adorsys / XS2A-Sandbox

Open Source PSD2-compatible banking system emulator solution from adorsys
https://adorsys.com/en/products/modelbank/
GNU Affero General Public License v3.0

OAuth2 pre-step - How? #31

Status: Closed (closed by cyberphone 3 years ago)

cyberphone commented 4 years ago

Hi Team, I have just installed XS2A on a local VM. It seems to run. I need to use OAuth2 pre-step and token refresh. I can't find any swagger spec that matches the Berlin Group spec for this:

"This specification supports two ways of integrating OAuth2. The first support is an authentication of a PSU in a pre-step, translating this authentication into an access token to be used at the XS2A interface afterwards"

The initial step is supposed to return HTTP 302 and a "location" header. Example from the spec:

GET /authorise?responseType=code&clientId="PSDES-BDE-3DFD21"&
scope=ais%3A1234-wertiq-983+offline_access&
state=S8NJ7uqk5fY4EjNvP_G_FtyJu6pUsvH9jsYni9dMAJw&
redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&
code_challenge_method="S256"&
code_challenge=5c305578f8f19b2dcdb6c3c955c0aa709782590b4642eb890b97e43917cd0f36 HTTP/1.1
Host: api.testbank.com

Thanks, Anders

ViraHavrylenko commented 4 years ago

@cyberphone Hello, you can find a description of configuring SCA Redirect OAuth in XS2A. Also see how to use it under Support Pre-step and Integrated OAuth modes.

The Authorisation Server (IDP) should be on the bank's side; there is no implementation in scope of XS2A.

DmitryMishchuk commented 4 years ago

Hi Anders,

In our Sandbox we use Ledgers as IDP, so all OAuth-related calls would be referenced there. If you run the Sandbox with Docker from your images, then you have all approaches enabled, including both OAuth variations.

To enable this feature we added a header, X-OAUTH-PREFERRED, to requests for OAuth, with the values pre-step or integrated, as OAuth pre-step and integrated are subtypes of the REDIRECT approach. So adding this header to each call to XS2A will make sure you're going for the appropriate approach.

For production implementations it is never used in this manner, of course; there you should pick one approach and fill the ASPSP profile accordingly. If you need more details, feel invited to ask.
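The following is an added example and not code from the XS2A-Sandbox project or from either commenter. It shows the TPP (client) side of the pre-step flow discussed in this thread: deriving a PKCE code_challenge (RFC 7636, S256) and building the /authorise request modelled on the Berlin Group example quoted in the opening post, validating the redirect back to the TPP (state check, error handling), building the token and refresh request bodies for the offline_access case, and attaching the X-OAUTH-PREFERRED header from the reply above to subsequent XS2A calls. The IDP host, the client id (copied from the spec example), the redirect URI and the consent id are assumptions; the parameter names responseType/clientId follow the quoted spec example, while RFC 6749 and most authorisation servers use response_type/client_id, so check what the actual IDP expects.

```python
"""
Added example (not XS2A-Sandbox code): TPP-side helpers for the OAuth2
pre-step with PKCE and for the sandbox's X-OAUTH-PREFERRED header.
"""
import base64
import hashlib
import secrets
import uuid
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values for illustration only (client id taken from the spec example)
IDP_AUTHORISE = "https://api.testbank.com/authorise"
CLIENT_ID = "PSDES-BDE-3DFD21"
REDIRECT_URI = "https://client.example.com/cb"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair(nbytes: int = 32) -> Tuple[str, str]:
    """Fresh (code_verifier, code_challenge); 32 random bytes -> 43-char verifier."""
    verifier = b64url(secrets.token_bytes(nbytes))
    return verifier, code_challenge_s256(verifier)


def build_authorise_url(consent_id: str, state: str, code_challenge: str) -> str:
    """Authorisation request in the shape of the quoted Berlin Group example.

    Parameter names (responseType, clientId) mirror that example; many IDPs
    expect the RFC 6749 names response_type / client_id instead.
    """
    params = {
        "responseType": "code",
        "clientId": CLIENT_ID,
        "scope": f"ais:{consent_id} offline_access",  # offline_access -> refresh token
        "state": state,
        "redirect_uri": REDIRECT_URI,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge,
    }
    return f"{IDP_AUTHORISE}?{urlencode(params)}"  # urlencode encodes space as '+'


def parse_callback(location: str, expected_state: str) -> str:
    """Validate the redirect the TPP receives and return the authorisation code."""
    parts = urlsplit(location)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("redirect target does not match the registered redirect_uri")
    query = parse_qs(parts.query)
    if "error" in query:
        raise ValueError(f"authorisation failed: {query['error'][0]}")
    # Constant-time compare: state binds the callback to the session that started it
    if not secrets.compare_digest(query.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    return query["code"][0]


def token_request_body(code: str, code_verifier: str) -> Dict[str, str]:
    """Form body for the authorization_code grant; the verifier proves PKCE possession."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }


def refresh_request_body(refresh_token: str) -> Dict[str, str]:
    """Form body for the refresh_token grant (available when offline_access was granted)."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token, "client_id": CLIENT_ID}


def xs2a_headers(access_token: str, mode: str = "pre-step") -> Dict[str, str]:
    """Headers for an XS2A call after the pre-step; mode selects the sandbox variant."""
    if mode not in ("pre-step", "integrated"):
        raise ValueError("mode must be 'pre-step' or 'integrated'")
    return {
        "Authorization": f"Bearer {access_token}",
        "X-Request-ID": str(uuid.uuid4()),
        "X-OAUTH-PREFERRED": mode,
    }


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(32))
    print(build_authorise_url("1234-wertiq-983", state, challenge))
    # Simulated redirect from the IDP (constructed input, not a real response)
    code = parse_callback(f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}", state)
    print(token_request_body(code, verifier))
    print(xs2a_headers("<access-token-from-idp>", "pre-step"))
```

Keep the code_verifier and state server-side, bound to the PSU's session, and never log them; the challenge in the URL is safe to expose because only the SHA-256 pre-image redeems the code.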

cyberphone commented 4 years ago

@DmitryMishchuk @ViraHavrylenko thanks, I will try and see where I get 👍