Consent Authorization
The PKCE Consent Authorization flow is as follows:
- The client sends the authorization request along with the code_challenge and the code_challenge_method to the authorization server.
- The Authorization Server makes a note of the code_challenge and the code_challenge_method and issues an auth code.
- The client sends an access token request along with the code_verifier.
- The Authorization Server validates the code_verifier against the already received code_challenge and code_challenge_method, and issues an access token if the validation is successful.
The following components perform the consent authorization with PKCE.
Authorization endpoint
Before the TPP application accesses the customer's banking information, the TPP sends an authorization request to get the customer's consent for it. The authorization request contains the following elements:
| Parameter | Mandatory/Optional | Description |
|---|---|---|
| Scope | Mandatory | The consent Id of the initiated consent. The consent Id should be prefixed according to the flow: |
| Response_type | Mandatory | Use code, as this is authorization_code flow. |
| Redirect_uri | Mandatory | The URI to which the application is redirected after consent approval/denial. |
| State | Mandatory | A dynamic value set by the TPP to prevent XSRF attacks. |
| code_challenge | Mandatory | The Berlin specification mandates PKCE for authorization requests. Therefore, a code_challenge is used and, optionally, a code_challenge_method. PKCE (RFC 7636) is an extension to the Authorization Code flow that prevents authorization code interception attacks and allows public clients to perform the OAuth exchange securely. With PKCE, the authorization server requires proof of possession: when the client requests an access token, it must show that the authorization code belongs to it. The code_challenge is generated by transforming a code verifier (a random string that meets certain requirements and is needed when obtaining the access token in the PKCE flow). It is recommended not to use the same code verifier/code challenge pair in two flows. |
| code_challenge_method | Optional | Used to let the authorization server know the method of transforming the code verifier to code challenge. If not used, the authorization server assumes that the code challenge and the code verifier are the same. NextGenPSD2 Reference Toolkit lets you configure the supported code challenge methods. |
| Client_id | Mandatory | The client Id of the TPP application. |
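The four flow steps listed at the top of this page and the code_challenge / code_challenge_method rows above can be seen end to end in the following added example. It is not code from the NextGenPSD2 Reference Toolkit; the `AuthorizationServer` class, the client_id `tpp-app`, the redirect URI and the scope value are constructed placeholders. It follows RFC 7636: the verifier is 32 random bytes base64url-encoded (43 characters), the S256 challenge is the base64url SHA-256 of the verifier, an absent code_challenge_method is treated as `plain`, and the server consumes each authorization code once, checks that the token request comes from the same client and redirect URI, and compares the recomputed challenge in constant time.

```python
"""PKCE consent-authorization round trip (hypothetical, added example)."""
import base64
import hashlib
import hmac
import secrets

# Assumption: the toolkit is configured to accept both transformation methods.
SUPPORTED_METHODS = {"S256", "plain"}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier() -> str:
    """Fresh 43-character verifier from 32 random bytes; one per flow, never reused."""
    return b64url(secrets.token_bytes(32))


def compute_code_challenge(code_verifier: str, method: str = "S256") -> str:
    """Transform the verifier into the challenge sent in the authorization request."""
    if method == "S256":
        return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    if method == "plain":
        return code_verifier
    raise ValueError(f"unsupported code_challenge_method: {method!r}")


class AuthorizationServer:
    """Toy authorization server: notes the challenge, later checks the verifier."""

    def __init__(self):
        # auth code -> details noted when the authorization request arrived
        self._pending = {}

    def authorize(self, client_id, redirect_uri, scope, state,
                  code_challenge, code_challenge_method=None):
        # Step 1/2: record challenge and method, hand back an auth code.
        method = code_challenge_method or "plain"  # absent method == plain
        if method not in SUPPORTED_METHODS:
            raise ValueError(f"code_challenge_method {method!r} not allowed")
        if len(code_challenge) < 43:
            raise ValueError("code_challenge too short")
        code = secrets.token_urlsafe(24)
        self._pending[code] = {
            "client_id": client_id, "redirect_uri": redirect_uri,
            "scope": scope, "challenge": code_challenge, "method": method,
        }
        return {"code": code, "state": state}

    def token(self, code, code_verifier, client_id, redirect_uri):
        # Step 3/4: validate the verifier against what was stored for this code.
        entry = self._pending.pop(code, None)  # single use: a replayed code fails
        if entry is None:
            raise PermissionError("unknown or already used authorization code")
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            raise PermissionError("client_id/redirect_uri differ from the authorization request")
        expected = compute_code_challenge(code_verifier, entry["method"])
        if not hmac.compare_digest(expected, entry["challenge"]):
            raise PermissionError("code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "scope": entry["scope"]}


def run_pkce_flow(method="S256"):
    """Client side of the four steps against a fresh server; returns the token response."""
    server = AuthorizationServer()
    verifier = generate_code_verifier()
    state = secrets.token_urlsafe(16)  # dynamic value, checked on return (XSRF guard)
    auth = server.authorize(
        client_id="tpp-app", redirect_uri="https://tpp.example/cb",  # constructed
        scope="consent-id-placeholder",                               # constructed
        state=state,
        code_challenge=compute_code_challenge(verifier, method),
        code_challenge_method=method,
    )
    if not hmac.compare_digest(auth["state"], state):
        raise PermissionError("state mismatch")
    return server.token(auth["code"], verifier, "tpp-app", "https://tpp.example/cb")


if __name__ == "__main__":
    print(run_pkce_flow("S256"))
```

The `plain` branch shows why the table calls code_challenge_method optional: without it the server simply compares the verifier to the stored challenge byte for byte, so S256 is the method to prefer whenever the client can compute a hash.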
Authorization web application
The TPPs obtain an authorization URL that redirects the customer to a web interface hosted by the bank. In this web application, the customer:
- Logs in using the login credentials.
- Views information that the TPP requested to access.
- Selects the accounts that the TPP can access.
- Provides consent to the TPP to access the information.