Ability to use OAuth2 consent authorization approach

[Heks-dev]

Place where bug appeared

• Endpoint: /v1/consents/{consentId}/authorisations
• Component: de.adorsys.psd2.xs2a.service.authorization.ais.OauthAisAuthorizationService

Current behavior

• de.adorsys.psd2.xs2a.service.authorization.ais.OauthAisAuthorizationService the bean which has no implementation

Expected behavior

• Seems like it should be an SPI

Steps to reproduce

• aspsp configuration yaml:
• • scaApproaches: OAUTH
• • scaRedirectFlow: OAUTH
• Create consent:
• • POST /v1/consents/
• Start authorization for created consent
• • POST /v1/consents/{consentId}/authorisations

SCA approach

• [ ] OAUTH

Request / Response example

Request POST /v1/consents/

{
  "access": {
    "availableAccounts": "allAccounts"
  },
  "combinedServiceIndicator": false,
  "frequencyPerDay": 5,
  "recurringIndicator": true,
  "validUntil": "9999-10-10"
}

Response

{
    "consentStatus": "received",
    "consentId": "fake-consent-0",
    "_links": {
        "self": {
            "href": "http://localhost:8091/v1/consents/fake-consent-0"
        },
        "status": {
            "href": "http://localhost:8091/v1/consents/fake-consent-0/status"
        }
    },
    "psuMessage": "OTP Password required"
}

Request POST /v1/consents/fake-consent-0/authorisations

{
    "tppMessages": [
        {
            "category": "ERROR",
            "code": "CONSENT_UNKNOWN",
            "text": "Please provide correct consentId."
        }
    ]
}

XS2A version(s):

• 3.5

Log files or other additional info

[DEBUG][13:04:27.589] - org.springframework.security.web.access.intercept.FilterSecurityInterceptor: Previously Authenticated: org.springframework.security.oauth2.provider.OAuth2Authentication@81c57778: Principal: AuthenticatedPrincipal(token=0a3bcd4d-90e9-49ec-8f0d-0f84e7fc9ac4, tokenTtl=600, pwi=user); Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, sessionId=, tokenType=BearertokenValue=; Granted Authorities: ROLE_USER [DEBUG][13:04:27.590] - org.springframework.security.access.vote.AffirmativeBased: Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3a085c5b, returned: 1 [DEBUG][13:04:27.590] - org.springframework.security.web.access.intercept.FilterSecurityInterceptor: Authorization successful [DEBUG][13:04:27.590] - org.springframework.security.web.access.intercept.FilterSecurityInterceptor: RunAsManager did not change Authentication object [DEBUG][13:04:27.590] - org.springframework.security.web.FilterChainProxy: /v1/consents/fake-consent-0/authorisations reached end of additional filter chain; proceeding with original chain [INFO ][13:04:29.253] - access-log: REQUEST - TPP ID: [PSDDE-FAKENCA-87B2AC], TPP IP: [0:0:0:0:0:0:0:1], X-Request-ID: [2f77a125-aa7a-45c0-b414-cea25a116035], URI: [/v1/consents/fake-consent-0/authorisations], Consent ID: [fake-consent-0] [DEBUG][13:04:29.292] - org.springframework.security.oauth2.provider.error.DefaultOAuth2ExceptionRenderer: Written [error="invalid_token", error_description="Invalid access token: 6443f0ef-9d26-4b5a-bdae-0c67817fad6a"] as "application/json;charset=UTF-8" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@1ff9fe46] [DEBUG][13:04:29.292] - org.springframework.security.web.context.SecurityContextPersistenceFilter: SecurityContextHolder now cleared, as request processing completed [INFO ][13:04:34.699] - de.adorsys.psd2.xs2a.service.event.Xs2aEventService: X-REQUEST-ID: [2f77a125-aa7a-45c0-b414-cea25a116035], TPP ID: [PSDDE-FAKENCA-87B2AC]. Couldn't record event from TPP request: Event(timestamp=2019-07-12T13:04:34.699072+03:00, consentId=fake-consent-0, paymentId=null, eventOrigin=TPP, eventType=START_AIS_CONSENT_AUTHORISATION_REQUEST_RECEIVED, instanceId=null, psuIdData=PsuIdData(psuId=aspsp, psuIdType=null, psuCorporateId=null, psuCorporateIdType=null), tppAuthorisationNumber=PSDDE-FAKENCA-87B2AC, xRequestId=2f77a125-aa7a-45c0-b414-cea25a116035, payload=RequestEventPayload(tppInfo=TppInfo(authorisationNumber=PSDDE-FAKENCA-87B2AC, tppName=, tppRoles=[AISP, PISP, PIISP], authorityId=DE-FAKENCA, authorityName=Trust Service Provider AG, country=Germany, organisation=Fictional Corporation AG, organisationUnit=Information Technology, city=Nuremberg, state=Bayern, tppRedirectUri=null, issuerCN=null), tppIp=0:0:0:0:0:0:0:1, uri=/v1/consents/fake-consent-0/authorisations, headers={x-request-id=2f77a125-aa7a-45c0-b414-cea25a116035, content-length=0, cookie=SESSION=OWI2OWI2NjUtMGY0My00OGViLTk1ZDgtYjNkNWZiOTQ0ZjI1, postman-token=01c627f3-0296-41ec-86db-7187bbf79032, accept=application/json, authorization=Bearer 02f51b86-2737-48e4-9585-697114ccae9b, tpp-qwac-certificate=-----BEGIN CERTIFICATE-----MIIFQTCCAymgAwIBAgIESLvdaTANBgkqhkiG9w0BAQsFADB4MQswCQYDVQQGEwJERTEQMA4GA1UECAwHQkFWQVJJQTESMBAGA1UEBwwJTnVyZW1iZXJnMSIwIAYDVQQKDBlUcnVzdCBTZXJ2aWNlIFByb3ZpZGVyIEFHMR8wHQYDVQQLDBZJbmZvcm1hdGlvbiBUZWNobm9sb2d5MB4XDTE5MDMwNTE1MTIwN1oXDTIwMDMwNDAwMDAwMFowgcwxITAfBgNVBAoMGEZpY3Rpb25hbCBDb3Jwb3JhdGlvbiBBRzEJMAcGA1UEAwwAMSUwIwYKCZImiZPyLGQBGRYVcHVibGljLmNvcnBvcmF0aW9uLmRlMR8wHQYDVQQLDBZJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRAwDgYDVQQGEwdHZXJtYW55MQ8wDQYDVQQIDAZCYXllcm4xEjAQBgNVBAcMCU51cmVtYmVyZzEdMBsGA1UEYQwUUFNEREUtRkFLRU5DQS04N0IyQUMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCeDcYlVutZeGFtOkonIMGHwway2ASZl8p7/v7USIxeMo/5ppbAa6Ei7i7jH9ORBoHV6qxAwNFkdd8JDneNiNn0NSvoYTemr5mqyXYhwpzLueXth1oBgjLYvcaLFXXQGS0dd6sDcaCTbw9xdDmap+6xYDRzIrdviyiph1ewpUXlrEHNu5Oomk7R5Dpv4gM9uRwYiskRigZdnArfyQ3ZYW4VZvMlFW3t1IVvSiOWvruF24w+j1g3BOHNM7tIAOlOUYQpHV1G1ChcFt5/ICArtsGAd4/ZUzlmujktdO+hNA70fDHUxkG6vQRFQhSnszzJ/C/g632nMTJbAaGtO2OvdL9DAgMBAAGjfjB8MHoGCCsGAQUFBwEDBG4wbAYGBACBmCcCMGIwOTARBgcEAIGYJwEDDAZQU1BfQUkwEQYHBACBmCcBAgwGUFNQX1BJMBEGBwQAgZgnAQQMBlBTUF9JQwwZVHJ1c3QgU2VydmljZSBQcm92aWRlciBBRwwKREUtRkFLRU5DQTANBgkqhkiG9w0BAQsFAAOCAgEAK07yQviS7/zKm1EqQyyGkEbf/1sHb9FLPBr/BicYxc3IQGd4xG1SJ1uLudX37Yq/o6exjixZ8ywib27jNLCpsF1dEQabHNXgS4enojf7CVTyKjDkKqE1mwqPmGeoWWwaWOUsWQ2/Ja/UTW5Bn5iA+nHCXVrkcjFVnRvi+dSsRm4J3E0EdAAwBkSEqHGDZO1ZiAh20YkNExx8MKKiHAVZ0ZFCXzYcaWzaK6yeCarvyPNCb+BAsc1wf3/88tLT9Nof/Ctzv2L9OjGHcalCLf/g/qTr6/50J4IMVdBwoVkg27yRE5EC3RKJE5BFx6TNWeNGs7r8HpAhO/6hLKzVHjrsA8/SAwTWNQNWdP/azSV42DuVMjDi5o5Ax9RkHXRvjsuwTR19AKvIc6nv/8XUtwORjHW+FTXTGa28PqCD1ZACiHytIBXrETevmLIlFuh6ZaWKBYPUc3DmJbFSZkhRFybh1SEtl/WzeQjIKqkRw0MGzDIRwD0sYqeE8ENkJbXJG+Cy4c42mZmEwG6E7HQQtiT9Irt1cnUiFDRe6g+h4GaxhOC5Pluxhij4DaNHCIZm30IHcyA4vZOyj7rXcvvfGMwPgbSdqSdEeNB25FEmFmJnavESxyJKYNx3JONm//0yRpacfWos/MjmbLWynYz8Bv8EK7mCS84bmSlUrUgHoNvDeBc=-----END CERTIFICATE-----, host=localhost:8091, content-type=application/json, connection=keep-alive, cache-control=no-cache, accept-encoding=gzip, deflate, psu-id=aspsp, user-agent=PostmanRuntime/7.13.0}, body=null)) [DEBUG][13:06:37.400] - org.springframework.security.web.header.writers.HstsHeaderWriter: Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@7c155021 [INFO ][13:06:37.420] - access-log: RESPONSE - TPP ID: [PSDDE-FAKENCA-87B2AC], X-Request-ID: [2f77a125-aa7a-45c0-b414-cea25a116035], Status: [403] [DEBUG][13:06:37.421] - org.springframework.security.web.access.ExceptionTranslationFilter: Chain processed normally [DEBUG][13:06:37.421] - org.springframework.security.web.context.SecurityContextPersistenceFilter: SecurityContextHolder now cleared, as request processing completed

[ViraHavrylenko]

Hello, you have wrong aspsp configuration yaml:

• scaApproaches: OAUTH It should be:
• scaApproaches: REDIRECT
• scaRedirectFlow: OAUTH

[Heks-dev]

Hi, Thank you so much for the rapid response. Regards!

[DG0lden]

@Heks-dev Pls let us know if this solves your problem, so that we can close the ticket