Corporate Access Authorization API
Q:
One of our users experiences a problem with the following API response:
{"group_header":{"message_identification":"27adf6432d12345a","creation_date_time":"2022-12-28T08:12:34.573971Z","http_code":200},"response":{"status":"PARTIAL","_links":[{"rel":"self","href":"/v2/authorize/12345ad9-132e-1234-8c56-a4afc13bd1cb"},{"rel":"add_authorizer","href":"/v2/authorize/12345ad9-132e-1234-8c56-a4afc13bd1cb"}]}}
What extra steps should be performed to get the final status of the authorization?
A:
In order to finalize the authorization you need to add a second authorizer. The proper sequence is:
- Add the first authorizer and confirm in the app
- Poll for status - get PARTIAL
- Add the second authorizer and confirm in the app
- Poll for status - get ACTIVE
Please refer to:
Polling for authorization code (Corporate Access Authorization API)
Note: The user has a "Two together" authorization role active in Nordea Corporate Netbank. Alternatively, the user can have his role changed to "Alone" so he can authorize on his own. If needed, contact details for Corporate Netbank can be found here:
Nordea Corporate Netbank contacts
Q:
When the first ‘Confirm authorization’ request has been made:
PUT /corporate/v2/authorize/<access_id>
we make a second one for authorizer 2, but we get the response: “No additional authorizers required.” Why is that?
A:
You're trying to authorize the second user before the first one has performed the authorization. You have to wait for authorizer 1 to sign before you can trigger authorizer 2.
Q:
Yes, that is correct. The second request is sent as soon as the status PARTIAL is returned from the API, directly after the first authorization request has been sent (even though it has not been signed yet). How do we keep track of whether the first authorizer has signed or not?
A:
Refer to our documentation - especially step no 7 (about polling the status):
Decoupled corporate access authorization flow (Nordea ID)
Q:
We send the request:
PUT /corporate/v2/authorize/<access_id>
and directly after that (while waiting for the first user to sign) we make the request:
GET /corporate/v2/authorize/{access_id}
and then we get the status PARTIAL, no matter if the first authorizer has signed the request or not. Are we not supposed to get PENDING status when we make the “get status” request?
GET /corporate/v2/authorize/{access_id}
A:
If one authorizer successfully signs the access request but a second is required and has not yet been nominated, the access request status will be returned as PARTIAL; this indicates to the client that a second authorizer is required.
Q:
I want to verify the order in which the requests should be made:
- Start an authorization flow by requesting:
POST /corporate/v2/authorize
- Request for the authorizer 1 to sign:
PUT /corporate/v2/authorize/<access_id>
- Poll for status (whether authorizer 1 has signed or not):
GET /corporate/v2/authorize/{access_id}
- Status PENDING should be returned until authorizer 1 has signed
- When authorizer 1 has signed, the status should change to PARTIAL
- Make the request for authorizer 2 to sign
- Continue polling for status:
GET /corporate/v2/authorize/{access_id}
- When authorizer 2 has signed, status ACTIVE is returned.
Is that order correct? Are we not supposed to poll for status PENDING to know whether authorizer 1 has signed or not? And then, when we get the status PARTIAL, make the request for authorizer 2 to sign?
A:
The order is correct. Additionally, if two "signatures" are required (according to the Corporate Netbank Agreement), then even if only one request was sent (i.e. for authorizer 1), the application logic infers PARTIAL automatically, so PENDING will not be available in this context.
Q:
When the request for authorizer 1 to sign has been made, how will we know when to send the request for authorizer 2 to sign? Should we just wait two minutes before sending the second request?
A:
There is no precise state indicating the user's signing state. From the client perspective PARTIAL covers both: waiting for signing, or already signed (by authorizer 1). If authorizer 1 does not sign within the established time period (i.e. 3 min), polling returns FAILED. When only one has signed, PARTIAL. When both have signed, ACTIVE.
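The complete two-together flow described in the answers above, as an added example that is not part of the original FAQ or of Nordea's own code: a Python client that starts the authorization, nominates authorizer 1, polls, and keeps attempting the second confirmation on every PARTIAL poll, treating the “No additional authorizers required.” rejection as "authorizer 1 has not signed yet". It runs offline against a constructed stand-in for the API. The statuses PARTIAL/ACTIVE/FAILED, the 3-minute limit and the rejection message are taken from the answers above; the stand-in's signing delays, its PARTIAL status before the first PUT, the FakeClock and the ApiError class are assumptions made for the example.

```python
"""Two-together authorization flow (PARTIAL -> ACTIVE, or FAILED) against a
constructed stand-in for the Corporate Access Authorization API.
Added example, not Nordea's code: signing in the app is emulated by a delay."""


class FakeClock:
    """Constructed clock so the example runs instantly and deterministically."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class ApiError(Exception):
    """Assumed client-side error type carrying the API's error message."""


class SimulatedAuthorizeApi:
    """Stand-in for POST/PUT/GET /corporate/v2/authorize under a 'Two together' agreement.
    An authorizer signs `delay` seconds after being nominated; None means never signs.
    Status before the first PUT is not specified by the FAQ; the stand-in reports PARTIAL."""
    TIME_LIMIT_S = 180.0  # 3-minute limit stated in the FAQ

    def __init__(self, clock, first_sign_delay_s=20.0, second_sign_delay_s=20.0):
        self.clock = clock
        self.delays = (first_sign_delay_s, second_sign_delay_s)
        self.requests = {}

    def start_authorization(self):
        """POST /corporate/v2/authorize -> access_id"""
        access_id = "access-%d" % (len(self.requests) + 1)
        self.requests[access_id] = {"created": self.clock.now(), "nominated": []}
        return access_id

    def confirm_authorization(self, access_id):
        """PUT /corporate/v2/authorize/<access_id>: nominate the next authorizer."""
        req = self.requests[access_id]
        if self._status(req) != "PARTIAL" or len(req["nominated"]) == 2:
            raise ApiError("Authorization request is not open for additional authorizers")
        if req["nominated"] and not self._signed(req, 0):
            # Per the FAQ: a second PUT before authorizer 1 has signed is rejected.
            raise ApiError("No additional authorizers required.")
        req["nominated"].append(self.clock.now())

    def get_status(self, access_id):
        """GET /corporate/v2/authorize/{access_id} -> PARTIAL | ACTIVE | FAILED"""
        return self._status(self.requests[access_id])

    def _signed(self, req, idx):
        delay = self.delays[idx]
        return (idx < len(req["nominated"]) and delay is not None
                and self.clock.now() - req["nominated"][idx] >= delay)

    def _status(self, req):
        expires = req["created"] + self.TIME_LIMIT_S
        sign_times = [req["nominated"][i] + self.delays[i]
                      for i in range(len(req["nominated"])) if self.delays[i] is not None]
        if len(sign_times) == 2 and max(sign_times) <= min(self.clock.now(), expires):
            return "ACTIVE"  # both signed within the time limit
        if self.clock.now() > expires:
            return "FAILED"  # time limit elapsed without both signatures
        return "PARTIAL"     # waiting for authorizer 1, or signed by authorizer 1 only


def run_two_together_flow(api, clock, poll_interval_s=5.0, client_deadline_s=240.0):
    """Drive one authorization to a final status; return (final_status, observed statuses).
    PARTIAL does not reveal whether authorizer 1 has signed, so the second PUT is
    attempted on every PARTIAL poll and its rejection is treated as 'not yet'."""
    access_id = api.start_authorization()
    api.confirm_authorization(access_id)  # authorizer 1 nominated; confirms in the app
    observed, second_added, started = [], False, clock.now()
    while clock.now() - started <= client_deadline_s:
        status = api.get_status(access_id)
        observed.append(status)
        if status in ("ACTIVE", "FAILED"):
            return status, observed
        if not second_added:
            try:
                api.confirm_authorization(access_id)  # authorizer 2
                second_added = True
            except ApiError as exc:
                if "No additional authorizers required" not in str(exc):
                    raise  # any other error is a real failure, not 'not yet'
        clock.sleep(poll_interval_s)
    return "CLIENT_TIMEOUT", observed  # local guard; the server's FAILED normally comes first


if __name__ == "__main__":
    clk = FakeClock()
    print(run_two_together_flow(SimulatedAuthorizeApi(clk), clk))
    clk = FakeClock()
    print(run_two_together_flow(SimulatedAuthorizeApi(clk, second_sign_delay_s=None), clk))
```

With both authorizers signing 20 s after nomination, the client sees PARTIAL for eight polls (authorizer 2 is only accepted on the poll at t=20 s, after authorizer 1 has signed) and then ACTIVE at t=40 s. If either authorizer never signs, the stand-in reports FAILED once the 3-minute limit has passed, which is the only signal the client gets for an abandoned first signature.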
Q:
When authorizer 1 has signed, is there a time limit for how long authorizer 2 can wait until he needs to sign? For example: if authorizer 1 signs today, can authorizer 2 sign tomorrow, or will this fail?
A:
A time limit for both authorizers is set to 3 minutes. Please refer to: