13 - Build your authorize URL

Build an authorize URL using the well-known configuration link

On the production and sandbox environments, the "scaOauth" property of a consent creation (with header tppExplicitAuthorizationPreferred = false) or a POST /authorization endpoint is the following:

{
  …
  "_links": {
    "scaOAuth": {
      "href": "https://api.neuflizeobc.fr/berlingroup/.well-known/openid-configuration?authorizationId=31f68ab6-1ce6-4131-a324-3f37d2ca4b02"
    },
    …
  }
}

You have to call this URL and retrieve the “authorization_enpoint” property in the response:

{
  "issuer": "https://api.neuflizeobc.fr",
  "authorization_endpoint": "https://w.api.neuflizeobc.fr/public/berlingroup/authorize/31f68ab6-1ce6-4131-a324-3f37d2ca4b02",
  "token_endpoint": "https://api.neuflizeobc.fr/berlingroup/v1/token",
  "userinfo_endpoint": "https://api.neuflizeobc.fr/berlingroup/v1/accounts",
  "scopes_supported": [
    "account",
    "payment"
  ],
  "response_types_supported": [
    "code"
  ],
  "grant_types_supported": [
    "client_credentials",
    "authorization_code",
    "refresh_token"
  ],
  "code_challenge_methods_supported": [
    "S256"
  ],
  "subject_types_supported": [
    "public"
  ]
}

With this property, you will be able to build your authorize URL with the following parameters:

URI parameter Description
scope This parameter corresponds to the consentId of the consent creation or the paymentId of the payment initiation
Examples:
AIS:1587559935-bae68c2
PIS:1587561419-bp5b5f2
client_id This parameter corresponds to your NCA id
state Dynamic value that you have to set in order to prevent XSRF attacks
redirect_uri This parameter corresponds to the URI where the OAuth2 server is redirecting the PSU after the authorization.
NB : this redirect_uri has to be the same used for the consent creation or payment initiation
code_challenge This parameter corresponds to PKCE challenge according to cryptographic RFC 7636 which is used to prevent code injection attacks
response_type Type of the response. This value has to be set to “code
code_challenge_method Optional parameter which corresponds to the code verifier transformation method ("S256" or "plain")

Following these instructions your authorize URL should look like this and is now valid to process the authorization of the PSU:

https://w.api.neuflizeobc.fr/public/berlingroup/authorize/31f68ab6-1ce6-4131-a324-3f37d2ca4b02?scope=AIS:1587559935-bae68c2&client_id=[your_client_Id]&state=test&redirect_uri=[your_redirect_uri]&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&response_type=code&code_challenge_method=S256

This process to build the authorize URL is the same for a payment initiation.

NB : the "redirect_uri" parameter in the URL has to be the same as the "TPP-Redirect-URI" header of the consent creation

Enable "on this page" menu on doc section
On

12 - Use the fallback solution

Fallback mechanism

A fallback mechanism is available in order to allow licensed third-party Payment Services Providers to access PSD2 data without break in service.

Fallback registration

  • Send us the request to onboard stating this is for the fallback solution, via the Contact our support team section on the developer portal and include your QWAC certificate.
  • You will receive a confirmation after the setup is completed.

How it works

  • Connect to https://tpp.neuflizeobc.net using your QWAC certificate.
  • Ensure that your QWAC certificate is submitted for each attempt.
  • Request the user to authenticate (using Neuflize OBC mobile application or his physical QR reader).
  • If the authentication is successful, you will be granted access to Neuflize OBC web portal.
  • If the authentication fails you will get an error Message. For support, go to Contact our support team section.
Enable "on this page" menu on doc section
On

11 - Connect to the sandbox or Berlin Group APIs

Description

The communication between the TPP and the Bank (Sandbox or Berlin Group APIs) is always secured by using a TLS-connection Mutual authentication using TLS version 1.2 which is initiated by the TPP.

The TLS-connection has to be established always including client (i.e. TPP) authentication.

For this authentication the TPP has to use a qualified certificate for website authentication (QWAC) which has to be issued by a qualified trust service provider according to the eIDAS regulation.

The content of the certificate has to be compliant with the requirements of the EBA-RTS and follow the ETSI TS 119 495 V1.2.1 (2018-11) technical specification.

During the first connection setup, the TPP will be automatically onboarded and registered (enrolled) in the bank database. However, for security purpose, the bank requires the client certificate to be presented within each request.

Following the EBA clarification 07/06/2019, it's now possible to test the Sandbox using a test certificate. The only restriction is that the certificate used to establish the SSL MA must follow the QWAC format for PSD2, according to ETSI TS 119 495 V1.2.1 (2018-11)

For the Berlin Group APIs, the QWAC certificate has to be issued from a production CA.

Test the connection to the sandbox

Make sure that your QWAC configuration is correct by testing the following endpoint on the sandbox (no headers are necessary)

GET /berlingroup/actuator/info
Enable "on this page" menu on doc section
On

10 - Contact our support team

Contact our Support Team

As a TPP if you face any problems using either our Sandbox or Production APIs you can contact us by using the dedicated support email : Portail.DSP2.NOBC@fr.abnamro.com

Please try to give us the full context of your request  :

  • TPP Name,
  • TPP Registration Number,
  • Date and Time of the issue,
  • Service : AIS, PIS, FCS,
  • Endpoint,
  • Error message, error code, screenshot,
  • Information about concerned version by using one of the following URLs.
    A valid QWAC Certificate for PSD2 is required in order to access these URLs. ​
    The certificate is mandatory, otherwise you will get an error :​

Our support team will answer you as soon as possible.

Enable "on this page" menu on doc section
On
Subscribe to