Dynamic Client Registration API

(1 review)

Introduction

This specification defines the automated mechanism for a Third Party Provider (TPP) to register one or more clients with Bank of Ireland UK. The Dynamic Client Registration APIs allows a TPP to register one or more clients with the bank. This automated mechanism is compliant with Open Banking’s Dynamic Client Registration specification v3.3. Dynamic Client Registration v3.3 is not currently supported for Bank of Ireland (ROI). Dynamic Client Registration v1.2 is supported for Bank of Ireland (ROI).

APIs supported:

Bank of Ireland UK supports POST and PUT v3.3 API endpoints. Bank of Ireland UK does not support GET or DELETE v3.3 API endpoints.

Please refer to the BOI API list for full details of what APIs are available in the Sandbox or in production, and on which brand.

Software Statement Assertion (SSA)

The SSA is a JSON Web Token (JWT) containing client metadata about an instance of TPP client software. The JWT must be issued and signed by Open Banking for Production. For our Sandbox a TPP can use an unsigned SSA.

SSA Payload

The payload of an SSA MUST be a compliant software statement according to [RFC7591]. The SSA MUST also be a compliant JWT according to [RFC7519]. The table below describes the metadata profiles.

Metadata	Description	Source Specification
software_id	Unique Identifier for TPP Client Software	[RFC7591]
iss	SSA Issuer	[RFC7519]
iat	Time SSA is issued	[RFC7519]
jti	JWT ID	[RFC7519]

The following software metadata is additionally defined for this profile:

Metadata	Description
software_client_id	The client ID registered at OB used to access OB resources for non-OB SSA, client id is used as an input by BOI to generate the unique client_id for a TPP.
software_client_description	Human-readable detailed description of the client
software_client_name	Human-readable Software Name
software_client_uri	The website or resource root uri
software_version	The version number of the software should a TPP choose to register and / or maintain it
software_environment	Requested additional field to avoid certificate check
software_jwks_endpoint	Contains all active signing and network certificates for the software
software_jwks_revoked_endpoint	Contains all revoked signing and network certificates for the software
software_logo_uri	Link to the TPP logo. Note, ASPSPs are not obliged to display images hosted by third parties
software_mode	ASPSP requested additional field to indicate that this software is "Test" or "Live" the default is "Live". Impact and support for "Test" software is up to the ASPSP.
software_on_behalf_of_org	A reference to fourth party organsiation resource on the OB Directory if the registering TPP is acting on behalf of another.
software_policy_uri	A link to the software's policy page
software_redirect_uris	Registered client callback endpoints as registered with Open Banking
software_roles	A multi value list of PSD2 roles that this software is authorized to perform.
software_tos_uri	A link to the software's terms of service page

The following organisational metadata is defined for this profile:

Metadata	Description
organisation_competent_authority_claims	Authorisations granted to the organisation by an NCA
org_status	Included to cater for voluntary withdrawal from OB scenarios default values: Active, Revoked or Withdrawn
org_id	The unique TPP or ASPSP ID held by Open Banking. In Sandbox, for non-OB SSA this field should contain the NCA ID as per the eIDAS certificate.
org_name	Legal entity identifier or other known organisation name
org_contacts	JSON array of objects containing a triplet of name, email, and phone number
org_jwks_endpoint	Contains all active signing and network certificates for the organisation
org_jwks_revoked_endpoint	Contains all revoked signing and network certificates for the organisation

SSA Header

The SSA header MUST comply with [RFC7519].

Metadata	Description
typ	MUST be set to JWT
alg	MUST be set to PS256. For Sandbox, non-OB SSA this field should be set to "NONE".
kid	The kid will be kept the same as the "x5t" parameter. (X.509 Certificate SHA-1 Thumbprint) of the signing certificate.

OB SSA Example

The elements defined in the software statement will consist of the following values.

HEADER:ALGORITHM & TOKEN TYPE

{
  "alg": "PS256",
  "kid": "j_OPXe8tchWuhQ3gVN-SOOOTyDY",
  "typ": "JWT"
}

PAYLOAD:DATA

{
  "iat": 1537249394,
  "iss": "OpenBanking Ltd",
  "jti": "3SjuymQ2BSNmSFljZIV32H",

  "org_contacts": [
    {
      "email": "OBTechnicalQueries@BOI.COM",
      "name": "Technical",
      "phone": "0860681762",
      "type": "Technical"
    },
    {
      "email": "OBBusinessQueries@BOI.COM",
      "name": "Business",
      "phone": "07584 214830",
      "type": "Business"
    }
  ],
  "org_id": "0015800000jfQ9aAAE",
  "org_jwks_endpoint": "https://keystore.openbankingtest.org.uk/0015800000jfQ9aAAE/0015800000jfQ9aAAE.jwks",
  "org_jwks_revoked_endpoint": "https://keystore.openbankingtest.org.uk/0015800000jfQ9aAAE/revoked/0015800000jfQ9aAAE.jwks",
  "org_name": "Bank of Ireland (UK) Plc",
  "org_status": "Active",
  "organisation_competent_authority_claims": {
    "authorisations": [
      {
        "member_state": "GB",
        "roles": [
          "AISP",
          "PISP"
        ]
      }
    ],
    "authority_id": "FCAGBR",
    "registration_id": "512956",
    "status": "Active"
  },
  "software_client_description": "CMA2_DeV_18_9",
  "software_client_id": "53ZcZkjLM1sXLOAHkwG6DB",
  "software_client_name": "CMA2_DeV_18_9",
  "software_client_uri": "https://www.getpostman.com/oauth2/callback",
  "software_environment": "sandbox",
  "software_id": "53ZcZkjLM1sXLOAHkwG6DB",
  "software_jwks_endpoint": "https://keystore.openbankingtest.org.uk/0015800000jfQ9aAAE/53ZcZkjLM1sXLOAHkwG6DB.jwks",
  "software_jwks_revoked_endpoint": "https://keystore.openbankingtest.org.uk/0015800000jfQ9aAAE/revoked/53ZcZkjLM1sXLOAHkwG6DB.jwks",
  "software_logo_uri": "https://www.getpostman.com/oauth2/callback",
  "software_mode": "Live",
  "software_on_behalf_of_org": "CG",
  "software_policy_uri": "https://www.getpostman.com/oauth2/callback",
  "software_redirect_uris": [
    "https://www.getpostman.com/oauth2/callback"
  ],
  "software_roles": [
    "AISP",
    "PISP"
  ],
  "software_tos_uri": "https://www.getpostman.com/oauth2/callback",
  "software_version": 1.1
}

NON-OB SSA Example

The elements defined in the software statement will consist of the following values.


HEADER:ALGORITHM & TOKEN TYPE

{
  "alg": "NONE"
}

PAYLOAD:DATA

{
  "iss": "PSDIE-CBI-123456",
  "software_client_description": "Non OB SSA Client",
  "software_id": "1OEwYAKNONOBSSAClient",
  "software_roles": [
    "AISP",
    "PISP",
    "CBPII"
  ],
  "exp": 1590776620,
  "iat": 1550774820,
  "jti": "51a15308-3193-4702-a1e0-5bc421e0d88a",
  "software_client_name": "NON_OB_SSA_CLIENT",
  "software_client_id": "1OEwYAKNONOBSSAClient",
  "software_redirect_uris": [
    "https://google.com"
  ],
  "org_id": "PSDIE-CBI-123456",
  "org_name": "Test TPP for Non OB SSA",
  "organisation_competent_authority_claims": {
    "authorisations": [
      {
        "roles": [
          "AISP",
          "PISP",
          "CBPII"
        ]
      }
    ]
  }
}

Client Registration Endpoint

Bank of Ireland UK supports automated client registration endpoint protected by mutually authenticated transport-layer security using either Open Banking ETSI (OBWAC) or eIDAS (QWAC) certificates.

Client Registration Request

To register as a client at BOI, the TPP sends an HTTP POST to the registration endpoint. The request MUST be presented in the format of a [RFC7519] compliant JWT. The request MUST use the HTTP POST method, using the application/JWT method. The JWT MUST be signed using algorithms specified in Open Banking documentation.

Header Claims

Metadata	Description
typ	MUST be set to JWT
alg	MUST be set to PS256.
kid	The kid will be kept the same as the "x5t" parameter. (X.509 Certificate SHA-1 Thumbprint) of the signing certificate.
x5c	Public certificate of the QSealC. Only to be populated when non-OB SSA is used in request claims.

Request Claims

Claim	Description	Source Specification	Optional	Comments
iss	Request Issuer (The TPP)	[RFC7519]	NO
iat	Time of issuance of request	[RFC7519]	NO
exp	Request expiration time	[RFC7519]	NO
aud	Request audience (The ASPSP)	[RFC7519]	NO
jti	JWT ID	[RFC7519]	NO
redirect_uris	Registered URIs the TPP will use to interact with BOI	[OIDC-R]	NO	MUST match or be a subset of the software_redirect_uris claim in the SSA
token_endpoint_auth_method	Specifies which token endpoint authentication method the TPP wants to use	[RFC7591]	NO	Must be set to tls_client_auth
grant_types	A JSON array specifying what the TPP can request to be supplied to the token endpoint as exchange for an access token	[RFC7591]	NO
response_types	A JSON array specifying what the TPP can request to be returned from the ASPSP authorisation endpoint.	[RFC7591]	YES
software_id	The software_id in the request MUST match the software_id specified in the SSA	[RFC7591]	YES
scope	scopes the client is asking for (if not specified, default scopes are assigned by the AS)	[RFC7591]	NO	Minimum scope should be openid + whatever scopes are appropriate for the softwares PSD2 Role.
software_statement	SSA issued by Open Banking identifier or non-OB SSA generated by TPP	[RFC7519]	NO
application_type	Web or Mobile	[OIDC-R]	NO	MUST be web if specified.
id_token_signed_response_alg	Algorithm which the TPP expects to sign the id_token, if an id_token is returned.	[OIDC-R]	NO
request_object_signing_alg	Algorithm which the TPP expects to sign the request object if a request object will be part of the authorization request sent to the ASPSP.	[OIDC-R]	NO
token_endpoint_auth_signing_alg	Algorithm which the TPP uses to authenticate with the token endpoint if using private_key_jwt or client_secret_jwt. Must be specified if token_endpoint_auth_method is private_key_jwt or client_secret_jwt.		YES	Not supported by Bank of Ireland.
tls_client_auth_subject_dn	This value must be set iff token_endpoint_auth_method is set to tls_client_auth. The tls_client_auth_subject_dn claim MUST contain the DN of the certificate that the TPP will present to the ASPSP token endpoint.The ASPSP may decide to match only a part of the DN so that the match is based only on the part of the DN that will be immutable for the TPP across all EIDAS certificates issued to it.		YES
client_id	The client identifier generated by the ASPSP		YES	Request: Optional; Response: Mandatory
client_id_issued_at	Time at which the client identifier was issued expressed as "seconds since the epoch".		YES
backchannel_token_delivery_mode	As defined in CIBA - Registration and Discovery Metadata. This value MUST be specified iff the grant_types includes urn:openid:params:grant-type:ciba		YES	Not supported by Bank of Ireland.
backchannel_client_notification_endpoint	As defined in CIBA - Registration and Discovery Metadata. This value MUST be specified iff the grant_types includes urn:openid:params:grant-type:ciba and backchannel_token_delivery_mode is not poll. This must be a valid HTTPS URL		YES	Not supported by Bank of Ireland.
backchannel_authentication_request_signing_alg	As defined in CIBA - Registration and Discovery Metadata. This value MUST be specified iff the grant_types includes urn:openid:params:grant-type:ciba		YES	Not supported by Bank of Ireland.
backchannel_user_code_parameter_supported	As defined in CIBA - Registration and Discovery Metadata. This value MUST be specified only if the grant_types		YES	Not supported by Bank of Ireland.

Example Dynamic Client Registration Request

curl -X POST \

  https://api-sandbox.bankofireland.com/1/api/open-banking/v3.3/register \

  -H 'Cache-Control: no-cache' \

  -H 'Content-Type: application/jwt' \

  -H 'Postman-Token: 4d718d91-6005-459e-903c-7053ea06aa87' \

  -d eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjZwSXp3bDBILWF6X2g5Y0VPejQ4UXdfT0tuOCJ9.eyJncmFudF90eXBlcyI6WyJhdXRob3JpemF0aW9uX2NvZGUiLCJyZWZyZXNoX3Rva2VuIiwiY2xpZW50X2NyZWRlbnRpYWxzIl0sImFwcGxpY2F0aW9uX3R5cGUiOiJXRUIiLCJpc3MiOiIxT0V3WUFLSWdNdGVmdk9LZlNFZEFTIiwicmVkaXJlY3RfdXJpcyI6WyJodHRwczovL3d3dy5nZXRwb3N0bWFuLmNvbS9vYXV0aDIvY2FsbGJhY2siXSwidG9rZW5fZW5kcG9pbnRfYXV0aF9tZXRob2QiOiJ0bHNfY2xpZW50X2F1dGgiLCJ0bHNfY2xpZW50X2F1dGhfZG4iOiJDTj0xT0V3WUFLSWdNdGVmdk9LZlNFZEFTLCBPVT0wMDE1ODAwMDAwamZROWFBQUUsIE89T3BlbkJhbmtpbmcsIEM9R0IiLCJzb2Z0d2FyZV9pZCI6IjFPRXdZQUtJZ010ZWZ2T0tmU0VkQVMiLCJzb2Z0d2FyZV9zdGF0ZW1lbnQiOiJleUpoYkdjaU9pSlNVekkxTmlJc0ltdHBaQ0k2SW1SVE0waEZlbk41VmtwUFRIcFJWa2hKVld0UFNrVXlTWEZyYlRONVNHSTBRbGxmVUdKQ1JWUlhhbGs5SWl3aWRIbHdJam9pU2xkVUluMC5leUpwWVhRaU9qRTFORFEzTnpNNE1EQXNJbWx6Y3lJNklrOXdaVzVDWVc1cmFXNW5JRXgwWkNJc0ltcDBhU0k2SWpJelNteEhSVEZwTjAxTlprcEZkWFY0ZDBsNVJHb2lMQ0p2Y21kZlkyOXVkR0ZqZEhNaU9sdDdJbVZ0WVdsc0lqb2lUMEpDZFhOcGJtVnpjMUYxWlhKcFpYTkFRazlKTGtOUFRTSXNJbTVoYldVaU9pSkNkWE5wYm1WemN5SXNJbkJvYjI1bElqb2lNRGMxT0RRZ01qRTBPRE13SWl3aWRIbHdaU0k2SWtKMWMybHVaWE56SW4wc2V5SmxiV0ZwYkNJNklrOUNWR1ZqYUc1cFkyRnNVWFZsY21sbGMwQkNUMGt1UTA5Tklpd2libUZ0WlNJNklsUmxZMmh1YVdOaGJDSXNJbkJvYjI1bElqb2lNRGcyTURZNE1UYzJNaUlzSW5SNWNHVWlPaUpVWldOb2JtbGpZV3dpZlYwc0ltOXlaMTlwWkNJNklqQXdNVFU0TURBd01EQnFabEU1WVVGQlJTSXNJbTl5WjE5cWQydHpYMlZ1WkhCdmFXNTBJam9pYUhSMGNITTZMeTlyWlhsemRHOXlaUzV2Y0dWdVltRnVhMmx1WjNSbGMzUXViM0puTG5Wckx6QXdNVFU0TURBd01EQnFabEU1WVVGQlJTOHdNREUxT0RBd01EQXdhbVpST1dGQlFVVXVhbmRyY3lJc0ltOXlaMTlxZDJ0elgzSmxkbTlyWldSZlpXNWtjRzlwYm5RaU9pSm9kSFJ3Y3pvdkwydGxlWE4wYjNKbExtOXdaVzVpWVc1cmFXNW5kR1Z6ZEM1dmNtY3VkV3N2TURBeE5UZ3dNREF3TUdwbVVUbGhRVUZGTDNKbGRtOXJaV1F2TURBeE5UZ3dNREF3TUdwbVVUbGhRVUZGTG1wM2EzTWlMQ0p2Y21kZmJtRnRaU0k2SWtKaGJtc2diMllnU1hKbGJHRnVaQ0FvVlVzcElGQnNZeUlzSW05eVoxOXpkR0YwZFhNaU9pSkJZM1JwZG1VaUxDSnZjbWRoYm1sellYUnBiMjVmWTI5dGNHVjBaVzUwWDJGMWRHaHZjbWwwZVY5amJHRnBiWE1pT25zaVlYVjBhRzl5YVhOaGRHbHZibk1pT2x0N0ltMWxiV0psY2w5emRHRjBaU0k2SWtkQ0lpd2ljbTlzWlhNaU9sc2lRVWxUVUNJc0lsQkpVMUFpWFgwc2V5SnRaVzFpWlhKZmMzUmhkR1VpT2lKSlJTSXNJbkp2YkdWeklqcGJJa0ZKVTFBaUxDSlFTVk5RSWwxOUxIc2liV1Z0WW1WeVgzTjBZWFJsSWpvaVRrd2lMQ0p5YjJ4bGN5STZXeUpCU1ZOUUlpd2lVRWxUVUNKZGZWMHNJbUYxZEdodmNtbDBlVjlwWkNJNklrWkRRVWRDVWlJc0luSmxaMmx6ZEhKaGRHbHZibDlwWkNJNklqVXhNamsxTmlJc0luTjBZWFIxY3lJNklrRmpkR2wyWlNKOUxDSnpiMlowZDJGeVpWOWpiR2xsYm5SZlpHVnpZM0pwY0hScGIyNGlPaUpFUTFKZlUyRnVaR0p2ZUY4eE1qRTBYekF4SWl3aWMyOW1kSGRoY21WZlkyeHBaVzUwWDJsa0lqb2lNVTlGZDFsQlMwbG5UWFJsWm5aUFMyWlRSV1JCVXlJc0luTnZablIzWVhKbFgyTnNhV1Z1ZEY5dVlXMWxJam9pUkVOU1gxTmhibVJpYjNoZk1USXhORjh3TVNJc0luTnZablIzWVhKbFgyTnNhV1Z1ZEY5MWNta2lPaUpvZEhSd2N6b3ZMM2QzZHk1blpYUndiM04wYldGdUxtTnZiUzl2WVhWMGFESXZZMkZzYkdKaFkyc2lMQ0p6YjJaMGQyRnlaVjlsYm5acGNtOXViV1Z1ZENJNkluTmhibVJpYjNnaUxDSnpiMlowZDJGeVpWOXBaQ0k2SWpGUFJYZFpRVXRKWjAxMFpXWjJUMHRtVTBWa1FWTWlMQ0p6YjJaMGQyRnlaVjlxZDJ0elgyVnVaSEJ2YVc1MElqb2lhSFIwY0hNNkx5OXJaWGx6ZEc5eVpTNXZjR1Z1WW1GdWEybHVaM1JsYzNRdWIzSm5MblZyTHpBd01UVTRNREF3TURCcVpsRTVZVUZCUlM4eFQwVjNXVUZMU1dkTmRHVm1kazlMWmxORlpFRlRMbXAzYTNNaUxDSnpiMlowZDJGeVpWOXFkMnR6WDNKbGRtOXJaV1JmWlc1a2NHOXBiblFpT2lKb2RIUndjem92TDJ0bGVYTjBiM0psTG05d1pXNWlZVzVyYVc1bmRHVnpkQzV2Y21jdWRXc3ZNREF4TlRnd01EQXdNR3BtVVRsaFFVRkZMM0psZG05clpXUXZNVTlGZDFsQlMwbG5UWFJsWm5aUFMyWlRSV1JCVXk1cWQydHpJaXdpYzI5bWRIZGhjbVZmYkc5bmIxOTFjbWtpT2lKb2RIUndjem92TDNkM2R5NW5aWFJ3YjNOMGJXRnVMbU52YlM5dllYVjBhREl2WTJGc2JHSmhZMnNpTENKemIyWjBkMkZ5WlY5dGIyUmxJam9pVEdsMlpTSXNJbk52Wm5SM1lYSmxYMjl1WDJKbGFHRnNabDl2Wmw5dmNtY2lPaUlpTENKemIyWjBkMkZ5WlY5d2IyeHBZM2xmZFhKcElqb2lhSFIwY0hNNkx5OTNkM2N1WjJWMGNHOXpkRzFoYmk1amIyMHZiMkYxZEdneUwyTmhiR3hpWVdOcklpd2ljMjltZEhkaGNtVmZjbVZrYVhKbFkzUmZkWEpwY3lJNld5Sm9kSFJ3Y3pvdkwzZDNkeTVuWlhSd2IzTjBiV0Z1TG1OdmJTOXZZWFYwYURJdlkyRnNiR0poWTJzaVhTd2ljMjltZEhkaGNtVmZjbTlzWlhNaU9sc2lRVWxUVUNJc0lsQkpVMUFpWFN3aWMyOW1kSGRoY21WZmRHOXpYM1Z5YVNJNkltaDBkSEJ6T2k4dmQzZDNMbWRsZEhCdmMzUnRZVzR1WTI5dEwyOWhkWFJvTWk5allXeHNZbUZqYXlJc0luTnZablIzWVhKbFgzWmxjbk5wYjI0aU9qRXVNWDAuVzJ3Z3RvY1p4UXhwM2lhSnF6RFpaM2Raa2R2TEVKcEZxZmw4ZHJtbzRRVXFfVi1mc1Vjenh6c084d3dQYUFFQ0JNVzBvelh3U0t1NG5IODhVYUNIVFI4NE5VdWh5RHcxNFRvT3dSelU0TVVTaVZlRWdqZ0FtamUwQlRmZXM3ZDJaQ19IUmJjTHFzYWh1MWEyQzctdFh4Vk0wS2Nudk9yYkZlbllydV9IazY2blFWd2RZTkxNbXdXaVBnNjN0VFM4dkVITkh2ZDYzcnVpXzNTbEJPMlZ3VFFzS01YYnhpWEVrMWo2QUdRUzRENEYtTV9HS05KLVVabnFxSk1RbW5XQjBleXJraFl6dFE0U01VOG9fenJvWDFxRVhlQ1JhQ3BELW9LXy16eTBjYW4tNzBGcGEwLXB4bWMtQVBzaUtZQkt3VEwtTERhTEVtVDhjZ0VkX0RscndnIiwiYXVkIjoiaHR0cHM6Ly9hdXRoLXNhbmRib3guYXBpYm9pdGVzdC5jb20iLCJzY29wZSI6Im9wZW5pZCBhY2NvdW50cyBwYXltZW50cyIsInJlcXVlc3Rfb2JqZWN0X3NpZ25pbmdfYWxnIjoiUlMyNTYiLCJleHAiOjE1OTkzNTc4NDMsImlhdCI6MTUxOTM1Nzg0MywianRpIjoiN2FhYzkxNjQtZWVhYy00N2Q2LTgwNDItOWEyNDYxMGE5ODRlIiwiaWRfdG9rZW5fc2lnbmVkX3Jlc3BvbnNlX2FsZyI6IlJTMjU2In0.EqDCfo53egwkdc1hDH1aUcLbp3rUPpkOvmqqOzOHun_IZ0D5PkgI80Ir9vKSxqDLBL0q6TKVh_P4lKd8zUtLuZF2HMPN1G3eeRLnRsccAZQQeEAekk9aTX9_GCgV2VnURMBFbThlgmSlX7-vB4GSJOdw1yuMR2pfdSfTp_S7Hs1BSg_60jd7ExvkOvSk9GzGyoUsz8-5RMKViXxFAdy3wkEon_t62VlJWmWiPWdNt1FYNeQrUGbTAUGs4Wd-eQjklBgaepJPfPcM957k_ZparyExrU-WCUIkpUaujJEu5EV4dzNQOgfP83w_x91d45r6jJBWTIQO6CyK4mzePlkGGQ

Example Decoded Dynamic Client Registration Request Body

HEADER: ALGORITHM & TOKEN TYPE


{
  "alg": "PS256",
  "typ": "JWT",
  "kid": "6pIzwl0H-az_h9cEOz48Qw_OKn8"
}

PAYLOAD: DATA

{
  "grant_types": [
    "authorization_code",
    "refresh_token",
    "client_credentials"
  ],
  "application_type": "web",
  "iss": "1OEwYAKIgMtefvOKfSEdAS",
  "redirect_uris": [
    "https://www.getpostman.com/oauth2/callback"
  ],
  "token_endpoint_auth_method": "tls_client_auth",
      “tls_client_auth_subject_dn: "CN = tpp-test.com,OU = BOI PSD2 OU,2.5.4.97 = PSDIE-CBI-123456,O = BOI PSD2 Test Org,L = Dublin,C = IE",
  "software_id": "1OEwYAKIgMtefvOKfSEdAS",
  "software_statement": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRTM0hFenN5VkpPTHpRVkhJVWtPSkUySXFrbTN5SGI0QllfUGJCRVRXalk9IiwidHlwIjoiSldUIn0.eyJpYXQiOjE1NDQ3NzM4MDAsImlzcyI6Ik9wZW5CYW5raW5nIEx0ZCIsImp0aSI6IjIzSmxHRTFpN01NZkpFdXV4d0l5RGoiLCJvcmdfY29udGFjdHMiOlt7ImVtYWlsIjoiT0JCdXNpbmVzc1F1ZXJpZXNAQk9JLkNPTSIsIm5hbWUiOiJCdXNpbmVzcyIsInBob25lIjoiMDc1ODQgMjE0ODMwIiwidHlwZSI6IkJ1c2luZXNzIn0seyJlbWFpbCI6Ik9CVGVjaG5pY2FsUXVlcmllc0BCT0kuQ09NIiwibmFtZSI6IlRlY2huaWNhbCIsInBob25lIjoiMDg2MDY4MTc2MiIsInR5cGUiOiJUZWNobmljYWwifV0sIm9yZ19pZCI6IjAwMTU4MDAwMDBqZlE5YUFBRSIsIm9yZ19qd2tzX2VuZHBvaW50IjoiaHR0cHM6Ly9rZXlzdG9yZS5vcGVuYmFua2luZ3Rlc3Qub3JnLnVrLzAwMTU4MDAwMDBqZlE5YUFBRS8wMDE1ODAwMDAwamZROWFBQUUuandrcyIsIm9yZ19qd2tzX3Jldm9rZWRfZW5kcG9pbnQiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMGpmUTlhQUFFL3Jldm9rZWQvMDAxNTgwMDAwMGpmUTlhQUFFLmp3a3MiLCJvcmdfbmFtZSI6IkJhbmsgb2YgSXJlbGFuZCAoVUspIFBsYyIsIm9yZ19zdGF0dXMiOiJBY3RpdmUiLCJvcmdhbmlzYXRpb25fY29tcGV0ZW50X2F1dGhvcml0eV9jbGFpbXMiOnsiYXV0aG9yaXNhdGlvbnMiOlt7Im1lbWJlcl9zdGF0ZSI6IkdCIiwicm9sZXMiOlsiQUlTUCIsIlBJU1AiXX0seyJtZW1iZXJfc3RhdGUiOiJJRSIsInJvbGVzIjpbIkFJU1AiLCJQSVNQIl19LHsibWVtYmVyX3N0YXRlIjoiTkwiLCJyb2xlcyI6WyJBSVNQIiwiUElTUCJdfV0sImF1dGhvcml0eV9pZCI6IkZDQUdCUiIsInJlZ2lzdHJhdGlvbl9pZCI6IjUxMjk1NiIsInN0YXR1cyI6IkFjdGl2ZSJ9LCJzb2Z0d2FyZV9jbGllbnRfZGVzY3JpcHRpb24iOiJEQ1JfU2FuZGJveF8xMjE0XzAxIiwic29mdHdhcmVfY2xpZW50X2lkIjoiMU9Fd1lBS0lnTXRlZnZPS2ZTRWRBUyIsInNvZnR3YXJlX2NsaWVudF9uYW1lIjoiRENSX1NhbmRib3hfMTIxNF8wMSIsInNvZnR3YXJlX2NsaWVudF91cmkiOiJodHRwczovL3d3dy5nZXRwb3N0bWFuLmNvbS9vYXV0aDIvY2FsbGJhY2siLCJzb2Z0d2FyZV9lbnZpcm9ubWVudCI6InNhbmRib3giLCJzb2Z0d2FyZV9pZCI6IjFPRXdZQUtJZ010ZWZ2T0tmU0VkQVMiLCJzb2Z0d2FyZV9qd2tzX2VuZHBvaW50IjoiaHR0cHM6Ly9rZXlzdG9yZS5vcGVuYmFua2luZ3Rlc3Qub3JnLnVrLzAwMTU4MDAwMDBqZlE5YUFBRS8xT0V3WUFLSWdNdGVmdk9LZlNFZEFTLmp3a3MiLCJzb2Z0d2FyZV9qd2tzX3Jldm9rZWRfZW5kcG9pbnQiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMGpmUTlhQUFFL3Jldm9rZWQvMU9Fd1lBS0lnTXRlZnZPS2ZTRWRBUy5qd2tzIiwic29mdHdhcmVfbG9nb191cmkiOiJodHRwczovL3d3dy5nZXRwb3N0bWFuLmNvbS9vYXV0aDIvY2FsbGJhY2siLCJzb2Z0d2FyZV9tb2RlIjoiTGl2ZSIsInNvZnR3YXJlX29uX2JlaGFsZl9vZl9vcmciOiIiLCJzb2Z0d2FyZV9wb2xpY3lfdXJpIjoiaHR0cHM6Ly93d3cuZ2V0cG9zdG1hbi5jb20vb2F1dGgyL2NhbGxiYWNrIiwic29mdHdhcmVfcmVkaXJlY3RfdXJpcyI6WyJodHRwczovL3d3dy5nZXRwb3N0bWFuLmNvbS9vYXV0aDIvY2FsbGJhY2siXSwic29mdHdhcmVfcm9sZXMiOlsiQUlTUCIsIlBJU1AiXSwic29mdHdhcmVfdG9zX3VyaSI6Imh0dHBzOi8vd3d3LmdldHBvc3RtYW4uY29tL29hdXRoMi9jYWxsYmFjayIsInNvZnR3YXJlX3ZlcnNpb24iOjEuMX0.W2wgtocZxQxp3iaJqzDZZ3dZkdvLEJpFqfl8drmo4QUq_V-fsUczxzsO8wwPaAECBMW0ozXwSKu4nH88UaCHTR84NUuhyDw14ToOwRzU4MUSiVeEgjgAmje0BTfes7d2ZC_HRbcLqsahu1a2C7-tXxVM0KcnvOrbFenYru_Hk66nQVwdYNLMmwWiPg63tTS8vEHNHvd63rui_3SlBO2VwTQsKMXbxiXEk1j6AGQS4D4F-M_GKNJ-UZnqqJMQmnWB0eyrkhYztQ4SMU8o_zroX1qEXeCRaCpD-oK_-zy0can-70Fpa0-pxmc-APsiKYBKwTL-LDaLEmT8cgEd_Dlrwg",
  "aud": "https://auth-sandbox.bankofireland.com",
  "scope": "openid accounts payments",
  "request_object_signing_alg": "PS256",
  "exp": 1599357843,
  "iat": 1519357843,
  "jti": "7aac9164-eeac-47d6-8042-9a24610a984e",
  "id_token_signed_response_alg": "PS256"
}

Dynamic Client Registration Response

Example Successful Client Registration Response

{

    "client_id": "G77EHo37piaf5OrRkK5HpV",
        "redirect_uris": [
            "https://www.getpostman.com/oauth2/callback"
        ],
        "token_endpoint_auth_method": "tls_client_auth",
        "grant_types": [
            "authorization_code",
            "refresh_token",
            "client_credentials"
        ],
        "response_types": [
            "code id_token"
        ],
        "software_id": "1OEwYAKIgMtefvOKfSEdAS",
        "scope": "openid accounts payments fundsconfirmations",
        "software_statement": "eyJhbGciOiJQUzI1NiIsImtpZCI6Imo4SFdZMDBhSUJtS0ExT1c3WW50dnRLVU0ycnVueDdvQWdiS2hJRE1IM0k9IiwidHlwIjoiSldUIn0.eyJpc3MiOiJPcGVuQmFua2luZyBMdGQiLCJpYXQiOjE2MjAxMjE4MDYsImp0aSI6IjFlNWVkZWRlYzEwNzRkNWYiLCJzb2Z0d2FyZV9lbnZpcm9ubWVudCI6InNhbmRib3giLCJzb2Z0d2FyZV9tb2RlIjoiVGVzdCIsInNvZnR3YXJlX2lkIjoiRzc3RUhvMzdwaWFmNU9yUmtLNUhwViIsInNvZnR3YXJlX2NsaWVudF9pZCI6Ikc3N0VIbzM3cGlhZjVPclJrSzVIcFYiLCJzb2Z0d2FyZV9jbGllbnRfbmFtZSI6IkNsaWVudF80dGhfTWF5Iiwic29mdHdhcmVfY2xpZW50X2Rlc2NyaXB0aW9uIjoiQ2xpZW50XzR0aF9NYXkiLCJzb2Z0d2FyZV92ZXJzaW9uIjoxLjEsInNvZnR3YXJlX2NsaWVudF91cmkiOiJodHRwczovL2dvb2dsZS5jb20iLCJzb2Z0d2FyZV9yZWRpcmVjdF91cmlzIjpbImh0dHBzOi8vZ29vZ2xlLmNvbSJdLCJzb2Z0d2FyZV9yb2xlcyI6WyJQSVNQIiwiQ0JQSUkiLCJBSVNQIl0sIm9yZ2FuaXNhdGlvbl9jb21wZXRlbnRfYXV0aG9yaXR5X2NsYWltcyI6eyJhdXRob3JpdHlfaWQiOiJGQ0FHQlIiLCJyZWdpc3RyYXRpb25faWQiOiI1MTI5NTYiLCJzdGF0dXMiOiJBY3RpdmUiLCJhdXRob3Jpc2F0aW9ucyI6W3sibWVtYmVyX3N0YXRlIjoiR0IiLCJyb2xlcyI6WyJQSVNQIiwiQ0JQSUkiLCJBSVNQIiwiQVNQU1AiXX0seyJtZW1iZXJfc3RhdGUiOiJJRSIsInJvbGVzIjpbIkNCUElJIiwiQUlTUCIsIkFTUFNQIiwiUElTUCJdfSx7Im1lbWJlcl9zdGF0ZSI6Ik5MIiwicm9sZXMiOlsiUElTUCIsIkNCUElJIiwiQUlTUCIsIkFTUFNQIl19XX0sInNvZnR3YXJlX2xvZ29fdXJpIjoiaHR0cHM6Ly9nb29nbGUuY29tIiwib3JnX3N0YXR1cyI6IkFjdGl2ZSIsIm9yZ19pZCI6IjAwMTU4MDAwMDBqZlE5YUFBRSIsIm9yZ19uYW1lIjoiQmFuayBvZiBJcmVsYW5kIChVSykgUGxjIiwib3JnX2NvbnRhY3RzIjpbeyJuYW1lIjoiVGVjaG5pY2FsIiwiZW1haWwiOiJPQlRlY2huaWNhbFF1ZXJpZXNAQk9JLkNPTSIsInBob25lIjoiKzM1MyA4NjA2ODE3NjIiLCJ0eXBlIjoiVGVjaG5pY2FsIn0seyJuYW1lIjoiQnVzaW5lc3MiLCJlbWFpbCI6Ik9CQnVzaW5lc3NRdWVyaWVzQEJPSS5DT00iLCJwaG9uZSI6Iis0NCA3NTg0IDIxNDgzMCIsInR5cGUiOiJCdXNpbmVzcyJ9XSwib3JnX2p3a3NfZW5kcG9pbnQiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMGpmUTlhQUFFLzAwMTU4MDAwMDBqZlE5YUFBRS5qd2tzIiwib3JnX2p3a3NfcmV2b2tlZF9lbmRwb2ludCI6Imh0dHBzOi8va2V5c3RvcmUub3BlbmJhbmtpbmd0ZXN0Lm9yZy51ay8wMDE1ODAwMDAwamZROWFBQUUvcmV2b2tlZC8wMDE1ODAwMDAwamZROWFBQUUuandrcyIsInNvZnR3YXJlX2p3a3NfZW5kcG9pbnQiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMGpmUTlhQUFFL0c3N0VIbzM3cGlhZjVPclJrSzVIcFYuandrcyIsInNvZnR3YXJlX2p3a3NfcmV2b2tlZF9lbmRwb2ludCI6Imh0dHBzOi8va2V5c3RvcmUub3BlbmJhbmtpbmd0ZXN0Lm9yZy51ay8wMDE1ODAwMDAwamZROWFBQUUvcmV2b2tlZC9HNzdFSG8zN3BpYWY1T3JSa0s1SHBWLmp3a3MiLCJzb2Z0d2FyZV9wb2xpY3lfdXJpIjoiaHR0cHM6Ly9nb29nbGUuY29tIiwic29mdHdhcmVfdG9zX3VyaSI6Imh0dHBzOi8vZ29vZ2xlLmNvbSIsInNvZnR3YXJlX29uX2JlaGFsZl9vZl9vcmciOiIifQ.d_2sfHAA8jGYQMhc1vSayEgz--x0ZpZL6-wAYpEfbdcVAPK5w3HF94A1oPSKathrgjPaLbhplfe8EOFtKQDqRvhat7ZsVON0-Jzv9gXFzL6FJ_1LMyCw099jcUQt1PUuYs61Sj3yFZn9fY0bO2FbBVBj8Didmk8aMXFZ7v95ZOq7xZXBjBH5lTivwsfZoX4Y9dychZYYWEW-VWkLQZKpzJH3fkAEOvp8bwlwjI21cVAQvEcMJJfeGGo8QfcPcOWyz38MPlk-PTZ4JI__XkidpfOEmY0OuaC1NV-E3fvfwjrHWb3AsOANuqciWu-3X-PcQPguoivCJ5WqgE45gcgL3w",
        "application_type": "web",
        "id_token_signed_response_alg": "PS256",
        "request_object_signing_alg": "PS256",
        "tls_client_auth_subject_dn": "CN = tpp-test.com,OU = BOI PSD2 OU,2.5.4.97 = PSDIE-CBI-123456,O = BOI PSD2 Test Org,L = Dublin,C = IE"
    }
}

Example Unsuccessful Client Registration Response

HTTP/1.1 400

{
    "errorCode": "9005",
    "errorMessage": "invalid_jwt.",
    "error_desciprtion": "Registration JWT token is invalid."
}

Client Modification Endpoint

Bank of Ireland UK supports automated client PUT endpoint protected by mutually authenticated transport-layer security using either Open Banking ETSI (OBWAC) or eIDAS (QWAC) certificates.

The DCR Update Endpoint in production supports the following changes in certificates:
1. Legacy Certificates (Client ID-Secret) to OBWAC Certificates
2. Legacy Certificates (MATLS) to OBWAC Certificates
3. Legacy Certificates (MATLS) to QWAC Certificates
4. QWAC Certificates to OBWAC Certificates
5. OBWAC to QWAC
6. QWAC to QWAC (subjectDN changes)
7. OBWAC to OBWAC (SubjectDN changes)

Additionally in Sandbox, we support the following change in certificates:
1. Self-Signed Certificates to eIDAS QWAC

Client Modification Request

To modify the client at BOI, the TPP sends a HTTP PUT to the modification endpoint. The request MUST be presented in the format of a [RFC7519] compliant JWT. The request MUST use the HTTP PUT method, using the application/JWT method. The JWT MUST be signed using algorithms specified in Open Banking documentation.

Dynamic Client Registration PUT endpoint requires client credential grant token for authentication. Generate a new client credential token using existing certificate which can be:

OB Legacy (Client ID-Secret / MATLS)
OBWAC (MATLS)
QWAC (MATLS)

Invoke the DCR PUT endpoint using existing certificate as transport certificates and the access token generated in step 1 with the following updates in client metadata:

TPPs using MATLS would need to update the below field:

tls_client_auth_subject_dn :- Subject DN of the new certificate that TPP is migrating to, which can be:

OBWAC (MATLS) Subject DN
QWAC (MATLS) Subject DN

TPPs using Client ID/ Secret would need to update the following fields:

token_endpoint_auth_method :- ‘tls_client_auth'
tls_client_auth_subject_dn :- Subject DN of the new certificate that TPP is migrating to, which can be:

OBWAC (MATLS) Subject DN
QWAC (MATLS) Subject DN

id_token_signed_response_alg :- PS256
request_object_signing_alg :- PS256

Once the updates are successful, an HTTP status code 200 would be returned with client metadata.
On successful updates using the PUT endpoint as per step 3, ready OBWAC / QWAC certificates should be used as the transport certificates including for MATLS with token endpoint.

Header Claims

Metadata	Description
typ	MUST be set to JWT
alg	MUST be set to PS256 if onboarded via TPP portal MUST be set to PS256 if onboarded via DCR
kid	The kid will be kept the same as the "x5t" parameter. (X.509 Certificate SHA-1 Thumbprint) of the signing certificate.
x5c	Public certificate of the QSealC. Only to be populated when non-OB SSA is used in request claims.

Request Claims

Claim	Description	Source Specification	Optional	Comments
iss	Request Issuer (The TPP)	[RFC7519]	NO
iat	Time of issuance of request	[RFC7519]	NO
exp	Request expiration time	[RFC7519]	NO
aud	Request audience (The ASPSP)	[RFC7519]	NO
jti	JWT ID	[RFC7519]	NO
redirect_uris	Registered URIs the TPP will use to interact with BOI	[OIDC-R]	NO	MUST match or be a subset of the software_redirect_uris claim in the SSA
token_endpoint_auth_method	Specifies which token endpoint authentication method the TPP wants to use	[RFC7591]	NO
grant_types	A JSON array specifying what the TPP can request to be supplied to the token endpoint as exchange for an access token	[RFC7591]	NO
response_types	A JSON array specifying what the TPP can request to be returned from the ASPSP authorisation endpoint.	[RFC7591]	YES
software_id	The software_id in the request MUST match the software_id specified in the SSA	[RFC7591]	YES
scope	scopes the client is asking for (if not specified, default scopes are assigned by the AS)	[RFC7591]	NO	Minimum scope should be openid + whatever scopes are appropriate for the softwares PSD2 Role.
software_statement	SSA issued by Open Banking identifier or non-OB SSA generated by TPP	[RFC7519]	NO
application_type	Web or Mobile	[OIDC-R]	NO	MUST be web if specified.
id_token_signed_response_alg	Algorithm which the TPP expects to sign the id_token, if an id_token is returned.	[OIDC-R]	NO
request_object_signing_alg	Algorithm which the TPP expects to sign the request object if a request object will be part of the authorization request sent to the ASPSP.	[OIDC-R]	NO
token_endpoint_auth_signing_alg	Algorithm which the TPP uses to authenticate with the token endpoint if using private_key_jwt or client_secret_jwt. Must be specified if token_endpoint_auth_method is private_key_jwt or client_secret_jwt		YES	Not supported by Bank of Ireland.
tls_client_auth_subject_dn	This value must be set iff token_endpoint_auth_method is set to tls_client_auth. The tls_client_auth_subject_dn claim MUST contain the DN of the certificate that the TPP will present to the ASPSP token endpoint.The ASPSP may decide to match only a part of the DN so that the match is based only on the part of the DN that will be immutable for the TPP across all EIDAS certificates issued to it.		YES
client_id	The client identifier generated by the ASPSP		YES	Request: Optional Response: Mandatory
client_secret	A shared secret generated by the ASPSP.		YES
client_id_issued_at	Time at which the client identifier was issued expressed as "seconds since the epoch".		YES
client_secret_expires_at	Time at which the client secret will expire expressed as "seconds since the epoch".		YES
backchannel_token_delivery_mode	As defined in CIBA - Registration and Discovery Metadata. This value MUST be specified iff the grant_types includes urn:openid:params:grant-type:ciba		YES	Not supported by Bank of Ireland.
backchannel_client_notification_endpoint	As defined in CIBA - Registration and Discovery Metadata. This value MUST be specified iff the grant_types includes urn:openid:params:grant-type:ciba and backchannel_token_delivery_mode is not poll. This must be a valid HTTPS URL		YES	Not supported by Bank of Ireland.
backchannel_authentication_request_signing_alg	As defined in CIBA - Registration and Discovery Metadata. This value MUST be specified iff the grant_types includes urn:openid:params:grant-type:ciba.		YES	Not supported by Bank of Ireland.
backchannel_user_code_parameter_supported	As defined in CIBA - Registration and Discovery Metadata. This value MUST be specified only if the grant_types		YES	Not supported by Bank of Ireland.

Example Dynamic Client Modification Request

curl -X PUT \

  https://api-sandbox.bankofireland.com/1/api/open-banking/v3.3/register \ VP5WDT1gbyjUjxzJnFGmPB
  -H 'Cache-Control: no-cache' \

  -H 'Content-Type: application/jwt' \

  -H 'Postman-Token: 4d718d91-6005-459e-903c-7053ea06aa87' \
-d eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ilh6c3lVQ2hZWmMwdkhXNGp0TWVr STZTTTVJZyJ9.eyJncmFudF90eXBlcyI6WyJhdXRob3JpemF0aW9uX2NvZGUiLCJyZWZyZXNoX3Rva2VuIiwiY2xpZW50X2NyZWRlbnRpYWxzIl0sImFwcGxpY2F0aW9uX3R5cGUiOiJ3ZWIiLCJpc3MiOiJWUDVXRFQxZ2J5alVqeHpKbkZHbVBCIiwicmVkaXJlY3RfdXJpcyI6WyJodHRwczovL2RlbW8uY29tIl0sInRva2VuX2VuZHBvaW50X2F1dGhfbWV0aG9kIjoidGxzX2NsaWVudF9hdXRoIiwidGxzX2NsaWVudF9hdXRoX3N1YmplY3RfZG4iOiJDTiA9IDAwMTU4MDAwMDBqZlE5YUFBRSwgMi41LjQuOTcgPSBQU0RHQi1GQ0EtNTEyOTU2LCBPID0gQmFuayBvZiBJcmVsYW5kIChVSykgUGxjLCBDID0gR0IiLCJzb2Z0d2FyZV9pZCI6IlZQNVdEVDFnYnlqVWp4ekpuRkdtUEIiLCJzb2Z0d2FyZV9zdGF0ZW1lbnQiOiJleUpoYkdjaU9pSlFVekkxTmlJc0ltdHBaQ0k2SW1vNFNGZFpNREJoU1VKdFMwRXhUMWMzV1c1MGRuUkxWVTB5Y25WdWVEZHZRV2RpUzJoSlJFMUlNMGs5SWl3aWRIbHdJam9pU2xkVUluMC5leUpwYzNNaU9pSlBjR1Z1UW1GdWEybHVaeUJNZEdRaUxDSnBZWFFpT2pFMk1UZzVNVEV5TURFc0ltcDBhU0k2SWpZME1EQmlNalprTXpCbFpEUTFNbVlpTENKemIyWjBkMkZ5WlY5bGJuWnBjbTl1YldWdWRDSTZJbk5oYm1SaWIzZ2lMQ0p6YjJaMGQyRnlaVjl0YjJSbElqb2lWR1Z6ZENJc0luTnZablIzWVhKbFgybGtJam9pVmxBMVYwUlVNV2RpZVdwVmFuaDZTbTVHUjIxUVFpSXNJbk52Wm5SM1lYSmxYMk5zYVdWdWRGOXBaQ0k2SWxaUU5WZEVWREZuWW5scVZXcDRla3B1UmtkdFVFSWlMQ0p6YjJaMGQyRnlaVjlqYkdsbGJuUmZibUZ0WlNJNklrTkhYMVJsYzNSZk1qQXdOREl3TWpFaUxDSnpiMlowZDJGeVpWOWpiR2xsYm5SZlpHVnpZM0pwY0hScGIyNGlPaUpEUjE5VVpYTjBYekl3TURReU1ESXhJaXdpYzI5bWRIZGhjbVZmZG1WeWMybHZiaUk2TVM0eExDSnpiMlowZDJGeVpWOWpiR2xsYm5SZmRYSnBJam9pYUhSMGNITTZMeTlrWlcxdkxtTnZiU0lzSW5OdlpuUjNZWEpsWDNKbFpHbHlaV04wWDNWeWFYTWlPbHNpYUhSMGNITTZMeTlrWlcxdkxtTnZiU0pkTENKemIyWjBkMkZ5WlY5eWIyeGxjeUk2V3lKUVNWTlFJaXdpUTBKUVNVa2lMQ0pCU1ZOUUlsMHNJbTl5WjJGdWFYTmhkR2x2Ymw5amIyMXdaWFJsYm5SZllYVjBhRzl5YVhSNVgyTnNZV2x0Y3lJNmV5SmhkWFJvYjNKcGRIbGZhV1FpT2lKR1EwRkhRbElpTENKeVpXZHBjM1J5WVhScGIyNWZhV1FpT2lJMU1USTVOVFlpTENKemRHRjBkWE1pT2lKQlkzUnBkbVVpTENKaGRYUm9iM0pwYzJGMGFXOXVjeUk2VzNzaWJXVnRZbVZ5WDNOMFlYUmxJam9pUjBJaUxDSnliMnhsY3lJNld5SlFTVk5RSWl3aVEwSlFTVWtpTENKQlNWTlFJaXdpUVZOUVUxQWlYWDBzZXlKdFpXMWlaWEpmYzNSaGRHVWlPaUpKUlNJc0luSnZiR1Z6SWpwYklrTkNVRWxKSWl3aVFVbFRVQ0lzSWtGVFVGTlFJaXdpVUVsVFVDSmRmU3g3SW0xbGJXSmxjbDl6ZEdGMFpTSTZJazVNSWl3aWNtOXNaWE1pT2xzaVVFbFRVQ0lzSWtOQ1VFbEpJaXdpUVVsVFVDSXNJa0ZUVUZOUUlsMTlYWDBzSW5OdlpuUjNZWEpsWDJ4dloyOWZkWEpwSWpvaWFIUjBjSE02THk5a1pXMXZMbU52YlNJc0ltOXlaMTl6ZEdGMGRYTWlPaUpCWTNScGRtVWlMQ0p2Y21kZmFXUWlPaUl3TURFMU9EQXdNREF3YW1aUk9XRkJRVVVpTENKdmNtZGZibUZ0WlNJNklrSmhibXNnYjJZZ1NYSmxiR0Z1WkNBb1ZVc3BJRkJzWXlJc0ltOXlaMTlqYjI1MFlXTjBjeUk2VzNzaWJtRnRaU0k2SWxSbFkyaHVhV05oYkNJc0ltVnRZV2xzSWpvaVQwSlVaV05vYm1sallXeFJkV1Z5YVdWelFFSlBTUzVEVDAwaUxDSndhRzl1WlNJNklpc3pOVE1nT0RZd05qZ3hOell5SWl3aWRIbHdaU0k2SWxSbFkyaHVhV05oYkNKOUxIc2libUZ0WlNJNklrSjFjMmx1WlhOeklpd2laVzFoYVd3aU9pSlBRa0oxYzJsdVpYTnpVWFZsY21sbGMwQkNUMGt1UTA5Tklpd2ljR2h2Ym1VaU9pSXJORFFnTnpVNE5DQXlNVFE0TXpBaUxDSjBlWEJsSWpvaVFuVnphVzVsYzNNaWZWMHNJbTl5WjE5cWQydHpYMlZ1WkhCdmFXNTBJam9pYUhSMGNITTZMeTlyWlhsemRHOXlaUzV2Y0dWdVltRnVhMmx1WjNSbGMzUXViM0puTG5Wckx6QXdNVFU0TURBd01EQnFabEU1WVVGQlJTOHdNREUxT0RBd01EQXdhbVpST1dGQlFVVXVhbmRyY3lJc0ltOXlaMTlxZDJ0elgzSmxkbTlyWldSZlpXNWtjRzlwYm5RaU9pSm9kSFJ3Y3pvdkwydGxlWE4wYjNKbExtOXdaVzVpWVc1cmFXNW5kR1Z6ZEM1dmNtY3VkV3N2TURBeE5UZ3dNREF3TUdwbVVUbGhRVUZGTDNKbGRtOXJaV1F2TURBeE5UZ3dNREF3TUdwbVVUbGhRVUZGTG1wM2EzTWlMQ0p6YjJaMGQyRnlaVjlxZDJ0elgyVnVaSEJ2YVc1MElqb2lhSFIwY0hNNkx5OXJaWGx6ZEc5eVpTNXZjR1Z1WW1GdWEybHVaM1JsYzNRdWIzSm5MblZyTHpBd01UVTRNREF3TURCcVpsRTVZVUZCUlM5V1VEVlhSRlF4WjJKNWFsVnFlSHBLYmtaSGJWQkNMbXAzYTNNaUxDSnpiMlowZDJGeVpWOXFkMnR6WDNKbGRtOXJaV1JmWlc1a2NHOXBiblFpT2lKb2RIUndjem92TDJ0bGVYTjBiM0psTG05d1pXNWlZVzVyYVc1bmRHVnpkQzV2Y21jdWRXc3ZNREF4TlRnd01EQXdNR3BtVVRsaFFVRkZMM0psZG05clpXUXZWbEExVjBSVU1XZGllV3BWYW5oNlNtNUdSMjFRUWk1cWQydHpJaXdpYzI5bWRIZGhjbVZmY0c5c2FXTjVYM1Z5YVNJNkltaDBkSEJ6T2k4dlpHVnRieTVqYjIwaUxDSnpiMlowZDJGeVpWOTBiM05mZFhKcElqb2lhSFIwY0hNNkx5OWtaVzF2TG1OdmJTSXNJbk52Wm5SM1lYSmxYMjl1WDJKbGFHRnNabDl2Wmw5dmNtY2lPaUlpZlEuRDBfZGEtaDZjZzNseDlmTU4yS2hVb1NSZnk5SnhwaHVmWXBWNThBbUhudThtNVMtY1dGdVJLWDY0Q0JBcGRWYmcxOEd1U255OHJrZUNHLWQ5S0RtRkZpSGI4LWRCQU02S19FdldPd1dodFVSd1UzRDlZOXZiZDlHYkZYalk3cTNUSW5lRVpRdXFwZHVBZkd4RlBQTUQxdHVqdTB6cmlvdHVwRVNOQjNPcVJmZEpyUU04SXQ5dXJfLUpFQlc5VENHZ19VdGRabVJuRmJfUW9nZk5wb0VGRmtXZW5zTW52aGltYTNKUEZRNE5MRDdpRnJKRlBIQUpXUUxIQ2pMTjZhMzJLcUFmQ2hYdXpuaExzRkNjZXYyMjQwenE1MU9ySkdqaHRWcFh1VjJ6Ri1wMHMwd1lBUnNqWUVLR2pqek5DV0FmdkEyaFAwMVluOEFHOHRwWlljWkZ3IiwiYXVkIjoiaHR0cHM6Ly9hdXRoLmJvaS1zYW5kYm94LmFwaWJvaXRlc3QuY29tIiwic2NvcGUiOiJvcGVuaWQgYWNjb3VudHMgcGF5bWVudHMgZnVuZHNjb25maXJtYXRpb25zIiwicmVxdWVzdF9vYmplY3Rfc2lnbmluZ19hbGciOiJQUzI1NiIsImV4cCI6MTY1MzE5ODc4OSwiaWF0IjoxNjE4OTExMjAxLCJqdGkiOiI2NDAwYjI2ZDMwZWQ0NTJmIiwiaWRfdG9rZW5fc2lnbmVkX3Jlc3BvbnNlX2FsZyI6IlBTMjU2IiwicmVzcG9uc2VfdHlwZXMiOlsiY29kZSBpZF90b2tlbiJdfQ.Zt5u3z7UcYKvo10P_XU-CLefN4nTmRKPNaQmdJ6_erbOq_kWC_gzD2pvL2LyWD5OrEadaUmwxN8usYv4k8FnJtOVAeo2evxUhK0yQSunwGJ6uz4nB7gJfGSCJ2IdYwOOX9isMkWZ-CrbWyWDgPqMrEaDFZU_9rG_D6b6-YJF-TIF7M0-vxNnGDasoVev5mT-YmhBDMxWF3THzNF0lwtXRySts_-XN13kWvuk9lebAAeRjcvgaTZscrxtWg5eWzOyvxp3lo6IC7nawsm7OYCJ4lXFoC72shI_FNjLek1hnl1yPRRGjR1YQzAFtoIMlX3_-Ev1tXF0agEYaoVRUiqv0w

Example Decoded Dynamic Client Modification Request Body

HEADER:ALGORITHM & TOKEN TYPE

{
  "alg": "PS256",
  "typ": "JWT",
  "kid": "XzsyUChYZc0vHW4jtMekI6SM5Ig"
}
PAYLOAD:DATA

{
  "grant_types": [
    "authorization_code",
    "refresh_token",
    "client_credentials"
  ],
  "application_type": "web",
  "iss": "VP5WDT1gbyjUjxzJnFGmPB",
  "redirect_uris": [
   "https://www.getpostman.com/oauth2/callback"
  ],
  "token_endpoint_auth_method": "tls_client_auth",
  "tls_client_auth_subject_dn": "CN = 0015800000jfQ9aAAE, 2.5.4.97 = PSDGB-FCA-512956, O = Bank of Ireland (UK) Plc, C = GB",
  "software_id"
{
  "grant_types": [
    "authorization_code",
    "refresh_token",
    "client_credentials"
  ],
  "application_type": "web",
  "iss": "VP5WDT1gbyjUjxzJnFGmPB",
  "redirect_uris": [
    "https://www.getpostman.com/oauth2/callback"
  ],
  "token_endpoint_auth_method": "tls_client_auth",
  "tls_client_auth_subject_dn": "CN = 0015800000jfQ9aAAE, 2.5.4.97 = PSDGB-FCA-512956, O = Bank of Ireland (UK) Plc, C = GB",
  "software_id": "VP5WDT1gbyjUjxzJnFGmPB",
  "software_statement": "eyJhbGciOiJQUzI1NiIsImtpZCI6Imo4SFdZMDBhSUJtS0ExT1c3WW50dnRLVU0ycnVueDdvQWdiS2hJRE1IM0k9IiwidHlwIjoiSldUIn0.eyJpc3MiOiJPcGVuQmFua2luZyBMdGQiLCJpYXQiOjE2MTg5MTEyMDEsImp0aSI6IjY0MDBiMjZkMzBlZDQ1MmYiLCJzb2Z0d2FyZV9lbnZpcm9ubWVudCI6InNhbmRib3giLCJzb2Z0d2FyZV9tb2RlIjoiVGVzdCIsInNvZnR3YXJlX2lkIjoiVlA1V0RUMWdieWpVanh6Sm5GR21QQiIsInNvZnR3YXJlX2NsaWVudF9pZCI6IlZQNVdEVDFnYnlqVWp4ekpuRkdtUEIiLCJzb2Z0d2FyZV9jbGllbnRfbmFtZSI6IkNHX1Rlc3RfMjAwNDIwMjEiLCJzb2Z0d2FyZV9jbGllbnRfZGVzY3JpcHRpb24iOiJDR19UZXN0XzIwMDQyMDIxIiwic29mdHdhcmVfdmVyc2lvbiI6MS4xLCJzb2Z0d2FyZV9jbGllbnRfdXJpIjoiaHR0cHM6Ly9kZW1vLmNvbSIsInNvZnR3YXJlX3JlZGlyZWN0X3VyaXMiOlsiaHR0cHM6Ly9kZW1vLmNvbSJdLCJzb2Z0d2FyZV9yb2xlcyI6WyJQSVNQIiwiQ0JQSUkiLCJBSVNQIl0sIm9yZ2FuaXNhdGlvbl9jb21wZXRlbnRfYXV0aG9yaXR5X2NsYWltcyI6eyJhdXRob3JpdHlfaWQiOiJGQ0FHQlIiLCJyZWdpc3RyYXRpb25faWQiOiI1MTI5NTYiLCJzdGF0dXMiOiJBY3RpdmUiLCJhdXRob3Jpc2F0aW9ucyI6W3sibWVtYmVyX3N0YXRlIjoiR0IiLCJyb2xlcyI6WyJQSVNQIiwiQ0JQSUkiLCJBSVNQIiwiQVNQU1AiXX0seyJtZW1iZXJfc3RhdGUiOiJJRSIsInJvbGVzIjpbIkNCUElJIiwiQUlTUCIsIkFTUFNQIiwiUElTUCJdfSx7Im1lbWJlcl9zdGF0ZSI6Ik5MIiwicm9sZXMiOlsiUElTUCIsIkNCUElJIiwiQUlTUCIsIkFTUFNQIl19XX0sInNvZnR3YXJlX2xvZ29fdXJpIjoiaHR0cHM6Ly9kZW1vLmNvbSIsIm9yZ19zdGF0dXMiOiJBY3RpdmUiLCJvcmdfaWQiOiIwMDE1ODAwMDAwamZROWFBQUUiLCJvcmdfbmFtZSI6IkJhbmsgb2YgSXJlbGFuZCAoVUspIFBsYyIsIm9yZ19jb250YWN0cyI6W3sibmFtZSI6IlRlY2huaWNhbCIsImVtYWlsIjoiT0JUZWNobmljYWxRdWVyaWVzQEJPSS5DT00iLCJwaG9uZSI6IiszNTMgODYwNjgxNzYyIiwidHlwZSI6IlRlY2huaWNhbCJ9LHsibmFtZSI6IkJ1c2luZXNzIiwiZW1haWwiOiJPQkJ1c2luZXNzUXVlcmllc0BCT0kuQ09NIiwicGhvbmUiOiIrNDQgNzU4NCAyMTQ4MzAiLCJ0eXBlIjoiQnVzaW5lc3MifV0sIm9yZ19qd2tzX2VuZHBvaW50IjoiaHR0cHM6Ly9rZXlzdG9yZS5vcGVuYmFua2luZ3Rlc3Qub3JnLnVrLzAwMTU4MDAwMDBqZlE5YUFBRS8wMDE1ODAwMDAwamZROWFBQUUuandrcyIsIm9yZ19qd2tzX3Jldm9rZWRfZW5kcG9pbnQiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMGpmUTlhQUFFL3Jldm9rZWQvMDAxNTgwMDAwMGpmUTlhQUFFLmp3a3MiLCJzb2Z0d2FyZV9qd2tzX2VuZHBvaW50IjoiaHR0cHM6Ly9rZXlzdG9yZS5vcGVuYmFua2luZ3Rlc3Qub3JnLnVrLzAwMTU4MDAwMDBqZlE5YUFBRS9WUDVXRFQxZ2J5alVqeHpKbkZHbVBCLmp3a3MiLCJzb2Z0d2FyZV9qd2tzX3Jldm9rZWRfZW5kcG9pbnQiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMGpmUTlhQUFFL3Jldm9rZWQvVlA1V0RUMWdieWpVanh6Sm5GR21QQi5qd2tzIiwic29mdHdhcmVfcG9saWN5X3VyaSI6Imh0dHBzOi8vZGVtby5jb20iLCJzb2Z0d2FyZV90b3NfdXJpIjoiaHR0cHM6Ly9kZW1vLmNvbSIsInNvZnR3YXJlX29uX2JlaGFsZl9vZl9vcmciOiIifQ.D0_da-h6cg3lx9fMN2KhUoSRfy9JxphufYpV58AmHnu8m5S-cWFuRKX64CBApdVbg18GuSny8rkeCG-d9KDmFFiHb8-dBAM6K_EvWOwWhtURwU3D9Y9vbd9GbFXjY7q3TIneEZQuqpduAfGxFPPMD1tuju0zriotupESNB3OqRfdJrQM8It9ur_-JEBW9TCGg_UtdZmRnFb_QogfNpoEFFkWensMnvhima3JPFQ4NLD7iFrJFPHAJWQLHCjLN6a32KqAfChXuznhLsFCcev2240zq51OrJGjhtVpXuV2zF-p0s0wYARsjYEKGjjzNCWAfvA2hP01Yn8AG8tpZYcZFw",
  "aud": "https://auth-sandbox.bankofireland.com",
  "scope": "openid accounts payments fundsconfirmations",
  "request_object_signing_alg": "PS256",
  "exp": 1653198789,
  "iat": 1618911201,
  "jti": "6400b26d30ed452f",
  "id_token_signed_response_alg": "PS256",
  "response_types": [
    "code id_token"
  ]
}

Dynamic Client Modification Response

{
   "client_id": "VP5WDT1gbyjUjxzJnFGmPB",
    "redirect_uris": [
            "https://www.getpostman.com/oauth2/callback"
        ],
        "token_endpoint_auth_method": "tls_client_auth",
        "grant_types": [
            "authorization_code",
            "refresh_token",
            "client_credentials"
        ],
        "response_types": [
            "code id_token"
        ],
        "software_id": "VP5WDT1gbyjUjxzJnFGmPB",
        "scope": "openid accounts payments fundsconfirmations",
        "software_statement": "eyJhbGciOiJQUzI1NiIsImtpZCI6Imo4SFdZMDBhSUJtS0ExT1c3WW50dnRLVU0ycnVueDdvQWdiS2hJRE1IM0k9IiwidHlwIjoiSldUIn0.eyJpc3MiOiJPcGVuQmFua2luZyBMdGQiLCJpYXQiOjE2MTg5MTEyMDEsImp0aSI6IjY0MDBiMjZkMzBlZDQ1MmYiLCJzb2Z0d2FyZV9lbnZpcm9ubWVudCI6InNhbmRib3giLCJzb2Z0d2FyZV9tb2RlIjoiVGVzdCIsInNvZnR3YXJlX2lkIjoiVlA1V0RUMWdieWpVanh6Sm5GR21QQiIsInNvZnR3YXJlX2NsaWVudF9pZCI6IlZQNVdEVDFnYnlqVWp4ekpuRkdtUEIiLCJzb2Z0d2FyZV9jbGllbnRfbmFtZSI6IkNHX1Rlc3RfMjAwNDIwMjEiLCJzb2Z0d2FyZV9jbGllbnRfZGVzY3JpcHRpb24iOiJDR19UZXN0XzIwMDQyMDIxIiwic29mdHdhcmVfdmVyc2lvbiI6MS4xLCJzb2Z0d2FyZV9jbGllbnRfdXJpIjoiaHR0cHM6Ly9kZW1vLmNvbSIsInNvZnR3YXJlX3JlZGlyZWN0X3VyaXMiOlsiaHR0cHM6Ly9kZW1vLmNvbSJdLCJzb2Z0d2FyZV9yb2xlcyI6WyJQSVNQIiwiQ0JQSUkiLCJBSVNQIl0sIm9yZ2FuaXNhdGlvbl9jb21wZXRlbnRfYXV0aG9yaXR5X2NsYWltcyI6eyJhdXRob3JpdHlfaWQiOiJGQ0FHQlIiLCJyZWdpc3RyYXRpb25faWQiOiI1MTI5NTYiLCJzdGF0dXMiOiJBY3RpdmUiLCJhdXRob3Jpc2F0aW9ucyI6W3sibWVtYmVyX3N0YXRlIjoiR0IiLCJyb2xlcyI6WyJQSVNQIiwiQ0JQSUkiLCJBSVNQIiwiQVNQU1AiXX0seyJtZW1iZXJfc3RhdGUiOiJJRSIsInJvbGVzIjpbIkNCUElJIiwiQUlTUCIsIkFTUFNQIiwiUElTUCJdfSx7Im1lbWJlcl9zdGF0ZSI6Ik5MIiwicm9sZXMiOlsiUElTUCIsIkNCUElJIiwiQUlTUCIsIkFTUFNQIl19XX0sInNvZnR3YXJlX2xvZ29fdXJpIjoiaHR0cHM6Ly9kZW1vLmNvbSIsIm9yZ19zdGF0dXMiOiJBY3RpdmUiLCJvcmdfaWQiOiIwMDE1ODAwMDAwamZROWFBQUUiLCJvcmdfbmFtZSI6IkJhbmsgb2YgSXJlbGFuZCAoVUspIFBsYyIsIm9yZ19jb250YWN0cyI6W3sibmFtZSI6IlRlY2huaWNhbCIsImVtYWlsIjoiT0JUZWNobmljYWxRdWVyaWVzQEJPSS5DT00iLCJwaG9uZSI6IiszNTMgODYwNjgxNzYyIiwidHlwZSI6IlRlY2huaWNhbCJ9LHsibmFtZSI6IkJ1c2luZXNzIiwiZW1haWwiOiJPQkJ1c2luZXNzUXVlcmllc0BCT0kuQ09NIiwicGhvbmUiOiIrNDQgNzU4NCAyMTQ4MzAiLCJ0eXBlIjoiQnVzaW5lc3MifV0sIm9yZ19qd2tzX2VuZHBvaW50IjoiaHR0cHM6Ly9rZXlzdG9yZS5vcGVuYmFua2luZ3Rlc3Qub3JnLnVrLzAwMTU4MDAwMDBqZlE5YUFBRS8wMDE1ODAwMDAwamZROWFBQUUuandrcyIsIm9yZ19qd2tzX3Jldm9rZWRfZW5kcG9pbnQiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMGpmUTlhQUFFL3Jldm9rZWQvMDAxNTgwMDAwMGpmUTlhQUFFLmp3a3MiLCJzb2Z0d2FyZV9qd2tzX2VuZHBvaW50IjoiaHR0cHM6Ly9rZXlzdG9yZS5vcGVuYmFua2luZ3Rlc3Qub3JnLnVrLzAwMTU4MDAwMDBqZlE5YUFBRS9WUDVXRFQxZ2J5alVqeHpKbkZHbVBCLmp3a3MiLCJzb2Z0d2FyZV9qd2tzX3Jldm9rZWRfZW5kcG9pbnQiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMGpmUTlhQUFFL3Jldm9rZWQvVlA1V0RUMWdieWpVanh6Sm5GR21QQi5qd2tzIiwic29mdHdhcmVfcG9saWN5X3VyaSI6Imh0dHBzOi8vZGVtby5jb20iLCJzb2Z0d2FyZV90b3NfdXJpIjoiaHR0cHM6Ly9kZW1vLmNvbSIsInNvZnR3YXJlX29uX2JlaGFsZl9vZl9vcmciOiIifQ.D0_da-h6cg3lx9fMN2KhUoSRfy9JxphufYpV58AmHnu8m5S-cWFuRKX64CBApdVbg18GuSny8rkeCG-d9KDmFFiHb8-dBAM6K_EvWOwWhtURwU3D9Y9vbd9GbFXjY7q3TIneEZQuqpduAfGxFPPMD1tuju0zriotupESNB3OqRfdJrQM8It9ur_-JEBW9TCGg_UtdZmRnFb_QogfNpoEFFkWensMnvhima3JPFQ4NLD7iFrJFPHAJWQLHCjLN6a32KqAfChXuznhLsFCcev2240zq51OrJGjhtVpXuV2zF-p0s0wYARsjYEKGjjzNCWAfvA2hP01Yn8AG8tpZYcZFw",
        "application_type": "web",
        "id_token_signed_response_alg": "PS256",
        "request_object_signing_alg": "PS256",
        "tls_client_auth_subject_dn": "CN=0015800000jfQ9aAAE, OID.2.5.4.97=PSDGB-FCA-512956, O=Bank of Ireland (UK) Plc, C=GB"
    }
}

Example Unsuccessful Client Modification Response

HTTP/1.1 400

{
    "errorMessage": "INVALID_SOFTWARE_STATEMENT",
    "error_desciprtion": "Registration JWT token is invalid."
}

home