Dynamic client registration

Page contents

Endpoint config
API calls
Models

What this API does:

These APIs currently supports Bacs, Balance Transfers, CHAPS and Faster Payments.

This specification defines the APIs for a TPP to submit a Software Statement Assertion to an ASPSP for the purpose of creating OAuth clients that are registered with ASPSP.

Endpoint configuration

POST /register

Production: https://secureapi.prod.ob.virginmoney.com/vmpsd2-psd2prod/psd2-production/register

API calls

POST /register Register a client by way of a Software Statement Assertion

Endpoint will be secured by way of Mutual Authentication over TLS

Name	Description
requestBody (body)	A request to register a Software Statement Assertion with an ASPSP Example Value Model string `string` ($OBClientRegistration1)

Responses

Response content type

Code Description

201

Client registration

Example Value Model

{
  "client_id": "string",
  "client_secret": "string",
  "client_id_issued_at": 0,
  "client_secret_expires_at": 0,
  "redirect_uris": [
    "string"  ],
  "token_endpoint_auth_method": "private_key_jwt",
  "grant_types": [
    "client_credentials"  ],
  "response_types": [
    "code"  ],
  "software_id": "string",
  "scope": [
    "string"  ],
  "software_statement": "string",
  "application_type": "web",
  "id_token_signed_response_alg": "RS256",
  "request_object_signing_alg": "RS256",
  "token_endpoint_auth_signing_alg": "RS256",
  "tls_client_auth_dn": "string"
}

{

client_id*	`string` minLength: 1 maxLength: 36 OAuth 2.0 client identifier string
client_secret	`string` minLength: 1 maxLength: 36 OAuth 2.0 client secret string
client_id_issued_at	integer($int32) minimum: 0 Time at which the client identifier was issued expressed as seconds since 1970-01-01T00:00:00Z as measured in UTC
client_secret_expires_at	integer($int32) minimum: 0 Time at which the client secret will expire expressed as seconds since 1970-01-01T00:00:00Z as measured in UTC. Set to 0 if does not expire
redirect_uris*	[`string`($uri) minLength: 1 maxLength: 256]
token_endpoint_auth_method*	`string` Enum: [ private_key_jwt, tls_client_auth ]
grant_types*	[ minItems: 1 `string` Enum: [ client_credentials, authorization_code, refresh_token ]]
response_types	[`string` Enum: [ code, code id_token ]]
software_id	`string`
scope	[`string` minLength: 1 maxLength: 32]
software_statement*	`string`($JWT)
application_type*	`string` Enum: [ web, mobile ]
id_token_signed_response_alg*	SupportedAlgorithms`string` Enum: [ RS256, PS256, ES256 ]
request_object_signing_alg*	SupportedAlgorithms`string` Enum: [ RS256, PS256, ES256 ]
token_endpoint_auth_signing_alg	SupportedAlgorithms`string` Enum: [ RS256, PS256, ES256 ]
tls_client_auth_dn*	`string` minLength: 1 maxLength: 128

}

400

Request failed due to client error

Example Value Model

{
  "error": "invalid_redirect_uri",
  "error_description": "string"
}

error*	`string` Enum: [ invalid_redirect_uri, invalid_client_metadata, invalid_software_statement, unapproved_software_statement ]
error_description	`string` minLength: 1 maxLength: 500

DELETE /register/{ClientId} Delete a client by way of Client ID

Name	Description
ClientId * string (path)	The client ID
Authorization * string (header)	An Authorisation Token as per https://tools.ietf.org/html/rfc6750 Link opens in a new window

Responses

Response content type

Code

Description

204

Client deleted

401

Request failed due to unknown or invalid Client or invalid access token

Headers:

Name	Description	Type
WWW-Authenticate	Response header field specified in https://tools.ietf.org/html/rfc6750 Link opens in a new window	string

403

The client does not have permission to read, update or delete the Client

405

The client does not have permission to read, update or delete the Client

Models

SupportedAlgorithms

string
Enum:
[ RS256, PS256, ES256 ]

OBRegistrationProperties1

{

client_id	`string` minLength: 1 maxLength: 36 OAuth 2.0 client identifier string
client_secret	`string` minLength: 1 maxLength: 36 OAuth 2.0 client secret string
client_id_issued_at	integer($int32) minimum: 0 Time at which the client identifier was issued expressed as seconds since 1970-01-01T00:00:00Z as measured in UTC
client_secret_expires_at	integer($int32) minimum: 0 Time at which the client secret will expire expressed as seconds since 1970-01-01T00:00:00Z as measured in UTC. Set to 0 if does not expire
redirect_uris*	[`string`($uri) minLength: 1 maxLength: 256]
token_endpoint_auth_method*	`string` Enum: [ private_key_jwt, tls_client_auth ]
grant_types*	[ minItems: 1 `string` Enum: Array [ 3 ]]
response_types	[`string` Enum: Array [ 2 ]]
software_id	`string`
scope	[`string` minLength: 1 maxLength: 32]
software_statement*	`string`($JWT)
application_type*	`string` Enum: [ web, mobile ]
id_token_signed_response_alg*	SupportedAlgorithms`string` Enum: [ RS256, PS256, ES256 ]
request_object_signing_alg*	SupportedAlgorithms`string` Enum: [ RS256, PS256, ES256 ]
token_endpoint_auth_signing_alg	SupportedAlgorithms`string` Enum: [ RS256, PS256, ES256 ]
tls_client_auth_dn*	`string` minLength: 1 maxLength: 128

}

OBClientRegistration1

{

iss*	`string` pattern: ^[0-9a-zA-Z]{1,18}$ minLength: 1 maxLength: 18 Unique identifier for the TPP. Implemented as Base62 encoded GUID
iat*	integer($int32) The time at which the request was issued by the TPP expressed as seconds since 1970-01-01T00:00:00Z as measured in UTC
exp*	integer($int32) The time at which the request expires expressed as seconds since 1970-01-01T00:00:00Z as measured in UTC
aud*	`string` pattern: ^[0-9a-zA-Z]{1,18}$ minLength: 1 maxLength: 18 The audience for the request. This should be the unique identifier for the ASPSP issued by the issuer of the software statement. Implemented as Base62 encoded GUID
jti*	`string` pattern: ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$ minLength: 36 maxLength: 36 Unique identifier for the JWT implemented as UUID v4
client_id	`string` minLength: 1 maxLength: 36 OAuth 2.0 client identifier string
client_secret	`string` minLength: 1 maxLength: 36 OAuth 2.0 client secret string
client_id_issued_at	integer($int32) minimum: 0 Time at which the client identifier was issued expressed as seconds since 1970-01-01T00:00:00Z as measured in UTC
client_secret_expires_at	integer($int32) minimum: 0 Time at which the client secret will expire expressed as seconds since 1970-01-01T00:00:00Z as measured in UTC. Set to 0 if does not expire
redirect_uris*	[`string`($uri) minLength: 1 maxLength: 256]
token_endpoint_auth_method*	`string` Enum: [ private_key_jwt, tls_client_auth ]
grant_types*	[ minItems: 1 `string` Enum: [ client_credentials, authorization_code, refresh_token ]]
response_types	[`string` Enum: [ code, code id_token ]]
software_id	`string`
scope	[`string` minLength: 1 maxLength: 32]
software_statement*	`string`($JWT)
application_type*	`string` Enum: [ web, mobile ]
id_token_signed_response_alg*	SupportedAlgorithms`string` Enum: [ RS256, PS256, ES256 ]
request_object_signing_alg*	SupportedAlgorithms`string` Enum: [ RS256, PS256, ES256 ]
token_endpoint_auth_signing_alg	SupportedAlgorithms`string` Enum: [ RS256, PS256, ES256 ]
tls_client_auth_dn*	`string` minLength: 1 maxLength: 128

}

RegistrationError

{

error*	`string` Enum: [ invalid_redirect_uri, invalid_client_metadata, invalid_software_statement, unapproved_software_statement ]
error_description	`string` minLength: 1 maxLength: 500

}

Version 1.1.0 (Current version)

Page contents

What this API does:

Endpoint configuration

API calls

Responses

Responses

Headers:

Models