Reference:
Business Access Authorization API
Q:
We want to test the authorization flow in your Sandbox environment. How can we go through the Nordea UI where a user authenticates and selects bank accounts? We cannot find the URL for the wizard where the user selects bank accounts and is redirected to our application with the provided authorization code. What is the starting point of this flow?
A:
Nordea UI is not available in Sandbox - this step is mocked in Sandbox. The first step of the authorization flow is:
Redirect - Initiating the authorization flow
The call will return an HTTP 302 redirect code, indicating a successful redirect. Check the response's Location header to get the authorization code.
Q:
Then requesting:
POST /authorize
will redirect us to the Nordea UI where the user authenticates and selects bank accounts only in the Production environment?
A:
Yes, that's correct.
Q:
Will the user be automatically redirected from your side to the Nordea UI after:
request, or will you return only a 302 and we have to redirect the user to the returned Response.Headers.Location?
A:
This option is correct for Sandbox. The Nordea UI authentication wizard is skipped in Sandbox. After initiating the authorization flow, the call should return an HTTP 302 redirect code, and you need to redirect the user to the returned Response.Headers.Location. This value corresponds to the redirect_uri provided in the /authorize request, with the authorization code as a parameter. For example:
Response.Headers.Location: test.com?code=<code>
Refer to:
Redirect - Initiating the authorization flow
Q:
What happens after:
POST /authorize
in Production environment? Will we get URL for Nordea UI in Response.Headers.Location where we should redirect the user? Is that a web page URL?
A:
Refer to the following Production flow:
- The TPP starts the process by initiating the Redirect Authorization flow. The flow can be initiated through the following endpoint: POST /authorize
- The call will return an HTTP 302 redirect code, indicating a successful redirect (the "Location" header of the response includes the Nordea UI URL)
- The PSU (Payment Service User) is redirected to the Nordea UI to select the bank accounts he wishes to grant access to
- After this selection is done, he can continue the flow and return to the TPP application.
Refer to:
Redirect access authorization flow
Q:
Do you provide the information about the user's selected bank accounts? If yes, where can we acquire it?
A:
The TPP cannot see the information about selected accounts until the full authorisation flow has successfully completed. Then the TPP can call:
GET /assets
endpoint to get a list of accounts with a given consent.
Q:
(Sandbox) Is it possible to use localhost as a redirect URL for testing purposes?
A:
It's not possible to use localhost as a redirect URL endpoint. The redirect URL must be opened by Nordea services in order to pass the authorization code to the TPP, and localhost is not accessible from outside your machine. The authorization code is short-lived and single-use, and is exchanged for an access token during access authorization. You may use https://www.example.org as a redirect_uri for testing purposes.
Note:
In Sandbox, redirects are defined in the Developer Portal during application creation.
Please also see: Nordea Developer Portal (API Market Sandbox) guide
Q:
(Sandbox) While making the request towards:
POST /personal/v5/authorize?Client_id=720f{redacted}d09f&country=DK&duration=3600&redirect_uri=https://example.org&scope=ACCOUNTS_BASIC,ACCOUNTS_BALANCES, ACCOUNTS_DETAILS,ACCOUNTS_TRANSACTIONS,PAYMENTS_MULTIPLE&state=teststate HTTP/1.1
Host: api.nordeaopenbanking.com
with an empty body and default Postman headers, we get the following response:
{"httpCode":"401","httpMessage":"Unauthorized","moreInformation":"Invalid client id or secret."}
A:
Proper headers and the body must be included in the request. Please refer to:
Redirect Access Authorization (POST /personal/v5/authorize)
Q:
What am I supposed to send in the "state" parameter?
A:
Please refer to:
Postman and Swagger files (Nordea API Market)
OAuth 2.0 Authorization Framework
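The following is an added example, not Nordea's code, showing how a TPP client should handle the 302 from POST /authorize described in the answers above (Sandbox: Location is the redirect_uri already carrying the code; Production: Location is the Nordea UI URL the user must be sent to) and how the "state" parameter asked about in the last question is generated and checked. It assumes the HTTP client does not follow redirects automatically, that the registered redirect_uri is https://www.example.org as suggested in the FAQ, and that the callback echoes "state" back as the OAuth 2.0 framework requires; the parameter names come from the request line quoted above, the values are placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Registered redirect_uri; the FAQ suggests https://www.example.org for Sandbox testing.
REDIRECT_URI = "https://www.example.org"


def new_state():
    """Unguessable per-session value sent as 'state' and checked on return (CSRF binding)."""
    return secrets.token_urlsafe(32)


def build_authorize_query(client_id, country, duration, scope, state):
    """Query string for POST /personal/v5/authorize, using the parameter names from the FAQ."""
    return urlencode({"client_id": client_id, "country": country, "duration": duration,
                      "redirect_uri": REDIRECT_URI, "scope": ",".join(scope), "state": state})


def _same_endpoint(url_a, url_b):
    """True when scheme, host and path match (query strings are ignored)."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.netloc, a.path.rstrip("/")) == (b.scheme, b.netloc, b.path.rstrip("/"))


def handle_authorize_response(status, headers, expected_state):
    """Interpret the response to POST /authorize. The client must NOT auto-follow the redirect
    (e.g. requests.post(..., allow_redirects=False)), otherwise the Location header is lost.

    Returns ("code", <auth code>) when Location is our redirect_uri carrying the code (Sandbox,
    where the Nordea UI step is mocked), or ("redirect", <url>) when Location is the Nordea UI
    URL the PSU must be sent to (Production). Raises ValueError on anything unexpected."""
    if status != 302:
        raise ValueError(f"expected HTTP 302 from /authorize, got {status}")
    location = headers.get("Location") or headers.get("location")
    if not location:
        raise ValueError("302 without a Location header")
    query = parse_qs(urlsplit(location).query)
    if "code" not in query:
        # Production: not the callback yet; the TPP redirects the PSU to this URL.
        return ("redirect", location)
    # Callback-style Location: only accept our own registered redirect_uri ...
    if not _same_endpoint(location, REDIRECT_URI):
        raise ValueError("authorization code delivered to an unregistered redirect_uri")
    # ... and only when the echoed state matches the one generated for this session.
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state missing or mismatched: possible cross-site request forgery")
    return ("code", query["code"][0])


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_query("<client_id>", "DK", 3600, ["ACCOUNTS_BASIC"], state))
    # Constructed Sandbox-style 302 of the shape described in the FAQ.
    print(handle_authorize_response(302, {"Location": f"{REDIRECT_URI}?code=<code>&state={state}"}, state))
```

The returned code is single-use and short-lived, so it should be exchanged for the access token immediately and the stored state discarded after one check.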