Token by secret API call flow
This API allows a TPP to authenticate and obtain a short-term access token for passive operations:
- PISP – for initiating a Payment order, Standing order, Standing order update, Standing order cancellation or Payment order cancellation, or for obtaining payment order status
- AISP – for obtaining a TokenId bound to an IBAN, used to authenticate the user – described in „Strong customer authentication SCA - alternative flow“
- PIISP – for obtaining a YES/NO confirmation of the availability of funds, when explicit consent already exists
Step 1: Get the access token with specific scopes (AISP, PISP, PIISP)
Obtaining the access token is based on the OAuth 2.0 Client Credentials grant flow. The TPP obtains these credentials during the enrollment process.
Token by secret
Version 1

| Environment | URL |
| --- | --- |
| LIVE | POST https://api.csob.sk/identity-server/connect/token |
| SANDBOX | POST https://api.csob.sk/identity-server-test/connect/token |
The TPP calls this service to obtain a short-term access token, which is needed to verify the TPP in further communication. This access token is valid for 20 minutes only and cannot be renewed; after expiration, a new short-term access token must be issued. On the API Explorer web site it is possible to test the API online (Try it) and to download the API definition (WADL, Open API).
Request:
Header

| Attributes structure | Optionality | Type | Description |
| --- | --- | --- | --- |
| Content-Type | Mandatory | String | application/x-www-form-urlencoded;charset=UTF-8 |
Request parameters
Version 1

grant_type={grant_type}&client_id={client_id}&client_secret={client_secret}&scope={scope}

| Attributes structure | Optionality | Type | Description |
| --- | --- | --- | --- |
| grant_type | Mandatory | String | Value is „client_credentials“ |
| client_id | Mandatory | String | TPP ID obtained from enrollment |
| client_secret | Mandatory | String | Secret obtained from enrollment |
| scope | Mandatory | String | The scope of the access request according to SBAS: PISP, PIISP. These scopes can be combined according to TPP rights. |
Response:

| Attributes structure | Optionality | Type | Description |
| --- | --- | --- | --- |
| access_token | Mandatory | String | Short-term access token |
| expires_in | Mandatory | String | Validity of access token in seconds |
| token_type | Mandatory | String | Value is „Bearer“ |
Example:
Request
POST https://api.csob.sk/identity-server/connect/token HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 120
Host: api.csob.sk
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
grant_type=client_credentials&client_id=TIDgjzKuS7k&client_secret=Pr9jb8Y7Y5bnUxpNcJEhqdV3EiaxcpvK&scope=PISP PIISP
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server-Process-ID: Ypwq7QA68y77ygYArQq8pCNJQDhmNWur
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Wed, 27 Mar 2019 14:43:28 GMT
{
"access_token": "b02ab0a7ae7e5f19a85e5e935b4fc0623915a3940e761998cbb46654fe62117f",
"expires_in": 1200,
"token_type": "Bearer"
}