Authorization code API call flow
This API allows exchanging an authorization code for an access token and a refresh token.
Step 1: Exchange authorization code for access token and refresh token
Initiate a POST request to the Authorization code endpoint with a valid authorization code (valid 5 min):
Authorization code (Version 1)

| URL LIVE | URL SANDBOX |
|---|---|
| POST https://api.csob.sk/identity-server/connect/authorizationcode | POST https://api.csob.sk/identity-server-test/connect/authorizationcode |
In case of payment order authorization, the access token is bound to a specific payment order (one-time token valid 20 min) and can be used only once. For 90 days access to accounts, the access token is valid 20 min and can be renewed with the refresh token during the 90-day period. See the Authorization API / Refresh token section. On the API Explorer web site it is possible to test the API online (Try it) and download the API definition (WADL, Open API).
Request:
Header

| Attributes structure | Optionality | Type | Description |
|---|---|---|---|
| Content-Type | Mandatory | String | application/x-www-form-urlencoded;charset=UTF-8 |
Request parameters (Version 1)

grant_type={grant_type}&client_id={client_id}&client_secret={client_secret}&code={code}&redirect_uri={redirect_uri}&code_verifier={code_verifier}

| Attributes structure | Optionality | Type | Description |
|---|---|---|---|
| grant_type | Mandatory | String | Value is „authorization_code“ |
| client_id | Mandatory | String | TPP ID obtained from enrollment |
| client_secret | Mandatory | String | Secret obtained from enrollment |
| code | Mandatory | String | Authorization code obtained from SCA / payment authorization |
| redirect_uri | Mandatory | String | Redirect URL to be redirected to after SCA; the redirect URL must be in the list of URL addresses from enrollment |
| code_verifier | Mandatory | String | Code_verifier used to generate the code_challenge from a previous request |
Response:
| Attributes structure | Optionality | Type | Description |
|---|---|---|---|
| access_token | Mandatory | String | Access token |
| expires_in | Mandatory | String | Validity of access token in seconds |
| token_type | Mandatory | String | Value is „Bearer“ |
| refresh_token | Optional | String | Can be used for renewing access token for 90 days access to account. For payment submitting, refresh token is not present. |
Example:
Request for obtaining long-term token (90 days access to account)
POST https://api.csob.sk/identity-server/connect/authorizationcode HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 209
Host: api.csob.sk
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

grant_type=authorization_code&client_id=TIDgjzKuS7k&client_secret=DuQugUbbqDS99VLdGgtLb7jSWi3Keg5A&code=1f8247638988812f93f93053b71da73e3ef9c9a83e0f32b73c5158b7daa07379&redirect_uri=https://www.csob.sk/psd2tpp&code_verifier=dWYjJUAoa2d2QEF8XlV6OmxdZTZeTSBgOjVkQEBMOFo
Response with long-term token and refresh token (90 days access to account)
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server-Process-ID: LA3XsYeknMmkyANNijtiPmusPRzcE3t7
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Tue, 11 Jun 2019 08:31:03 GMT

{
  "access_token": "8a6e97446d3db61107cf60d68f769ca48bc7eeb965052b11390bded4a4236x1e",
  "expires_in": 1200,
  "token_type": "Bearer",
  "refresh_token": "59ad5fd94b1c879356c870e2f36d1ce3ba023197d81c79e17731822fe7b9c71e"
}
Request for obtaining access token for payment submitting
POST https://api.csob.sk/identity-server/connect/authorizationcode HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 267
Host: api.csob.sk
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

grant_type=authorization_code&client_id=TIDgjzKuS7k&client_secret=DuQugUbbqDS99VLdGgtLb7jSWi3Keg5A&code=6ba9fe5808e2b0e7d8901f56a24dbef28a5ae76425e6e2872eb0ce228c907c36&redirect_uri=https://www.csob.sk/psd2tpp&code_verifier=ZnZGfTJZRGVjLS1cPTQ6T343RDlrfUk-XTA8NkhOLlE
Response with access token for payment submitting
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server-Process-ID: QRFzyzMYP9gL4UrSxBfmRCBqMGT7Spiy
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Tue, 11 Jun 2019 09:02:46 GMT

{
  "access_token": "aa3a57d8f4d43aca8a5d853cd3552211f994e47645e6dc22e0325c5a6edd0ec3",
  "expires_in": 1200,
  "token_type": "Bearer"
}
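
The request and response tables above, worked through as an added example (not ČSOB's own code): it derives a PKCE pair, form-encodes the six mandatory parameters, and validates the token response. The function names are hypothetical, and the S256 challenge method (RFC 7636) is an assumption, since the page does not say how code_challenge is derived from code_verifier.

```python
import base64
import hashlib
import json
import secrets
import time
from urllib.parse import urlencode

def challenge_for(verifier):
    # Assumption: S256 method from RFC 7636; the page does not name the method.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def new_pkce_pair():
    # 32 random bytes give a 43-character base64url verifier (RFC 7636 minimum).
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, challenge_for(verifier)

def build_token_request(client_id, client_secret, code, redirect_uri, code_verifier):
    # The six mandatory parameters from the request table, form-encoded.
    params = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    missing = [name for name, value in params.items() if not value]
    if missing:
        raise ValueError("missing mandatory parameter(s): " + ", ".join(missing))
    headers = {"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8"}
    return headers, urlencode(params)

def parse_token_response(raw_json, now=None):
    # Check the mandatory response fields before the token is stored or used.
    data = json.loads(raw_json)
    for field in ("access_token", "expires_in", "token_type"):
        if field not in data:
            raise ValueError("response lacks mandatory field " + field)
    if data["token_type"] != "Bearer":
        raise ValueError("unexpected token_type")
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "expires_at": now + int(data["expires_in"]),
        "refresh_token": data.get("refresh_token"),
        # Per the response table, a payment-submission token has no refresh token.
        "payment_token": "refresh_token" not in data,
    }
```

The body returned by `build_token_request` contains `client_secret` and the one-time `code`, so it should not be written to request logs.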