The PIS authentication flow for Nordea banks (ngp-ndeadk, ngp-ndeafi, ngp-ndeano, ngp-ndease) has recently been updated. The aim of this change is to improve the user experience by making the debtor account optional.
To support account selection, this flow requires additional effort from TPPs that support and choose to use their own UI to handle complex scenarios, such as handling PSU credentials in the middle of the flow. The API flow is outlined step by step below:
Step 1: send POST /token-requests call
The credential-fields parameter is returned as shown below (it carries the accountNumbers to select from):
"credential-fields": "eyJmaWVsZHMiOlt7ImRpc3BsYXlOYW1lIjoiUGxlYXNlLCBzZWxlY3QgYWNjb3VudCIsImlkIjoiYWNjb3VudE51bWJlcnMiLCJvcHRpb25zIjpbIjIwMzAxNTQ0MTExNTU1IiwiMjAzMDE1NDQxMTgwMjgiLCIyMDMwMTU0NDExNzU0NCJdLCJ0eXBlIjoiRklFTEQifV19"
Step 4: send POST /token-requests/{requestId}/authorization call, passing the accountNumbers field with one of the accounts
{
  "consentAccepted": true,
  "useCredentialFlow": true,
  "credentials": {
    "accountNumbers": "20301544118028"
  }
}
The request-id parameter is returned as shown below:
https://dlng.io/test/?request-id=rq:yUJRFT69aXv22XXoRwhVBHPw6GS:5zKtXEAq&request_id=rq:yUJRFT69aXv22XXoRwhVBHPw6GS:5zKtXEAq
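The handling of Steps 1 and 4 above on the TPP side, as an added example that is not part of the original page or of any Token SDK: it decodes the credential-fields value shown under Step 1 (base64-encoded JSON) and builds the Step 4 body only if the chosen account is one the bank offered. The function names are hypothetical.

```python
import base64
import binascii
import json

# "credential-fields" value shown under Step 1 (base64-encoded JSON).
CREDENTIAL_FIELDS = (
    "eyJmaWVsZHMiOlt7ImRpc3BsYXlOYW1lIjoiUGxlYXNlLCBzZWxlY3QgYWNjb3VudCIs"
    "ImlkIjoiYWNjb3VudE51bWJlcnMiLCJvcHRpb25zIjpbIjIwMzAxNTQ0MTExNTU1Iiwi"
    "MjAzMDE1NDQxMTgwMjgiLCIyMDMwMTU0NDExNzU0NCJdLCJ0eXBlIjoiRklFTEQifV19"
)


def decode_credential_fields(encoded):
    """Return {field id: [offered options]} from a credential-fields value."""
    try:
        padded = encoded + "=" * (-len(encoded) % 4)
        doc = json.loads(base64.b64decode(padded, validate=True))
    except (binascii.Error, ValueError) as exc:
        raise ValueError("credential-fields is not base64-encoded JSON") from exc
    if not isinstance(doc, dict) or not isinstance(doc.get("fields"), list):
        raise ValueError("credential-fields has no 'fields' list")
    offered = {}
    for field in doc["fields"]:
        options = field.get("options", []) if isinstance(field, dict) else None
        if (not isinstance(options, list) or not isinstance(field.get("id"), str)
                or not all(isinstance(o, str) for o in options)):
            raise ValueError("unexpected credential field structure")
        offered[field["id"]] = options
    return offered


def build_authorization_body(encoded, selected_account):
    """Build the Step 4 body; hypothetical helper, not part of any SDK."""
    # Only forward an account the bank actually offered, so a value altered
    # in the TPP's own UI is rejected before it reaches the API.
    if selected_account not in decode_credential_fields(encoded).get("accountNumbers", []):
        raise ValueError("selected account was not offered by the bank")
    return {
        "consentAccepted": True,  # mirrors the Step 4 body; set from the PSU's real choice
        "useCredentialFlow": True,
        "credentials": {"accountNumbers": selected_account},
    }


if __name__ == "__main__":
    print(decode_credential_fields(CREDENTIAL_FIELDS))
    print(json.dumps(build_authorization_body(CREDENTIAL_FIELDS, "20301544118028")))
```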
Step 6: send GET /token-requests/{requestId}/result call
Step 7: send GET /transfers/{transferId} call:
- Since the bank's sandbox is a mock environment, it always assumes that users have multiple accounts with the bank. In a production environment, however, it is typical for users to have only one account. This difference not only removes the need to request a debtor account from the PSU for the payload but also bypasses the additional account selection steps.
- If a TPP uses the Token webApp, all account selection steps are handled by the webApp.