OAUTH SCA approach set in ASPSP-profile seem to be ignored

valb3r commented 4 years ago

Field in question

scaRedirectFlow=OAUTH Does not seem to function properly

Place where bug appeared

Endpoint or Component or Class

Current behavior

When using the following ASPSP profile

{
  "ais": {
    "consentTypes": {
      "bankOfferedConsentSupported": true,
      "globalConsentSupported": true,
      "availableAccountsConsentSupported": true,
      "accountAccessFrequencyPerDay": 100,
      "notConfirmedConsentExpirationTimeMs": 86400000,
      "maxConsentValidityDays": 0,
      "accountOwnerInformationSupported": false,
      "trustedBeneficiariesSupported": false
    },
    "redirectLinkToOnlineBanking": {
      "aisRedirectUrlToAspsp": "http://localhost:4400/account-information/login?encryptedConsentId={encrypted-consent-id}&redirectId={redirect-id}"
    },
    "transactionParameters": {
      "availableBookingStatuses": [
        "both",
        "booked",
        "pending"
      ],
      "transactionsWithoutBalancesSupported": false,
      "supportedTransactionApplicationTypes": [
        "application/json"
      ]
    },
    "deltaReportSettings": {
      "entryReferenceFromSupported": false,
      "deltaListSupported": false
    },
    "scaRequirementsForOneTimeConsents": {
      "scaByOneTimeAvailableAccountsConsentRequired": true,
      "scaByOneTimeGlobalConsentRequired": true
    }
  },
  "pis": {
    "supportedPaymentTypeAndProductMatrix": {
      "payments": [
        "sepa-credit-transfers",
        "instant-sepa-credit-transfers"
      ]
    },
    "maxTransactionValidityDays": 0,
    "notConfirmedPaymentExpirationTimeMs": 86400000,
    "paymentCancellationAuthorisationMandated": false,
    "redirectLinkToOnlineBanking": {
      "pisRedirectUrlToAspsp": "http://localhost:4400/payment-initiation/login?paymentId={encrypted-payment-id}&redirectId={redirect-id}",
      "pisPaymentCancellationRedirectUrlToAspsp": "http://localhost:4400/payment-cancellation/login?paymentId={encrypted-payment-id}&redirectId={redirect-id}",
      "paymentCancellationRedirectUrlExpirationTimeMs": 600000
    },
    "countryValidationSupported": "DE",
    "supportedTransactionStatusFormats": [
      "application/json"
    ]
  },
  "piis": {
    "piisConsentSupported": "NOT_SUPPORTED"
  },
  "common": {
    "scaRedirectFlow": "OAUTH",
    "oauthConfigurationUrl": "http://localhost:20015/oauth/authorization-server",
    "startAuthorisationMode": "AUTO",
    "tppSignatureRequired": false,
    "psuInInitialRequestMandated": false,
    "redirectUrlExpirationTimeMs": 600000,
    "authorisationExpirationTimeMs": 86400000,
    "forceXs2aBaseLinksUrl": false,
    "xs2aBaseLinksUrl": "http://myhost.com/",
    "supportedAccountReferenceFields": [
      "IBAN"
    ],
    "multicurrencyAccountLevelSupported": "SUBACCOUNT",
    "aisPisSessionsSupported": false,
    "signingBasketSupported": false,
    "checkTppRolesFromCertificateSupported": true,
    "aspspNotificationsSupported": [
      "NONE"
    ],
    "authorisationConfirmationRequestMandated": false,
    "authorisationConfirmationCheckByXs2a": false,
    "checkUriComplianceToDomainSupported": false,
    "tppUriComplianceResponse": "WARNING"
  }
}

and calling POST /v1/consents of xs2a, scaOAuth URL is wrong - it is http://localhost:20015/oauth/authorization-server

Expected behavior

When and calling POST /v1/consents of xs2a, scaOAuth URL should be like - http://localhost:20015/oauth/authorization-server?consentId=Js7WlzPxLwcAH-zLnlcEgSWEJxhZpUfEmhTXGHENk_pyT7hcwKMcr-oyrvEPRiMyfVD9C7aDmHXy2Bg8xOSursz9MpaJIQIH3NJX8IHgetw=_=_psGLvQpt9Q&redirectId=d64994fb-50df-42cc-a847-b42042276f94

Steps to reproduce

Enable ASPSP profile to use OAUTH Ensure OAUTH is in supported SCA

Note, that when using X-OAUTH-PREFERRED header scaOAuth is correct

SCA approach

[ ] Redirect
[ ] Embedded
[ ] Decoupled
[x] Oauth

XS2A version(s):

7.4.1 Same seem to happen on develop too

Log files or other additional info

Feel free to provide more info about your problem

According to https://github.com/adorsys/xs2a/blob/58cba89ad0735f436dc46e8a9b11da9d5cf7ac3d/doc/XS2A.%20Details%20of%20realisation/Strong%20customer%20authentication.adoc#support-pre-step-and-integrated-oauth-modes This is valid setup

ViraHavrylenko commented 4 years ago

@valb3r All reported parameters in Profile are used to test OAuth and Redirect SCA approaches simultaneously at XS2A-Sandbox https://github.com/adorsys/XS2A-Sandbox

It cann't be used the same way in Production.

Parameter "scaRedirectFlow" in the ASPSP-Profile defines variant of the SCA approach=REDIRECT:

REDIRECT for standard Redirect SCA;
OAUTH_PRESTEP for pre-step OAuth SCA (TPP asks for token before initiation of request);
OAUTH for integrated OAuth SCA (TPP asks for token after initiation of request).

Fow scaRedirectFlow=OAUTH link in response is wrong and will be fixed soon.

valb3r commented 4 years ago

@ViraHavrylenko

All reported parameters in Profile are used to test OAuth and Redirect SCA approaches simultaneously at XS2A-Sandbox

That's exactly the case - I need to have OAuth2-integrated (OAUTH) working with Sandbox and now it can only be achieved with X-OAUTH-PREFERRED header and not with ASPSP configuration. OAUTH_PRESTEP works seeming because it is the default.

Fow scaRedirectFlow=OAUTH link in response is wrong and will be fixed soon.

:+1:

ViraHavrylenko commented 3 years ago

Fixed in v.8.0 (Sandbox is updated in v.4.5)

adorsys / xs2a