Building the Open-Banking-compliant consent page with ACP

This article is of particular interest to a developer assigned by the bank to build an Open-Banking-compliant consent page. Bank developers can find here not only information on how the custom consent page works in the Open Banking (OB) ecosystem but also guidelines on how to produce a consent page in accordance with OB standards.

The consent page is a website displaying a consent form in which the end user can specify what data the bank is to share with the Fintech app.

For banks operating in the Open Banking ecosystem, it is essential to provide a consent page that complies with the Open Banking specifications.

There are a number of guidelines defining how the consent page needs to work to be Open-Banking-compliant. OB standards specify how the consent page needs to be built in terms of both its backend and its frontend.

Read more

For information on how OB requirements on

The Open Banking consent page needs to display the user's accounts and the permissions that the Fintech application requests. To make the custom consent page display everything a particular user needs to see, the bank developer needs to create a page that

  • Integrates with/calls bank-internal APIs for the list of user’s accounts
  • Integrates with/calls ACP-internal APIs for details on the access consent of the requested account (provided as JSON).
  1. The user logs in and gets authenticated.

  2. ACP redirects the user to the custom consent page.

    Result

    login_id and login_state are sent to the custom consent page.

  3. The consent page (built by the bank developer) calls an ACP-internal API to retrieve details on the account access consent.

    Response

    The response is a JSON document containing information on

    • Permissions requested by the application
    • List of requested scopes
    • User’s identifier (subject).
  4. The consent page calls ACP to approve or deny the account access consent and redirects the user to the redirect URL returned by ACP.

Open Banking sandbox

You can see how the custom consent page works in the Open Banking environment by visiting the ACP Open Banking sandbox. The sandbox is an artificial bank environment where you can go through mock bank-Fintech scenarios and check how a sample application produces the custom consent page. The OB scenarios cover the flow of custom consents, which lets you explore the technical details of the consent page provided in the sandbox.

Check out the ACP OB sandbox here

In the sandbox, you can try TPP SAMPLE APP (a Fintech application) at https://localhost:8090/, which gives you a good idea of how the custom consent page works and what it looks like.

Note

For details on how to set up the sandbox environment and run a sample Fintech app, see Get the sandbox and Check the backend in Open Banking flow of actions powered by ACP.

After running TPP SAMPLE APP in the sandbox and logging in with IDP, you are redirected to the custom consent page.

Note

You can specify the URL to which ACP redirects the user for the custom consent page.

In ACP, you can configure where the end user is redirected after logging in.

Read more

For the instruction on how to configure consent page settings in ACP, see Enabling the custom consent page in ACP.

Use specific ACP APIs

To learn how to create your custom consent page, visit the ACP OB sandbox and explore TPP SAMPLE APP (https://localhost:8090/). The TPP-SAMPLE-APP scenario helps you understand how the custom consent page is built.

You need to build and configure your consent page so that it communicates with ACP. For this purpose, ACP provides three system APIs that you need to use while developing your application:

  • GET /api/system/{tenant_id}/open-banking/account-access-consent/{login_id} for getting the account access consent
  • POST /api/system/{tenant_id}/open-banking/account-access-consent/{login_id}/accept for accepting the account access consent
  • POST /api/system/{tenant_id}/open-banking/account-access-consent/{login_id}/reject for rejecting the account access consent.

Note

login_id is provided as a query parameter when the user gets redirected to the consent page.

Read more

For information on how to integrate your custom consent page with ACP, see Integrating the custom consent page with ACP.
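The flow of actions listed earlier on this page (login_id and login_state arrive in the query string, the page fetches the consent, then accepts or rejects it and redirects to the URL ACP returns) and the three system APIs in this section, as one added example in Go. This is not code from ACP or from the TPP sample app. It assumes the system API is called with a bearer token, that the GET response carries the fields subject, permissions and requested_scopes, that the accept and reject calls take login_state and account_ids in the request body and answer with redirect_to; ACP itself is replaced by a constructed in-process server (NewMockACP) so the example runs offline.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Consent is the part of the GET response the page needs: "subject" is named on
// this page, while "permissions" and "requested_scopes" are assumed field names.
type Consent struct {
	Subject         string   `json:"subject"`
	Permissions     []string `json:"permissions"`
	RequestedScopes []string `json:"requested_scopes"`
}

// ACP is a client for the system API of one tenant (bearer-token auth is assumed).
type ACP struct {
	BaseURL, TenantID, Token string
	HTTP                     *http.Client
}

// call sends one request to the account-access-consent API for loginID (plus an
// optional "/accept" or "/reject" suffix) and decodes a 2xx JSON response into out.
func (a *ACP) call(method, loginID, suffix string, body []byte, out any) error {
	u := fmt.Sprintf("%s/api/system/%s/open-banking/account-access-consent/%s%s",
		a.BaseURL, a.TenantID, url.PathEscape(loginID), suffix)
	req, err := http.NewRequest(method, u, bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+a.Token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := a.HTTP.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("%s %s: %s", method, u, resp.Status)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// GetConsent is step 3: fetch the consent for the login_id ACP put in the query string.
func (a *ACP) GetConsent(loginID string) (*Consent, error) {
	c := &Consent{}
	return c, a.call(http.MethodGet, loginID, "", nil, c)
}

// Decide is step 4: POST to /accept or /reject and return the redirect URL from ACP.
// The request body and the "redirect_to" field are assumptions for this example.
func (a *ACP) Decide(loginID, loginState, action string, accounts []string) (string, error) {
	body, _ := json.Marshal(map[string]any{"login_state": loginState, "account_ids": accounts})
	var out struct {
		RedirectTo string `json:"redirect_to"`
	}
	err := a.call(http.MethodPost, loginID, "/"+action, body, &out)
	return out.RedirectTo, err
}

// DecisionHandler receives the consent form's POST, records the user's decision
// with ACP and redirects the browser to the URL ACP returned (never to a URL the
// browser supplied).
func DecisionHandler(a *ACP) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		loginID, loginState := r.URL.Query().Get("login_id"), r.URL.Query().Get("login_state")
		if loginID == "" || loginState == "" {
			http.Error(w, "missing login_id or login_state", http.StatusBadRequest)
			return
		}
		action := "reject" // anything but an explicit accept counts as a rejection
		if r.FormValue("decision") == "accept" {
			action = "accept"
		}
		redirect, err := a.Decide(loginID, loginState, action, r.Form["account"])
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		http.Redirect(w, r, redirect, http.StatusFound)
	})
}

// NewMockACP is a constructed stand-in for ACP so that the example runs offline.
func NewMockACP() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet {
			json.NewEncoder(w).Encode(Consent{Subject: "user-123", Permissions: []string{"ReadAccountBasic"}, RequestedScopes: []string{"accounts"}})
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"redirect_to": "https://tpp.example/callback?state=ok"})
	}))
}

func main() {
	acp := NewMockACP()
	defer acp.Close()
	a := &ACP{BaseURL: acp.URL, TenantID: "demo", Token: "constructed", HTTP: acp.Client()}
	c, err := a.GetConsent("login-1")
	fmt.Println(c.Subject, c.Permissions, err)
}
```

In a real deployment the GET side of the page renders the consent returned by GetConsent as an HTML form whose submit lands on DecisionHandler with the same login_id and login_state in the query string. The form's decision and account fields are the only browser-controlled inputs; the redirect target comes from ACP's response, and a missing decision is treated as a rejection.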

Comply with OB standards

Configure your custom consent page using the information in the JSON returned by ACP after calling GET /api/system/{tenant_id}/open-banking/account-access-consent/{login_id}.

Retrieve and display the accounts list

Use the value of subject to integrate with the bank so that your consent page can display the list of accounts of the specific user who is logged in.

subject is an identifier of the logged-in user. If you integrate with the bank using a specific subject, the bank can identify the user whose list of accounts is requested.

Display the permissions list

Make your consent page display the list of permissions so that the end user can see what the Fintech app requests, for example ReadAccountBasic.
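The two display requirements above (the account list resolved from subject, and the requested permissions shown to the user), as an added example in Go that is not code from ACP or the sample app. The bank-internal accounts API is replaced by a constructed lookup keyed by subject, the permission wording is constructed, and the codes other than ReadAccountBasic (which is spelled as on this page) are taken from the OB UK account-information permission set. The example rejects a permission code it cannot explain rather than showing it raw, and renders the form through html/template so values that arrive from outside the bank are escaped.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Account is one entry from the bank-internal accounts API (constructed shape).
type Account struct{ ID, Name, Masked string }

// bankAccounts stands in for the bank-internal API, keyed by the ACP subject.
var bankAccounts = map[string][]Account{
	"user-123": {{"acc-1", "Current account", "****1234"}, {"acc-2", "Savings", "****9876"}},
}

// permissionText turns a permission code into wording the end user can judge.
// ReadAccountBasic is the code as written on this page; ReadBalances and
// ReadTransactionsDetail are OB UK codes. The wording is constructed for the example.
var permissionText = map[string]string{
	"ReadAccountBasic":       "See the names and numbers of your accounts",
	"ReadBalances":           "See your account balances",
	"ReadTransactionsDetail": "See the full details of your transactions",
}

type Row struct{ Code, Text string }

type View struct {
	Accounts    []Account
	Permissions []Row
}

// BuildView looks the accounts up by the subject ACP returned (never by a value the
// browser sent) and maps each requested permission to its text. A code the page
// cannot explain is rejected rather than shown raw, and duplicates are collapsed.
func BuildView(subject string, permissions []string) (*View, error) {
	accounts, ok := bankAccounts[subject]
	if !ok {
		return nil, fmt.Errorf("no accounts for subject %q", subject)
	}
	v := &View{Accounts: accounts}
	seen := map[string]bool{}
	for _, p := range permissions {
		text, known := permissionText[p]
		if !known {
			return nil, fmt.Errorf("unsupported permission %q", p)
		}
		if !seen[p] {
			seen[p] = true
			v.Permissions = append(v.Permissions, Row{p, text})
		}
	}
	if len(v.Permissions) == 0 {
		return nil, fmt.Errorf("consent requests no permissions")
	}
	return v, nil
}

// formTmpl renders the form; html/template escapes every value, so account names
// and permission codes that arrive from outside cannot inject markup.
var formTmpl = template.Must(template.New("consent").Parse(`<form method="post">
<p>The application asks to:</p>
<ul>{{range .Permissions}}<li title="{{.Code}}">{{.Text}}</li>{{end}}</ul>
<p>Choose the accounts to share:</p>
{{range .Accounts}}<label><input type="checkbox" name="account" value="{{.ID}}"> {{.Name}} {{.Masked}}</label><br>{{end}}
<button name="decision" value="accept">Allow</button> <button name="decision" value="reject">Deny</button>
</form>`))

// RenderForm returns the consent form HTML, or an error for a consent the page
// cannot present to the user.
func RenderForm(subject string, permissions []string) (string, error) {
	v, err := BuildView(subject, permissions)
	if err != nil {
		return "", err
	}
	var b bytes.Buffer
	if err := formTmpl.Execute(&b, v); err != nil {
		return "", err
	}
	return b.String(), nil
}

func main() {
	page, err := RenderForm("user-123", []string{"ReadAccountBasic", "ReadBalances", "ReadAccountBasic"})
	fmt.Println(page, err)
}
```

The form's account checkboxes and decision buttons are the fields a consent page then posts back to ACP's accept or reject API; the subject and the permission list are never taken from the browser, only from the consent JSON returned by ACP.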