To configure the Authorization Code Grant for STET, go to the authorization server settings in Loginapp >> OAuth 2.0/OIDC Authorization Servers >> <some AS> >> OAuth 2.0 Grants/OIDC Flows and add an OAuth 2.0 Authorization Code Grant plugin.
Configure it as follows:
- As Consent use the plugin OAuth 2.0 Remote Consent with the following configuration (see also Remote consent applications with OAuth):
- Request Settings:
- must be configured in accordance with the bank's consent application.
- for security reasons, we recommend using asymmetric signing algorithms (EC or RSA)
- Response Settings:
- must be configured in accordance with the bank's consent application.
- Make sure to use the external URL as a call-back (as seen from the browser) and not an internal URL.
- Airlock Gateway Role for Remote Consent Site: we strongly recommend protecting the bank's consent application with a Gatewayrole. In the description of the Airlock Gateway configuration, we used "psd2_consent" as an example.
- Use the following plugins in the list of "Granted Scope Processors":
- Plugin OAuth 2.0 Granted Scope Whitelist with allowed scopes:
aisp
,extended_transaction_history
,cbpii
(the scopepisp
is only used in the client credentials grant and therefore not in this list) - Plugin STET PSD2 OAuth 2.0 Scope Filter (no detail configuration necessary)
- Access- and Refresh Token Validity: Choose sensitive values considering the following points.
- STET specifies that the scope "extended_transaction_history" is not "re-granted" on token refresh.
- This implies that the scope is lost for the user when refreshing the first time.
- This may be a reason to increase the access token validity.
- Note that STET specifies that the scope "extended_transaction_history" must not be granted for more than 90 days (STET specification at the time this documentation was written)
- For all other properties, the default values should be ok.
Note that valid access tokens are accepted even if the corresponding technical client is locked on the database. Increasing the access token validity thus implies that technical client locking becomes effective later.