This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Account Information Service for Berlin

This document explains the Account Information Service flow. The Account Information Service Provider (AISP) can use the API endpoints described here to do the following:

  • Register a resource to retrieve account information by creating a consent. This registers the data that the customer (PSU) has consented to provide to the AISP, such as data permissions, expiration, and the historical period allowed for transactions and statements.
  • Subsequently, retrieve account and transaction data.

Basic flow

The diagram below provides a general outline of an Account Information Service:

  1. Request account information - The PSU consents to allow an AISP (in this case, a TPP) to access account information data.
  2. Create account request - The AISP connects to the ASPSP that serves the PSU's accounts and creates a consent resource. This informs the ASPSP that one of its PSUs is granting access to account and transaction information to an AISP.
     1. The AISP initiates the flow by creating a consent to access account information.
     2. The ASPSP responds with an identifier for the resource (the ConsentId).
     3. An AISP can be a broker for data to other parties. The ASPSP can customise the account details that a PSU needs to authorise according to the banking requirement. Note that it is valid for a PSU to have multiple consents for the same account.
  3. Authorise consent - The AISP requests the PSU to authorise the consent.
  4. Request data - The AISP makes a GET request to the relevant resource. The unique AccountIds that are valid for the consent are returned by a call to GET /accounts. This will always be the first call that an AISP can make once it has a valid access token.


Sequence Diagram

The account information service flow includes 3 main flows:

1. Account initiation flow

Generate application access token

  • The AISP requests the ASPSP for an application access token. This call targets the Gateway in WSO2 Open Banking API Management (WSO2 OB APIM) module.
  • There, the APIM Gateway validates the AISP’s certificates using Mutual TLS authentication and forwards the request to the WSO2 Open Banking Identity and Access Management (WSO2 OB IAM) module.
  • The OAuth2 Framework in the IAM module performs further validation and provides the AISP with an application access token in the Client Credentials grant type.

Initiate consent

  • The AISP communicates with the ASPSP using the Account Information Service available in the WSO2 Open Banking solution.
  • The AISP sends an account initiation request to the ASPSP with the purpose of retrieving the account information of a particular PSU. This request contains the application access token generated in the previous step.
  • This request targets the WSO2 OB APIM module in the WSO2 Open Banking solution.
  • The Request Schema Validation Handler and Signature Validation Handler inside the WSO2 OB APIM module then validate the request against the respective (Account) Swagger file, for example, mandatory headers, payload fields and pattern matching of field values.
  • The back-end call of the initiation request is redirected to the WSO2 OB IAM module in the solution, where a unique UUID for the consent (Consent Id) is generated.

2. Consent authorisation

  • The AISP sends the authorisation request, which is captured by the Authorisation endpoint in the WSO2 OB APIM module.
  • The request details are then passed to the WSO2 OB IAM module.
  • The AISP needs to redirect the PSU to this authentication URL.
  • The PSU uses the authentication URL to log in to the authentication endpoint.
  • Based on the authenticators that the ASPSP has configured (basic authentication or two-factor authentication), the PSU needs to provide the relevant values. Upon successful authentication, the PSU is redirected to the consent management page.
  • The consent management module updates the consent details and persists them in a database.
  • The Authentication endpoint invokes the Response Type Handler inside the WSO2 OB IAM module and it stores a custom scope against the access token with the Consent Id. This newly added scope provides necessary permissions to retrieve account information.
  • Then the WSO2 OB IAM module generates the authorisation code and shares it with the AISP through the redirect URL.

3. Retrieve account information

Generate user access token

  • The AISP requests a user access token using the generated authorisation code. This call targets the Gateway in the WSO2 OB APIM module.
  • There, the APIM Gateway validates the AISP’s certificates using Mutual TLS authentication and forwards the request to the WSO2 OB IAM module.
  • The OAuth2 Framework in the WSO2 OB IAM module performs further validation and provides the AISP with the user access token.

Retrieve account information

  • The AISP makes another API call to the published NextGenPSD2XS2A Framework API in the WSO2 API store to retrieve account information, using the access token obtained in the step above.
  • The APIM Gateway module then validates the AISP’s certificates and the access token.
  • Then the request is forwarded to the WSO2 OB IAM module for consent validation. The Consent Validation module inside WSO2 OB IAM validates the following:
    • The status of the consent is Authorised.
    • The consent is valid (not expired).
    • The permissions granted for the respective Consent Id match the API resource being accessed.
    • The published API version against the requested API version, as the specification allows cross-version access.
  • The Consent Management module validates the Consent Id in the request against the database.
  • After successful validation, the Consent Validation module sends consent-related information in a header, as described in Integrating with the Core Banking System for Berlin - AISP Flow.
  • Then the bank back end is queried to retrieve the account information and the response is shared with the AISP.
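The four consent checks listed above (status, expiry, permissions against the accessed resource, API version) and the Consent Id lookup, written out as a small validator. This is an added example for illustration, not WSO2's Consent Validation module; the consent fields, the resource-to-permission mapping, the in-memory store and the major-version compatibility rule are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed consent record. Field names are assumptions for this example,
# not the WSO2 consent schema.
@dataclass
class Consent:
    consent_id: str
    status: str              # "Authorised", "AwaitingAuthorisation", "Revoked", ...
    valid_until: datetime    # consent expiry (UTC)
    permissions: frozenset   # e.g. {"accounts", "balances", "transactions"}
    api_version: str         # version of the published API the consent was created under

# Permission each API resource requires (assumption for this example).
RESOURCE_PERMISSION = {
    "/accounts": "accounts",
    "/accounts/{id}/balances": "balances",
    "/accounts/{id}/transactions": "transactions",
}

# Constructed in-memory stand-in for the consent database.
CONSENT_DB = {
    "c-1": Consent("c-1", "Authorised", datetime(2030, 1, 1, tzinfo=timezone.utc),
                   frozenset({"accounts", "balances"}), "1.3"),
    "c-2": Consent("c-2", "AwaitingAuthorisation", datetime(2030, 1, 1, tzinfo=timezone.utc),
                   frozenset({"accounts"}), "1.3"),
    "c-3": Consent("c-3", "Authorised", datetime(2020, 1, 1, tzinfo=timezone.utc),
                   frozenset({"accounts"}), "1.3"),
}

def validate_consent(consent_id, resource, requested_version, now=None):
    """Return (allowed, reason), applying the checks in the order the flow lists them."""
    now = now or datetime.now(timezone.utc)
    consent = CONSENT_DB.get(consent_id)      # Consent Id must exist in the store
    if consent is None:
        return False, "unknown consent id"
    if consent.status != "Authorised":        # only an authorised consent grants access
        return False, f"consent status is {consent.status}"
    if consent.valid_until <= now:            # expired consents are rejected
        return False, "consent expired"
    needed = RESOURCE_PERMISSION.get(resource)
    if needed is None or needed not in consent.permissions:
        return False, f"consent lacks permission for {resource}"
    # Cross-version access is allowed; here only the major version must match (assumption).
    if consent.api_version.split(".")[0] != requested_version.split(".")[0]:
        return False, f"version {requested_version} incompatible with {consent.api_version}"
    return True, "ok"
```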