Registration
Our interface supports Third Party Provider (TPP) onboarding via the Dynamic Client Registration specification as outlined in the OpenBanking documentation. Therefore, it is expected that the third party will send a compliant registration request over a valid MTLS connection.
The POST request MUST have the Content-Type of application/jwt and MUST contain an SSA issued to the third party by OpenBanking. Further to this, supplied redirect_uris MUST match or be a subset of the software_redirect_uris claim in the SSA. Values provided in the request MUST comply with the supported values advertised on the .well-known configuration endpoint.
The authorization server maintains the right to modify any of the values provided in the registration request, as is its prerogative per RFC7591.
All values stored for the client will be returned by the authorization server in the registration response. Therefore, it is imperative that the third party uses the values returned in the response, not the values that it sent in the request.
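As an added illustration of the checks described above (example code, not Capital One's implementation), the following Python validates the decoded claims of a registration request against the SSA's software_redirect_uris claim and the values advertised on the .well-known endpoint. The discovery metadata and the TPP URIs are constructed for the example, and signature verification of both the registration JWT and the SSA is assumed to have happened before this step.

```python
from typing import Dict, List

# Constructed sample of the .well-known configuration; the values are illustrative.
WELL_KNOWN = {
    "grant_types_supported": ["client_credentials", "authorization_code", "refresh_token"],
    "response_types_supported": ["code id_token"],
    "token_endpoint_auth_methods_supported": ["private_key_jwt", "tls_client_auth"],
    "request_object_signing_alg_values_supported": ["PS256"],
    "id_token_signing_alg_values_supported": ["PS256"],
}

# Registration claim -> (discovery key that constrains it, whether the claim is a list).
# List-valued claims must be a subset of the advertised values; scalar claims must be one of them.
CONSTRAINED_BY = {
    "grant_types": ("grant_types_supported", True),
    "response_types": ("response_types_supported", True),
    "token_endpoint_auth_method": ("token_endpoint_auth_methods_supported", False),
    "request_object_signing_alg": ("request_object_signing_alg_values_supported", False),
    "id_token_signed_response_alg": ("id_token_signing_alg_values_supported", False),
}


def validate_registration(request: Dict, ssa: Dict, well_known: Dict = WELL_KNOWN) -> List[str]:
    """Return the reasons for rejecting a registration request; an empty list means acceptable.

    `request` is the decoded claim set of the application/jwt body and `ssa` the decoded
    claim set of the Software Statement Assertion it carries. Both signatures are assumed
    (for this example) to have been verified already, against the TPP's and Open Banking's keys.
    """
    errors: List[str] = []
    # Supplied redirect_uris MUST match or be a subset of the SSA's software_redirect_uris.
    # Exact string comparison: no prefix or wildcard matching.
    allowed = set(ssa.get("software_redirect_uris", []))
    for uri in request.get("redirect_uris", []):
        if uri not in allowed:
            errors.append(f"redirect_uri not in SSA software_redirect_uris: {uri}")
    # Every other supplied value MUST be one the .well-known configuration advertises.
    for claim, (key, is_list) in CONSTRAINED_BY.items():
        if claim not in request:
            continue
        supported = set(well_known.get(key, []))
        values = request[claim] if is_list else [request[claim]]
        for value in values:
            if value not in supported:
                errors.append(f"{claim} value not supported: {value}")
    return errors
```

A request that passes these checks may still have values rewritten by the authorization server, which is why the client must persist the response rather than its own request.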
POST /oauth/register
Registers a new OAuth client using the details provided in the request body. These values may be discarded or replaced as deemed appropriate by the authorization server.
Any modified values will be replayed to the requester in the response.
See Open Banking Dynamic Client Registration for more details.
Request Arguments
Parameter | Description |
---|---|
requestBody Required | Details of the client to be created. |
$ curl "https://open-banking.capitalone.co.uk/open-banking/oauth/register" \
-H "Content-Type: application/jwt" \
-H "accept: application/json" \
-d "string"
Response Arguments
Parameter | Description |
---|---|
client_id | A unique identifier issued to the newly created client. This should be used by the client to identify itself in future interactions with the authorization server. |
registration_access_token | A bearer token issued to the client that it must present when making future requests to query or otherwise manage its registration with the authorization server. |
registration_client_uri | The URI to which the client may send future requests to query or otherwise manage its registration with the authorization server. |
grant_types | The set of grant types registered for the client. A client must be registered with the appropriate grant type if it wishes to make requests to the token endpoint of that type. |
redirect_uris | The list of redirect URIs that were registered for the client. Any requests made by the client where a redirect URI is required will be validated against this list to ensure that the URI has been pre-registered for the client. |
scope | A space-separated list of scopes registered for the client. |
jwks_uri | The URL at which the client's JWKS is located. |
response_types | The response types that are registered for the client. |
token_endpoint_auth_method | The selected method that the client will use to authenticate itself at the token endpoint. Requests made by the client using a method other than the one it is registered to use will be rejected. |
request_object_signing_alg | The signing algorithm used by the client for signing request objects. |
id_token_signed_response_alg | The signing algorithm that the authorization server will use for signing the ID Token. |
software_on_behalf_of | The 'OnBehalfOf' value registered for the client. Note: This will appear as part of the customer-facing consent process. |
org_id | The Open Banking organization ID associated with the client. |
org_name | The organization name associated with the client. Note: This will appear as part of the customer-facing consent process. |
token_endpoint_auth_signing_alg | The algorithm used by the client to sign its client assertion (used for private_key_jwt). |
Example 201 Response
{
"client_id": "string",
"registration_access_token": "string",
"registration_client_uri": "string",
"grant_types": ["client_credentials"],
"redirect_uris": ["string"],
"scope": "string",
"jwks_uri": "string",
"response_types": ["code id_token"],
"token_endpoint_auth_method": "private_key_jwt",
"request_object_signing_alg": "PS256",
"id_token_signed_response_alg": "PS256",
"software_on_behalf_of": "string",
"org_id": "string",
"org_name": "string",
"token_endpoint_auth_signing_alg": "PS256"
}
GET /oauth/register/{client_id}
Retrieves the details of an existing OAuth client.
Request Arguments
Parameter | Description |
---|---|
Authorization Required | The Registration Access Token that was issued to the client when it was first registered, or in response to a client update request. |
client_id Required | The client ID for which details should be retrieved. |
$ curl -X GET "https://open-banking.capitalone.co.uk/open-banking/oauth/register/$client_id" \
-H "accept: application/json" \
-H "Authorization: Bearer $registration_access_token"
Response Arguments
Parameter | Description |
---|---|
client_id | A unique identifier issued to the client. This should be used by the client to identify itself in future interactions with the authorization server. |
registration_access_token | A bearer token issued to the client that it must present when making future requests to query or otherwise manage its registration with the authorization server. |
registration_client_uri | The URI to which the client may send future requests to query or otherwise manage its registration with the authorization server. |
grant_types | The set of grant types registered for the client. A client must be registered with the appropriate grant type if it wishes to make requests to the token endpoint of that type. |
redirect_uris | The list of redirect URIs that were registered for the client. Any requests made by the client where a redirect URI is required will be validated against this list to ensure that the URI has been pre-registered for the client. |
scope | A space-separated list of scopes registered for the client. |
jwks_uri | The URL at which the client's JWKS is located. |
response_types | The response types that are registered for the client. |
token_endpoint_auth_method | The selected method that the client will use to authenticate itself at the token endpoint. Requests made by the client using a method other than the one it is registered to use will be rejected. |
request_object_signing_alg | The signing algorithm used by the client for signing request objects. |
token_endpoint_auth_signing_alg | The algorithm used by the client to sign its client assertion (used for private_key_jwt). |
id_token_signed_response_alg | The signing algorithm that the authorization server will use for signing the ID Token. |
software_on_behalf_of | The 'OnBehalfOf' value registered for the client. Note: This will appear as part of the customer-facing consent process. |
org_id | The Open Banking organization ID associated with the client. |
org_name | The organization name associated with the client. Note: This will appear as part of the customer-facing consent process. |
Example 200 Response
{
"client_id": "string",
"registration_access_token": "string",
"registration_client_uri": "string",
"grant_types": ["client_credentials"],
"redirect_uris": ["string"],
"scope": "string",
"jwks_uri": "string",
"response_types": ["code id_token"],
"token_endpoint_auth_method": "private_key_jwt",
"request_object_signing_alg": "PS256",
"token_endpoint_auth_signing_alg": "PS256",
"id_token_signed_response_alg": "PS256",
"software_on_behalf_of": "string",
"org_id": "string",
"org_name": "string"
}
PUT /oauth/register/{client_id}
Updates the client details for the client ID specified in the path.
Request Arguments
Parameter | Description |
---|---|
Authorization Required | The Registration Access Token that was issued to the client when it was first registered, or in response to a client update request. |
client_id Required | The client ID of the client whose details should be updated. |
grant_types | The set of grant types registered for the client. A client must be registered with the appropriate grant type if it wishes to make requests to the token endpoint of that type. |
redirect_uris | The list of redirect URIs that were registered for the client. Any requests made by the client where a redirect URI is required will be validated against this list to ensure that the URI has been pre-registered for the client. |
scope | A space-separated list of scopes registered for the client. |
jwks_uri | The URL at which the client's JWKS is located. |
response_types | The response types that are registered for the client. |
token_endpoint_auth_method | The authentication method that the client will use at the token endpoint. |
token_endpoint_auth_signing_alg | The signing algorithm used by the client to authenticate at the token endpoint. |
request_object_signing_alg | The signing algorithm used by the client for signing request objects. |
id_token_signed_response_alg | The signing algorithm that will be used to sign ID tokens. |
$ curl -X PUT "https://open-banking.capitalone.co.uk/open-banking/oauth/register/$client_id" \
-H "Content-Type: application/json" \
-H "accept: application/json" \
-H "Authorization: Bearer $registration_access_token" \
-d '{"client_id": "string","grant_types":["client_credentials"],"redirect_uris":["string"],"scope":"string","jwks_uri":"string","response_types":["code id_token"],"token_endpoint_auth_method": "private_key_jwt","id_token_signed_response_alg": "PS256"}'
Response Arguments
Parameter | Description |
---|---|
client_id | A unique identifier issued to the client. This should be used by the client to identify itself in future interactions with the authorization server. |
registration_access_token | A bearer token issued to the client that it must present when making future requests to query or otherwise manage its registration with the authorization server. |
registration_client_uri | The URI to which the client may send future requests to query or otherwise manage its registration with the authorization server. |
grant_types | The set of grant types registered for the client. A client must be registered with the appropriate grant type if it wishes to make requests to the token endpoint of that type. |
redirect_uris | The list of redirect URIs that were registered for the client. Any requests made by the client where a redirect URI is required will be validated against this list to ensure that the URI has been pre-registered for the client. |
scope | A space-separated list of scopes registered for the client. |
jwks_uri | The URL at which the client's JWKS is located. |
response_types | The response types that are registered for the client. |
token_endpoint_auth_method | The selected method that the client will use to authenticate itself at the token endpoint. Requests made by the client using a method other than the one it is registered to use will be rejected. |
request_object_signing_alg | The signing algorithm used by the client for signing request objects. |
token_endpoint_auth_signing_alg | The algorithm used by the client to sign its client assertion (used for private_key_jwt). |
id_token_signed_response_alg | The signing algorithm that the authorization server will use for signing the ID Token. |
software_on_behalf_of | The 'OnBehalfOf' value registered for the client. Note: This will appear as part of the customer-facing consent process. |
org_id | The Open Banking organization ID associated with the client. |
org_name | The organization name associated with the client. Note: This will appear as part of the customer-facing consent process. |
Example 200 Response
{
"client_id": "string",
"registration_access_token": "string",
"registration_client_uri": "string",
"grant_types": ["client_credentials"],
"redirect_uris": ["string"],
"scope": "string",
"jwks_uri": "string",
"response_types": ["code id_token"],
"token_endpoint_auth_method": "private_key_jwt",
"request_object_signing_alg": "PS256",
"token_endpoint_auth_signing_alg": "PS256",
"id_token_signed_response_alg": "PS256",
"software_on_behalf_of": "string",
"org_id": "string",
"org_name": "string"
}
DELETE /oauth/register/{client_id}
Deletes the client with the ID specified in the path. WARNING: This will revoke all access granted for the client.
Request Arguments
Parameter | Description |
---|---|
Authorization Required | The Registration Access Token that was issued to the client when it was first registered, or in response to a client update request. |
client_id Required | The client ID of the client to be deleted. |
$ curl -X DELETE "https://open-banking.capitalone.co.uk/open-banking/oauth/register/$client_id" \
-H "Authorization: Bearer $registration_access_token"