Introduction
Nordea has introduced support for signing the payment(s) so that Nordea can complete them. The signing methods (e.g. BankID, MitID, e-code etc.) require Nordea to authenticate the PSU before invoking the mobile two-factor authentication step. Nordea provides the "Nordea Authentication and Signing Application" (NASA) for the PSU to authenticate securely. This flow consists of several web application pages.
The authentication process results in an "auth_code" type of code that is needed for the confirm process to be executed.
Where is the redirect?
Domestic confirmation endpoint
A redirect URL is provided as a _link in the confirm response.
PUT: /personal/v*/payments/domestic/confirm
The response will hold a link that you, the TPP, will have to redirect the PSU to in a browser:
$nasa_url$?order_id=1234567&redirect_uri=$obi_url$&state=$url_encoded_parameters$
nasa_url - Nordea Authentication and Signing Application link
order_id=1234567 - id of the current confirmation procedure
redirect_uri=$obi_url$ - Open Banking link where the PSU will be redirected after the NASA signing in order to trigger the payment execution. She/he will subsequently be redirected to the TPP page (see Detailed explanation)
state=$url_encoded_parameters$ - parameters needed for correct communication between Open Banking and NASA
SEPA confirmation endpoint
A redirect URL is provided as a _link in the confirm response.
PUT: /personal/v*/payments/sepa/confirm
The response will hold a link that you, the TPP, will have to redirect the PSU to in a browser:
$nasa_url$?order_id=1234567&redirect_uri=$obi_url$&state=$url_encoded_parameters$
nasa_url - Nordea Authentication and Signing Application link
order_id=1234567 - id of the current confirmation procedure
redirect_uri=$obi_url$ - Open Banking link where the PSU will be redirected after the NASA signing in order to trigger the payment execution. She/he will subsequently be redirected to the TPP page (see Detailed explanation)
state=$url_encoded_parameters$ - parameters needed for correct communication between Open Banking and NASA
Why the redirect link?
The redirection URL supports the case where a country-specific signing method (e.g. BankID, MitID, e-code etc.) is required in order for the PSU to sign a payment.
Detailed explanation
The link provided in the response to a PUT: /personal/v*/payments/domestic/confirm request sends the PSU to a secured Nordea Authentication server, where the PSU inputs credentials and signs the payment(s).
Nordea Open Banking receives the result as a signed and encrypted code and executes the payment. The status of the payment is available by calling the existing endpoint GET: /personal/v*/payments/domestic/{payment-id}.
The browser window that the PSU used to authenticate and sign the payment can be closed after the PSU has received the final result of HTTP 200 OK.
Endpoint | AS-IS | More info of changes |
---|---|---|
POST: /personal/v*/payments/domestic or POST: /personal/v*/payments/sepa | Response 201 CREATED | |
PUT: /personal/v*/payments/domestic/confirm or PUT: /personal/v*/payments/sepa/confirm | Response 202 ACCEPTED, _links: { | The link relation "signing" is the "location" header redirection to be sent to the PSU in some form of browser. The result will in the end be a 200 OK, which should trigger a close of the browser session. |
GET: &state=$url_encoded_parameters$ | Response 200 OK. Format of the successful response (redirection URL to the TPP): $tpp_redirect_url$?status=success | After the payment is signed by the PSU (the execute payment request is triggered right after that on the bank side; no action from the TPP is needed), the user is redirected to the Third Party Provider (TPP) page (the one provided during the onboarding process for the OAuth 2.0 authorization flow). If that page is not available for some reason, the PSU is redirected to the Nordea bank page. The "status" query parameter indicates whether the signing was successful or not. Note: this does not mean the payment was successfully executed. For example, for domestic DK payments a second channel confirmation (such as SMS) is required when the amount is bigger than 100 000 DKK. To make sure the transfer is paid and done, see the next step. |
GET: /personal/v*/payments/domestic/{payment-id} or GET: /personal/v*/payments/sepa/{payment-id} | Response 200 OK | Check the "payment_status" field value to find out if the payment was successfully executed (it should be "paid"). |
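The TPP side of the flow above, as an added example that is not Nordea's own code: pick the "signing" link out of the confirm response and refuse to redirect the PSU anywhere but the expected NASA host, then treat the status=success return as only the signing result and rely on payment_status == "paid" for execution. The _links shape (a list of rel/href objects), the host names and the fetch_status() callback are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample of a confirm response. The _links shape (list of rel/href
# objects) and every host name here are assumptions, not Nordea's documented schema.
CONFIRM_RESPONSE = {
    "_links": [{
        "rel": "signing",
        "href": "https://nasa.example.invalid/sign?order_id=1234567"
                "&redirect_uri=https%3A%2F%2Fobi.example.invalid%2Fcb&state=s%3D1",
    }],
}


def signing_link(confirm_response, allowed_hosts):
    """Return the 'signing' href, refusing to bounce the PSU to an unexpected host."""
    for link in confirm_response.get("_links", []):
        if link.get("rel") != "signing":
            continue
        href = link["href"]
        parts = urlsplit(href)
        if parts.scheme != "https" or parts.hostname not in allowed_hosts:
            raise ValueError("signing link does not point at the expected NASA host")
        params = parse_qs(parts.query)
        missing = [k for k in ("order_id", "redirect_uri", "state") if k not in params]
        if missing:
            raise ValueError(f"signing link lacks {', '.join(missing)}")
        return href
    raise ValueError("confirm response carries no 'signing' link")


def signing_succeeded(tpp_return_url):
    """Parse the redirect back to the TPP: status=success only covers the signing step."""
    params = parse_qs(urlsplit(tpp_return_url).query)
    return params.get("status", [""])[0] == "success"


def payment_outcome(tpp_return_url, fetch_status):
    """Combine both signals. fetch_status() stands in for
    GET /personal/v*/payments/{domestic|sepa}/{payment-id} and returns its JSON body.
    Only payment_status == "paid" means the transfer was executed; a DK domestic
    payment above 100 000 DKK may still be waiting for second-channel confirmation."""
    if not signing_succeeded(tpp_return_url):
        return "signing_failed"
    body = fetch_status()
    return "paid" if body.get("payment_status") == "paid" else "not_executed_yet"


if __name__ == "__main__":
    print("redirect PSU to:", signing_link(CONFIRM_RESPONSE, {"nasa.example.invalid"}))
    print(payment_outcome("https://tpp.example.invalid/return?status=success",
                          lambda: {"payment_status": "pending"}))  # not_executed_yet
```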