Consent Management 2.0 with Consent as a Service (CaaS)
Via consent as a service, SIX offers the Service User to hold the Service Provider token in a token store operated by SIX in accordance with the specifications of the participation agreement (CaaS). The participant’s use of CaaS causes the participant and its customer to be authenticated by SIX for each service call request. After successful authentication, SIX forwards the service call request with the provider token to the Service Provider on behalf of the participant.
CaaS thus enables the participant to make the service calls that are intended and to be authenticated in accordance with the Participation Contract via the bLink platform without having to store the provider token in its infrastructure in accordance with the specifications of the Participation Contract.
Similar to what is defined in Consent Management 2.0, Consent Management 2.0 with CaaS has some deviations from the original OAuth 2.0 flow:
- OAuth Client-Secret is not supported in the consent management flow: the Client is authenticated by bLink by a client certificate.
- The Auth Server of the Service Provider authenticates the Client by means of the "X-CorAPI-Client-ID" header. See Custom Headers
- Token endpoints of Service Providers are not accessible to Clients.
- The Service User will work with the so-called CaaS-Permission instead of the Service Provider Access-Token
Goals for Consent Management 2.0 with CaaS
Consent Management 2.0 with CaaS was defined with the following goals:
- User can start the consent flow from the Client side.
- Implement standard OAuth 2.0 flow.
- Improve security, resilience, and error handling.
- Provide secure Provider Token storage to Clients.
Assumptions
Service Provider's Authorization Server supports transaction signing of consent using a 2nd factor, similar to signing of new creditors.
User Journey
From a very high level, the user journey for CaaS is similar to what the normal Consent Flow 2.0 does, but with the difference that the Service Provider will redirect the client to CaaS so that CaaS can use the authorization code to retrieve the OAuth tokens, and the Service User will never gain access to the tokens.
- User-Agent is logged in to the Service User Application and chooses to connect to a specific Service Provider
- User-Agent is redirected to the Service Provider Authentication UI
- once authenticated, the User-Agent is redirected to the Consent-Page
- once the consent has been signed, the User-Agent is redirected to CaaS (with the OAuth authorization code)
- once CaaS has retrieved the access_token, the User-Agent is redirected back to the Service User Application
CaaS-Permission
With CaaS, the Service User will not be able to gain access to the Provider Token. The system will instead use the CaaS-Permission which will be known to the Service User. A CaaS-Permission is a CaaS-internal construct which is used to look up the correct Provider Token.
After the Permission has been activated successfully, it can be used during business calls, where CaaS will inject the correct Provider-Token for each API-invocation separately. For the Service Provider, this process is transparent, and it looks as if the Service User has provided the correct Token on each API-call.
The CaaS-Permission has its own lifecycle, but it is heavily dependent on the Provider Token:
-
After initial Setup, the Permission has status
received
: -
As soon as the End-User lands on the redirect-endpoint during the oauth-flow (see below), CaaS attempts to retrieve the Provider Token using the provided authorization-code and state.
- If this succeeds, the status changes to
valid
. The permission can now be used to invoke the business-apis - otherwise, the permission will expire immediately and a new permission has to be created
- If this succeeds, the status changes to
-
If the Provider Access-Token expires:
- CaaS will attempt to refresh it in the background during the next business API call, and in case it is successful, the permission will remain in status
valid
. In case it fails for some technical reason (anything else thaninvalid_grant
), the API-call will fail, but the permission will remain in statusvalid
, and the API-call can be attempted again which will trigger another refresh-attempt. - if the refresh fails for a business-reason, the Permission will change to status
expired
permanently, and API-Calls with this permission will therefore fail permanently. In this case, a new Permission has to be initiated and the end-user will have to go through the consent-flow again. There are two possibilities why it could fail:- Provider Token has been revoked on Provider side, or
- There has not been any activity with the Provider Access-Token for longer than the validity of the Refresh Token
- CaaS will attempt to refresh it in the background during the next business API call, and in case it is successful, the permission will remain in status
-
The Service User can also explicitly revoke a permission by calling the DELETE endpoint (see Permission Revocation). In this case, the status will change to
revoked
permanently.
There is one extra case where the Permission can transition to the status revoked_by_psu
. This happens if the same User-ID is used for the same Provider-ID. See also userId
-explanation for Step B in the Flow.
Detailed Consent Management 2.0 with CaaS Flow
The Consent Flow with CaaS consists of two parts: the consent 2.0 OAuth flow starting at the Service User (steps 1 to 31) and a new flow between the Service User and CaaS (steps A to E).
Preparation Steps
- The user logs into Client.
- Client creates a session.
- User navigates to consent page.
- Client retrieves a list of active Service Providers from bLink API directory using
GET /directory/providers?status=ACTIVE
. An example of this request is presented as follows:GET /api/bankingservices/b-link/platform/v2/directory/providers?status=ACTIVE
host: api.six-group.com - The user selects the Provider and approves it.
- Client retrieves information about the chosen Service Provider from bLink API directory using
GET /directory/providers/<providerID>
. An example of this request is presented as follows:GET /api/bankingservices/b-link/platform/v2/directory/providers/99999
host: api.six-group.com
Pushed Authorization Request Flow
Steps before OAuth 2.0 Consent Flow
A. The Client posts permission request to CaaS. For example (please refer to the api specification for parameter limits):
POST /permissions/99999/aa240b58-be68-42e1-89d7-19a92f73f5c2
host: api.six-group.com
username=john.doe@acme.com
&scope="urn:blink:xs2a:ais urn:blink:xs2a:pss:write"
&externalReference=5b3e0d40-c768-45b2-b569-9fa3d2feee5e
B. CaaS creates (or updates) a permission using the clientId
, userId
, username
, providerId
, scope
and optional externalReference
from the request. CaaS generates a redirect URI with a state and adds them to the permission. The permission is stored and returned to the Client. For example:
"providerId": "CIDX9999999991",
"username": "hans.muster@six-group.com",
"permissionId": "31d78ef8-238d-4547-9a8d-9f057f321eeb",
"authorizationUri": "https://secure.fi.example.com/oauth/authorize?response_type=code&client_id=654321&redirect_uri=https%3A%2F%2Fapi.six-group.com%2Foauth%2Fauthresponse&state=d60dbae3-b1b2-419c-bc72-1054fab294ec&scope=urn%3Ablink%3Aa2a%3Aais%20urn%3Ablink%3Aa2a%3Apss%3Awrite&username=john.doe%40acme.com&provider_id=99999"
"status": "received"
The Service User can choose the User-ID value freely. It is allowed to assign multiple User-ID values to the same Customer. The only requirement is that each User-ID can be traced back to the correct end-user unambiguously.
For a specific User-ID value and Provider-ID combination, there can only be one valid Permission at a time. As soon as a new permission is initiated using the same User-ID and Provider-ID, the bLink CaaS Service will revoke any previously valid permission of the same User-ID and Provider-ID.
Please note: Even when using different User-IDs to create multiple valid permissions, it could still happen that the Service Provider doesn't allow multiple valid Access Tokens in parallel for the same E-Banking Access, which will result in previous permissions being invalidated as soon as they are used in an API-call.
C. The Client stores the permission in the context of user. The redirect URI and state from the permission are used in the authorization request in step 7.
Steps after OAuth 2.0 Consent Flow
D. CaaS redirects back to Client (using the internally configured clientCallbackUri
) indicating the status of the OAuth 2.0 Consent Flow.
Callback URL is configured during the Service User Onboarding
E. Depending on status of OAuth 2.0 Consent Flow the Client uses the externalReference
to handle its own state.
OAuth 2.0 Consent Flow and Username Validation
The steps below follow the same numbering of the diagram of the Consent Management 2.0 Flow:
-
Client starts standard OAuth 2.0 authorization code grant flow (
response_type=code
) by using the generated RedirectURL of the stored permission (Step C) to redirect to the Auth Server of the Service Provider. The following code snippet provides an examples of the initiation of the OAuth 2.0 authorization code grant flow:HTTP/1.1 302 Found
location: https://secure.fi.example.com/oauth/authorize?response_type=code&client_id=654321&redirect_uri=https%3A%2F%2Fapi.client.example.com%2Foauth%2Fauthresponse&state=d60dbae3-b1b2-419c-bc72-1054fab294ec&scope=urn%3Ablink%3Aa2a%3Aais%20urn%3Ablink%3Aa2a%3Apss%3Awrite&username=john.doe%40acme.com&provider_id=99999 -
The Auth Server of the Service Provider follow the steps below:
- Validates the (existence of)
client_id
. Executes any other actions required to verify if the request is correct, including a check to verify the requested redirect URI is currently whitelisted in the bLink directory.
Uses the
provider_id
in multi-tenant environments to determine the corresponding tenant for login and consent (optional step).Redirects to login page if the User Agent is not logged in, otherwise it will redirect directly to consent page.
- Validates the (existence of)
-
The User logs into Service Provider application. A restricted session is created, where only functions required in the context of consent giving are allowed.
-
The User is redirected to the consent page.
-
Using the
client_id
from the authorization code request, the Service Provider application retrieves the Client information from bLink API directory. An example of this request is presented as follows:GET /api/bankingservices/b-link/platform/v2/directory/clients/654321
host: api.six-group.com -
The consent page is prefilled with Client information and, if the Client username validation is supported by the Service Provider, the Client username. It is up to the user to user define the consent to be given (e.g. for access to account and payments).
-
Service Provider application stores Client, consent and, if supported by Service Provider, the Client username (preferably as a hashed value) in the user's profile.
-
The User signs the consent, the Client and optionally the Client username according to the policies of the Service Provider (e.g. using 2nd factor, similar to signing new creditors in e-Banking).
-
The Service Provider stores the signature in the Consent Server.
-
The Resource Server retrieves an authorization code from the Auth Server.
-
The Resource Server redirects to the
redirect_uri
received from Client and include the authorization code received from the Auth Server and the state provided by the client. At this point the restricted session is finished. The following code snippet shows an example of the redirect:HTTP/1.1 302 Found
location: https://webapp.api.six-group.com/redirect/bankingservices/b-link/v2/api-token?code=abcdefg&state=d60dbae3-b1b2-419c-bc72-1054fab294ec -
CaaS verifies if the requested URI matches the
redirect_uri
and if the state returned matches the state sent. If the verification is successful, CaaS requests the access and refresh tokens through bLink API and, going forward, acts as authenticating proxy towards the Service Provider's token endpoint. The username parameter (max. length: 64) of the logged user in step 12 must be added to the request. For proper routing by bLink API, the request must include ax-corapi-target-id
header with theprovider_id
of the target Service Provider. An example is presented in following code snippet:POST /api/bankingservices/b-link/consent-flow/v2/oauth/token
x-corapi-target-id: 99999
host: api.six-group.com
client_id=654321
&grant_type=authorization_code
&code=abcdefg
&redirect_uri=https://api.client.example.com/oauth/authresponse
&username=john.doe@acme.com
... -
bLink API token endpoint:
Authenticates the CaaS Component
Extracts the
provider_id
from thex-corapi-target-id
request header.Determines the hostname/IP address and basepath of Auth Server token endpoint at target Service Provider.
Sends the token request with the
x-corapi-client-id
header to target Service Provider.
POST /proprietaryBackendPath/api/v2/oauth/token
x-corapi-client-id: 654321
host: api.fi.example.com
client_id=654321
&grant_type=authorization_code
&code=abcdefg
&redirect_uri=https://api.client.example.com/oauth/authresponse
&username=john.doe@acme.com -
The Auth Server token endpoint of the Service Provider proceeds as follows:
Identifies the Client using the
x-corapi-client-id
request header.Verifies authorization code, which must have been issued for this Client in the steps above.
Verifies the
redirect_uri
, which must match exactly with theredirect_uri
parameter from the initial authorization request.If supported by the Service Provider, validates the username from the POST request by hashing and comparing it against the hash value stored with the consent in step 15.
-
The Consent Server verifies the consent, which depends on Service Provider's implementation (optional: validation of the username by hashing the value received in the request and comparing it with the value stored with the consent).
-
The Auth Server generates access and refresh tokens and returns them to the Client according to the 5.1 section of the OAuth 2.0 specification:
- If the issued access token scope is different from the one requested by the client, the auth server must include the
scope
parameter to inform the Client of the actual scope granted according to OAuth 2.0 specification, 3.3. - If the request fails for any reason, the Auth Server should inform the Resource Owner according to the 5.2. section of the OAuth 2.0 specification.
- If the issued access token scope is different from the one requested by the client, the auth server must include the
-
CaaS (on behalf of the Client) stores the access and refresh tokens in the profile of the user.
-
CaaS (on behalf of the Client) the use POST <sixUsernameValidationEndPointUri> username=<username> request to send the username of the user to the bLink username validation endpoint. An example of this request is presented below:
POST /api/bankingservices/b-link/consent-flow/v2/oauth/username
x-corapi-target-id: 99999
host: api.six-group.com
authorization: bearer yJz93a3490dK7jlawk4laUWw
username=john.doe@acme.com
... -
The bLink API username validation endpoint proceeds as follows:
- Authenticates the CaaS (on behalf of the Client).
Extracts the provider_id from the
x-corapi-target-id
request header.
-
bLink determines if the provider supports username validation:
- If yes, then bLink determines the hostname/IP address and basepath of Service Providers' username validation endpoint and sends username validation request with the
x-corapi-client-id
header to it. An example is presented as follows:POST /proprietaryBackendPath/api/v2/oauth/username
x-corapi-client-id: 654321
host: api.fi.example.com
authorization: bearer yJz93a3490dK7jlawk4laUWw
username=john.doe@acme.com
... - If not, bLink return status OK and continue skips to step 29.
- If yes, then bLink determines the hostname/IP address and basepath of Service Providers' username validation endpoint and sends username validation request with the
-
If username validation is supported by the Service Provider, it authenticates CaaS (impersonating the Client) using the access token from the POST request. The Consent Server calculates hash value of username from POST request and compares it against the hash value stored with consent (in step 5). If the hash values are identical, the consent is activated. Consent Server returns the result of the comparison (OK/NOK, see error below).
-
If username validation is supported by the Service Provider and the result of step 27 is NOK, the Service Provider revokes the tokens issued in step 22. The Consent server returns the result (OK/NOK, see error handling table below for NOK). Subsequent correct calls to this endpoint must be idempotent.
-
Depending on the result of step 23 the CaaS takes any actions required ("activate consent", delete tokens, etc.).
Finalizing Steps
- Optional step: Client redirects the user to its own landing page with a parameter indicating the flow status.
- User journey ends on a landing page of Client, which informs the user about the status of the flow. In case of error the user is informed on how to resolve the issues.
Permission Revocation
- Currently there can only exist one permission for a User-ID/Provider-ID combination with a status other than "revoked"/"revokedByPsu". As soon as a new permission is created for a User-ID and Provider-ID, any pre-existing permission for the same User-ID and Provider-ID is revoked.
- A permission can be revoked by the Service User using the revokePermission-endpoint (
DELETE /permissions/{providerId}/{userId}
)
If tokens are revoked on Service Provider side (not through DELETE permission), there is no way for CaaS to know about it, other than that there will be error messages on subsequent calls when using some revoked token.
The CaaS Service will call the revoke-token endpoint in the background, provided that
- the respective Service Provider supports revoke
- the Service Provider has submitted the URL to be configured in bLink through the Support Portal
Some Service Providers only allow one token per bank login/contract. For permissions this means, that if you create two permissions for the same Provider-ID, but with different User-IDs and if the resource owner uses the same login to log into his/her e-banking both times then the token issued for the first completed consent flow is revoked by the second. bLink cannot recognize if a token was revoked through this mechanism, and therefore the permission with the revoked token will appear to be "valid" until it is used in a use-case call.
Error Handling
In the event of errors, the Resource Owner is redirected back to the client landing page with a status
parameter in the redirect indicating which error occurred. In case of missing, invalid, or mismatching
redirect URI, or if the client identifier is missing or invalid, the Service Provider should inform the Resource Owner of the error and must not automatically redirect the user-agent to the invalid redirect URI (as described in OAuth 2.0 Specification Section 4.1.2.1). Based on the error code, the Service User renders an error page and returns it to the Resource Owner.
The following table provides information on error handling as defined by the OAuth 2.0 Specification.
Phase | Error | Handling | Flow Steps |
---|---|---|---|
OAuth2 Authorization Request | Resource Owner cannot login at Service Provider. | The Service Provider redirects to CaaS as described in OAuth 2.0 Specification Section 4.1.2.1 with the following error code added to the redirect URI: error=access_denied CaaS redirects to the Service User with the parameter
| 8 |
OAuth2 Authorization Request | Scope parameter is missing or invalid. | The Service Provider redirects to CaaS as described in OAuth 2.0 Specification Section 4.1.2.1 with the following error code added to the redirect URI: error=invalid_scope CaaS redirects to the Service User with the parameter
| 8 |
OAuth2 Authorization Request | ProviderId and/or Username parameter is missing or invalid. | The Service Provider redirects to CaaS as described in OAuth 2.0 Specification Section 4.1.2.1 with the following error code added to the redirect URI: error=invalid_request CaaS redirects to the Service User with the parameter
| 8 |
OAuth2 Authorization Response | State parameter is missing or unknown. | CaaS redirects to a whitelabel error page of bLink indicating the missing or unknown state. | 18 |
OAuth2 Authorization Response | CaaS cannot verify redirect URI and state. | CaaS redirects to the Service User with the parameter
status=invalid_request_client added to the | 18 |
OAuth2 Authorization Request | Service Provider cannot verify redirect URI. | The Service Provider should inform the resource owner as described in OAuth 2.0 Specification Section 4.1.2.1. In any case the Service Provider must not automatically redirect the user-agent to the invalid redirect URI | 8 |
OAuth2 Token Request | Service Provider cannot verify authCode (code ) or redirect_uri . | In case the authCode cannot be verified the Service Provider responds with a HTTP 400 (Bad Request) according in OAuth 2.0 Specification Section 5.2 with the following error code included in the response:
In any other case the Service Provider includes the following error code in the response:
CaaS redirects to the Service User with the parameter
status=<error code received from Service Provider> added to the
| 20 |
OAuth2 Token Request | Service Provider cannot verify username (if implemented). | The Service Provider does not return any tokens. The Service Provider responds with a HTTP 400 (Bad Request) according in OAuth 2.0 Specification Section 5.2 with the following error code included in the response:
CaaS redirects to the Service User with the parameter
| 21 |
Username validation request | The username from the request does not match with the username from the consent (if implemented). | The Service Provider revokes access and refresh tokens issued in step 22
and responds to CaaS with
| 25 |
Username validation request | Service Provider cannot verify username due to missing username parameter, empty username or invalid token (if implemented). | The Service Provider revokes access and refresh tokens issued in step 22 and responds to CaaS with an error message in Problem Details Format (RFC 7807). Example:
CaaS deletes the access and refresh tokens received and stored in step
23 and redirects to the Service User with the parameter
status=invalid_username added to the | |
API-Call with invalid Permission-ID | CaaS is blocking the API call with INSUFFICIENT_PRIVILEGES error | CaaS permission doesn't exist or is not in status Example:
| |
API-Call with invalid Permission-ID | During an API-Call, CaaS tries to refresh the access-token using the refresh-token, but gets an expired response from the Service Provider. | Refresh-Token has expired, and Permission therefore has expired too. Example:
|
Timeouts
Step Range | Description | Timeout value | Handling Service Provider | Handling Service User |
---|---|---|---|---|
7 - 23 | Complete OAuth consent flow times out. | 30 min | n/a | Take any actions to clean-up (state, etc.). If possible: notify Resource Owner. |
18 - 23 | Timeout between Token Request and Token Response | 30 sec | n/a | CaaS redirects to the Service User with the parameter
status=restart_flow added to the |
22 - 27 | Timeout between Token Response from Service Provider and username validation / consent activation request by CaaS (if username validation supported by Service Provider) | 30 sec | Revoke access and refresh tokens issued in step 22. | If supported by Service Provider: Any future request to access the actual API will fail. Access token may not be refreshed. |
22 - 27 | Timeout between username validation / consent activation request by Service User and corresponding response by Service Provider | 30 sec | n/a | State of username validation / consent activation not clear. |
If an adapter service setup is chosen, there is an additional session that can be implemented to enhance the security of your integration. This is the session between the adapter service and your business application that is used to transfer data from the service provider to your application and vice versa. Limiting the duration of this separate session adds another protective layer to your adapter service.
Scopes
The Service User uses the scope request parameter of the access request to specify its desired access rights. Every API published on bLink must document its scope requirements as a list of accepted strings to be used in the scope parameter. A best practice is to assign each scope a unique name, in the form of an URN.
Scopes for bLink shall match the following pattern: urn:blink:<api_name>:<name_of_use_case>
For use cases that execute write operations, the suffix :write
shall be added to the URN. For use cases that execute delete operations, the suffix :delete
shall be added. For use cases that execture read operations, the suffix :read
may be added.
Every API gets an unique name assigned by bLink. The owner of an API defines the unique names for the use cases including the suffixes. Some examples are presented below for AIS and PSS:
API | Use Case | Unique name of scope |
---|---|---|
Access to Account | AIS | urn:blink:xs2a:ais |
Access to Account | PSS | urn:blink:xs2a:pss:write |
Given that:
- urn:blink = Fixed prefix defined by bLink
- xs2a = name of API assigned by bLink
- ais , pss:write = names of use-cases and suffixes defined by API owner
Access to Account API Scopes
The following scopes are defined for the Access to Account API:
Use case | Scope read | Scope write (incl. read/update/delete) |
---|---|---|
AIS | urn:blink:xs2a:ais | n/a |
PSS | n/a*) | urn:blink:xs2a:pss:write |
OpenWealth API Scopes
The following scopes are defined for the OpenWealth API:
Use Case | Scope read | Scope write (incl. read/update/delete) |
---|---|---|
Custody services | urn:blink:ow:cstdy | n/a |
Customer management | urn:blink:ow:custmgmt | urn:blink:ow:custmgmt:write |
Order placement | urn:blink:ow:ordrplc | urn:blink:ow:ordrplc:write |