Authorization code API call flow

This API exchanges an authorization code for an access token and a refresh token.


Step 1: Exchange authorization code for access token and refresh token

Send a POST request to the Authorization code endpoint with a valid authorization code (valid for 5 min):

Authorization code, Version 1

| URL LIVE | URL SANDBOX |
|---|---|
| POST https://api.csob.sk/identity-server/connect/authorizationcode | POST https://api.csob.sk/identity-server-test/connect/authorizationcode |

In case of payment order authorization, the access token is bound to a specific payment order (one-time token) and can be used only once. For 90 days access to accounts, the access token is valid for 20 min and can be renewed with the refresh token during the 90 days period. See the Authorization API / Refresh token section. The API Explorer web site lets you test the API online (Try it) and download the API definition (WADL, Open API).


Request:

Request parameters
Version1
grant_type={grant_type}&client_id={client_id}&client_secret={client_secret}&code={code}&redirect_uri={redirect_uri}&code_verifier={code_verifier}

| Attributes structure | Optionality | Type | Description |
|---|---|---|---|
| grant_type | Mandatory | String | Value is „authorization_code“ |
| client_id | Mandatory | String | TPP ID obtained from enrollment |
| client_secret | Mandatory | String | Secret obtained from enrollment |
| code | Mandatory | String | Authorization code obtained from SCA / payment authorization |
| redirect_uri | Mandatory | String | URL to redirect to after SCA; the redirect URL must be in the list of URL addresses from enrollment |
| code_verifier | Mandatory | String | The code_verifier used to generate the code_challenge in a previous request |


Response:

| Attributes structure | Optionality | Type | Description |
|---|---|---|---|
| access_token | Mandatory | String | Access token |
| expires_in | Mandatory | String | Validity of access token in seconds |
| token_type | Mandatory | String | Value is „Bearer“ |
| refresh_token | Optional | String | Can be used for renewing access token for 90 days access to account. For payment submitting, refresh token is not present. |


Example:

Request for obtaining long-term token (90 days access to account)

POST https://api.csob.sk/identity-server/connect/authorizationcode HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 209
Host: api.csob.sk
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

grant_type=authorization_code&client_id=TIDgjzKuS7k&client_secret=DuQugUbbqDS99VLdGgtLb7jSWi3Keg5A&code=1f8247638988812f93f93053b71da73e3ef9c9a83e0f32b73c5158b7daa07379&redirect_uri=https://www.csob.sk/psd2tpp&code_verifier=dWYjJUAoa2d2QEF8XlV6OmxdZTZeTSBgOjVkQEBMOFo


Response with long-term token and refresh token (90 days access to account)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server-Process-ID: LA3XsYeknMmkyANNijtiPmusPRzcE3t7
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Tue, 11 Jun 2019 08:31:03 GMT

{
"access_token": "8a6e97446d3db61107cf60d68f769ca48bc7eeb965052b11390bded4a4236x1e",
"expires_in": 1200,
"token_type": "Bearer",
"refresh_token": "59ad5fd94b1c879356c870e2f36d1ce3ba023197d81c79e17731822fe7b9c71e"
}


Request for obtaining access token for payment submitting

POST https://api.csob.sk/identity-server/connect/authorizationcode HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 267
Host: api.csob.sk
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

grant_type=authorization_code&client_id=TIDgjzKuS7k&client_secret=DuQugUbbqDS99VLdGgtLb7jSWi3Keg5A&code=6ba9fe5808e2b0e7d8901f56a24dbef28a5ae76425e6e2872eb0ce228c907c36&redirect_uri=https://www.csob.sk/psd2tpp&code_verifier=ZnZGfTJZRGVjLS1cPTQ6T343RDlrfUk-XTA8NkhOLlE


Response with access token for payment submitting

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server-Process-ID: QRFzyzMYP9gL4UrSxBfmRCBqMGT7Spiy
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Tue, 11 Jun 2019 09:02:46 GMT

{
"access_token": "aa3a57d8f4d43aca8a5d853cd3552211f994e47645e6dc22e0325c5a6edd0ec3",
"expires_in": 1200,
"token_type": "Bearer"
}
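
The exchange described above as an added Python example (not code from this page or from the bank): it derives a code_challenge from a code_verifier, builds the form-encoded token request without sending it, and parses the response, treating a missing refresh_token as the one-time payment case. The S256 challenge method (RFC 7636) and all function names are assumptions; the page does not state which challenge method the server expects.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode
from urllib.request import Request

# Sandbox endpoint as listed on this page.
TOKEN_URL = "https://api.csob.sk/identity-server-test/connect/authorizationcode"

def s256_challenge(code_verifier):
    """BASE64URL(SHA256(verifier)), unpadded. S256 (RFC 7636) is an assumption here."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def new_pkce_pair():
    """Fresh 43-character verifier from 32 random bytes, plus its challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, s256_challenge(verifier)

def build_token_request(client_id, client_secret, code, redirect_uri, code_verifier):
    """Build (without sending) the POST carrying the six mandatory parameters."""
    params = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    missing = [name for name, value in params.items() if not value]
    if missing:
        raise ValueError("missing mandatory parameter(s): " + ", ".join(missing))
    body = urlencode(params)  # percent-encodes every value, including redirect_uri
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return Request(TOKEN_URL, data=body.encode("ascii"), headers=headers, method="POST")

def parse_token_response(body_text):
    """Validate the JSON response; refresh_token is absent for one-time payment tokens."""
    data = json.loads(body_text)
    if data.get("token_type") != "Bearer" or not data.get("access_token"):
        raise ValueError("unexpected token response")
    return {
        "access_token": data["access_token"],
        "expires_in": int(data["expires_in"]),  # accepts "1200" or 1200
        "refresh_token": data.get("refresh_token"),
        "one_time": "refresh_token" not in data,
    }
```

The verifier must be the same one whose challenge was sent in the earlier authorization request, so store it server-side with the session rather than regenerating it at exchange time.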