- Postman Collection
- FAPI Profile support
- Endpoints
- Payment Debtor Test Accounts
- Financial ID
- Mobile Application
- Step-by-step guide
- Step 1: Pre-Requisites (TPP)
- Step 2: Test TPP Transport Certificates (TPP)
- Step 3: Setup TPP On Model Bank (TPP/Open Banking)
- Step 4: Import Environment Files and Collections To Postman (TPP)
- Step 5: PSU Authenticate and Authorize(Open Banking and TPP)
- Step 6: Steps in PSU Consent
- Step 7: Retrieve Account and Transaction Data (TPP)
Open Banking (OB) offers the capability for TPPs to integrate with model banks - Bank1 and Bank2. These model banks support Open Banking Read/Write Standard v4.0.
This allows the various authentication and authorisation flows to be tested and some basic AISP and PISP functionality to be executed, as per the OB specifications.
Postman can be used to test the flows and APIs prior to building a TPP client.
The steps below will help TPPs validate their setup and better understand the security flows required to integrate their own applications within the Open Banking ecosystem.
Ozone Model Bank Collection Files
UK OBL v4.0.postman_collection.json
Currently, the Sandbox provides parallel running for versions v3.1.11 and v4.0, both with FAPI 1.0 Advanced Profile enabled.
Currently, the Sandbox provides parallel running for versions v3.1.11 and v4.0. For 3.1.11 endpoint URLs, please see Model Bank v3.1.11 documentation.
Item | All Versions |
---|---|
Well-known endpoint | https://auth1.obie.uk.ozoneapi.io/.well-known/openid-configuration |
Dynamic registration | https://rs1.obie.uk.ozoneapi.io/dynamic-client-registration/v3.2/register |
Token endpoint | https://as1.obie.uk.ozoneapi.io/token |
Authorization endpoint | https://auth1.obie.uk.ozoneapi.io/auth |
At the moment, the Model Bank v4.0 does not support the new PUT VRP or PATCH VRP endpoints introduced to allow VRP consent data to be migrated from the v3.1.x standards to the new v4.0 data schemas. These two new v4.0 VRP endpoints will be supported in a future Model Bank release.
Item | v4.0 |
---|---|
Domestic VRP Consent | https://rs1.obie.uk.ozoneapi.io/open-banking/v4.0/pisp/domestic-vrp-consents |
Domestic VRP | https://rs1.obie.uk.ozoneapi.io/open-banking/v4.0/pisp/domestic-vrps |
User | Debtor Account |
---|---|
mits | `{"SchemeName": "UK.OBIE.SortCodeAccountNumber", "Identification": "10000109010102", "Name": "Luigi International"}` |
mits | `{"SchemeName": "UK.OBIE.SortCodeAccountNumber", "Identification": "10000109010103", "Name": "Mario International"}` |
rora | `{"SchemeName": "UK.OBIE.SortCodeAccountNumber", "Identification": "10000109010101", "Name": "Mario International"}` |
Used in the x-fapi-financial-id header where required.
Item |
---|
0015800001041RHAAY |
At the moment the Ozone Authenticator Mobile App does not support Model Bank v4.0. Support will be added in future Model Bank releases. For v3.1.11 support, please see the Model Bank v3.1.11 documentation.
Ensure that the following pre-requisites are met before onboarding onto Ozone.
- The TPP has registered on the Directory Sandbox
- The TPP has at least one software statement created on the Directory Sandbox environment
- The TPP has at least one transport certificate created for each of its software statements.
- The TPP has at least one redirect URI for each of its software statements.
- The TPP has a copy of the OB root and issuing certificate attached.
Calling the well-known endpoint below returns a JSON document that lists the bank's endpoints.
curl https://auth1.obie.uk.ozoneapi.io/.well-known/openid-configuration
One of the endpoints in that JSON is the token endpoint, which you can use to validate your certificates:
https://as1.obie.uk.ozoneapi.io/token
The TPP should run the following check to ensure that it has a valid certificate:
curl https://as1.obie.uk.ozoneapi.io/token \
  --cacert ca.pem \
  --key {tpp-key-file} \
  --cert {tpp-cert-file}
Here, tpp-key-file is the file that contains the TPP's private key and tpp-cert-file contains the transport certificate (downloaded from the Sandbox). The ca.pem file contains the Open Banking issuing and root certificates chained together into a single file.
This call returns an error response, since no token request is being made, but it proves that your certificates are accepted by the MATLS endpoint.
Ozone banks allow TPPs to onboard via dynamic client registration.
See http://openid.net/specs/openid-connect-registration-1_0-21.html
Claims required in dynamic client registration for Ozone Banks:
Field Name | Example Values | Description |
---|---|---|
token_endpoint_auth_signing_alg | PS256 | Signature algorithm used for the JWK. |
grant_types | authorization_code, client_credentials | |
subject_type | public | subject_type requested for responses to this client_id. |
application_type | web | Kind of the application. The default if not specified is web. The defined values are native or web. |
iss | software statement id | The issuer must be your software ID. This is important as it is used to verify that it matches the SSA software ID claim. |
redirect_uris | All redirect URIs should be added in the claims | |
token_endpoint_auth_method | client_secret_basic | Requested authentication method for the Token Endpoint. |
aud | 0015800001041RHAAY | The audience must match the AS issuer ID. Modelo bank's issuer ID is 0015800001041RHAAY. |
scopes | 'openid and accounts' or 'accounts'; 'openid and payments' or 'payments'; 'openid, accounts and payments' or 'accounts and payments' | The scopes will depend on your role from the FCA (AISP and/or PISP). |
request_object_signing_alg | none | |
exp | timestamp | |
iat | timestamp | |
jti | UUID | |
response_types | code, code id_token | JSON array containing a list of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using. If omitted, the default is that the Client will use only the code response type. See: https://medium.com/@darutk/diagrams-of-all-the-openid-connect-flows-6968e3990660 |
id_token_signed_response_alg | RS256 | JWS algorithm |
software_statement | the SSA JWT | Since the SSA is essentially a JWT, you can decode it (for example, using https://jwt.davetonge.co.uk/). |
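The table above fixes several cross-checks the bank performs on the registration request: `iss` must equal the SSA's software ID, `aud` must equal the AS issuer ID, and the redirect URIs must be ones the SSA declares. The following added example (not Ozone's or the Model Bank's own code) assembles the claims from the table and applies those checks locally before the request is sent; the SSA it reads is a constructed, unsigned stand-in, and the `software_id` and `software_redirect_uris` claim names are assumed.

```python
import base64
import json
import time
import uuid

# Issuer ID of the Ozone Model Bank authorisation server (value from the page).
MODEL_BANK_ISSUER = "0015800001041RHAAY"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(payload: dict) -> str:
    """Constructed stand-in for a real SSA (alg=none, no signature)."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


def decode_jwt_payload(token: str) -> dict:
    """Read a JWT's payload without verifying it (SSA signature checks are the bank's job)."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def build_dcr_claims(ssa: str, redirect_uris: list, scope: str, now: int = 0) -> dict:
    """Assemble the registration claims from the table above. iss is taken from
    the SSA's software_id and every redirect URI must appear in the SSA."""
    ssa_claims = decode_jwt_payload(ssa)
    allowed = set(ssa_claims["software_redirect_uris"])  # assumed SSA claim name
    bad = [u for u in redirect_uris if u not in allowed]
    if bad:
        raise ValueError(f"redirect_uris not listed in the SSA: {bad}")
    now = now or int(time.time())
    return {
        "iss": ssa_claims["software_id"],  # must equal the SSA software ID
        "aud": MODEL_BANK_ISSUER,          # must equal the AS issuer ID
        "iat": now,
        "exp": now + 300,                  # short lifetime for the request JWT
        "jti": str(uuid.uuid4()),
        "redirect_uris": redirect_uris,
        "grant_types": ["authorization_code", "client_credentials"],
        "response_types": ["code", "code id_token"],
        "scope": scope,                    # the table's "scopes" row, e.g. "openid accounts"
        "subject_type": "public",
        "application_type": "web",
        "token_endpoint_auth_method": "client_secret_basic",
        "token_endpoint_auth_signing_alg": "PS256",
        "request_object_signing_alg": "none",
        "id_token_signed_response_alg": "RS256",
        "software_statement": ssa,
    }
```

The returned dictionary is the payload that would then be signed and posted to the dynamic registration endpoint listed above.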
Add the following Modelo and Referenco bank endpoint host into Postman's client certificate settings:
.obie.uk.ozoneapi.io
The CRT should be set to the transport certificate downloaded from the Open Banking directory. The Key value should be set to the private key for the transport certificate.
In Postman settings, ensure SSL Certificate Verification is set to off.
TPPs can construct the consent authorisation flow URL via Postman.
Once the URL is constructed, open it to initiate the PSU consent flow.
Once the PSU consent is successful, Ozone Bank will redirect back to the redirect URI.