### Example JWT for OIDC Client Creation

Source: https://developer.dnb.no/documentation/account-pre-validation/%40default/%40latest

This is a complete example of a JSON Web Token (JWT) generated for creating an OIDC client. It combines the header and payload, signed with ES256, to authenticate and authorize the client registration process.

```text
eyJhbGciOiJFUzI1NiJ9.eyJhdWQiOiJodHRwczovL2FwaS5jaWFtLmRuYi5uby9jbGllbnRzL3YxIiwiY25mIjp7Imp3ayI6eyJjcnYiOiJQLTI1NiIsImtpZCI6ImlZR2p1aEF1Yi1YNmFzY29qLWFxMHFLZEpaWmVPRGpMSk1zTFNkcHVYYWMiLCJrdHkiOiJFQyIsIngiOiJNUVk3eHlod1EzU2JtTDR5dU5nQUs4REUxVW1LOXM5OGoydlNvd2ZSWmJzIiwieSI6IllLdWdFMzNtbi1wRGRTa214b2ZkRm45eHBFS1hoVFpRaGVsQnVRbllpVFkifX0sImV4cCI6MTcwMTQxMjc0MiwiaWF0IjoxNjk4ODIwNzQyfQ.J4esy0081NITANCvSL6y9N0itdPubmo7h8TlWX2JVdq3WvBKg5Ogy6M8vizi5zHsPokma8KN68OhpcWVIQ_Mdw
```

--------------------------------

### JWT Header Example for OIDC Client Creation

Source: https://developer.dnb.no/documentation/account-pre-validation/%40default/%40latest

This snippet shows the required JSON header format for a JWT used in creating an OIDC client. It specifies the signing algorithm.

```json
{
  "alg": "ES256"
}
```

--------------------------------

### JWT Payload Example for OIDC Client Creation

Source: https://developer.dnb.no/documentation/account-pre-validation/%40default/%40latest

This snippet illustrates the required JSON payload format for a JWT when creating an OIDC client. It includes audience, confirmation details with JWK, expiration time, and issued at time.

```json
{
  "aud": "https://api.ciam.dnb.no/clients/v1",
  "cnf": {
    "jwk": {
      "crv": "P-256",
      "kid": "iYGjuhAub-X6ascoj-aq0qKdJZZeODjLJMsLSdpuXac",
      "kty": "EC",
      "x": "MQY7xyhwQ3SbmL4yuNgAK8DE1UmK9s98j2vSowfRZbs",
      "y": "YKugE33mn-pDdSkmxofdFn9xpEKXhTZQhelBuQnYiTY"
    }
  },
  "exp": 1701412742,
  "iat": 1698820742
}
```

--------------------------------

### PSD2 Onboarding API

Source: https://developer.dnb.no/explorer/apis/regulatory

Dedicated interface for onboarding PSD2 clients using OpenID Connect (OIDC) for secure access to regulated account and payment services.

```APIDOC
## PSD2 Onboarding

### Description
Onboards PSD2 clients securely using OIDC for access to regulated services.

### Method
POST

### Endpoint
/apis/psd2-onboarding

### Parameters
#### Request Body
- **clientId** (string) - Required - The client identifier.
- **redirectUri** (string) - Required - The URI to redirect to after successful onboarding.
- **scopes** (array) - Required - The requested scopes for the client's access.

### Request Example
```json
{
  "clientId": "my-tpp-client-id",
  "redirectUri": "https://my-tpp.com/callback",
  "scopes": ["account_info", "payments"]
}
```

### Response
#### Success Response (200)
- **authorizationUrl** (string) - The URL for client authorization.
- **state** (string) - A unique identifier for the session.

#### Response Example
```json
{
  "authorizationUrl": "https://auth.dnb.no/authorize?client_id=my-tpp-client-id&redirect_uri=https://my-tpp.com/callback&scope=account_info%20payments&state=random_state_string",
  "state": "random_state_string"
}
```
```

--------------------------------

### Introduction to Markets FX: Post Trade API

Source: https://developer.dnb.no/documentation/markets-fx-post-trade/%40default/%40latest

This section provides an overview of the Markets FX Post Trade API, its purpose, and the general process for accessing FX transaction data.

```APIDOC
## Introduction to Markets FX: Post Trade API

### Description
API for retrieving FX transactions, post-trade, between DNB Markets and a given organization. Supports trade date range filtering and pagination.

### Getting Started
To use this API, you need to onboard your client application and ensure it has the necessary scopes. Additionally, your client must be onboarded within Markets to access organizational data.

### Contact Information
For support or inquiries, please contact:
- Email: markets.efx@dnb.no
- Phone: +47 24 16 91 20
```

--------------------------------

### Payment Initiation Service API

Source: https://developer.dnb.no/explorer/apis/regulatory

Dedicated interface to initiate domestic and international payments for both individual and corporate customers' accounts.

```APIDOC
## Payment Initiation Service

### Description
Initiates domestic and international payments from customer accounts.

### Method
POST

### Endpoint
/apis/payment-initiation

### Parameters
#### Request Body
- **debtorAccount** (string) - Required - The account number from which the payment will be made.
- **creditorAccount** (string) - Required - The account number to which the payment will be made.
- **amount** (object) - Required - The payment amount and currency.
  - **amount** (string) - Required - The numeric value of the amount.
  - **currency** (string) - Required - The ISO currency code (e.g., NOK).
- **remittanceInformation** (string) - Optional - Information to be included in the payment reference.

### Request Example
```json
{
  "debtorAccount": "1234567890",
  "creditorAccount": "0987654321",
  "amount": {
    "amount": "100.00",
    "currency": "NOK"
  },
  "remittanceInformation": "Payment for invoice #123"
}
```

### Response
#### Success Response (200)
- **paymentId** (string) - A unique identifier for the initiated payment.
- **status** (string) - The current status of the payment initiation.

#### Response Example
```json
{
  "paymentId": "pay_abc123xyz",
  "status": "PENDING_AUTHORIZATION"
}
```
```

--------------------------------

### POST /as/token.oauth2 - Fetch Access Token

Source: https://developer.dnb.no/documentation/account-pre-validation/%40default/%40latest

This endpoint is used to obtain an access token by providing client credentials. The token is required to authenticate requests to protected API resources.

```APIDOC
## POST /as/token.oauth2

### Description
Fetches an access token required for authenticating requests to DNB Bank APIs.

### Method
POST

### Endpoint
/as/token.oauth2

### Parameters
#### Query Parameters
- **grant_type** (string) - Required - The grant type to exchange the token. Use 'client_credentials'.
- **client_assertion_type** (string) - Required - The type of client assertion. Only 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' is supported.
- **client_assertion** (string) - Required - The JWT for client authentication.
- **scope** (string) - Required - The scopes for the token. Separate multiple scopes with a space and URL encode the string (e.g., 'openbanking.prevalidation.norway%3Avalidate openbanking.prevalidation.international%3Avalidate').

### Request Example
```
POST /as/token.oauth2 HTTP/1.1
Host: api.ciam.dnb.no
Content-Type: application/x-www-form-urlencoded

client_assertion=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJodHRwczovL210bHMuYXV0aC5kbmIubm8vYXMvdG9rZW4ub2F1dGgyIiwiZXhwIjoxNjc3ODQyMzUxLCJpYXQiOjE2Nzc4NDExNTEsImlzcyI6Ijc2YWVjOGY4LThlZjgtNGVhNi1hMDg3LTUxY2RhY2Q1Mzk1MyIsImp0aSI6IlBRQU5uRGc5eFBUOFdEWUJQRFpZckEiLCJuYmYiOjE2Nzc4NDExNTEsInN1YiI6Ijc2YWVjOGY4LThlZjgtNGVhNi1hMDg3LTUxY2RhY2Q1Mzk1MyJ9.FRW8WfAjAqAyx-DUftNnEu81R_JaKbDa8rmZh9GxDjjHktdQW3K_VKKYCWzg4NlwInueu0eRc2o2_wIA49Zh0Q
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&grant_type=client_credentials
&scope=openbanking.prevalidation.norway%3Avalidate%20openbanking.prevalidation.international%3Avalidate
```

### Response
#### Success Response (200)
- **access_token** (string) - The obtained Bearer token.
- **token_type** (string) - The type of token, typically 'Bearer'.
- **expires_in** (integer) - The time in seconds until the token expires.

#### Response Example
```json
{
  "access_token": "{omitted for brevity}",
  "token_type": "Bearer",
  "expires_in": 3600
}
```
```

--------------------------------

### Helper Functions for JWS Conversion

Source: https://developer.dnb.no/documentation/account-pre-validation/%40default/%40latest

Provides utility functions for JWS generation, including forcing values to bytes and Base64 URL encoding. `force_bytes` ensures input is in bytes format, while `base64url_encode` performs the necessary encoding. `number_to_bytes` converts numbers to byte strings.

```python
import base64
import binascii


def force_bytes(value):
    # Accept ASCII text or bytes; anything else is a caller error
    if isinstance(value, str):
        return value.encode("ascii")
    elif isinstance(value, bytes):
        return value
    else:
        raise TypeError("Expected a string value")


def base64url_encode(input):
    # Base64 URL encoding without '=' padding, as used for JWS segments
    return base64.urlsafe_b64encode(input).replace(b"=", b"")


def number_to_bytes(num, num_bytes):
    # Fixed-width big-endian encoding, left-padded with zero bytes
    padded_hex = "%0*x" % (2 * num_bytes, num)
    big_endian = binascii.a2b_hex(padded_hex.encode("ascii"))
    return big_endian
```

--------------------------------

### Authorization Header - Attaching Access Token

Source: https://developer.dnb.no/documentation/account-pre-validation/%40default/%40latest

This section describes how to attach the obtained access token to subsequent API requests using the Authorization header for authentication.

```APIDOC
## Authorization Header

### Description
Attach the obtained access token to your API requests using the `Authorization` header to authenticate and gain access to protected resources.

### Method
All HTTP Methods (GET, POST, PUT, DELETE, etc.)

### Endpoint
Any protected API endpoint

### Parameters
#### Request Headers
- **Authorization** (string) - Required - The access token, prefixed with 'Bearer ' (e.g., 'Bearer {access_token}').

### Request Example
```
Authorization: Bearer {access token}
```
```

--------------------------------

### API Access Verification Endpoints

Source: https://developer.dnb.no/documentation/account-pre-validation/%40default/%40latest

Provides the endpoints for discovering API configuration and accessing the API.

```APIDOC
## API Access Verification Endpoints

### Description
Endpoints for OpenID Connect (OIDC) discovery and the base URL for accessing the DNB API.

### Method
GET

### Endpoint
- **OIDC Discovery:** `https://api.ciam.dnb.no/.well-known/openid-configuration`
- **API Base Address:** `https://prevalidation.api.dnb.no/`

### Parameters
#### Path Parameters
None

#### Query Parameters
None

#### Request Body
None

### Request Example
None

### Response
#### Success Response (200) for OIDC Discovery
Provides a JSON document detailing the OIDC configuration, including token endpoints, authorization endpoints, etc.

#### Response Example (OIDC Discovery - Snippet)
```json
{
  "issuer": "https://api.ciam.dnb.no",
  "jwks_uri": "https://api.ciam.dnb.no/jwks",
  "token_endpoint": "https://api.ciam.dnb.no/as/token.oauth2",
  "...other OIDC parameters..."
}
```

### Error Handling
- 404 Not Found for invalid paths.
- Network errors if endpoints are unavailable.
```

--------------------------------

### Create JWS using AWS KMS

Source: https://developer.dnb.no/documentation/account-pre-validation/%40default/%40latest

Generates a JSON Web Signature (JWS) using AWS KMS for signing. It constructs the JWS by combining header and payload, signing with a specified key ARN and region, and verifying the signature before returning the complete JWS. Dependencies include boto3 for AWS interaction.

```python
def create_jws(key_arn, payload, header, region):
    # Segments: header and payload are already base64url-encoded bytes
    segments = [header, payload]
    signing_input = b".".join(segments)
    # sign_jwt, verify_jwt and convert_ECDSA_signature_to_base64 are the
    # helper functions from the other snippets in this documentation
    jwt_signature = sign_jwt(key_arn, signing_input, region)
    verify_jwt_response = verify_jwt(key_arn, signing_input, jwt_signature, region)
    if verify_jwt_response['SignatureValid']:
        segments.append(convert_ECDSA_signature_to_base64(jwt_signature))
        return b".".join(segments)
    else:
        # Fail loudly instead of returning None to the caller
        raise RuntimeError("Could not generate jws for the client")
```

--------------------------------

### Create JWT Key using AWS KMS (Python)

Source: https://developer.dnb.no/documentation/account-pre-validation/%40default/%40latest

This Python script utilizes AWS KMS to create a new cryptographic key or use an existing one.
It generates a JSON Web Key Set (JWKS) containing the public key. The script requires the `boto3`, `click`, `jwcrypto`, and `cryptography` libraries. It takes environment, client name, and optional KMS key ID, region, and replication region as input.

```python
import click
import boto3
import base64
import time
import json
import jwcrypto.jwk as jwk
from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature

apiDomainName = {'prod': 'api.ciam.dnb.no'}


@click.command(help='Creates a kms key and generates jwks')
@click.option(
    "-e",
    "--environment",
    envvar="ENVIRONMENT",
    required=True,
    help="The environment to deploy to",
    type=click.Choice(list(apiDomainName.keys()), case_sensitive=True)
)
@click.option(
    "-c",
    "--client_name",
    envvar="CLIENTNAME",
    required=True,
    help="The name of the client for which jwks has to be generated. Only relevant when creating kms key",
)
@click.option(
    "-k",
    "--kms-key-id",
    envvar="KMS_KEY_ID",
    required=False,
    help="If the kms key already exists, specify the key id to generate a jwks. "
         "Key Id can be an id, arn, or alias. "
         "When using an alias name, prefix it with 'alias/'. "
         "https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/kms.html#KMS.Client.get_public_key"
)
@click.option(
    "-r",
    "--region",
    envvar="REGION",
    default="eu-west-1",
    show_default='eu-west-1',
    required=False,
    help="The region of the aws environment where the kms key would be created"
)
@click.option(
    "-rr",
    "--replicate-region",
    envvar="REPLICATE_REGION",
    required=False,
    help="The replication region where KMS key has to be replicated from primary region"
)
def main(environment, client_name, kms_key_id, region, replicate_region):
    if kms_key_id:
        key_arn = kms_key_id
    else:
        key_arn = create_kms_key(client_name, region, replicate_region)

    pub_key_jwk = get_public_key(key_arn, region)
    jwt_header = get_header()
    jwt_payload = create_jwt_payload(environment, pub_key_jwk)
    client_jws = create_jws(key_arn, jwt_payload, jwt_header, region)
    print(json.dumps(
        {
            'key_id': key_arn,
            'client_jws': client_jws.decode('ascii')
        },
        indent=2
    ))


def create_kms_key(client_name, region, replicate_region):
    multi_region = False
    if replicate_region:
        multi_region = True
    else:
        print("Generating Single region KMS key")

    kms_client = boto3.client("kms", region_name=region)
    # The private key is generated inside KMS and never leaves it
    create_key_response = kms_client.create_key(
        Description=f"Automatically generated key for {client_name}",
        KeyUsage="SIGN_VERIFY",
        CustomerMasterKeySpec="ECC_NIST_P256",
        Tags=[
            {
                'TagKey': 'dnb:ciam:client-name',
                'TagValue': client_name
            },
        ],
        MultiRegion=multi_region
    )
    if multi_region:
        kms_client.replicate_key(
            KeyId=create_key_response["KeyMetadata"]["KeyId"],
            ReplicaRegion=replicate_region,
            Description=f"Replication from {region} automatically generated key for {client_name}",
            Tags=[
                {
                    'TagKey': 'dnb:ciam:client-name',
                    'TagValue': client_name
                },
            ]
        )
        kms_client_rr = boto3.client("kms", region_name=replicate_region)
        kms_client_rr.create_alias(
            AliasName=f"alias/ciam-{client_name}",
            TargetKeyId=create_key_response["KeyMetadata"]["KeyId"]
        )
    kms_client.create_alias(
        AliasName=f"alias/ciam-{client_name}",
        TargetKeyId=create_key_response["KeyMetadata"]["KeyId"]
    )
    return create_key_response["KeyMetadata"]["Arn"]


def get_public_key(key_arn, region):
    kms_client = boto3.client("kms", region_name=region)
    get_pub_key_response = kms_client.get_public_key(KeyId=key_arn)
    # KMS returns the DER-encoded public key; wrap it as PEM for jwcrypto
    pub_key_raw_bytes = base64.b64encode(get_pub_key_response["PublicKey"])
    pub_key_raw_string = pub_key_raw_bytes.decode("ascii")
    pub_key_pkcs8_string = "-----BEGIN PUBLIC KEY-----\n{}\n-----END PUBLIC KEY-----".format(
        pub_key_raw_string
    )
    pub_key_pkcs8_bytes = bytearray()
    pub_key_pkcs8_bytes.extend(map(ord, pub_key_pkcs8_string))
    pub_key = jwk.JWK.from_pem(data=pub_key_pkcs8_bytes)
    return pub_key.export_public()


def create_jwt_payload(environment, pub_key_jwk):
    iat = int(time.time())  # current Unix timestamp (seconds since the epoch, UTC)
    exp = iat + (30 * 24 * 3600)  # valid for the next 30 days from iat
    aud = 'https://{}/clients/v1'.format(apiDomainName[environment])
    cnf = {'jwk': json.loads(pub_key_jwk)}
    payload = {'aud': aud, 'cnf': cnf, 'exp': exp, 'iat': iat}
    payloadBytes = force_bytes(json.dumps(payload, separators=(',', ':')))
    return base64url_encode(payloadBytes)


def get_header():
    header = {"alg": "ES256"}
    json_header = force_bytes(json.dumps(header, separators=(',', ':')))
    return base64url_encode(json_header)


def force_bytes(s):
    if isinstance(s, str):
        return s.encode('utf-8')
    return s


def base64url_encode(data):
    encoded_str = base64.urlsafe_b64encode(data).rstrip(b'=')
    return encoded_str


def create_jws(key_arn, payload, header, region):
    kms_client = boto3.client('kms', region_name=region)
    message = header + b'.' + payload
    sign_response = kms_client.sign(KeyId=key_arn, Message=message, SigningAlgorithm='ECDSA_SHA_256')
    # KMS returns a DER-encoded signature; JWS ES256 needs raw r || s,
    # each as a 32-byte big-endian integer
    r, s = decode_dss_signature(sign_response['Signature'])
    raw_signature = r.to_bytes(32, 'big') + s.to_bytes(32, 'big')
    return message + b'.' + base64url_encode(raw_signature)


if __name__ == '__main__':
    main()
```

--------------------------------

### Account Information Service API

Source: https://developer.dnb.no/explorer/apis/regulatory

Dedicated interface to retrieve an overview of accounts for individual and corporate customers, including available balances and transactions.

```APIDOC
## Account Information Service

### Description
Provides an overview of customer accounts, balances, and transactions.

### Method
GET

### Endpoint
/apis/account-information

### Parameters
#### Query Parameters
- **version** (string) - Optional - Specifies the API version.

### Request Example
```json
{
  "query": "?version=2.77.0"
}
```

### Response
#### Success Response (200)
- **accounts** (array) - List of account details.
- **balances** (array) - List of balance information.
- **transactions** (array) - List of transaction details.

#### Response Example
```json
{
  "accounts": [
    {
      "accountId": "1234567890",
      "accountName": "Checking Account"
    }
  ],
  "balances": [
    {
      "accountId": "1234567890",
      "currentBalance": {
        "amount": "1000.00",
        "currency": "NOK"
      }
    }
  ],
  "transactions": [
    {
      "accountId": "1234567890",
      "transactionId": "txn123",
      "description": "Groceries",
      "amount": {
        "amount": "-50.00",
        "currency": "NOK"
      }
    }
  ]
}
```
```

--------------------------------

### JWT Header for Client Assertion

Source: https://developer.dnb.no/documentation/account-pre-validation/%40default/%40latest

This is a sample header for a JSON Web Token (JWT) used as a client assertion. It specifies the signing algorithm (ES256), the key ID (kid), and the token type (JWT). This header is part of the JWT structure for client authentication.

```json
{
  "alg": "ES256",
  "kid": "VT8VpJCLznY5Hn304q4OHCQq0FVCaX",
  "typ": "JWT"
}
```

--------------------------------

### Fetch Access Token Request

Source: https://developer.dnb.no/documentation/account-pre-validation/%40default/%40latest

This snippet demonstrates how to request an access token using the OAuth 2.0 client credentials grant type. It requires a POST request to the token endpoint with specific form parameters, including client assertion, assertion type, grant type, and scope. The JWT client assertion is a critical component for authentication.

```http
POST /as/token.oauth2 HTTP/1.1
Host: api.ciam.dnb.no
Content-Type: application/x-www-form-urlencoded

client_assertion=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJodHRwczovL210bHMuYXV0aC5kbmIubm8vYXMvdG9rZW4ub2F1dGgyIiwiZXhwIjoxNjc3ODQyMzUxLCJpYXQiOjE2Nzc4NDExNTEsImlzcyI6Ijc2YWVjOGY4LThlZjgtNGVhNi1hMDg3LTUxY2RhY2Q1Mzk1MyIsImp0aSI6IlBRQU5uRGc5eFBUOFdEWUJQRFpZckEiLCJuYmYiOjE2Nzc4NDExNTEsInN1YiI6Ijc2YWVjOGY4LThlZjgtNGVhNi1hMDg3LTUxY2RhY2Q1Mzk1MyJ9.FRW8WfAjAqAyx-DUftNnEu81R_JaKbDa8rmZh9GxDjjHktdQW3K_VKKYCWzg4NlwInueu0eRc2o2_wIA49Zh0Q
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&grant_type=client_credentials
&scope=openbanking.prevalidation.norway%3Avalidate%20openbanking.prevalidation.international%3Avalidate
```

--------------------------------

### JWT Structure for OIDC Client Public Key

Source: https://developer.dnb.no/documentation/account-pre-validation/%40default/%40latest

Details the required structure for the JWT used to submit the public key when creating an OIDC client.

```APIDOC
## JWT Structure for OIDC Client Public Key

### Description
Specifies the format of the JSON Web Token (JWT) required to submit your public key for OIDC client creation.

### Method
Not Applicable (Format description)

### Endpoint
Not Applicable (Format description)

### Parameters
#### Path Parameters
None

#### Query Parameters
None

#### Request Body
None

### JWT Structure
#### Header
```json
{
  "alg": "ES256"
}
```

#### Payload
```json
{
  "aud": "https://api.ciam.dnb.no/clients/v1",
  "cnf": {
    "jwk": {
      "crv": "P-256",
      "kid": "[Your-Key-ID]",
      "kty": "EC",
      "x": "[Your-Public-Key-X-Coordinate]",
      "y": "[Your-Public-Key-Y-Coordinate]"
    }
  },
  "exp": [Timestamp - Max 30 days after iat],
  "iat": [Timestamp - Current Date]
}
```

**Key Fields:**
- **alg**: Algorithm, must be `ES256`.
- **aud**: Audience, must be `https://api.ciam.dnb.no/clients/v1`.
- **cnf.jwk**: Contains your public key in JWK format.
  - **crv**: Curve, must be `P-256`.
  - **kid**: Key ID (unique identifier for your key).
  - **kty**: Key Type, must be `EC`.
  - **x**: X-coordinate of your EC public key.
  - **y**: Y-coordinate of your EC public key.
- **exp**: Expiration time of the JWT (Unix timestamp). Maximum 30 days after `iat`.
- **iat**: Issued at time (Unix timestamp). Current date is the latest possible.

### Example JWT
```
eyJhbGciOiJFUzI1NiJ9.eyJhdWQiOiJodHRwczovL2FwaS5jaWFtLmRuYi5uby9jbGllbnRzL3YxIiwiY25mIjp7Imp3ayI6eyJjcnYiOiJQLTI1NiIsImtpZCI6ImlZR2p1aEF1Yi1YNmFzY29qLWFxMHFLZEpaWmVPRGpMSk1zTFNkcHVYYWMiLCJrdHkiOiJFQyIsIngiOiJNUVk3eHlod1EzU2JtTDR5dU5nQUs4REUxVW1LOXM5OGoydlNvd2ZSWmJzIiwieSI6IllLdWdFMzNtbi1wRGRTa214b2ZkRm45eHBFS1hoVFpRaGVsQnVRbllpVFkifX0sImV4cCI6MTcwMTQxMjc0MiwiaWF0IjoxNjk4ODIwNzQyfQ.J4esy0081NITANCvSL6y9N0itdPubmo7h8TlWX2JVdq3WvBKg5Ogy6M8vizi5zHsPokma8KN68OhpcWVIQ_Mdw
```

### Security Notes
- Only ES256 keys are supported.
- For production, the private key should be generated in HSM and be non-exportable.
- Submit your public key via the DNB contact form.

### Error Handling
Invalid JWT format, incorrect claims, unsupported key types or algorithms.
```

--------------------------------

### Currencies V2 API

Source: https://developer.dnb.no/documentation/carnegie-currencies/%40default/%40latest

This API endpoint allows you to retrieve a list of currency rates for more than 50 currencies. The rates are updated on each business weekday.

```APIDOC
## GET /currencies/v2

### Description
Retrieves a list of currency rates for 50+ currencies, updated on business weekdays.

### Method
GET

### Endpoint
/currencies/v2

### Parameters
#### Query Parameters
- **apiKey** (string) - Required - Your API key for authentication.

### Request Example
```json
{
  "apiKey": "YOUR_API_KEY"
}
```

### Response
#### Success Response (200)
- **currencyRates** (object) - An object containing currency codes as keys and their corresponding rates as values.
  - Example: `{"USD": 1.1, "EUR": 1.0, "GBP": 0.85}`

#### Response Example
```json
{
  "currencyRates": {
    "USD": 1.1234,
    "EUR": 1.0,
    "GBP": 0.8765
  }
}
```
```

--------------------------------

### Attach Access Token to Request Header

Source: https://developer.dnb.no/documentation/account-pre-validation/%40default/%40latest

This snippet shows how to attach the obtained access token to subsequent API requests. The token is included in the Authorization header with the 'Bearer' scheme, followed by the access token itself. This is essential for authenticating requests to protected API resources.

```http
Authorization:Bearer {access token}
```

--------------------------------

### Successful Access Token Response

Source: https://developer.dnb.no/documentation/account-pre-validation/%40default/%40latest

A successful response to an access token request includes an HTTP 200 OK status, a Content-Type of application/json, and a JSON body containing the access token, its type (Bearer), and the expiration time in seconds.

```http
HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "{omitted for brevity}",
  "token_type": "Bearer",
  "expires_in": 3600
}
```

--------------------------------

### PSD2 Fallback API

Source: https://developer.dnb.no/explorer/apis/regulatory

Serves as a contingency measure and can be used in conjunction with other PSD2 APIs to handle missing data and functionality.

```APIDOC
## PSD2 Fallback

### Description
Provides fallback functionality and data for PSD2 related services.

### Method
GET

### Endpoint
/apis/psd2-fallback

### Parameters
#### Query Parameters
- **resource** (string) - Required - The specific resource or data point needed.
- **version** (string) - Optional - Specifies the API version.

### Request Example
```json
{
  "query": "?resource=account_balances&version=latest"
}
```

### Response
#### Success Response (200)
- **data** (object) - The requested fallback data.

#### Response Example
```json
{
  "data": {
    "message": "Fallback data for account balances."
  }
}
```
```

--------------------------------

### Bearer Token Authentication

Source: https://developer.dnb.no/documentation/account-pre-validation/%40default/%40latest

Requests to the DNB API require an access token in the Bearer token format. Obtaining this token involves creating an OIDC client and generating a JWT signed with an ES256 key.

```APIDOC
## Bearer Token Authentication

### Description
Authenticates requests using a Bearer token obtained via an OIDC client. Requires a JWT signed with an ES256 key.

### Method
POST

### Endpoint
`https://api.ciam.dnb.no/as/token.oauth2`

### Parameters
#### Path Parameters
None

#### Query Parameters
None

#### Request Body
- **grant_type** (string) - Required - Typically `client_credentials` for client authentication.
- **client_assertion_type** (string) - Required - Must be `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`.
- **client_assertion** (string) - Required - The JWT signed with the private key, containing the public key JWK in the `cnf.jwk` field.

### Request Example
```json
{
  "grant_type": "client_credentials",
  "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
  "client_assertion": "eyJhbGciOiJFUzI1NiJ9.eyJhdWQiOiJodHRwczovL2FwaS5jaWFtLmRuYi5uby9jbGllbnRzL3YxIiwiY25mIjp7Imp3ayI6eyJjcnYiOiJQLTI1NiIsImtpZCI6ImlZR2p1aEF1Yi1YNmFzY29qLWFxMHFLZEpaWmVPRGpMSk1zTFNkcHVYYWMiLCJrdHkiOiJFQyIsIngiOiJNUVk3eHlod1EzU2JtTDR5dU5nQUs4REUxVW1LOXM5OGoydlNvd2ZSWmJzIiwieSI6IllLdWdFMzNtbi1wRGRTa214b2ZkRm45eHBFS1hoVFpRaGVsQnVRbllpVFkifX0sImV4cCI6MTcwMTQxMjc0MiwiaWF0IjoxNjk4ODIwNzQyfQ.J4esy0081NITANCvSL6y9N0itdPubmo7h8TlWX2JVdq3WvBKg5Ogy6M8vizi5zHsPokma8KN68OhpcWVIQ_Mdw"
}
```

### Response
#### Success Response (200)
- **access_token** (string) - The obtained access token for API requests.
- **token_type** (string) - Typically `Bearer`.
- **expires_in** (integer) - The lifetime in seconds of the access token.

#### Response Example
```json
{
  "access_token": "eyJ...",
  "token_type": "Bearer",
  "expires_in": 3600
}
```

### Error Handling
Invalid or expired JWT, incorrect assertion types, or issues with the OIDC client configuration.
```

--------------------------------

### Mutual TLS (mTLS) Authentication

Source: https://developer.dnb.no/documentation/account-pre-validation/%40default/%40latest

All network traffic to the DNB API is secured using mTLS. Integrators must acquire a QC eSeal certificate issued by Buypass or Commfides and configure it correctly to establish a secure connection.

```APIDOC
## Mutual TLS (mTLS) Authentication

### Description
Secures network traffic to the DNB API using mTLS. Requires a QC eSeal certificate from Buypass or Commfides.

### Method
Not Applicable (Transport Layer Security)

### Endpoint
Not Applicable (Applies to all API endpoints)

### Parameters
#### Path Parameters
None

#### Query Parameters
None

#### Request Body
None

### Request Example
None

### Response
None (Handled at the TLS connection level)

### Error Handling
Connection failures due to invalid or missing certificates.
```

--------------------------------

### Convert ECDSA Signature to Base64 URL

Source: https://developer.dnb.no/documentation/account-pre-validation/%40default/%40latest

Converts an ECDSA signature obtained from AWS KMS into a Base64 URL-encoded format suitable for JWS. It decodes the signature, formats it into raw bytes, and then applies Base64 URL encoding. Dependencies include binascii and base64.

```python
from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature


def convert_ECDSA_signature_to_base64(signature):
    # P-256: r and s are each encoded as 32-byte big-endian integers
    num_bits = 256
    num_bytes = (num_bits + 7) // 8
    # KMS returns the signature DER-encoded; extract the integers r and s
    r, s = decode_dss_signature(signature)
    # number_to_bytes and base64url_encode come from the helper functions snippet
    rawsig = number_to_bytes(r, num_bytes) + number_to_bytes(s, num_bytes)
    return base64url_encode(rawsig)
```

--------------------------------

### Sign JWT with AWS KMS

Source: https://developer.dnb.no/documentation/account-pre-validation/%40default/%40latest

Signs a JWT payload using AWS KMS. This function utilizes the 'sign' operation of the KMS client to create a digital signature for the provided message using a specified key ARN and signing algorithm. It requires the boto3 library.

```python
import boto3


def sign_jwt(key_arn, jwt_payload, region):
    kms_client = boto3.client("kms", region_name=region)
    # jwt_payload is the message to sign, passed as raw bytes
    sign_jwt_response = kms_client.sign(
        KeyId=key_arn,
        Message=jwt_payload,
        MessageType='RAW',
        SigningAlgorithm='ECDSA_SHA_256'
    )
    return sign_jwt_response["Signature"]
```

--------------------------------

### Verify JWT with AWS KMS

Source: https://developer.dnb.no/documentation/account-pre-validation/%40default/%40latest

Verifies a JWT signature using AWS KMS.
This function employs the 'verify' operation of the KMS client to check if the provided signature is valid for the given message and key ARN. It returns the verification result, including whether the signature is valid. Requires boto3.

```python
import boto3


def verify_jwt(key_arn, message, signature, region):
    kms_client = boto3.client("kms", region_name=region)
    # signature is the DER-encoded value returned by the KMS sign operation
    response = kms_client.verify(
        KeyId=key_arn,
        Message=message,
        MessageType='RAW',
        Signature=signature,
        SigningAlgorithm='ECDSA_SHA_256',
    )
    return response
```

--------------------------------

### JWT Payload for Client Assertion

Source: https://developer.dnb.no/documentation/account-pre-validation/%40default/%40latest

This JSON object represents the payload of a JWT used for client assertion. It includes claims such as audience, expiration time (exp), issued at time (iat), issuer (iss), JWT ID (jti), not before time (nbf), and subject (sub). The issuer and subject typically represent the client ID.

```json
{
  "aud": [
    "https://api.ciam.dnb.no/as/token.oauth2"
  ],
  "exp": 1670860748,
  "iat": 1670860508,
  "iss": "{client id}",
  "jti": "{uuid}",
  "sub": "{client id}"
}
```
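
The field rules listed under "JWT Structure for OIDC Client Public Key" can be checked locally before the token is submitted. The following is an added example, not DNB's code: `check_registration_jwt` and `build_sample` are hypothetical names, and the sample token is constructed from the payload documented on this page with a placeholder signature. The signature is only checked for the 64-byte raw r||s length, not verified cryptographically.

```python
import base64
import json

# Rules the page states for the OIDC client creation JWT.
REQUIRED_AUD = "https://api.ciam.dnb.no/clients/v1"
MAX_LIFETIME_SECONDS = 30 * 24 * 3600  # exp at most 30 days after iat
PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "k"}

# Constructed sample: the public JWK from the payload example on this page.
SAMPLE_JWK = {
    "crv": "P-256", "kty": "EC",
    "kid": "iYGjuhAub-X6ascoj-aq0qKdJZZeODjLJMsLSdpuXac",
    "x": "MQY7xyhwQ3SbmL4yuNgAK8DE1UmK9s98j2vSowfRZbs",
    "y": "YKugE33mn-pDdSkmxofdFn9xpEKXhTZQhelBuQnYiTY",
}


def b64url_decode(segment):
    """Decode an unpadded base64url string; raises ValueError on bad input."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.b64decode(padded, altchars=b"-_", validate=True)


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_sample(payload_overrides=None, signature=b"\x01" * 64):
    """Build a constructed token: documented payload, placeholder signature."""
    payload = {"aud": REQUIRED_AUD, "cnf": {"jwk": SAMPLE_JWK},
               "exp": 1701412742, "iat": 1698820742}
    payload.update(payload_overrides or {})
    segments = [json.dumps(part, separators=(",", ":")).encode("ascii")
                for part in ({"alg": "ES256"}, payload)]
    return ".".join([b64url_encode(s) for s in segments] + [b64url_encode(signature)])


def check_registration_jwt(token, now):
    """Return the list of rule violations; an empty list means none were found."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["expected three dot-separated segments"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError as exc:
        return [f"segment is not valid base64url/JSON: {exc}"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["header and payload must be JSON objects"]

    problems = []
    if header.get("alg") != "ES256":
        problems.append("alg must be ES256")
    if payload.get("aud") != REQUIRED_AUD:
        problems.append("aud must be " + REQUIRED_AUD)
    cnf = payload.get("cnf")
    jwk = cnf.get("jwk") if isinstance(cnf, dict) else {}
    jwk = jwk if isinstance(jwk, dict) else {}
    if jwk.get("kty") != "EC" or jwk.get("crv") != "P-256":
        problems.append("cnf.jwk must be an EC key on curve P-256")
    if not jwk.get("kid"):
        problems.append("cnf.jwk.kid is missing")
    leaked = sorted(PRIVATE_JWK_MEMBERS & set(jwk))
    if leaked:
        problems.append("cnf.jwk contains private key members: " + ", ".join(leaked))
    for coord in ("x", "y"):
        try:
            ok = len(b64url_decode(jwk.get(coord))) == 32
        except (TypeError, ValueError):
            ok = False
        if not ok:
            problems.append(f"cnf.jwk.{coord} must be a 32-byte base64url value")

    iat, exp = payload.get("iat"), payload.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        problems.append("iat and exp must be integer Unix timestamps")
    else:
        if iat > now:
            problems.append("iat is in the future")
        if exp <= now:
            problems.append("token has expired")
        if exp - iat > MAX_LIFETIME_SECONDS:
            problems.append("exp is more than 30 days after iat")
    # JWS ES256 carries raw r||s (64 bytes); a DER-encoded signature fails here.
    if len(signature) != 64:
        problems.append(f"signature is {len(signature)} bytes, expected 64 (raw r||s)")
    return problems


if __name__ == "__main__":
    der_like = b"\x30\x44" + (b"\x02\x20" + b"\x11" * 32) * 2  # constructed DER shape
    print(check_registration_jwt(build_sample(signature=der_like), now=1698820802))
```

The signature-length check catches the case where the DER signature returned by a signing service is base64url-encoded directly instead of being converted to r||s first.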