PSD2 Authentication
According to the Second Payment Services Directive (PSD2), to get access to the AIS service it is required to be a legal person with a permit as an Account Information Service Provider, granted by national competent authorities (Finansinspektionen in Sweden). In a similar manner, to get access to the PIS service it is required to have a permit as an Payment Initiation Service Provider.
An eIDAS-issued certificate and end user authorization is required to perform PSD2 authentication/authorization to ultimately gain access to the AIS and PIS APIs.
The permissions granted to the TPP translate to PSD2 roles (entitlements), and are stated in the TPP's eIDAS certificate,
those being PSP_AI
and PSP_PI
, according to the mapping in table below:
PSD2 Entitlement | Certificate Role | PSD2 Scope |
---|---|---|
Account Information Service | PSP_AI | AIS |
Payment Initiation Service | PSP_PI | PIS |
Only roles present in the certificate may be used, and requests that do not follow this will be denied. The TPP may perform authentication with a reduced scope if desired (such as only AIS scope even if capable of requesting AIS and PIS). More information on this will be presented below.
PSD2 Fallback
On the 17th of February of 2020, Finansinspektionen (FI) approved SBAB Bank AB's application to be exempted from the obligation to provide a contingency mechanism in accordance with Article 33(4) of the RTS/PSD2 (FI Dnr 19-13438). For this reason, SBAB no longer provides a contingency mechanism for the AIS/PIS interfaces.
Certificate-based authentication
PSD2 API calls (AIS and PIS) require a valid eIDAS certificate belonging to the TPP.
However, since in the Sandbox no TLS certificate validation is possible, you must use a test certificate as a header named
X-PSD2-CLIENT-TEST-CERT
, sending it as a Base64-encoded string. In contrast with a production environment,
AIS and PIS scopes will not be validated against the certificate, no TLS handshake will be performed, and no actual
BankID request will be performed, meaning that you'll get immediate authentication success.
If you want to create a self-signed certificate for testing purposes, you can follow the instructions given in this blog post— öppnas i ny flik.
User authorization
The end user of the service, also known as Payment Service User (PSU) in PSD2 nomenclature, grants access to its data by using Swedish BankID. Authentication and authorization requests will initiate a request to the PSU's BankID and return a pending authorization code and a BankID autostart token. The pending authorization code is used to continue the authentication/authorization flow, and the autostart token should be used by the TPP to trigger the PSU's BankID. More information on BankID and the autostart token can be found on BankID's developer information— öppnas i ny flik page.
Available flows
SBAB provides two flows that TPPs can use to obtain the PSU's consent to access its data: authenticate and authorize flows. The purpose is to separate the customer's consent for different use cases.
Both flows will provide the TPP with a BankID autostart token, which should be user to trigger the PSU's BankID as described above. A pending authorization code will also be provided, which can be used to obtain the appropriate tokens for the initiated flow after a successful BankID grant is given by the PSU (note that this code is used both for authentication and authorization flows, the word "authorization" in its name should not be taken literally).
In addition to the two mentioned flows, a non-standard flow used for a non-authenticated user is also available for transfers and AIS operations. This flow is issuing a restricted access token by calling the token endpoint directly in a single request without BankID authentication.
Authenticate flow
This flow is used to obtain an access token that can be used to perform several operations on the PSU's account, such as reading account information and listing transactions.
The result of this flow is an access token that can only be used during a 30 minute time frame. This flow has no limitations to how many times it is executed but requires end user interaction (BankID interaction) each time the token validity expires. This flow can never produce a refresh token.
Secure start
authenticate flow will use bankID in the following way:
- The client initiates the authenticate flow by calling the authenticate endpoint
/psd2/auth/3.0/authenticate
This initiates a new authentication returning a pending code and requires a valid certificate as usual.
If started in mode AUTO_START
, launch bankId with given autostart token using
bankid://autostarttoken=autostartToken&redirect=null
- The client gets the authentication status by calling the endpoint
/psd2/auth/3.0/status
If in mode QR_CODE
, then a dynamic QR code is returned used to launch a mobile device.
Only use this endpoint while in status PENDING. If status is COMPLETE
, authentication succeeded.
If status is FAILED
, user authentication failed or BankID was not activated within 30 seconds.
In mode QR_CODE
, only ask for status at most once every second but not less than once every second second.
In addition, a hint code is also given in the response.
For a detailed description of QR codes, the statuses and hint codes that map 1-1 to bankID's statuses and hint codes, see https://www.bankid.com/utvecklare/guider/teknisk-integrationsguide/graenssnittsbeskrivning— öppnas i ny flik
- Retrieve an access token with the pending code by calling the existing unchanged endpoint
/psd2/auth/1.0/token
- In status
PENDING
the client can cancel the authentication with the pending code by calling the endpoint
/psd2/auth/3.0/cancel
In the terminal status COMPLETE
or FAILED
the request will be denied.
Authorize flow
This flow is used to obtain a short-lived access token with the same capabilities as the one from authenticate flow above, and additionally a refresh token, which can be used to obtain more short-lived access tokens for a period of up to 180 days without further end user interaction.
More specifically, access tokens obtained from this flow, both the first and any subsequent obtained through the refresh token, are valid for only 5 minutes.
The refresh token, in contrast, will be valid for 180 days and may be used up to 4 times a day to obtain new access tokens.
The secure start
authorize flow will use BankID in exactly the same way as for secure start authenticate
but will in step 1 instead use the endpoint
/psd2/auth/3.0/authorize
After that the status, token and cancel endpoints can be called in the same way as described above for the authenticate flow.
Non Authenticated flow
This new non-standard Oauth flow is used to reduce the number of Strong Customer Authentications (SCA) when executing transfers for a PSD2 client. An access token obtained from this flow has a default TTL of 30 minutes. The flow is reducing the number of SCAs to only 1 instead of 2 by the following steps:
- Get a restricted access token without BankID authentication by calling the token endpoint (no SCA is needed any longer).
- Validate/initiate the transfer with the issued token from step 1 as in current flow.
- Execute the actual transfer with a BankID signing exactly as as in current flow (now the single SCA for this flow).
Please note that the old flow with BankID authentication before signing the transaction, requiring a total of 2 SCAs, is still available.
In addition, also end users authenticated in a TPP app can execute AIS operations on accounts without any further SCA with the same Non Authenticated flow as described for transfers.
If the restricted access token is provided by the TPP app together with a mandatory PSU-IP-Address
header containing the PSU ip address,
no SCA is needed to retrieve account information.
Please note that the old flow with BankID authentication fetching AIS information, requiring one SCA, is still available.
Please note that when retrieving account information in the sandbox, there is no difference between the flow with BankID authentication and the non-authenticated flow since it is only possible to use one type of static sandbox token for each user. These two flows are thus the same in the sandbox but will be different in production.
Retrieving Access Tokens
Irrespective of which flow is being executed, after the PSU allows the TPP to access its data using BankID, an access token must be obtained. Such token will be provided to all calls executed against protected SBAB APIs.
In order to do so, the TPP must use the pending authorization code provided when initializing the authentication/authorization flow. This is the last step of the process, and it may also fail for a number of reasons, beyond the obvious reasons of malformed requests:
- expired eIDAS certificate
- the user haven't yet completed the BankID operation
- expired pending authentication code
- expired refresh token
- refresh token used more than 4 times in a day
- KYC (Know Your Customer) questions not answered by the user
Most of these failures can be amended by repeating the authentication/authorization process. If it fails because of KYC questions, then you must direct the user to access its SBAB account through the SBAB phone app or the web, as there is no API to answer these questions, and no access will be granted until they are answered.
With that, the possible flows, requests and response combinations are summarized below:
Flow | Scope | Requested Token Type | Response | Access Token Validity |
---|---|---|---|---|
Authenticate | AIS/PIS | Access Token | Access Token | 30 minutes |
Authorize | AIS/PIS | Access Token | Access Token + Refresh Token | 5 minutes |
Authorize | AIS | Refresh Token | Access Token | 5 minutes |
Non Authenticated | AIS/PIS | Access Token | Access Token | 30 minutes |
API usage
As mentioned, the flows for PSD2 are authentication, authorization and non-authenticated. For any calls to execute these flows, there are two mandatory headers:
PSU-IP-Address
: it should contain the IP address of the PSU in IPv4 format or IPv6 formatX-PSD2-CLIENT-TEST-CERT
: this field should contain a Base64-encoded test PSD2 certificate; as explained above, the contents of this certificate will not be validated in any way, but it needs to be a well-formed certificate
Secure start authenticate flow
Start by calling the authenticate endpoint:
curl -X POST \
"https://developer.sbab.se/sandbox/psd2/auth/3.0/authenticate" \
-H "accept: application/json" \
-H "X-PSD2-CLIENT-TEST-CERT: -----BEGIN CERTIFICATE-----MIIEEjCdCAv...-----END CERTIFICATE-----" \
-H "Content-Type: application/json" \
-d "{ \"end_user_ip\": \"1.2.3.4\", \"start_mode\": \"AUTO_START\", \"scopes\": \"AIS,PIS\"}" \
The response to this request should look like the following:
{
"pending_code": "2fe95e3b-380b-4ad2-bb77-44caa51605b8",
"auto_start_token": "d35ae4dc-f873-419d-8c43-d85dbe92ab62"
}
If the mode was QR_CODE
, the response would look like this:
{
"pending_code": "2fe95e3b-380b-4ad2-bb77-44caa51605b8"
}
After that, ask for status:
curl -X POST \
"https://developer.sbab.se/sandbox/psd2/auth/3.0/status" \
-H "accept: application/json" \
-H "X-PSD2-CLIENT-TEST-CERT: -----BEGIN CERTIFICATE-----MIIEEjCdCAv...-----END CERTIFICATE-----" \
-H "Content-Type: application/json" \
-d "{ \"pending_code\": \"2fe95e3b-380b-4ad2-bb77-44caa51605b8\"}" \
If the mode was AUTO_START
, the response would look like this:
{
"hint_code": "OUTSTANDING_TRANSACTION",
"bank_id_auth_status": "PENDING"
}
If the mode was QR_CODE
, the response would look like this:
{
"hint_code": "OUTSTANDING_TRANSACTION",
"qr_code": "bankid.67df3917-fa0d-44e5-b327-edcc928297f8.2.dc69358e712458a66a7525beef148ae8526b1c71610eff2c16cdffb4cdac9bf8",
"bank_id_auth_status": "PENDING"
}
If the client BankID authentication, meanwhile performed in background, was successful the response would look like this:
{
"hint_code": "USER_SIGN",
"bank_id_auth_status": "COMPLETE"
}
Is status is COMPLETE
, call token endpoint like before.
If the BankID authentication failed, the response would look like this:
{
"hint_code": "START_FAILED",
"bank_id_auth_status": "FAILED"
}
If status is PENDING, it is possible to cancel the authentication with the pending code by calling the cancel endpoint.
curl -X POST \
"https://developer.sbab.se/sandbox/psd2/auth/3.0/cancel" \
-H "accept: application/json" \
-H "X-PSD2-CLIENT-TEST-CERT: -----BEGIN CERTIFICATE-----MIIEEjCdCAv...-----END CERTIFICATE-----" \
-H "Content-Type: application/json" \
-d "{ \"pending_code\": \"2fe95e3b-380b-4ad2-bb77-44caa51605b8\"}" \
Secure start authorize flow
The Secure start authorize flow looks exactly the same as the secure start authenticate flow but is initialized with the call
curl -X POST \
"https://developer.sbab.se/sandbox/psd2/auth/3.0/authorize" \
-H "accept: application/json" \
-H "X-PSD2-CLIENT-TEST-CERT: -----BEGIN CERTIFICATE-----MIIEEjCdCAv...-----END CERTIFICATE-----" \
-H "Content-Type: application/json" \
-d "{ \"end_user_ip\": \"1.2.3.4\", \"start_mode\": \"AUTO_START\", \"scopes\": \"AIS,PIS\"}" \
The flow then continues like described above for the authenticate flow.
Non Authenticated flow
For this flow, you start by making this request to get a token without BankID authentication:
curl -X POST \
"https://developer.sbab.se/sandbox/psd2/auth/1.0/token" \
-H "Accept: application/json" \
-H "X-PSD2-CLIENT-TEST-CERT: -----BEGIN CERTIFICATE-----MIIEEjCdCAv...-----END CERTIFICATE-----" \
-H "PSU-IP-Address: 127.0.0.1" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d grant_type=non_authenticated_token \
-d user_id=196306151751
The parameters to use are:
grant_type
: must contain the valuenon_authenticated_token
user_id
: the Swedish personal number of the account owner
The response contains the access token and expiration in seconds:
{
"access_token": "16086f8c-828d-4e01-a30a-0770353decd1",
"expires_in": 1800,
"token_type": "bearer"
}
The following applies for the new non-authenticated flow:
-
This returned access token can be used to initiate a transfer:
/v3/accounts/{account-number}/transfers
and check the status of the ongoing transfer:
/v3/accounts/{account-number}/transfers/{reference-id}/status
The non-authenticated flow can also be used to perform AIS operations like
v2/accounts-numbers
v2/accounts
v2/accounts/{accountNumber}
v2/accounts/{accountNumber}/transfers
v2/accounts/{accountNumber}/transfers/{transfer-id}
v2/accounts/{accountNumber}/{currency}/{amount}
-
The PSD2 certificate must have PIS scope for executing a transfer.
-
The PSD2 certificate must have AIS scope for executing AIS operations.
-
The TTL of the token is configured per TPP. The default TTL is 30 minutes.
-
A special grant type
non_authenticated_token
is used for the token request. -
If all the KYC questions have not been answered by the user, a token can not be obtained. The user has to log into SBAB and answer the KYC questions before a token can be fetched.
-
If the validation of a transfer fails due to the account balance, faulty transfer date or any other failure, the transfer will not be executed.
-
The personal identification number will be given in the request parameter
user_id
. -
All ordered transfers using grant type
non_authenticated_token
must be signed with BankID.
Try it yourself
We recommend that you test the steps above in our sandbox environment, if you haven't done so yet.
Test the API
Production Gateway URL
When you move into production use of our APIs, remember to change the domain from the sandbox one to the production one:
https://psd.sbab.se