Get your access token

Principle

Access to the PSD2 API is granted by the bank through an authorization token (access token) issued by the standardized OAUTH2 process.

Access token retrieval sequence

1. Our customer (PSU) gives you the identity of the Banque Populaire entity that holds their accounts.

2. You initiate the OAUTH2 access token retrieval sequence by redirecting the customer, through their web browser, to the Banque Populaire authorization infrastructure using GET /authorize.

See also STET V1.4.0.47 / Part I / section 3.4.3.2 / page 21

3. The Banque Populaire account manager (ASPSP) will:

  • identify and authenticate the PSU using one of the strong authentication methods offered and presented to the customer;
  • check your role and the validity of your eIDAS certificates and agreement.

4. Once the checks have been performed and passed, the ASPSP redirects the PSU to your site using the "call-back" URL given in GET /authorize (and communicated to the ASPSP for the Go Live process).

The AISP must therefore specify, for its consuming app, a URL that the bank will call:

  • if the customer has authorized the retrieval of their data by the AISP;
  • or if the customer refuses consent;
  • or if the identification and authentication flow is interrupted at one of its stages (for example, a timeout on the identification screen or on the strong authentication screen).

The response to this request contains a short-lived one-time token.

5. You can then call Banque Populaire to request the OAUTH2 "access_token" (and the "refresh_token") using POST /token with the data received previously, including the one-time token.

Note: these /token requests of the Authorization Code flow must be sent WITHOUT the "scope" parameter.


See also STET V1.4.0.47 / Part I / section 3.4.3.2 / page 22
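The client side of steps 2 to 5, as an added example in Python (not code from Banque Populaire or from the STET specification): building the GET /authorize redirect, classifying the three possible call-back outcomes, and preparing the POST /token body without a scope parameter. The host names, the state parameter (a per-session random value that lets the TPP discard a call-back it did not start, taken from RFC 6749 rather than from this page), the error values used to tell a refusal from an interrupted flow, and all sample values are assumptions of this example; the mutual TLS with the TPP's QWAC that the real endpoints require is not modelled.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders: the real Banque Populaire hosts are not on this page.
AUTHORIZE_URL = "https://aspsp.example/authorize"
TOKEN_URL = "https://aspsp.example/token"


def new_state():
    """Per-session random value bound to the PSU's browser session (RFC 6749 section 10.12)."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, scope, state):
    """Step 2: the URL the PSU's browser is redirected to.

    Parameter names are the standard RFC 6749 section 4.1.1 ones; the page
    itself does not list them. 'scope' is sent here, unlike on POST /token.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # the "call-back" URL of step 4
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 4: classify the call-back the ASPSP sends the PSU back with.

    Returns (outcome, value): 'authorized' (value is the short-lived one-time
    token), 'refused', 'interrupted' or 'bad_state'. Mapping 'access_denied'
    to a refusal and any other error to an interrupted flow is an assumption
    of this example; the page does not name the error codes.
    """
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        # A call-back not started from this session is discarded before its
        # one-time token is ever sent to /token.
        return ("bad_state", None)
    if "code" in query:
        return ("authorized", query["code"][0])
    error = query.get("error", ["unknown"])[0]
    if error == "access_denied":
        return ("refused", error)
    return ("interrupted", error)   # e.g. timeout on the identification or SCA screen


def build_token_request(client_id, redirect_uri, code):
    """Step 5: form body for POST /token (RFC 6749 section 4.1.3).

    Deliberately built without the 'scope' parameter, as the note above requires.
    """
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    }


if __name__ == "__main__":
    # Constructed walk-through with an in-memory "browser" round trip.
    state = new_state()
    url = build_authorize_url("tpp-client-id", "https://tpp.example/callback", "aisp", state)
    print("redirect PSU to:", url)
    fake_callback = "https://tpp.example/callback?code=one-time-token&state=" + state
    outcome, code = parse_callback(fake_callback, state)
    if outcome == "authorized":
        print("POST", TOKEN_URL, build_token_request("tpp-client-id", "https://tpp.example/callback", code))
```

The `redirect_uri` sent to /token must be the same value as in /authorize; the bank compares them, which is why both helpers take it explicitly rather than reading a global.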

 

6. The Banque Populaire account manager (ASPSP) will:

  • check your role (AISP or CBPII) and the validity of your eIDAS certificates and agreement;
  • check the direct or indirect match between the Authorisation Number in the eIDAS certificate and the [client_id] value.

7. Once the checks have passed, Banque Populaire returns an HTTP 200 (OK) response whose data includes the access_token.

See also STET V1.4.0.47 / Part I / section 3.4.3.2 / page 23

 

8. Once you have the OAUTH2 access_token (and the refresh_token, valid for 90 days) issued by the bank, you send it with each API request in the "Authorization" header, prefixed by the token type "Bearer".

The [client_id] linked to the access token must directly or indirectly match the Authorisation Number located in the TPP's eIDAS certificate (QWAC).

If the access token has expired, the request is rejected with HTTP 401 and an error equal to "invalid_token".

The request can be replayed once the access token has been refreshed using the use case "Refresh your access token".

If your refresh token is about to expire, you will have to perform this whole "Get your access token" process again (see point 3 above), which also means redirecting the customer to Banque Populaire for strong authentication (customer SCA).
For more details, see also the OAuth 2.0 Authorization Framework: https://tools.ietf.org/html/rfc6749#section-4.1
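Step 8 and the expiry handling above, as an added example in Python (not Banque Populaire's code): sending the Bearer header, refreshing once on HTTP 401 "invalid_token" and replaying the request, and refusing to continue when the 90-day refresh token is about to expire so that the full flow is restarted with a new customer SCA. The in-memory ASPSP stub, the one-week renewal margin, the token values and the `call_api`/`FakeAspsp` names are constructed for this example; the real calls go over mutual TLS with the TPP's QWAC, which the stub does not model.

```python
import time

# The 90-day refresh token lifetime is stated on the page; renewing a week
# before it expires is a constructed policy for this example.
REFRESH_TOKEN_LIFETIME = 90 * 24 * 3600
RENEW_MARGIN = 7 * 24 * 3600


class FullReauthorizationRequired(Exception):
    """The refresh token is about to expire: restart "Get your access token"
    from step 3, i.e. redirect the PSU to the bank for a new SCA."""


class TokenSet:
    def __init__(self, access_token, refresh_token, refresh_issued_at):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.refresh_issued_at = refresh_issued_at   # epoch seconds


def bearer_header(access_token):
    """Step 8: the token travels in the Authorization header, prefixed by 'Bearer'."""
    return {"Authorization": "Bearer " + access_token}


def refresh_token_expiring(tokens, now):
    return tokens.refresh_issued_at + REFRESH_TOKEN_LIFETIME - now < RENEW_MARGIN


def call_api(aspsp, tokens, path, now=None):
    """Send one API request; on HTTP 401 invalid_token, refresh once and replay.

    A second 401 after the refresh is returned as-is rather than retried, so a
    revoked or stale refresh token cannot put the client in a refresh loop.
    """
    now = time.time() if now is None else now
    if refresh_token_expiring(tokens, now):
        raise FullReauthorizationRequired()
    status, body = aspsp.get(path, bearer_header(tokens.access_token))
    if status == 401 and body.get("error") == "invalid_token":
        tokens.access_token = aspsp.refresh(tokens.refresh_token)
        status, body = aspsp.get(path, bearer_header(tokens.access_token))
    return status, body


class FakeAspsp:
    """Constructed in-memory stand-in for the bank's resource and token endpoints.
    It only checks the Bearer token; the real endpoints also require mutual TLS
    with the TPP's QWAC and the client_id / Authorisation Number match."""

    def __init__(self, access_token, refresh_token):
        self.valid_access = {access_token}
        self.refresh_token = refresh_token
        self.refresh_calls = 0

    def get(self, path, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or auth[len("Bearer "):] not in self.valid_access:
            return 401, {"error": "invalid_token"}
        return 200, {"path": path, "accounts": []}

    def refresh(self, refresh_token):
        if refresh_token != self.refresh_token:
            raise ValueError("unknown refresh token")
        self.refresh_calls += 1
        new_access = "at-%d" % (self.refresh_calls + 1)
        self.valid_access.add(new_access)
        return new_access

    def expire(self, access_token):
        self.valid_access.discard(access_token)


if __name__ == "__main__":
    bank = FakeAspsp("at-1", "rt-1")
    tokens = TokenSet("at-1", "rt-1", refresh_issued_at=time.time())
    print(call_api(bank, tokens, "/accounts"))      # 200 with the first token
    bank.expire("at-1")
    print(call_api(bank, tokens, "/accounts"))      # 401 -> refresh -> replay -> 200
```

Checking the refresh token's remaining lifetime before every call, rather than only when a refresh fails, is what lets the TPP schedule the customer's new SCA instead of discovering the expiry in the middle of a data retrieval.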

 

Example 

You can find an example of this request in the use case "Sandbox assembly".

For more details on the data exchanged, see the use case "How to retrieve your OAUTH2 access token?".