Authorization

PSD2 allows a range of SCA approaches. rebel exclusively supports the scaOAuth SCA approach.

OAuth: Proof Key for Code Exchange (PKCE)

Please consult PKCE (RFC 7636) for an in-depth explanation of the OAuth 2.0 PKCE extension. When you create a new rebel consent, as a service consumer you receive a scaOAuth link with a href inside. This href should point to the OAuth 2.0 Authorization Server Metadata (RFC 8414) endpoint, so that the service consumer can construct the proper /authorize URL from the metadata it returns.

The data owner should be redirected to this URL to complete the OAuth flow. The service consumer can then exchange the obtained authorization_grant for valid tokens, which are attached to the rebel consent.

As long as your consent is valid, these tokens can be used to access the data owner's data.
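The client side of the flow described above, as an added example that is not rebel's own code: it derives a PKCE verifier/challenge pair, builds the /authorize URL from the RFC 8414 metadata document the scaOAuth href points at, and prepares the exchange of the returned grant for tokens. The metadata contents, client_id, redirect_uri and state values are constructed assumptions; a real client fetches the metadata from the href instead of embedding it.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Constructed stand-in for the RFC 8414 metadata document the scaOAuth href
# would point at; only the fields this example reads are included.
METADATA_JSON = json.dumps({
    "authorization_endpoint": "https://as.example.test/authorize",
    "token_endpoint": "https://as.example.test/token",
    "code_challenge_methods_supported": ["S256"],
})

def _b64url(raw: bytes) -> str:
    # RFC 7636 uses base64url without '=' padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars, the RFC minimum
    return verifier, _b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(metadata_json: str, client_id: str, redirect_uri: str,
                        code_challenge: str, state: str) -> str:
    """Build the /authorize URL from the metadata document, not a hard-coded host."""
    md = json.loads(metadata_json)
    if "S256" not in md.get("code_challenge_methods_supported", []):
        raise ValueError("authorization server does not advertise S256 PKCE")
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "state": state,  # bound to the user session; compared on the redirect back
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return md["authorization_endpoint"] + "?" + urlencode(params)

def build_token_request(metadata_json: str, code: str, code_verifier: str,
                        client_id: str, redirect_uri: str) -> tuple[str, dict]:
    """Return (token_endpoint, form body) exchanging the grant returned on the redirect."""
    md = json.loads(metadata_json)
    body = {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "redirect_uri": redirect_uri, "code_verifier": code_verifier}
    return md["token_endpoint"], body

def verify_challenge(code_verifier: str, code_challenge: str) -> bool:
    """The check the authorization server performs at the token endpoint."""
    expected = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, code_challenge)
```

The code_verifier never leaves the service consumer until the token request, so a grant intercepted on the redirect cannot be redeemed without it.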

Additional authorization flows

You might also choose to implement additional authorization steps using rebel. For example, if your consent involves manual steps or paperwork, you might use a simple redirect flow to guide the data owner through the steps needed to complete the setup. During that time the consent stays in the consentStatus partiallyAuthorised, and calls to the API might be answered with HTTP 401 and the code CONSENT_INVALID.

You can use the rebelConsentConfiguration entry in _links to guide your users to the incomplete consent.