OAuth 2.0
This page explains how to obtain access tokens for the REST API and lists the information required to configure a new client for the IDP.
Overview
The guiding principles for the configuration and security of the IDP are drawn from the Financial-Grade API (FAPI) standards and OpenID Connect.
Quickstart
Required information for configuring a new client for IDP
- Public key from SSL certificate
- Signature verification key
- Redirect URI
- Optional: logo
Requests
- Login
- Access Token
- Refresh Token
- Logout
Full documentation for endpoints
Request | HTTP Method | Endpoint
---|---|---
Login | GET | /oauth/v2/oauth-authorize
Access Token for Code flow | POST | /oauth/v2/oauth-token
Access Token for Client Credentials flow | POST | /oauth/v2/oauth-token
Refresh Token | POST | /oauth/v2/oauth-token
Logout | POST | /authn/authentication/logout

Login (GET /oauth/v2/oauth-authorize)
Parameters:
- scope: available scopes are openid, trading:read and trading:write. Multiple scopes must be separated by a space (example: "openid trading:read").
- response_type: code
- redirect_uri: the redirect URI
- client_id: id of the client
- request: request JWT object
- state: string value used to associate a client session with an ID token
- nonce: random cryptographic token used to prevent replay attacks

Example URL:
```
https://oauth.consorsbank.de/oauth/v2/oauth-authorize?scope=openid trading:write trading:read&response_type=code&redirect_uri=your_redirect_url&client_id=your_client_id&request=eyJhbGciOiJSfs43J9.eyJzY2...&state=urfdf7o0q0i1u13ie198on53ja&nonce=3491ff5b-0b0b-49af-812c-8141928b09a8
```

Access Token for Code flow (POST /oauth/v2/oauth-token)
Parameters:
- grant_type: must be authorization_code
- client_id: the client id
- redirect_uri: the redirect URI
- code: the access code (obtained from the URL redirect after the login consent)

Can be performed after a successful login to exchange the access code for a bearer token response, from which the access token is taken.

Example cURL request:
```
curl --location --request POST 'https://api.consorsbank.de/oauth/v2/oauth-token' \
  --cert client-ssl.crt --key client-ssl.key \
  --data-urlencode 'grant_type=authorization_code' \
  --data-urlencode 'client_id=your_client_id' \
  --data-urlencode 'redirect_uri=your_redirect_url' \
  --data-urlencode 'code=5IdtHQyVpnaSR1Ol7qNfwDlom2eh97xt'
```

Example response:
```
{
  "id_token": "eyJraWQsiOsdsMzQ0NzA342sCJ4NXQiOiI1U3lpd3NxZXVBajhsWXBaalFxVE11c3FLcHMiLCJhbGciOiJSUzI1NiJ9.eyJ...",
  "token_type": "bearer",
  "access_token": "_0XBPWQQ_21a57be8-0cae-4872-9cff-469634149945",
  "refresh_token": "_1XBPWQQ_3d46cfea-ed51-4e97-8913-75b60cfb0197",
  "scope": "openid trading:write trading:read",
  "claims": "calvin_token",
  "expires_in": 299
}
```

Access Token for Client Credentials flow (POST /oauth/v2/oauth-token)
Parameters:
- grant_type: must be client_credentials
- client_id: the client id
- scope: the scope of access for the token

Example cURL request:
```
curl --location --request POST 'https://api.consorsbank.de/oauth/v2/oauth-token' \
  --cert client-ssl.crt --key client-ssl.key \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_id=your_client_id' \
  --data-urlencode 'scope=your_scope'
```

Example response:
```
{
  "token_type": "bearer",
  "access_token": "_0XBPWQQ_a1fa6188-482b-4960-80f9-c8e91918a6bc",
  "scope": "quote-trigger",
  "expires_in": 300
}
```

Refresh Token (POST /oauth/v2/oauth-token)
Parameters:
- grant_type: must be refresh_token
- client_id: the client id
- refresh_token: the refresh token (obtained from the bearer token response)

A refresh_token is valid for 11 hours and 55 minutes. Each refresh response contains a new access_token, valid for 5 minutes, and the next refresh_token to use.

Example cURL request:
```
curl --location --request POST 'https://api.consorsbank.de/oauth/v2/oauth-token' \
  --cert client-ssl.crt --key client-ssl.key \
  --data-urlencode 'client_id=your_client_id' \
  --data-urlencode 'grant_type=refresh_token' \
  --data-urlencode 'refresh_token=_1XBPWQQ_3d46cfea-ed51-4e97-8913-75b60cfb0197'
```

Example response:
```
{
  "token_type": "bearer",
  "access_token": "_0FSPWQQ_547d0S7a-4e42-4a31-9631-92118d38ce89",
  "refresh_token": "_1XBGJQ_9fS3ee-197f-432e-880d-4468d1c6df4c",
  "scope": "openid trading:write trading:read",
  "claims": "calvin_token",
  "expires_in": 300
}
```

Logout (POST /authn/authentication/logout)
Parameters: none.

The logout request uses an SSO cookie to identify the user to be logged out and invalidates that user's session id.

Example URL:
```
https://oauth.consorsbank.de/authn/authentication/logout
```

Example response: Status Code: 200
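The login request and its redirect, as an added client-side example (not the provider's code): it builds the authorize URL with a fresh state and nonce, rejects a callback whose state does not match, and checks the nonce claim of the returned id_token. It assumes the request JWT is supplied already signed and that the id_token signature is verified separately with the signature verification key before the nonce check is trusted.

```python
# Added example, not the provider's own code. The request JWT arrives already
# signed; the id_token signature is assumed to be verified with the signature
# verification key before id_token_nonce_matches() is relied on.
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://oauth.consorsbank.de/oauth/v2/oauth-authorize"
VALID_SCOPES = {"openid", "trading:read", "trading:write"}


def new_login(client_id, redirect_uri, scopes, request_jwt):
    """Return (authorize_url, state, nonce); keep state and nonce in the session."""
    unknown = set(scopes) - VALID_SCOPES
    if unknown:
        raise ValueError(f"unknown scope(s): {sorted(unknown)}")
    state = secrets.token_urlsafe(24)  # ties the callback to this browser session
    nonce = secrets.token_urlsafe(24)  # must come back inside the id_token
    params = {
        "scope": " ".join(scopes),  # multiple scopes are space separated
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "request": request_jwt,
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state, nonce


def code_from_callback(callback_url, expected_state):
    """Pull the code out of the redirect URL; refuse it when state does not match."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not from a login we started")
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return qs["code"][0]


def id_token_nonce_matches(id_token, expected_nonce):
    """True when the nonce claim of the id_token equals the one sent in the login."""
    _header, payload, _sig = id_token.split(".")  # ValueError unless a 3-part JWT
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return secrets.compare_digest(str(claims.get("nonce", "")).encode(),
                                  expected_nonce.encode())
```

The code returned by code_from_callback is then sent in the grant_type=authorization_code POST over the mTLS connection shown in the cURL example.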