adorsys/XS2A-Sandbox

OAuth2 Integrated - `Back To Tpp` button wrong link

valb3r opened this issue · 1 comment

The Back To Tpp button at the end of the OAuth2-integrated flow has a wrong link, which leads to the OAuth2 code not being returned to the TPP (to exchange for a token).

Steps:

1. Assuming one has set the correct ASPSP profile to be used with OAUTH:

```yaml
server:
  port: ${common.apps.local.aspspprofile.port}

spring:
  profiles:
    # debug_mode allows to change bank profiles for test purposes
    active: debug_mode

# This file is for ASPSP-Profile application

# Forcing `fixed` bank profile for redirect approach in local configuration
# Points to this file, section 'setting'
xs2a:
  bank_profile:
    path: ${primary.profile}

# Sandbox environment has very different URLS compared to what is declared in bank_profile.yaml,
# setting to sandbox alike
# Assuming OBA-UI from XS2A-Sandbox runs on port 4400
setting:
  ais:
    consentTypes:
      bankOfferedConsentSupported: TRUE
      globalConsentSupported: TRUE
      availableAccountsConsentSupported: TRUE
      accountAccessFrequencyPerDay: 100
      notConfirmedConsentExpirationTimeMs: 86400000
      maxConsentValidityDays: 0
      accountOwnerInformationSupported: false
      trustedBeneficiariesSupported: false
    redirectLinkToOnlineBanking:
      aisRedirectUrlToAspsp: http://localhost:4400/account-information/login?encryptedConsentId={encrypted-consent-id}&redirectId={redirect-id}
    transactionParameters:
      availableBookingStatuses:
        - BOTH
        - BOOKED
        - PENDING
      transactionsWithoutBalancesSupported: FALSE
      supportedTransactionApplicationTypes:
        - application/json
    deltaReportSettings:
      entryReferenceFromSupported: FALSE
      deltaListSupported: FALSE
    scaRequirementsForOneTimeConsents:
      scaByOneTimeAvailableAccountsConsentRequired: TRUE
      scaByOneTimeGlobalConsentRequired: TRUE
  pis:
    supportedPaymentTypeAndProductMatrix:
      SINGLE:
        - sepa-credit-transfers
        - instant-sepa-credit-transfers
    maxTransactionValidityDays: 0
    notConfirmedPaymentExpirationTimeMs: 86400000
    paymentCancellationAuthorisationMandated: FALSE
    redirectLinkToOnlineBanking:
      pisRedirectUrlToAspsp: http://localhost:4400/payment-initiation/login?paymentId={encrypted-payment-id}&redirectId={redirect-id}
      pisPaymentCancellationRedirectUrlToAspsp: http://localhost:4400/payment-cancellation/login?paymentId={encrypted-payment-id}&redirectId={redirect-id}
      paymentCancellationRedirectUrlExpirationTimeMs: 600000
    countryValidationSupported: DE
    supportedTransactionStatusFormats:
      - application/json
  piis:
    piisConsentSupported: NOT_SUPPORTED
  common:
    scaApproachesSupported:
      - REDIRECT
      - EMBEDDED
      - OAUTH
    scaRedirectFlow: REDIRECT
    oauthConfigurationUrl: http://localhost:20015/oauth/authorization-server
    startAuthorisationMode: auto
    # TODO https://github.com/adorsys/open-banking-gateway/issues/980
    tppSignatureRequired: FALSE
    psuInInitialRequestMandated: FALSE
    redirectUrlExpirationTimeMs: 600000
    authorisationExpirationTimeMs: 86400000
    forceXs2aBaseLinksUrl: FALSE
    xs2aBaseLinksUrl: http://myhost.com/
    supportedAccountReferenceFields:
      - IBAN
    multicurrencyAccountLevelSupported: SUBACCOUNT
    aisPisSessionsSupported: FALSE
    signingBasketSupported: FALSE
    checkTppRolesFromCertificateSupported: TRUE
    aspspNotificationsSupported:
      - NONE
    authorisationConfirmationRequestMandated: FALSE
    authorisationConfirmationCheckByXs2a: FALSE
    checkUriComplianceToDomainSupported: FALSE
    tppUriComplianceResponse: WARNING
```
2. And one calls:

```bash
curl --location --request POST 'http://localhost:20014/v1/consents' \
--header 'accept: application/json' \
--header 'PSU-ID: anton.brueckner' \
--header 'X-Request-ID: 2f77a125-aa7a-45c0-b414-cea25a116035' \
--header 'Content-Type: application/json' \
--header 'psu-ip-address: 1.1.1.1' \
--header 'X-OAUTH-PREFERRED: integrated' \
--header 'tpp-redirect-uri: https://google.com' \
--data-raw '{
  "access": {
    "accounts": [],
    "balances": [],
    "availableAccounts": "allAccounts",
    "transactions": []
  },
  "combinedServiceIndicator": false,
  "frequencyPerDay": 10,
  "recurringIndicator": true,
  "validUntil": "2021-10-10"
}'
```
3. And then one follows the returned scaOAuth link (i.e. http://localhost:20015/oauth/authorization-server?consentId=uW4nKNRgGUXtjMXg_K923QCNNk4VItxm_AonVQud-KFTx5Ll8DiLGJv_h3mYHzlj9Gjy56Fkiuf5A7NXeKYoy8z9MpaJIQIH3NJX8IHgetw=_=_psGLvQpt9Q&redirectId=ecac1685-c15f-4dce-80c6-0441285804ab).

4. And then one follows the authorization_endpoint returned from the http://localhost:20015/oauth/authorization-server?consentId=uW4nKNRgGUXtjMXg_K923QCNNk4VItxm_AonVQud-KFTx5Ll8DiLGJv_h3mYHzlj9Gjy56Fkiuf5A7NXeKYoy8z9MpaJIQIH3NJX8IHgetw=_=_psGLvQpt9Q&redirectId=ecac1685-c15f-4dce-80c6-0441285804ab call (the link came from the response object of the call to the scaOAuth link in the previous step) -> i.e. opens http://localhost:4400/account-information/login?redirectId=ecac1685-c15f-4dce-80c6-0441285804ab&encryptedConsentId=uW4nKNRgGUXtjMXg_K923QCNNk4VItxm_AonVQud-KFTx5Ll8DiLGJv_h3mYHzlj9Gjy56Fkiuf5A7NXeKYoy8z9MpaJIQIH3NJX8IHgetw=_=_psGLvQpt9Q&oauth2=true in the local browser.

5. Performs consent authorization and ends up on the page

http://localhost:4400/account-information/result?encryptedConsentId=uW4nKNRgGUXtjMXg_K923QCNNk4VItxm_AonVQud-KFTx5Ll8DiLGJv_h3mYHzlj9Gjy56Fkiuf5A7NXeKYoy8z9MpaJIQIH3NJX8IHgetw%3D_%3D_psGLvQpt9Q&authorisationId=ecac1685-c15f-4dce-80c6-0441285804ab&oauth2=true

So that one sees the button:

The Back to TPP page has the wrong link, like this:
http://localhost:4400/oba-proxy/ais/uW4nKNRgGUXtjMXg_K923QCNNk4VItxm_AonVQud-KFTx5Ll8DiLGJv_h3mYHzlj9Gjy56Fkiuf5A7NXeKYoy8z9MpaJIQIH3NJX8IHgetw=_=_psGLvQpt9Q/authorisation/ecac1685-c15f-4dce-80c6-0441285804ab/done?oauth2=false
Following this link prevents OnlineBanking from sending the OAuth2 code to the requesting TPP.
If one changes it to
http://localhost:4400/oba-proxy/ais/uW4nKNRgGUXtjMXg_K923QCNNk4VItxm_AonVQud-KFTx5Ll8DiLGJv_h3mYHzlj9Gjy56Fkiuf5A7NXeKYoy8z9MpaJIQIH3NJX8IHgetw=_=_psGLvQpt9Q/authorisation/ecac1685-c15f-4dce-80c6-0441285804ab/done?oauth2=true
then the TPP gets the OAuth2 code that can be exchanged for a token.

Observed on:
adorsys/xs2a-online-banking-ui:3.7.1
and seemingly develop
Full version reference:
https://github.com/adorsys/open-banking-gateway/blob/develop/how-to-start-with-project/xs2a-sandbox-only/docker-compose.yml
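An added example (not OBA-UI's or the project's own code) of the behaviour the report asks for: the done link is derived from the result page URL so the `oauth2` flag is carried through instead of being hardcoded to `false`, together with a regression check that flags the link quoted in the report. It assumes the OBA-UI host http://localhost:4400 from the report and reuses the URLs posted above as sample input.

```javascript
// Added example, not OBA-UI code. Derives the "Back to TPP" done link from the
// consent result page URL, preserving the oauth2 flag, and checks existing links.
const OBA_BASE = "http://localhost:4400"; // assumption: OBA-UI host from the report

// Build the AIS done link for the result page the PSU lands on after SCA.
function buildDoneLink(resultPageUrl) {
  const url = new URL(resultPageUrl);
  const consentId = url.searchParams.get("encryptedConsentId");
  const authorisationId = url.searchParams.get("authorisationId");
  if (!consentId || !authorisationId) {
    throw new Error("result page URL lacks encryptedConsentId or authorisationId");
  }
  // Only an explicit "true" selects the OAuth2-integrated completion path,
  // which is what makes OnlineBanking hand the authorization code to the TPP.
  const oauth2 = url.searchParams.get("oauth2") === "true";
  const done = new URL(
    `/oba-proxy/ais/${encodeURIComponent(consentId)}` +
      `/authorisation/${encodeURIComponent(authorisationId)}/done`,
    OBA_BASE
  );
  done.searchParams.set("oauth2", String(oauth2));
  return done.toString();
}

// Regression check: the done link must carry the same oauth2 flag as the page
// that rendered the button. The link in the report (oauth2=false) fails it.
function oauth2FlagPreserved(resultPageUrl, doneLinkUrl) {
  const expected = new URL(resultPageUrl).searchParams.get("oauth2") === "true";
  const actual = new URL(doneLinkUrl).searchParams.get("oauth2") === "true";
  return expected === actual;
}

// Sample input taken from the report above.
const RESULT_URL =
  "http://localhost:4400/account-information/result?encryptedConsentId=uW4nKNRgGUXtjMXg_K923QCNNk4VItxm_AonVQud-KFTx5Ll8DiLGJv_h3mYHzlj9Gjy56Fkiuf5A7NXeKYoy8z9MpaJIQIH3NJX8IHgetw%3D_%3D_psGLvQpt9Q&authorisationId=ecac1685-c15f-4dce-80c6-0441285804ab&oauth2=true";
const BUGGY_DONE_URL =
  "http://localhost:4400/oba-proxy/ais/uW4nKNRgGUXtjMXg_K923QCNNk4VItxm_AonVQud-KFTx5Ll8DiLGJv_h3mYHzlj9Gjy56Fkiuf5A7NXeKYoy8z9MpaJIQIH3NJX8IHgetw=_=_psGLvQpt9Q/authorisation/ecac1685-c15f-4dce-80c6-0441285804ab/done?oauth2=false";

console.log(oauth2FlagPreserved(RESULT_URL, BUGGY_DONE_URL)); // false: the reported bug
console.log(oauth2FlagPreserved(RESULT_URL, buildDoneLink(RESULT_URL))); // true
```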

Fixed in v.4.5