Strong customer authentication (SCA)
API historyThis process allows to authenticate user in bank environment and authorize user requests. If process is successful, it returns authorization code for:
AISP/PISP/PIISP – code for 90 days access to account (binding accounts to scope(s) and TPP)
PISP - code for submitting payment order (binding token to specific payment order)
Step 1: Redirect to CSOB for Strong Customer Authentication (SCA) and requests authorization
Strong Customer Authentication (SCA) is based on OAuth 2.0 Authorization code grant flow. SCA and request authorization is realized by the client after redirection to bank environment using credentials isued by the bank.
Redirect URL
TPP has to prepare the redirect URL by adding parameters to the query component of the authorization URL using the "application/x-www-form-urlencoded" format.
|
Redirect URL
Version1
|
URL LIVE |
https://apiauthorization.csob.sk/connect/authorize?client_id={client_id}&response_type={response_type}&redirect_uri={redirect_uri}&scope={scope}&state={state}&nonce={nonce}&request={orderId}
|
Attributes structure |
Optionality |
Type |
Description |
client_id |
Mandatory |
String |
TPP ID obtained from enrollment |
response_type |
Mandatory |
String |
Hybrid flow, value is „code id_token“ |
redirect_uri |
Mandatory |
String |
Redirect URL to be redirected after SCA, redirect URL must be in list of URL addresses from enrollment |
scope |
Mandatory |
String |
The scope of the access request according to SBAS: AISP, PISP, PIISP. These scopes can be combined according to TPP rights. With requested scopes there must also be the scope openid. If 90 days access is needed, scope offline_access must be present (not for payment authorization). Example for obtaining long-term token: AISP openid offline_access Example for obtaining token for submitting payment: PISP openid |
State |
Mandatory |
String |
An opaque value used by the TPP to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the TPP. The parameter should be used for preventing cross-site request forgery |
Nonce |
Mandatory |
String |
String value used to associate a Client session with an ID Token, and to mitigate replay attacks. |
Request |
Optional |
String |
OrderId from Payment initialization must be used when payment is being authorized during SCA process. |
Response URL
After succesfull SCA proces and request authorization, the authorization server issues an authorization code and delivers it to the TPP by adding the following parameters to the query component of the redirection URL using the "application/x-www-form-urlencoded" format. Code validity is due to security reasons limited to 5 min.
|
Response URL
Version1
|
URL LIVE |
https://{redirectURL}#code={code}&id_token={id_token}&scope=
{requested scopes}&state={state}&session_state={session_state}
|
Attributes structure |
Optionality |
Type |
Description |
code |
Mandatory |
String |
The authorization code generated by the authorization server. The authorization code expires in 5 min after it is issued to mitigate the risk of leaks. The client must not use the authorization code more than once. If an authorization code is used more than once, the authorization server deny the request. |
id_token |
Mandatory |
String |
JSON Web Token (JWT) that contains encoded user‘s authentication information which is represented in the form of claims. These claims are statements about the user, which can be trusted if the consumer of the token can verify its signature. |
scope |
Mandatory |
String |
The exact value of scope parameter received from the client. |
State |
Mandatory |
String |
The exact value of state parameter received from the client. |
session_state |
Mandatory |
String |
JSON string that represents the End-User's login state at the OP. |
Error Response URL
If the SCA or request authorization fails, the authorization server informs TPP by adding the following parameters to the query component of the redirection URL using the "application/x-www-form-urlencoded" format.
|
Error response URL
Version1
|
URL LIVE |
https://{redirectURL}?error={error}&error_description={error_description}
|
Attributes structure |
Optionality |
Type |
Description |
error |
Mandatory |
String |
One of the following error codes may be present:
|
error_description |
Optional |
String |
Additional information to the error code |
Example:
Redirect URL for obtaining authorization code for token for payment submitting
https://apiauthorization.csob.sk/connect/authorize?client_id=TIDgjzKuS7k&response_type=code id_token&redirect_uri=https://www.csob.sk/psd2tpp&scope=PISP openid&state=aaaa&nonce=aaaa&request=n8Teu8Y1BXVnXSatumk5
Response URL with authorization code for token for payment submitting
https://www.csob.sk/psd2tpp#code=d32207b98fac5bcf021a00c8ffeeb13435f9683b9e86b3fe4759f49257f26bff&id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjExYzBhNzg1YWMyZGZiZjEzYmJiNmMyNjhmZTI0ZDY1IiwidHlwIjoiSldUIn0.eyJuYmYiOjE1NTI2NDI5MjQsImV4cCI6MTU1MjY0MzIyNCwiaXNzIjoiaHR0cHM6Ly9hcGlhdXRob3JpemF0aW9uLWFjYy5jc29iLnNrIiwiYXVkIjoiVElEZ2p6S3VTN2siLCJub25jZSI6ImFhYWEiLCJpYXQiOjE1NTI2NDI5MjQsImNfaGFzaCI6IkNpVHNKQmVOWUlRbzdXTzF2QzlBOFEiLCJzaWQiOiJiM2NmMGI2NWUxNjdkMmQ4OGM0NWU2OWNkMDJkNTk0OSIsInN1YiI6ImxpUVI5aVQ2U2s0dGt4MkJCalJmbm13cmRBNVZ4aUQzUlF1ZCIsImF1dGhfdGltZSI6MTU1MjY0MjkyNCwiaWRwIjoibG9jYWwiLCJhbXIiOlsicHdkIl19.0uLRjDv7PTcbyAJS8y2WEcjbcaq4hpXU5UVh2ZD_F4zL8Nf6pC-kabxL8ZL2AVDP0RXFaabKVgvQxcWK81sYvtTIooIyk7Qw5QReST8TlJkZ0McktDpE9aKqOEmmsBoryUitOdzxrECMhvWDWPFdIU2mqcJazimFbM9WiaLT0Bd2GANHUM0X1ZjjFhHdm1uflieBT0L_VXTVBjCc2oTE-h2W3gZ6YtSx7LoO7xbhxtpFSBRrp0eN9nRZsbyCH7WJ5LP__NjyVJKQ7CgSACPZYXcGBOWdBLNtqqxmKVb3SkgOO5HxlK5Eu-svgPUnFopkIdjY-5No8f1dFmooeQbtPw&scope=openid%20PISP&state=aaaa&session_state=8eEoIGDUPhNKQk-6uWXoJXgmybUTipH7NGxTGn052aw.0dd0a983be8f228b6daa4a573272f143
Redirect URL for obtaining authorization code for long-term token (90 days access to account)
https://apiauthorization.csob.sk/connect/authorize?client_id=TIDgjzKuS7k&response_type=code id_token&redirect_uri=https://www.csob.sk/psd2tpp&scope=AISP PISP PIISP openid offline_access&state=aaaa&nonce=aaaa&request=
Response URL with authorization code for long-term token (90 days access to account)
https://www.csob.sk/psd2tpp#code=ba6dfa11d6eb5952d6ae5d138b55142c0269bf21b239ab05a4b5a5426da535e2&id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjExYzBhNzg1YWMyZGZiZjEzYmJiNmMyNjhmZTI0ZDY1IiwidHlwIjoiSldUIn0.eyJuYmYiOjE1NTM2MTcwODksImV4cCI6MTU1MzYxNzM4OSwiaXNzIjoiaHR0cHM6Ly9hcGlhdXRob3JpemF0aW9uLWFjYy5jc29iLnNrIiwiYXVkIjoiVElEZ2p6S3VTN2siLCJub25jZSI6ImFhYWEiLCJpYXQiOjE1NTM2MTcwODksImNfaGFzaCI6InA4VmlGajNCdnA2OUhqaGZIY3BrMGciLCJzaWQiOiJjYzBiZDMzZWFkOGQ5Njk2OWY4ZjNjNDYwNGY2OThlNSIsInN1YiI6InhVNUdrRjlkb3dsQ2hzbGtSbG1Dd044R21qbVJUU3Noc3FMcCIsImF1dGhfdGltZSI6MTU1MzYxNzA4OSwiaWRwIjoibG9jYWwiLCJhbXIiOlsicHdkIl19.AGBKqt1qzSbgfiMANdLZ9164JOO9FiNcBwElVaQ-lAGHyD2Vca-N6rxYn7znVVgB_ez34MhpzNtUGxoxKsbVSigvRjU0nqOat5TReWB2671qF2iNfa0X4tExQYfBX0EqJJB_ThbryfzbuWynEOEWMmrwX8lt2HcQ3EdqClSF-ujAkC3lrsyZU5KjAc9skIEQXLHIDMZsL8ViH2KCvPuVDjMzGqPJOt8gwk-3DRls1MYqJsZd9_BDDrbZ7Tw-Ez_zhjv0kmic4e24ZDsHuw4L79qkSodQku_u9ox51-H_DmUtMzAmLFIGhqsIs3-Dy-CiRtPSNvQX9WdoGjwFyFRXTg&scope=openid%20AISP%20PISP%20PIISP%20offline_access&state=aaaa&session_state=cLcYH4V3V36dUapl4o85Sr92gafwdXwbglSI5BMRMyE.2f0da100221952712ed1e41ab894cf30
Step 2: Exchange authorization code for access token
Initiate POST request for Authorization code with a code obtained in Step 1. For details see Authorization API / Authorization Code. In response, there is an access token, which is binded to specific operation (payment or binding accounts to scope(s) and TPP) and must be used in further requests.