Authorization code API call flow
API historyThis API allows to exchange authorization code for access token and refresh token.
Step 1: Exchange authorization code for access token and refresh token
Initiate POST requests for Autrhorization code witth valid atuthorization code (valid 5 min):
|
Authorization code
Version1
|
URL LIVE
URL SANDBOX
|
POST https://api.csob.sk/identity-server/connect/authorizationcode
POST https://api.csob.sk/identity-server-test/connect/authorizationcode
|
In case of payment order authorization, access token is binded to specific payment order (one-time token), and can be used only once. For 90 days access to accounts, access token is valid 20 min and can be renewed with refresh token during 90 days period. See Authorization API / Refresh token section. On API Explorer web site there is a possibility to test API online (Try it) and download API definition (WADL, Open API).
Request:
|
Request parameters
Version1
|
grant_type={grant_type}&client_id={client_id}&client_secret={client_secret}&code={code}&redirect_uri={redirect_uri} |
Attributes structure |
Optionality |
Type |
Description |
grant_type |
Mandatory |
String |
Value is „authorization_code“ |
client_id |
Mandatory |
String |
TPP ID obtained from enrollment |
client_secret |
Mandatory |
String |
Secret obtained from enrollment |
code |
Mandatory |
String |
Authorization code obtained from SCA / payment authorization |
redirect_uri |
Mandatory |
String |
Redirect URL to be redirected after SCA, redirect URL must be in list of URL addresses from enrollment |
Response:
Attributes structure |
Optionality |
Type |
Description |
id_token |
Mandatory |
String |
Encoded user‘s authentication information including nonce value |
access_token |
Mandatory |
String |
Access token |
expires_in |
Mandatory |
String |
Validity of access token in seconds |
token_type |
Mandatory |
String |
Value is „Bearer“ |
refresh_token |
Optional |
String |
Can be used for renewing access token for 90 days access to account. For payment submitting, refresh token is not present. |
Example:
Request for obtaining long-term token (90 days access to account)
POST https://api.csob.sk/identity-server/connect/authorizationcode HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 209
Host: api.csob.sk
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
grant_type=authorization_code&client_id=TIDgjzKuS7k&client_secret=Uv483B6zptU2xEEwhkWwKQdvxLHX76A9&code=d32207b98fac5bcf021a00c8ffeeb13435f9683b9e86b3fe4759f49257f26bff&redirect_uri=https://www.csob.sk/psd2tpp
Response with long-term token and refresh token (90 days access to account)
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server-Process-ID: 4PQPmyFYqimXP7dQSmKX7bSya3zagRv5
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Fri, 15 Mar 2019 09:43:40 GMT
{
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjExYzBhNzg1YWMyZGZiZjEzYmJiNmMyNjhmZTI0ZDY1IiwidHlwIjoiSldUIn1.eyJuYmYiOjE1NTI2NjQyOTQsImV4cCI6MTU1MjY2NDU5NCwiaXNzIjoiaHR0cHM6Ly9wc2QyLWFwaWF1dGhvcml6YXRpb24tY3NvYnNrLWFjYy5henVyZXdlYnNpdGVzLm5ldCIsImF1ZCI6IlRJRGdqekt1UzdrIiwibm9uY2UiOiJhYWFhIiwiaWF0IjoxNTUyNjY0Mjk0LCJhdF9oYXNoIjoiU3RBVUl6dWhPcGszQTUxM3N4YjFHQSIsInNpZCI6IjdhNTgzYWNiY2EyMDViMDQ2NDFiN2Q5OWJhNGVhOTg3Iiwic3ViIjoiRnRXQnV0VG1TbDhPMUNnQ2t1aU4yT2FpMWMzczh2c0V5VGRNIiwiYXV0aF90aW1lIjoxMTUyNjY0MjgyLCJpZHAiOiJsb2NhbCIsImFtciI6WyJwd2QiXX0.TpH2pCGCwLmrhdwxavYFvo_qgwzB0ZBwR6SEV-6SlgUaNFnaum2HvjUphf_XJZP-6yHc-mSOxsEyZkImETUPXlpT3f_VNQQGLDOmoN5es2paAdjm7ptcjpJSaeNdMMSu4Yqd8HOI1WmQJG-IGy1nb3sDvzvxuqkwg9UDeYX-wLHPr6rUGG9clgkhqSIeEgDQnWsSvRiNGOmVsqt64sAIm19Bb508beRYwQg44x2nl6VYAXgHdAdDUvKRfiavr_WrdxnWotKTHieBd070ieHdy9gwQJSsoByXJL-e52sl1rgQu3sqqRv4AAndE8S8jlwEnjORLeyLrCeS2ES9Rks2Uw",
"access_token": "8a6e97446d3db61107cf60d68f769ca48bc7eeb965052b11390bded4a4236x1e",
"expires_in": 1200,
"token_type": "Bearer",
"refresh_token": "eab1ffc4b4f562f58c0212be690bc74e80bab2905a6e15118df44fef6fe91269"
}
Request for obtaining access token for payment submitting
POST https://api.csob.sk/identity-server/connect/authorizationcode HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 210
Host: api.csob.sk
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
grant_type=authorization_code&client_id=TIDgjzKuS7k&client_secret=mwryTJUjquusiG9TeqxseT7UxUvK42bd&code=a158ba8c9301f693e7ea4d3038441f2f1d8f9d1f9c6ee6fe40ea5f98d5f546b0&redirect_uri=https://www.csob.sk/psd2tpp
Response with access token for payment submitting
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server-Process-ID: 2P4PdTRdD6cdqJMi4nQtQg5kcsm5p4xi
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Thu, 28 Mar 2019 13:59:55 GMT
{
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjBiYjk3OGU2NjE3ZDdmMGQ2YTM5ZTE1YTEzOGJjNzkyIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1NTM3ODE1OTUsImV4cCI6MTU1Mzc4MTg5NSwiaXNzIjoiaHR0cHM6Ly9wc2QyLWFwaWF1dGhvcml6YXRpb24tY3NvYnNrLmF6dXJld2Vic2l0ZXMubmV0IiwiYXVkIjoiVElESktwdEN2YmEiLCJub25jZSI6ImFhYWEiLCJpYXQiOjE1NTM3ODE1OTUsImF0X2hhc2giOiJtdjY1Rmx2YnBBVWVNaGFFT2pERzhnIiwic2lkIjoiOTk0ODUyY2UwYjA1MDYyOWMxNjMzZDJjNGJjMjg3YmQiLCJzdWIiOiJiQmQxYVdGaDFVbUY1M2JQNkhjY3preExpUEJka1hXa0xHZmgiLCJhdXRoX3RpbWUiOjE1NTM3ODE1MRYsImlkcCI6ImxvY2FsIiwiYW1yIjpbInB3ZCJdfQ.lQDauXuSWKxrKwZhgjnZdj9FXyCv7f5iBZ67OVw7DIGwZBxEizoEOO6_wiwJYDsNUc4GEEV0IM6qyc5KX7FVpDBdeNiiwHITQs43Oko-DqupcRvJ7Nr39a7YGenF-scBQb7GBb8DSfwCc2XOYU0izTXbR-9JJTX0x8fRU9lu9EQirT14CSXdX3BOCoAQpIRfVo7FTS9wk5sgDsj8jjBwL6bEBomD9GTg283o8jrUZDGmE9Ke6th8I7yriYwhyWqC-hoLSnX7V7HmTeGJ7KuUGC8GaDPEPqy_GXXewjCUdHM0N6ojgqR6rEZV8ayI_xDdWkkn4yvRLfjgWC3NIspcUQ",
"access_token": "5a700ffe382eb5cfsc06ce42aa9c839a1b5ff09f8277c899178930afc6ca8469",
"expires_in": 1200,
"token_type": "Bearer"
}