During Strong Customer Authentication, the end-user (PaymentServiceUser, PSU) must authenticate himself/herself using a two-factor approval. The first factor is the user logging in by providing a user name and a password to the authorization endpoint. The second factor is the user’s approval using an Approval App / Code App (mobile application).
This section describes how to enable app-switch in a ThirdPartyProvider (TPP) mobile application. App-switch means the following:
In the TPP mobile application, Strong Customer Authentication (SCA) is started by opening the OAuth request in a Custom Tab (Android) or SFSafariViewController (iOS):
var redirectUri = $"{auth_endpoint}?response_type=code&client_id={yourClientId}&scope={scope}&state={request_state}&code_challenge_method=S256&code_challenge={code_challenge}&redirect_uri={yourRedirectUri}&return_app_url={returnAppUrl}";
The yourRedirectUri should be an App Link (Android) or Universal Link (iOS), which enables sending, e.g. an authorization code, to the TPP App from the Custom Tab / SFSafariViewController, once the end-user has been authenticated and the authorization completes.
The returnAppUrl parameter should be set if the Approval App is present on the device; it enables the return to the TPP App from the Approval App. The value should be the package name of the TPP App on Android and a URL-encoded universal link on iOS.
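The following is an added example, not code from the original page or from Bankdata: a Kotlin sketch of building the authorization URL above with a random state, a PKCE S256 code_challenge and every value percent-encoded. The function names and all sample values (endpoint, client id, scope, links, package name) are assumptions, and java.util.Base64 is assumed to be available (JVM, or Android API 26+).

```kotlin
import java.net.URLEncoder
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.Base64

// Base64url without padding, as PKCE (RFC 7636) requires.
private val b64url = Base64.getUrlEncoder().withoutPadding()

// 32 random bytes -> 43-character value, used for both code_verifier and state.
fun randomToken(): String =
    b64url.encodeToString(ByteArray(32).also { SecureRandom().nextBytes(it) })

// code_challenge for code_challenge_method=S256: BASE64URL(SHA-256(ASCII(code_verifier))).
fun codeChallenge(codeVerifier: String): String = b64url.encodeToString(
    MessageDigest.getInstance("SHA-256").digest(codeVerifier.toByteArray(Charsets.US_ASCII)))

// Builds the URL with each value percent-encoded; returnAppUrl is null when no Approval App is present.
fun buildAuthorizationUrl(
    authEndpoint: String, clientId: String, scope: String, redirectUri: String,
    state: String, codeVerifier: String, returnAppUrl: String?
): String {
    val params = linkedMapOf(
        "response_type" to "code",
        "client_id" to clientId,
        "scope" to scope,
        "state" to state,
        "code_challenge_method" to "S256",
        "code_challenge" to codeChallenge(codeVerifier),
        "redirect_uri" to redirectUri
    )
    if (returnAppUrl != null) params["return_app_url"] = returnAppUrl
    return authEndpoint + "?" + params.entries.joinToString("&") { (k, v) ->
        "$k=" + URLEncoder.encode(v, "UTF-8")
    }
}

fun main() {
    // Constructed sample values; the endpoint, client id, scope and links are placeholders.
    val state = randomToken()        // compare with the state returned on the redirect
    val codeVerifier = randomToken() // stays in the app; sent later with the token request
    val url = buildAuthorizationUrl(
        "https://auth.example.invalid/authorize", "my-client-id", "aisp",
        "https://tpp.example.invalid/callback", state, codeVerifier, "com.example.tppapp"
    )
    println(url)
    // RFC 7636 Appendix B test vector for the S256 transform.
    check(codeChallenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk") ==
        "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSHWS4sM")
}
```

In an Android app, Uri.Builder.appendQueryParameter can replace the manual encoding step.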
Once Custom Tab / SFSafariViewController is opened, it will be possible to choose “MitID PSD2 sandbox”. A link will be available to perform app-switch.
When the link for app-switch is pressed in the sandbox environment, the following URL will be opened:
sandboxstub://auth_id={authId}&return_uri={returnUri}&update_uri={updateUri}
where:
updateUri is the URL to request once the user has selected an option (Ok, Cancel, Error).
The query params ?auth_id={authId}&status=<ok|cancel|error> must be added to updateUri before the request is made.
An Approval App for sandbox testing can register for this url scheme.
We have made an Android version of a Sandbox Approval App which can be used as a reference. You can either download our APK file or build your own APK file based on our source code.
Link to Bankdata's public GitHub: https://github.com/Bankdata/open-banking-sandbox-codeapp
Below are some code snippets showing how to check for app presence on a device.
Android
    fun deviceHasApprovalApp(): Boolean {
        return try {
            packageManager.getPackageInfo("dk.bankdata.codeapp.android", 0)
            true
        } catch (e: PackageManager.NameNotFoundException) {
            false
        }
    }
On Android 11+ you may need to add a package query to AndroidManifest.xml.
iOS
    import UIKit

    func canOpenApp() -> Bool {
        guard let url = URL(string: "some-approval-app://") else { return false }
        return UIApplication.shared.canOpenURL(url)
    }
The TPP App must add “some-approval-app” to the plist file using key LSApplicationQueriesSchemes.
After that, it can check for app presence, as shown in the code snippet.
Below are some code snippets showing how to open a URL in a Custom Tab / SFSafariViewController:
Android
    import android.net.Uri
    import androidx.browser.customtabs.CustomTabsIntent

    val customTabsIntent = CustomTabsIntent.Builder().build()
    customTabsIntent.launchUrl(this@MainActivity, Uri.parse(redirectUri))
iOS
    import SafariServices

    guard let url = URL(string: redirectUri) else { return }
    let safariVC = SFSafariViewController(url: url)
    self.navigationController?.pushViewController(safariVC, animated: true)
Android
An intent filter on the main activity in AndroidManifest.xml is needed to enable the Approval App to return to the TPP App:
    <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
    </intent-filter>
iOS
The TPP App needs to implement a Universal Link.