Security Information
Authentication and Authorization
This document explains how to complete the authentication and authorization steps required before you can call the C.Hoare & Co. data APIs.
Prerequisites
- You must be registered with Open Banking. You can register here: https://directory.openbanking.org.uk/s/login/
- You must have completed onboarding with the bank and been issued with your Client Credentials.
Get Access Token Using Client Credentials Grant
This allows an AISP to request an access token (also known as a Bearer Token) using the Client Credentials grant (the credentials are provided during Client onboarding). This access token is required before the AISP can invoke the POST /account-access-consents endpoint.
Request Parameter | Example | Description
---|---|---
grant_type | client_credentials | The grant type being requested
scope | accounts | The scope being requested
client_assertion_type | urn:ietf:params:oauth:client-assertion-type:jwt-bearer | The fixed assertion type identifier (sent URL-encoded, as in the example request below)
client_assertion | eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.... | A JWT signed by the TPP; it will be validated with Open Banking
Response Parameter | Example | Description
---|---|---
access_token | "2YotnFZFEjr1zCsicMWpAA" | The access token to be used in the Authorization call
expires_in | 3600 | When the token will expire, in seconds. E.g. the value 3600 means the token will expire one hour after the response was generated
token_type | "bearer" | The token type
scope | "accounts" | The scope granted
Example:
Request:
POST /auth/token.oauth2 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json

grant_type=client_credentials
&scope=accounts
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRw
czovL2p3dC1pZHAuZXhhbXBsZS5jb20iLCJzdWIiOiJtYWlsdG86bWlrZUBleGFtcGxlLmN
vbSIsIm5iZiI6MTQ5OTE4MzYwMSwiZXhwIjoxNDk5MTg3MjAxLCJpYXQiOjE0OTkxODM2MD
EsImp0aSI6ImlkMTIzNDU2IiwidHlwIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9yZWdpc3Rlc
iJ9.SAxPMaJK_wYl_W2idTQASjiEZ4UoI7-P2SbmnHKr6LvP8ZJZX6JlnpK_xClJswAni1T
p1UnHJslc08JrexctaeEIBrqwHG18iBcWKjhHK2Tv5m4nbTsSi1MFQOlMUTRFq3_LQiHqV2
M8Hf1v9q9YaQqxDa4MK0asDUtE_zYMHz8kKDb-jj-Vh4mVDeM4_FPiffd2C5ckjkrZBNOK0
01Xktm7xTqX6fk56KTrejeA4x6D_1ygJcGfjZCv6Knki7Jl-6MfwUKb9ZoZ9LiwHf5lLXPuy
_QrOyM0pONWKj9K4Mj7I4GPGvzyVqpaZUgjcOaZY_rlu_p9tnSlE781dDLuw
Success Response:
Content-Length: 1103
Content-Type: application/json
Date: Mon, 26 Jun 2017 15:18:28 GMT

{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "expires_in": 3600,
  "token_type": "bearer",
  "scope": "accounts"
}
Error Responses
HTTP Code | Error Code
---|---
400 Bad Request | invalid_request
400 Bad Request | invalid_client
400 Bad Request | invalid_grant
400 Bad Request | unauthorized_client
400 Bad Request | unsupported_grant_type
400 Bad Request | invalid_scope
500 | Server_Error
Authorize Consent
This follows on from POST /account-access-consents and allows the AISP to create an authorization request (using a signed JWT request object containing the ConsentId as a claim) so that the customer can authorize the consent request directly with the bank.
This API authenticates the customer on the bank's platform and, on successful authentication, provides the AISP with an authorization code which can be exchanged for an access token to access account data.
Request Parameter | Example | Description
---|---|---
response_type | code id_token | The OAuth flow type being used
client_id | s6BhdRkqt3 | The client ID of your application registered in the developer portal
state | af0ifjsldkj | The state as specified by the TPP
scope | accounts | The scope being requested
redirect_uri | https://example.com/redirect | The redirect URL of the application registered in the developer portal
nonce | n-0S6_WzA2Mj | The nonce as specified by the TPP
request | | An OIDC request object containing the details of the Consent that needs to be authorized
Request:
GET /authorize?
response_type=code id_token
&client_id=s6BhdRkqt3
&state=af0ifjsldkj
&scope=openid payments
&nonce=n-0S6_WzA2Mj
&redirect_uri=https://api.mytpp.com/cb
&request=CJleHAiOjE0OTUxOTk1ODd.....JjVqsDuushgpwp0E.5leGFtcGxlI
iwianRpIjoiM....JleHAiOjE0.olnx_YKAm2J1rbpOP8wGhi1BDNHJjVqsDuushgpwp0E
Response:
HTTP/1.1 302 Found
Location: https://api.mytpp.com/cb#
code=SplxlOBeZQQYbYS6WxSbIA
&id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso
&state=af0ifjsldkj
Get Access Token using Authorization Code
This step allows an AISP to exchange the authorization code for the access token required to access the data APIs.
Request:
grant_type=authorization_code
&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https://api.mytpp.com/cb
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRw
czovL2p3dC1pZHAuZXhhbXBsZS5jb20iLCJzdWIiOiJtYWlsdG86bWlrZUBleGFtcGxlLmN
vbSIsIm5iZiI6MTQ5OTE4MzYwMSwiZXhwIjoxNDk5MTg3MjAxLCJpYXQiOjE0OTkxODM2MD
EsImp0aSI6ImlkMTIzNDU2IiwidHlwIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9yZWdpc3Rlc
iJ9.SAxPMaJK_wYl_W2idTQASjiEZ4UoI7-P2SbmnHKr6LvP8ZJZX6JlnpK_xClJswAni1T
p1UnHJslc08JrexctaeEIBrqwHG18iBcWKjhHK2Tv5m4nbTsSi1MFQOlMUTRFq3_LQiHqV2
M8Hf1v9q9YaQqxDa4MK0asDUtE_zYMHz8kKDb-jj-Vh4mVDeM4_FPiffd2C5ckjkrZBNOK0
01Xktm7xTqX6fk56KTrejeA4x6D_1ygJcGfjZCv6Knki7Jl-6MfwUKb9ZoZ9LiwHf5lLXPuy
_QrOyM0pONWKj9K4Mj7I4GPGvzyVqpaZUgjcOaZY_rlu_p9tnSlE781dDLuw
Response:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "SlAV32hkKG",
  "token_type": "Bearer",
  "expires_in": 3600
}
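Both token requests on this page (the client_credentials request earlier and the authorization_code exchange above) authenticate the TPP with a private_key_jwt client_assertion, an RS256 JWT signed with the key registered at onboarding. The Go code below is an added example, not the bank's or Open Banking's code: it signs such an assertion and shows the checks a token endpoint applies before honouring it (alg pinned, signature under the registered key, audience, iss == sub, expiry). The client_id, token endpoint URL and claim values are constructed assumptions.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims the TPP places in the private_key_jwt client_assertion; all values here are constructed.
type AssertionClaims struct {
	Iss string `json:"iss"` // the client_id issued at onboarding
	Sub string `json:"sub"` // must equal iss for a client assertion
	Aud string `json:"aud"` // the bank's token endpoint, so the JWT cannot be replayed elsewhere
	Jti string `json:"jti"` // unique per request, lets the server reject a reused assertion
	Exp int64  `json:"exp"` // short lifetime, checked against server time
}
var enc = base64.RawURLEncoding
// SignAssertion builds header.payload.signature with alg RS256, as in the page's sample JWT.
func SignAssertion(c AssertionClaims, key *rsa.PrivateKey) (string, error) {
	body, _ := json.Marshal(c)
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}
// VerifyAssertion is the server-side check: alg pinned to RS256 (the token never selects its own
// verifier), signature under the TPP's registered key, then aud, iss == sub and exp.
func VerifyAssertion(tok string, pub *rsa.PublicKey, endpoint string, now time.Time) (c AssertionClaims, err error) {
	var hdr struct{ Alg string `json:"alg"` }
	parts := strings.Split(tok, ".")
	if len(parts) != 3 { return c, errors.New("malformed JWT") }
	h, _ := enc.DecodeString(parts[0])
	if json.Unmarshal(h, &hdr) != nil || hdr.Alg != "RS256" { return c, errors.New("alg is not RS256") }
	sig, _ := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil { return c, errors.New("bad signature") }
	p, _ := enc.DecodeString(parts[1])
	if json.Unmarshal(p, &c) != nil { return c, errors.New("payload is not valid JSON") }
	if c.Aud != endpoint { return c, errors.New("aud does not name this token endpoint") }
	if c.Iss == "" || c.Iss != c.Sub { return c, errors.New("iss and sub must both be the client_id") }
	if now.Unix() >= c.Exp { return c, errors.New("assertion expired") }
	return c, nil
}
```

The signed string is what goes in the client_assertion form field of either token request; a token that fails any of these checks should be answered with invalid_client from the error table.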