQMWR4RQSglAsb5TsnijOPtGBvQgyuwOeI9vWBIcm7Y64NXuWKiv1iManbTepggpKhCSj9qPPizVV4v7Vv1IgHbvViRCE0uIvomLsL9qTxkBVK2s_h3welM9-9CE0WvoGkbYgsDc3nBQEx7Vj4hBiYJ0nD2_dWw.zslxDgOETvBaMOTQ.XAPYdrt5HXhvF53llXp40YkRHWBSrosYDc0UVLnqwJkAcNs3CQo8vWKSNqfc8l6CezvFPinul4LEp-eRrOqrpnhzAMf-W4O-s0jjF0dPsa3NII_qdi5bmCQhwxTVzo31SBiKn1aCBu8lQXSLUAz7z3UF6JyH1OkCXU3Ld8puF45QTRoTRPru8oNy8W8ZbchDj11IhEzrT9RPmWznCDQ3rs8M16R636-TuULXdSqJUGtXB3wteXu8lcgGpIMno1T6Bq2rI8Ncg_rCe6RgepAlEjlC0J0hpgMOk-EiXFDXN5N0NfEo6VSv9-M1v5THSJBThZIlcZrL-njz4G2NiDa30PSrQFqLgusYpZNpL1bHGsUbz_Xqvwlpjq-A5TcrqjxwWHkK383pY-tE064FKQuk93HnOee1gp4iRc9GLiqOK4vawSKStaSWe1oWxeFkDDuY85H3rFL1U8JzAC-vbPpozju82q7mONQto0q1fnCa80jtl5rDVsxzXLkEDbfwrvE-_13MKTLGc9io-PbEy6UgD9bAz5qvoOtNLWh0rcAbT5yhnZnruecB9l3yBsnbo60HQC_83mMzPWjGQaTm-ujO-hockrUSkezEO2JhNKrMWI5V-2aBNin_0UcSShMQnFy4P9baFKcyvrt2r3LNOvqfl_mK9qh57AOQw4vjhJRRaPVVacB8h5WCoiq8ut8wnHq3L2MvF9HId9T0Ug9FaPP76ofLziM.u19pyEql02PpVrFrki3RWA&state=af0ifjsldkj&session_state=c57cc0825bf8838fd2b6f14597ed34b5d9404493b216092e9daa766749cdac40.-1D9AEiTjPN-3hzlRFN97Q
- The authorisation code from the above URL is in the code parameter (code=2c8a03f7-af33-326f-839a-63a4eebfe3f5).
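The callback above, parsed as an added example (this is not WSO2 Open Banking code): the code and id_token are carried in the URL fragment, so a query-string parser would miss them. The parser below reads the fragment, rejects duplicated parameters, checks state against the value the ADR sent, and inspects the id_token layout. The sample token has five dot-separated segments, which makes it a JWE (alg RSA1_5, enc A128GCM in its header), so the ADR must decrypt it with its own private key before it can verify the inner ID token; a three-segment header.payload.signature token is the unencrypted case. The duplicate-parameter URL in the usage note is constructed; everything else is the page's own callback.

```python
"""Parse and check the ADR callback from the authorisation step above.
Added example, not WSO2 Open Banking code. The code and id_token come back in
the URL FRAGMENT (after '#'), which browsers never send to the redirect host,
so a query-string parser sees nothing. The sample id_token is a JWE (five
segments): the ADR must decrypt it with its own private key before it can
verify the inner ID token signature.
"""
from __future__ import annotations

import base64
import json
from urllib.parse import parse_qs, urlsplit

STATE_MISMATCH = "state does not match the value the ADR sent"

# Callback URL from the page, split at the id_token's five JWE segments
CALLBACK_URL = (
    "https://www.google.com/redirects/redirect1"
    "#code=2c8a03f7-af33-326f-839a-63a4eebfe3f5"
    "&id_token="
    # protected header: {"kid":"DwMKdWMmj7PWinvoqfQyXVzyZ6Q","enc":"A128GCM","alg":"RSA1_5"}
    "eyJraWQiOiJEd01LZFdNbWo3UFdpbnZvcWZReVhWenlaNlEiLCJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiUlNBMV81In0"
    "."  # encrypted content-encryption key (RSA1_5 to the ADR's public key)
    "KaRhQA63F2Sm72zSZrkoRucIiz4IC0pzqApjTzSOJSyV_J6fYBwHuIAjLn4MZA36ZfVCmm3"
    "-KzqJcGAv9W9sDWBi7aI80CVKLFVJ2rh9l_9bMnANjm5fCsZ-pE_F4eW5BnqiU7xOoel31W2"
    "WF2brEWf9l5dibILU5E7inYKkQ9qPCS3Ei7uo9LTYQMWR4RQSglAsb5TsnijOPtGBvQgyuw"
    "OeI9vWBIcm7Y64NXuWKiv1iManbTepggpKhCSj9qPPizVV4v7Vv1IgHbvViRCE0uIvomLsL"
    "9qTxkBVK2s_h3welM9-9CE0WvoGkbYgsDc3nBQEx7Vj4hBiYJ0nD2_dWw"
    ".zslxDgOETvBaMOTQ"  # 96-bit GCM IV
    "."  # ciphertext: the signed ID token
    "XAPYdrt5HXhvF53llXp40YkRHWBSrosYDc0UVLnqwJkAcNs3CQo8vWKSNqfc8l6CezvFPin"
    "ul4LEp-eRrOqrpnhzAMf-W4O-s0jjF0dPsa3NII_qdi5bmCQhwxTVzo31SBiKn1aCBu8lQX"
    "SLUAz7z3UF6JyH1OkCXU3Ld8puF45QTRoTRPru8oNy8W8ZbchDj11IhEzrT9RPmWznCDQ3r"
    "s8M16R636-TuULXdSqJUGtXB3wteXu8lcgGpIMno1T6Bq2rI8Ncg_rCe6RgepAlEjlC0J0h"
    "pgMOk-EiXFDXN5N0NfEo6VSv9-M1v5THSJBThZIlcZrL-njz4G2NiDa30PSrQFqLgusYpZN"
    "pL1bHGsUbz_Xqvwlpjq-A5TcrqjxwWHkK383pY-tE064FKQuk93HnOee1gp4iRc9GLiqOK4"
    "vawSKStaSWe1oWxeFkDDuY85H3rFL1U8JzAC-vbPpozju82q7mONQto0q1fnCa80jtl5rDV"
    "sxzXLkEDbfwrvE-_13MKTLGc9io-PbEy6UgD9bAz5qvoOtNLWh0rcAbT5yhnZnruecB9l3y"
    "Bsnbo60HQC_83mMzPWjGQaTm-ujO-hockrUSkezEO2JhNKrMWI5V-2aBNin_0UcSShMQnFy"
    "4P9baFKcyvrt2r3LNOvqfl_mK9qh57AOQw4vjhJRRaPVVacB8h5WCoiq8ut8wnHq3L2MvF9"
    "HId9T0Ug9FaPP76ofLziM"
    ".u19pyEql02PpVrFrki3RWA"  # 128-bit GCM authentication tag
    "&state=af0ifjsldkj"
    "&session_state=c57cc0825bf8838fd2b6f14597ed34b5d9404493b216092e9daa766749cdac40.-1D9AEiTjPN-3hzlRFN97Q"
)


def b64url_decode(segment: str) -> bytes:
    """JOSE uses unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_callback(url: str) -> dict[str, str]:
    """Single-valued parameters from the callback FRAGMENT (not the query string)."""
    fragment = urlsplit(url).fragment
    if not fragment:
        raise ValueError("no fragment: response_mode is not fragment, or the URL was truncated")
    params = parse_qs(fragment, strict_parsing=True, keep_blank_values=True)
    out = {}
    for name, values in params.items():
        if len(values) != 1:  # duplicated parameters are a classic parser-confusion trick
            raise ValueError(f"parameter {name!r} appears {len(values)} times")
        out[name] = values[0]
    return out


def check_callback(params: dict[str, str], expected_state: str) -> list[str]:
    """Reasons to discard this callback; [] if it can be used for the token call."""
    problems = []
    if "error" in params:
        problems.append(f"authorisation failed: {params['error']}")
    if params.get("state") != expected_state:
        problems.append(STATE_MISMATCH)
    for required in ("code", "id_token"):
        if required not in params:
            problems.append(f"{required} missing from the fragment")
    return problems


def token_layout(token: str) -> dict:
    """Whether the token is a JWE (5 segments, must be decrypted first) or a JWS (3)."""
    parts = token.split(".")
    header = json.loads(b64url_decode(parts[0]))
    if len(parts) == 5 and "enc" in header:
        kind = "JWE"
    elif len(parts) == 3:
        kind = "JWS"
    else:
        raise ValueError(f"unexpected token layout: {len(parts)} segments")
    return {"kind": kind, "alg": header.get("alg"), "enc": header.get("enc"), "kid": header.get("kid")}
```

A typical call is `check_callback(parse_callback(url), state_from_request_object)`; a non-empty result means stop and do not exchange the code. Note that the sample ID token is encrypted with RSA1_5 (RSAES-PKCS1-v1_5), which RFC 8725 advises against; if the Data Holder also offers RSA-OAEP, register for that instead. A constructed URL such as `https://adr.example/cb#code=a&code=b&state=s` is rejected by parse_callback because of the repeated code parameter.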