What are the recent updates to the PIS authentication flow for Nordea banks?

The PIS authentication flow for Nordea banks (ngp-ndeadk, ngp-ndeafi, ngp-ndeano, ngp-ndease) has recently been updated. The aim of this change is to improve the user experience by making the debtor account optional.

To support account selection, this flow requires additional effort from TPPs that support and choose to use their own UI to handle complex scenarios, such as handling PSU credentials in the middle of the flow. The API flow is outlined step by step below:

Step 1: send POST /token-requests call

Step 2: send POST /token-requests/{requestId}/authorization

Step 3: navigate to the redirectUrl

The credential-fields parameter is returned as shown below (it carries the accountNumbers to select from):

"credential-fields": "eyJmaWVsZHMiOlt7ImRpc3BsYXlOYW1lIjoiUGxlYXNlLCBzZWxlY3QgYWNjb3VudCIsImlkIjoiYWNjb3VudE51bWJlcnMiLCJvcHRpb25zIjpbIjIwMzAxNTQ0MTExNTU1IiwiMjAzMDE1NDQxMTgwMjgiLCIyMDMwMTU0NDExNzU0NCJdLCJ0eXBlIjoiRklFTEQifV19"

Step 4: send POST /token-requests/{requestId}/authorization call passing accountNumbers field with one of the accounts

{ "consentAccepted": true, "useCredentialFlow": true, "credentials": { "accountNumbers": "20301544118028" } }

Step 5: navigate to the redirectUrl:

The request-id parameter is returned.

Step 6: send GET /token-requests/{requestId}/result call

Step 7: send GET /transfers/{transferId} call:

  • Since the bank's sandbox is a mock environment, it always assumes that users have multiple accounts with the bank. In a production environment, however, it is typical for users to have only one account. This difference not only removes the need to request the debtor account from the PSU for the payload but also bypasses the additional account selection steps.
  • If a TPP uses the Token webApp, all account selection steps are handled by the webApp.
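
For a TPP that handles Steps 3 and 4 in its own UI, the sketch below decodes the credential-fields value shown in Step 3 and builds the Step 4 body only when the chosen account is one the bank actually offered. It is an added example, not Token's code: the function names are hypothetical, and it assumes the parameter is base64-encoded JSON (which is what the sample value on this page decodes to).

```python
import base64
import binascii
import json

# Sample value copied from Step 3 on this page.
CREDENTIAL_FIELDS = (
    "eyJmaWVsZHMiOlt7ImRpc3BsYXlOYW1lIjoiUGxlYXNlLCBzZWxlY3QgYWNjb3VudCIsImlkIjoi"
    "YWNjb3VudE51bWJlcnMiLCJvcHRpb25zIjpbIjIwMzAxNTQ0MTExNTU1IiwiMjAzMDE1NDQxMTgw"
    "MjgiLCIyMDMwMTU0NDExNzU0NCJdLCJ0eXBlIjoiRklFTEQifV19"
)


def decode_credential_fields(value):
    """Decode credential-fields into its list of field objects (hypothetical helper)."""
    padded = value + "=" * (-len(value) % 4)  # tolerate padding stripped in a URL
    try:
        doc = json.loads(base64.urlsafe_b64decode(padded))
    except (binascii.Error, ValueError) as exc:
        raise ValueError("credential-fields is not base64-encoded JSON") from exc
    fields = doc.get("fields") if isinstance(doc, dict) else None
    if not isinstance(fields, list):
        raise ValueError("credential-fields has no 'fields' list")
    return fields


def account_options(fields):
    """Return the account numbers offered in the accountNumbers field."""
    for field in fields:
        if isinstance(field, dict) and field.get("id") == "accountNumbers":
            options = field.get("options", [])
            if isinstance(options, list) and all(isinstance(o, str) for o in options):
                return options
    return []


def build_step4_body(fields, selected):
    """Build the Step 4 body, rejecting any account the bank did not offer."""
    if selected not in account_options(fields):
        raise ValueError("selected account was not offered by the bank")
    return {
        "consentAccepted": True,
        "useCredentialFlow": True,
        "credentials": {"accountNumbers": selected},
    }
```

The allow-list check matters because the selected value comes back from the browser; a TPP UI should forward only an account number that appeared in the decoded options.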
