This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Payment Initiation Service for Berlin
This document explains the flow of the Payment Initiation Service. The API endpoints described here allow a PISP to:
- Authorise a payment consent.
- Confirm available funds for a payment-order.
- Cancel a payment.
Basic flow
The diagram below shows the basic payment initiation service flow:
The PSU requests the PISP to process a transaction; the consent is between the PSU and the PISP. The PISP connects to the ASPSP that services the PSU's payment account and requests the ASPSP to initiate the transaction, at which point a consent is created. The PISP then requests the PSU to authorise the consent.
Payment Initiation Service in WSO2 Open Banking:
1. Payment initiation flow
Generate application access token
- The PISP requests the ASPSP for an application access token. This call targets the Gateway in WSO2 Open Banking API Management (WSO2 OB APIM) module.
- There, the APIM Gateway validates the PISP's certificates using Mutual TLS authentication and forwards the request to the WSO2 Open Banking Identity and Access Management (WSO2 OB IAM) module.
- The OAuth2 Framework in the IAM module performs further validation and issues the PISP an application access token using the Client Credentials grant type.
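The application access token step above, as an added Go example that is not part of WSO2's documentation or code: an in-process stand-in for the token endpoint requires and verifies the PISP's client certificate at the TLS layer before its handler issues a Client Credentials token, and a caller that presents no certificate is refused during the handshake. The self-signed certificate, the token value, the client id and the scope name are constructed for the demo; a deployment's gateway, trust store and endpoint URL take their place.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// selfSignedClientCert stands in for the PISP's transport certificate (constructed here, not
// an eIDAS QWAC). A real gateway chains the presented certificate to a trusted issuer.
func selfSignedClientCert(commonName string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// newGateway starts an in-process stand-in for the APIM token endpoint. The TLS layer
// requires and verifies a client certificate before the handler runs, so the handler can
// trust r.TLS.PeerCertificates; it then answers a client_credentials grant with a token.
func newGateway(accepted tls.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(accepted.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.FormValue("grant_type") != "client_credentials" {
			http.Error(w, `{"error":"unsupported_grant_type"}`, http.StatusBadRequest)
			return
		}
		pisp := r.TLS.PeerCertificates[0].Subject.CommonName
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]string{
			"access_token": "demo-app-token-for-" + pisp, // constructed value, not a real token format
			"token_type":   "Bearer",
		})
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	return srv
}

// requestAppToken is the PISP side: present the client certificate in the TLS handshake and
// POST the client_credentials grant. clientCert may be nil to show what happens without one.
func requestAppToken(tokenURL string, serverCert *x509.Certificate, clientCert *tls.Certificate, clientID, scope string) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(serverCert)
	cfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	form := url.Values{"grant_type": {"client_credentials"}, "client_id": {clientID}, "scope": {scope}}
	resp, err := client.Post(tokenURL, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return "", err // handshake refused (missing or untrusted certificate) or transport failure
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint returned %s", resp.Status)
	}
	var tok struct{ AccessToken string `json:"access_token"` }
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return "", err
	}
	return tok.AccessToken, nil
}

func main() {
	cert, err := selfSignedClientCert("demo-pisp")
	if err != nil {
		panic(err)
	}
	gw := newGateway(cert)
	defer gw.Close()
	tok, err := requestAppToken(gw.URL, gw.Certificate(), &cert, "demo-pisp", "payments")
	fmt.Println("with certificate:", tok, err)
	_, err = requestAppToken(gw.URL, gw.Certificate(), nil, "demo-pisp", "payments")
	fmt.Println("without certificate:", err)
}
```

The point to notice is where the certificate check happens: with `RequireAndVerifyClientCert` the handler never executes for a caller that cannot complete the handshake, so the grant-type and client-id checks only ever see requests from a PISP whose certificate chained to the trusted pool.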
Initiate a payment consent
- The PISP communicates with the ASPSP using the Payment Initiation Service available in the WSO2 Open Banking solution.
- The PISP sends another request to the ASPSP to initiate a payment; this request carries the application access token generated in the previous step.
- This request targets the WSO2 API Management module in the WSO2 Open Banking solution.
- The following handlers in the API Management module perform the given validations:
    - Signature Validation Handler: The request carries a signature in its headers. This is a detached signature, which means the encoded signature value is sent in a header rather than embedded in the payload. The Signature Validation handler validates the signature.
    - Request Schema Validation Handler: Validates the request against the respective (Payments) Swagger file, for example mandatory headers, payload fields and pattern matching for fields.
- The back-end call of the initiation request is then redirected to the Consent Management module in WSO2 OB IAM, where a unique UUID for the consent (the Consent Id) is generated. The PISP uses the Consent Id to refer to the consent resource and check its status.
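The Signature Validation step above, illustrated with an added Go example that is not code from WSO2's handlers: the PISP computes a Digest of the payload and a detached Signature over selected headers (the Berlin Group HTTP-signature form with keyId, algorithm, headers and signature parameters), and a verifier mirroring the gateway recomputes the Digest from the body it actually received, checks that Digest is among the signed headers, and verifies the signature. The endpoint path, X-Request-ID, keyId and payload are constructed; the RSA key generated at run time stands in for the TPP's sealing key, and the public key is passed in directly where a real gateway would extract it from the TPP-Signature-Certificate header after validating that certificate's chain.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// digestHeader computes the Digest header value: SHA-256 over the payload, base64 encoded.
func digestHeader(body []byte) string {
	sum := sha256.Sum256(body)
	return "SHA-256=" + base64.StdEncoding.EncodeToString(sum[:])
}

// signingString joins the listed headers as "name: value" lines in the given order. This
// string, not the payload, is what the detached signature covers; an absent header yields
// an empty value and therefore cannot verify.
func signingString(req *http.Request, names []string) string {
	var lines []string
	for _, n := range names {
		lines = append(lines, strings.ToLower(n)+": "+req.Header.Get(n))
	}
	return strings.Join(lines, "\n")
}

// signRequest is the PISP side: set Digest, sign the chosen headers (rsa-sha256) and carry
// the result in the Signature header, detached from the body.
func signRequest(req *http.Request, body []byte, key *rsa.PrivateKey, keyID string, names []string) error {
	req.Header.Set("Digest", digestHeader(body))
	h := sha256.Sum256([]byte(signingString(req, names)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return err
	}
	req.Header.Set("Signature", fmt.Sprintf(`keyId="%s",algorithm="rsa-sha256",headers="%s",signature="%s"`,
		keyID, strings.Join(names, " "), base64.StdEncoding.EncodeToString(sig)))
	return nil
}

// parseSignatureParams splits `k="v",k2="v2"`; keyId values like "SN=..,CA=.." contain
// commas, so the split is on a closing quote followed by a comma, not on every comma.
func parseSignatureParams(h string) map[string]string {
	out := map[string]string{}
	for _, part := range strings.Split(h, `",`) {
		if k, v, ok := strings.Cut(part, `="`); ok {
			out[strings.TrimSpace(k)] = strings.TrimSuffix(v, `"`)
		}
	}
	return out
}

// verifySignedRequest mirrors the gateway's Signature Validation Handler: Digest must match
// the body received, Digest must be among the signed headers (or the body is not bound to
// the signature at all), and the signature must verify under the TPP's public key.
func verifySignedRequest(req *http.Request, body []byte, pub *rsa.PublicKey) error {
	if req.Header.Get("Digest") != digestHeader(body) {
		return fmt.Errorf("digest does not match payload")
	}
	p := parseSignatureParams(req.Header.Get("Signature"))
	if p["algorithm"] != "rsa-sha256" {
		return fmt.Errorf("unsupported algorithm %q", p["algorithm"])
	}
	signed := strings.Fields(strings.ToLower(p["headers"]))
	if !strings.Contains(" "+strings.Join(signed, " ")+" ", " digest ") {
		return fmt.Errorf("digest header is not covered by the signature")
	}
	sig, err := base64.StdEncoding.DecodeString(p["signature"])
	h := sha256.Sum256([]byte(signingString(req, signed)))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return fmt.Errorf("signature verification failed")
	}
	return nil
}

// newDemoPaymentRequest builds a signed SEPA credit transfer initiation as the PISP would
// send it. The key stands in for the TPP's sealing key; URL, ids and payload are constructed.
func newDemoPaymentRequest() (*http.Request, []byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	body := []byte(`{"instructedAmount":{"currency":"EUR","amount":"12.50"},"creditorName":"Demo Merchant"}`)
	req, _ := http.NewRequest(http.MethodPost, "https://aspsp.example/xs2a/v1/payments/sepa-credit-transfers", nil)
	req.Header.Set("X-Request-ID", "00000000-0000-4000-8000-000000000001")
	err = signRequest(req, body, key, "SN=demo-serial,CA=CN=demo-qtsp", []string{"digest", "x-request-id"})
	return req, body, key, err
}

func main() {
	req, body, key, err := newDemoPaymentRequest()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine request:", verifySignedRequest(req, body, &key.PublicKey))
	altered := []byte(strings.Replace(string(body), "12.50", "1250.00", 1))
	fmt.Println("altered amount:", verifySignedRequest(req, altered, &key.PublicKey))
}
```

Two checks in the verifier matter more than they look. Recomputing Digest from the received body is what ties the payload to the signature, because the signature itself covers only header values; and insisting that `digest` appears in the signed header list closes the case where a signature over other headers alone would still be accepted with a different body.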
Payment Initiation Request can vary according to the payment service and payment product as follows:
2. Payment consent authorisation flow
Authorisation for a payment consent can be done in two methods:
Consent authorisation includes the following:
- The ASPSP authenticates the PSU.
- The ASPSP presents the consent to the PSU for authorisation. The PSU may accept or reject the consent.
- If the consent did not indicate a debtor account, the ASPSP presents the PSU with a list of accounts from which the PSU may select one.
Once these steps are complete, the consent is considered to have been authorised by the PSU.
- The PISP sends the authorisation request, which is received by the Authorisation endpoint in the WSO2 OB APIM module.
- The request details are then passed to the WSO2 OB IAM module.
- The PISP needs to redirect the PSU to the authentication URL.
- The PSU uses the authentication URL to log in at the authentication endpoint.
- Based on the authenticators that the ASPSP has configured (basic authentication or two-factor authentication), the PSU needs to provide the relevant values. Upon successful authentication, the PSU is redirected to the consent management page.
- When the Shareable Accounts API is invoked, a list of bank accounts that belong to the PSU is retrieved. This list is displayed in the consent management page mentioned above.
- The PSU now selects the account(s) and authorises the consent.
- The Consent Management module updates the consent details and persists them in a database.
- The Authentication endpoint invokes the Response Type Handler inside the WSO2 OB IAM module, which stores a custom scope containing the ConsentId against the access token. This newly added scope provides the permissions needed to retrieve account information.
- The WSO2 OB IAM module then generates the authorisation code and shares it with the AISP through the redirect URL.
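The redirect-based authorisation flow above, as an added Go example that is not WSO2 code: the PISP builds the authorisation request that sends the PSU to the ASPSP, then accepts the authorisation code from the redirect back only when the state parameter matches the value issued for that PSU's session, and reports an error response (such as the PSU rejecting the consent) instead of a code. The endpoint URLs, client id, consent id and the "pis:<ConsentId>" scope form are assumptions for the demo, not values from this page.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// newState returns an unguessable per-session value. The PISP stores it with the PSU's
// session before redirecting and compares it when the PSU comes back.
func newState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// buildAuthorisationURL is the PISP side of the redirect: an authorization code request
// whose scope names the consent the PSU is asked to authorise. The "pis:<ConsentId>" scope
// form and the endpoint are assumptions for this demo.
func buildAuthorisationURL(authzEndpoint, clientID, redirectURI, consentID, state string) string {
	q := url.Values{
		"response_type": {"code"},
		"client_id":     {clientID},
		"redirect_uri":  {redirectURI},
		"scope":         {"pis:" + consentID},
		"state":         {state},
	}
	return authzEndpoint + "?" + q.Encode()
}

// acceptCallback handles the PSU arriving back on the PISP's redirect URL. The code is used
// only if state matches the value issued for this session (constant-time compare), and an
// error response, for example the PSU rejecting the consent, is reported instead of a code.
func acceptCallback(callbackURL, expectedState string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if expectedState == "" || subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
		return "", errors.New("state mismatch: callback is not bound to this session")
	}
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorisation failed: %s (%s)", e, q.Get("error_description"))
	}
	code := q.Get("code")
	if code == "" {
		return "", errors.New("callback carries neither a code nor an error")
	}
	return code, nil
}

func main() {
	state, err := newState()
	if err != nil {
		panic(err)
	}
	// Placeholder endpoint and identifiers; a deployment's own values go here.
	authz := buildAuthorisationURL("https://aspsp.example/oauth2/authorize", "demo-pisp-client",
		"https://pisp.example/callback", "CONSENT-ID-PLACEHOLDER", state)
	fmt.Println("redirect the PSU to:", authz)
	code, err := acceptCallback("https://pisp.example/callback?code=demo-code&state="+state, state)
	fmt.Println("callback with matching state:", code, err)
	_, err = acceptCallback("https://pisp.example/callback?code=demo-code&state=other", state)
	fmt.Println("callback with mismatched state:", err)
}
```

The state check is what binds the code that arrives on the redirect URL to the PSU session that started the flow; without it a code delivered to the callback could be attributed to the wrong session. The error branch matters for the accept/reject step described above: a rejected consent comes back as an error response on the same redirect URL, not as a code.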