BBK main security requirements:
- TPP must use a client SSL certificate for BBK Open Banking API access;
- TPP must obtain the OAuth tokens in an appropriately secure manner for financial data access.
Getting started
The TPP must be registered with BBK and must have issued its certificate for the SSL connection.
BBK Open Banking API requires bearer token authorization. There are two types of token used by the BBK Open Banking API:
- Public Access Token
- Consent Access Token (resource token)
The TPP must authenticate with BBK and obtain a public access token. This token is used to create new Account consent and Payment resources.
- The TPP posts an authorization request to obtain a token using the client credentials grant type and a scope of accounts, payments or accounts payments.
- After validation of the client credentials, a new access token linked to the TPP and scope is created and returned to the TPP.
- The TPP supplies the obtained token in each Open Banking API call for creating Account consent and Payment resources.
After registering a new resource (account consent or payment consent) using the public access token, the TPP should obtain a consent access token for accessing the created resource.
- After creation of the resource (account consent or payment consent), the TPP receives the resource ID and creates an authorization request for the user (customer) to consent to the resource directly with BBK.
- After successful authorization of the consent, the user is redirected to the TPP. The redirect contains an authorization code generated for the authorized consent.
- The TPP exchanges the authorization code for a consent access token.
Refresh token re-authentication is the process that enables BBK to authenticate a TPP more than once for the same consent.
In order to re-authenticate a consent:
- The consent must be authorized.
- The ExpirationDateTime of the consent should not have expired.
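The three flows above (public token via client credentials, consent token via authorization code, refresh re-authentication gated on an authorized and unexpired consent) can be walked through end to end in a small in-process simulation. The following is an added example and not BBK's own code or API: the AuthServer class, its method names, the token and consent ID formats, and the representation of the client SSL certificate as a fingerprint string are all assumptions made for illustration; only the sequence of steps and the two refresh conditions follow the page.

```python
"""Simulated BBK-style token flow (added example; not BBK's API or code)."""
import secrets
from datetime import datetime, timedelta, timezone

# Scopes the page lists for the client credentials grant.
VALID_SCOPES = {"accounts", "payments", "accounts payments"}


class AuthServer:
    """Toy stand-in for the bank side (assumed names; not the real endpoints)."""

    def __init__(self):
        self.tpps = {}            # client_id -> (client_secret, registered cert fingerprint)
        self.public_tokens = {}   # public token -> (client_id, scope)
        self.consents = {}        # consent_id -> {client_id, kind, authorized, expires}
        self.auth_codes = {}      # one-time authorization code -> consent_id
        self.consent_tokens = {}  # consent access token -> consent_id
        self.refresh_tokens = {}  # refresh token -> consent_id

    def register_tpp(self, client_id, client_secret, cert_fingerprint):
        """Onboarding: TPP registered with its client SSL certificate (fingerprint here)."""
        self.tpps[client_id] = (client_secret, cert_fingerprint)

    def token_client_credentials(self, client_id, client_secret, scope, presented_fp):
        """Client credentials grant: mTLS check (fingerprint), secret check, scope check."""
        secret, fp = self.tpps.get(client_id, (None, None))
        if secret is None or not secrets.compare_digest(secret, client_secret):
            raise PermissionError("invalid client credentials")
        if fp != presented_fp:
            raise PermissionError("client certificate does not match registration")
        if scope not in VALID_SCOPES:
            raise ValueError(f"unsupported scope: {scope}")
        token = secrets.token_urlsafe(16)
        self.public_tokens[token] = (client_id, scope)  # token linked to TPP and scope
        return token

    def create_consent(self, public_token, kind, lifetime_hours=24):
        """Create an account or payment consent; the public token's scope must cover it."""
        client_id, scope = self.public_tokens[public_token]
        if kind not in scope.split():
            raise PermissionError(f"token scope '{scope}' does not permit {kind}")
        consent_id = f"{kind}-consent-{secrets.token_hex(4)}"  # assumed ID format
        self.consents[consent_id] = {
            "client_id": client_id, "kind": kind, "authorized": False,
            "expires": datetime.now(timezone.utc) + timedelta(hours=lifetime_hours),
        }
        return consent_id

    def user_authorizes(self, consent_id):
        """Customer approves the consent at the bank; a one-time code is returned."""
        self.consents[consent_id]["authorized"] = True
        code = secrets.token_urlsafe(12)
        self.auth_codes[code] = consent_id
        return code

    def token_authorization_code(self, client_id, code):
        """Exchange the code (single use, bound to the creating TPP) for consent tokens."""
        consent_id = self.auth_codes.pop(code, None)
        if consent_id is None or self.consents[consent_id]["client_id"] != client_id:
            raise PermissionError("invalid or reused authorization code")
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.consent_tokens[access] = consent_id
        self.refresh_tokens[refresh] = consent_id
        return access, refresh

    def token_refresh(self, refresh_token, now=None):
        """Refresh re-authentication: consent must be authorized and not expired."""
        consent_id = self.refresh_tokens.get(refresh_token)
        if consent_id is None:
            raise PermissionError("unknown refresh token")
        consent = self.consents[consent_id]
        now = now or datetime.now(timezone.utc)
        if not consent["authorized"] or now >= consent["expires"]:
            raise PermissionError("consent not authorized or ExpirationDateTime passed")
        access = secrets.token_urlsafe(16)
        self.consent_tokens[access] = consent_id
        return access


def tpp_flow(server, client_id, client_secret, cert_fp, scope="accounts", kind="accounts"):
    """TPP side: public token -> consent resource -> redirect code -> consent token."""
    public = server.token_client_credentials(client_id, client_secret, scope, cert_fp)
    consent_id = server.create_consent(public, kind)
    code = server.user_authorizes(consent_id)  # arrives on the redirect in reality
    access, refresh = server.token_authorization_code(client_id, code)
    return consent_id, access, refresh


def is_denied(call, *args, **kwargs):
    """True if the server refuses the call; used to check the failure cases."""
    try:
        call(*args, **kwargs)
        return False
    except (PermissionError, ValueError):
        return True


if __name__ == "__main__":
    srv = AuthServer()
    srv.register_tpp("tpp-demo", "demo-secret", "sha256:constructed-fingerprint")
    print(tpp_flow(srv, "tpp-demo", "demo-secret", "sha256:constructed-fingerprint"))
```

The checks worth noting for a real deployment are the ones the simulation enforces: the public token is bound to both the TPP and the scope it was issued for, so an accounts-scoped token cannot create a payment consent; the authorization code is single use and bound to the TPP that created the consent; and a refresh is refused as soon as the consent is no longer authorized or its ExpirationDateTime has passed. A real redirect handler should additionally verify an OAuth state parameter, which the page does not cover and this simulation omits.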