General AS setup for STET

To set up an Authorization Server suitable for STET PSD2, do the following:

  1. In the Loginapp configuration go to the OAuth 2.0/OIDC Authorization Servers (create it if required)
  2. Add a new OAuth 2.0/OIDC Authorization Server to the list of authorization servers. Use stet-as as an identifier. In the newly defined AS, do the following:
  3. Create an OAuth 2.0 Authorization Server Identifier (e.g. with identifier stet-as)
  4. Choose an Issuer ID. Note that it must end with the server identifier from the last step. It will be used by the TPPs when using OAuth 2.0 protocols
  5. Example:

  6. Add an OAuth 2.0 Grants/OIDC Flows Object: it defines details about supported flows.
  7. Connect to IAM's technical client database by using a Persisted Clients plugin. This will be used to persist client (TPP) information.
  8. Configure the Token Endpoint:
    1. Client Authentication: Use the OAuth 2.0 Client mTLS Authentication plugin. It makes sure that TPPs are authenticated using client certificates as required by STET. Make sure to configure CRLs and or OCSP according to STET requirements (if not done on the Airlock Gateway).
    2. Scopes To Remove On Refresh should use an OAuth 2.0 Scope Matcher matching scope extended_transaction_history. This assures that the mentioned scope is not granted on token refresh (as required by STET).
  9. Configure the Metadata Endpoint with its default configuration