Q:
We're implementing Nordea Instant Reporting/Corporate Payout Premium APIs. Is it possible to initiate the authorization flow for our admins and then send them a QR-code/link to BankID for them to sign? Is it possible to use BankID with the Redirect Corporate Access Authorization flow?
A:
Yes, it's possible.
APIs | PSD2 | PSD2 | Premium | Premium
Authorization flow - authentication_type (availability) | Redirect (YES) | Decoupled (YES) | Redirect (YES) | Decoupled (YES)
Authentication app (availability) | Nordea ID (YES), BankID (YES) | Nordea ID (YES), BankID (NO) | Nordea ID (YES), BankID (YES) | Nordea ID (YES), BankID (NO)
Q:
For the Corporate Access Authorization API there is a Decoupled Corporate Access Authorization flow (with Nordea ID) and a Redirect Corporate Access Authorization flow - what is the main difference?
A:
- In the Redirect flow the customer is redirected to the Nordea Online Authentication Service (web page), where the user can choose the authentication method and other authentication details.
- In the Decoupled flow the customer uses the TPP's application to choose the authentication method and other authentication details.
Note: In both cases the customer needs to confirm the authentication in the mobile application (Nordea ID for Redirect/Decoupled or BankID for Redirect).
Q:
Is the Redirect URI just the address to which the signer is redirected after signing the request?
A:
Please refer to:
OAuth 2.0 Authorization Framework
Redirect corporate access authorization workflow
Q:
We have two people that are going to sign the request. What is the flow for dual signing with Redirect? Can they use the same link or do I have to generate separate links for them?
A:
Please refer to:
Redirect corporate access authorization workflow
Q:
We have a request from an end user on how to connect on the PSD2 Corporate interface - what steps should the user take to authenticate with “Card reader without cable”? After the user has filled in the agreement number on the PSD2 interface he doesn’t have this type of authentication available. What should be done to allow the user to connect on the Corporate account?
A:
This authentication method is not available in Nordea Open Banking APIs. eID card and card reader authentication methods will be decommissioned, hence they're not going to be supported.
Please refer to:
Corporate access authorization API - details
Q:
(SANDBOX) I'm not able to complete the Corporate Authentication flow. I'm stuck in Corporate Authentication. It tells me that "Token is missing":
2023/11/20 10:39:47 Calling Nordea API endpoint: PUT https://api.nordeaopenbanking.com/corporate/v2/authorize/fe1234d1-1dd1-1d12-1d12-bf123a1c12fa
2023/11/20 10:39:47 Body: {"authorizer_id":"12345678"}
2023/11/20 10:39:47 Headers:
2023/11/20 10:39:47 Digest: SHA-256=nqvcYQcDRhOndi123gzA1z+HCz1SW1Sr1sVHm1TbPgI=
2023/11/20 10:39:47 Signature: SKIP_SIGNATURE_VALIDATION_FOR_SANDBOX
2023/11/20 10:39:47 Content-Type: application/json
2023/11/20 10:39:47 X-IBM-Client-Id: 123fb1234567c123456789f12ba12d12
2023/11/20 10:39:47 X-IBM-Client-Secret: adfe123d1234f1f12f1d12345dd123d1
2023/11/20 10:39:47 X-Nordea-Originating-Date: Mon, 20 Nov 2023 09:39:47 GMT
2023/11/20 10:39:47 X-Nordea-Originating-Host: api.nordeaopenbanking.com
2023/11/20 10:39:47
2023/11/20 10:39:47 ResponseBody:
2023/11/20 10:39:47 {"group_header":{"message_identification":"12b1db123b123c12aa12d12c12f12dee","creation_date_time":"2023-11-20T09:39:47.153970196Z","http_code":401},"error":{"request":{"url":"/v2/authorize/fe1234d1-1dd1-1d12-1d12-bf123a1c12fa"},"failures":[{"code":"error.resource.denied","description":"Token is missing."}]}}
How to specify/provide this token in the call to the endpoint:
PUT /corporate/v2/authorize/{access_id}
A:
The mandatory “Authorization” header is missing from the request; that is where you should provide the token. Please refer to:
Confirm an authorization request/Request Parameters (Corporate Access Authorization API)
Corporate Access Authorization API
Postman and Swagger files (Nordea API Market)
Nordea Developer Portal (API Market Sandbox) guide
Q:
In your documentation:
How to start traffic with Instant Reporting API
it's stated that I need to know:
- Your company's Corporate Netbank's agreement number (it can be found in the Corporate Netbank user interface)
- Your company's Corporate Netbank administrator's logon ID. Check with your company's Corporate Netbank administrator, if your company has one or several administrators.
I understand that the first one is required for the "agreement_number" in an authorize request. I do not understand where the second one will be supplied in the authentication process.
A:
The logon ID will not be supplied in the authentication process - you need to provide it. You can find it by logging in to Nordea Corporate Netbank (CN) and navigating to the "My profile" page. The logon ID will be shown in the last line.
Q:
The said documentation also mentions "Signature using your self-signed certificate". Is signature made using a private key?
A:
When you create a self-signed certificate, one of the outputs is a private key. The signature is created using that private key.
Q:
Regarding the authentication methods that are available to our customers using Nordea Corporate API - we can only use the Logon ID for authentication but the Nordea corporate webpage also allows BankID for Sweden or Email ID and password. These two methods are not available to us through the PSD2 API. Do you plan to add these authentication methods to the PSD2 API?
A:
- In Decoupled Corporate Access Authorization flow only Nordea ID is available
- In Redirect Corporate Access Authorization flow you can also use BankID and Nordea ID
When confirming authorization with PUT request, you can choose "authentication_type" as REDIRECT. Refer to:
Confirm an authorization request - Redirect (Corporate Access Authorization API)
Q:
What can be the reason for the "Agreement is not available" error? Is this a problem on the customer's side because he entered a wrong agreement number? How can we guide him to use a proper agreement number?
Request:
POST /corporate/v2/authorize HTTP/1.1
Content-Type: application/json
X-IBM-Client-Id: *** 1234
X-IBM-Client-Secret: *** 1234
Signature: "[MASKED]"
X-Nordea-Originating-Date: Tue, 13 Jun 2023 13:17:36 GMT
X-Nordea-Originating-Host: open.nordea.com
Content-Length: 77
Date: Tue, 13 Jun 2023 13:17:36 GMT
Digest: [MASKED]
{
"scope": [
"ACCOUNTS_PSD2"
],
"duration": 129600,
"agreement_number": "1234567891"
}
Response:
{
"group_header": {
"message_identification": "12cd12b1c1231234",
"creation_date_time": "2023-06-13T13:17:37.106188197Z",
"http_code": 403
},
"error": {
"request": {
"url": "/v2/authorize"
},
"failures": [
{
"code": "error.resource.denied",
"description": "Agreement is not available."
}
]
}
}
A:
Most probably the customer is trying to use the logon ID in the authorization initiation request, which is invalid.
If the TPP wants to provide the optional agreement number parameter during the authorization initiation, the correct agreement number must be provided in the request body of:
POST /corporate/v2/authorize
Q:
When using the Redirect corporate access authorization workflow, is it possible to see exactly how the redirect page looks when using BANKID_SE? Will there be an additional redirect to the BankID page from the Nordea site? Or how will that work?
A:
In the Redirect flow the BankID authentication method shows a QR code on the Nordea page; after success/failure the customer is redirected to the link provided in the authorization confirmation request body.
Q:
Can you confirm that authorizer_id is a mandatory parameter in:
PUT /corporate/v2/authorize/<access_id>
Is it a header field or a body field?
A:
We have two ways of authorization in the Corporate Access Authorization API:
- Decoupled: Decoupled corporate access authorization flow (Nordea ID)
- Redirect: Redirect corporate access authorization workflow
The authorizer_id parameter is relevant only in the decoupled authorization flow. It is used in:
PUT /corporate/v2/authorize/<access_id>
During the redirect flow, the body of:
PUT /corporate/v2/authorize/<access_id>
is different and does not use the authorizer_id parameter:
{ "authentication_type": "REDIRECT", "redirect_uri": "https://example.com", "state": "<state>"}
In response to this call you will get a redirect URI which you need to follow to confirm the authorization.
Note: The X-Nordea-Mock-Authorizer-Id: <Authorizer_ID> header is used only in the Sandbox redirect flow to mimic the authorization which, in Production, is done on a web page.
Q:
What am I supposed to send in the "state" parameter?
A:
Please refer to:
Postman and Swagger files (Nordea API Market)
OAuth 2.0 Authorization Framework
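The two PUT bodies described in the authorizer_id answer above, plus a secure way to produce and check the "state" value, as an added example that is not Nordea's code. The Digest header format ("SHA-256=" + base64) is the one visible in the sandbox log on this page; the Bearer scheme for the Authorization header and the in-memory state store are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# Constructed example: builds the Decoupled and Redirect confirmation bodies for
# PUT /corporate/v2/authorize/<access_id> and handles the OAuth "state" value.
# The HTTP Signature header is out of scope here (the sandbox skips it).

def digest_header(body: bytes) -> str:
    """Digest header value for a request body, in the format the sandbox log shows."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def decoupled_body(authorizer_id: str) -> bytes:
    """Decoupled flow: authorizer_id is the only body field."""
    return json.dumps({"authorizer_id": authorizer_id}, separators=(",", ":")).encode()

# Pending states keyed by state value, so a callback can be matched to the
# authorization it belongs to (assumption: a dict stands in for a real store).
_pending: Dict[str, str] = {}

def new_state(access_id: str) -> str:
    """Unguessable, single-use state: CSRF protection for the redirect callback."""
    state = secrets.token_urlsafe(32)
    _pending[state] = access_id
    return state

def redirect_body(redirect_uri: str, state: str) -> bytes:
    """Redirect flow: no authorizer_id; the user authenticates on Nordea's page."""
    payload = {"authentication_type": "REDIRECT", "redirect_uri": redirect_uri, "state": state}
    return json.dumps(payload, separators=(",", ":")).encode()

def confirm_headers(body: bytes, access_token: str, client_id: str) -> Dict[str, str]:
    """Headers for the PUT; "Authorization" is the header missing in the 401 log above."""
    return {
        "Authorization": f"Bearer {access_token}",  # assumption: Bearer scheme
        "Digest": digest_header(body),
        "Content-Type": "application/json",
        "X-IBM-Client-Id": client_id,
    }

def consume_state(returned_state: str) -> Optional[str]:
    """On callback: accept a known state once, compared in constant time, then discard it."""
    for known, access_id in list(_pending.items()):
        if hmac.compare_digest(known, returned_state):
            del _pending[known]
            return access_id
    return None
```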
Q:
We want to use Premium Instant Reporting API and we encounter authorizer_id parameter - how will it affect our data flow? Does it mean that every time we make an API call, an administrator has to accept? Is it mandatory to do this every time a call is made?
A:
The authorization by the administrator needs to be done once, just for the purpose of creating a consent (a consent can have a very long time of expiration for Premium APIs). After creating a consent, Access Token (access_token) can be used for 60 minutes as the authorization - after 60 minutes Access Token expires and needs to be refreshed. Operations with a refreshed Access Token do not have to be confirmed by the administrator.
Q:
What does FAILED status mean when polling for authorization code?
A:
Please refer to: FAILED status (Corporate Access Authorization API) FAQ
Q:
Why is a corporate client unable to perform an authorization (with two authorizers involved), and why do we receive the following API response:
{"group_header":{"message_identification":"1dd1cb012345678e","creation_date_time":"2024-09-06T09:33:43.07459397Z","http_code":400},"error":{"request":{"url":"/v2/authorize/{access_id}"},"failures":[{"code":"error.request.invalid","description":"No additional authorizers required."}]}}}
A:
The client needs to verify (by contacting the company's corporate agreement administrators or CN) whether the authorizers involved have admin rights with a "Two together" confirmation rule in Corporate Netbank Administration. In addition, to be able to add the second authorizer, the client needs to call for a status and receive the status "PARTIAL". Only then will the second authorizer be accepted.
Nordea Corporate Netbank contacts
Q:
What's the reason for the following error (Redirect URI is missing in your configuration. Please contact support to update it):
{\"group_header\":{\"message_identification\":\"12f3c1234567890e\",\"creation_date_time\":\"2024-10-23T09:29:15.217150272Z\",\"http_code\":400},\"error\":{\"request\":{\"url\":\"/v2/authorize/1f1ce1d2-f123-12ad-1234-1ad1d1b12345\"},\"failures\":[{\"code\":\"error.parameter.invalid\",\"description\":\"Redirect URI is missing in your configuration. Please contact support to update it.\"}]}}",
How do I update Redirect URI in Production Portal?
A:
Please refer to: