Release_notes_5.3.adoc

Release notes v.5.3

Table of Contents

• Fixed incorrect scaStatus for Start the authorisation request (redirect explicit PIS/AIS)

• Provided header Authorization in ContextData

• Feature: extend CMS to store SCA method and TAN for Redirect approach

• Bugfix: PIIS consent status is being changed on implicit revocation

• Feature: provided opportunity to save payment transaction status given by ASPSP

• Bugfix: when bank returns PATC status for payment, multilevel flag in CMS should be set to true

• Implemented support OAuth Redirect for PIS, AIS and Payment Cancellation

• Added validation for access of TPP based on role’s header

• Fixed typos in PSD2 yaml file

• Added statuses to logs

• Refactoring: consent and payment authorisation flows were refactored

• Implemented support pre-step and integrated OAuth modes

Fixed incorrect scaStatus for Start the authorisation request (redirect explicit PIS/AIS)

From now on, if you try to start authorization process for payment or consent without PSU-ID header for payment or consent which was initiated with PSU-ID header, you’ll get scaStatus psuIdentified.

Provided header Authorization in ContextData

From now on, there is a possibility to use header Authorization in XS2A requests, which stores the OAuth2 bearer token. This token passes the SPI level inside the SpiContextData object.

Feature: extend CMS to store SCA method and TAN for Redirect approach

From now on, there is a possibility for online banking to send optional SCA method and optional authentication data (e.g. TAN) in CMS-PSU-API update authorisation status request (PUT /psu-api/v1/payment/{payment-id}/authorisation/{authorisation-id}/status/{status} for payments and PUT /psu-api/v1/ais/consent/{consent-id}/authorisation/{authorisation-id}/status/{status} for AIS consents). Data should be sent in JSON format:

{
	"authenticationMethodId": "SMS",
	"authenticationData": "123456"
}

Both fields are stored in CMS in 'ais_consent_authorization' and pis_consent_authorization tables.

Bugfix: PIIS consent status is being changed on implicit revocation

From now on, implicit consent revocation on creating new PIIS consent will no longer change consent status to REVOKED_BY_PSU if its current status is finalised.

Feature: provided opportunity to save payment transaction status given by ASPSP

From now on there is new endpoint in CMS-ASPSP-API: PUT /aspsp-api/v1/pis/transaction-status/{payment-id}/status/{status}, where you can change payment’s transaction status by payment id even if it is already finalised.

Bugfix: when bank returns PATC status for payment, multilevel flag in CMS should be set to true

From now on, when bank returns PATC status for payment, multilevel flag in pis_common_payment table is set to true.

Implemented support OAuth Redirect for PIS, AIS and Payment Cancellation

From now on, integrated OAUTH flow is supported for PIS, AIS and Payment Cancellation.

Added validation for access of TPP based on role’s header

From now on, TPP access to XS2A resources may be verified based on incoming Tpp-Roles-Allowed header, which can be set between ASPSP’s gateway and xs2a, but not before the ASPSP’s gateway (one can use adorsys QwacAssessor (https://adorsys-platform.de/solutions/qwac-assessor/) for it). ASPSP Gateway is responsible that this header is prohibited from receiving it from TPP. If header Tpp-Roles-Allowed is present, TPP’s requests will be validated according to roles in header. If TPP is prohibited from accessing certain resource it will receive response with 401 code and ROLE_INVALID message. TPP roles will be saved and updated in CMS. Since the pasportisation process in place acts without changing the TPP’s certificate, XS2A doesn’t use the roles from TPP’s certificate and won’t validate requests according to them any more.

Fixed typos in PSD2 yaml file

All typos were fixed in BerlinGroup PSD2 yaml file. Also, all description fields were formatted in the same style.

Added statuses to logs

From now on, consentStatus, paymentStatus and scaStatus values are being logged to access-log for all AIS and PIS endpoints, if they were involved in the request.

Refactoring: consent and payment authorisation flows were refactored

Authorisation process for the consent and payment initiation and payment cancellation were refactored - chain of responsibility design pattern was applied. The authorisation algorithm remained the same.

Implemented support pre-step and integrated OAuth modes

From now on, there is a possibility to use 3 variants of SCA redirect approach:

• redirect (usual redirect approach);

• OAuth pre-step (TPP asks for token before initiation of the request);

• OAuth integrated (TPP asks for token after initiation of the request).

Switching between these modes can be done by changing the scaRedirectFlow field value in the ASPSP profile. Also, new field was added to the ASPSP profile configuration - oauthConfigurationUrl. This is a link to identity provider (IDP) which should be used for accessing third-party application for providing the token.

Pre-step mode flow is the following. If token is present, then pre-step OAuth was already applied by TPP and XS2A returns link scaRedirect to redirect PSU to online-banking (or other authorisation server) for SCA. If token is absent in initial request, XS2A returns error 401 Unauthorized with text Please retrieve token first from {oauthConfigurationUrl}.

Integrated mode: if ASPSP supports integrated OAuth and token is absent in initial request for consent, payment and payment cancellation, XS2A returns link scaOauth (based on oauthConfigurationUrl in profile) to redirect TPP to IDP. If token is present, XS2A responds with error 403 Forbidden with text Token is not valid for the addressed service/resource.