Dynamic Client Registration API

(1 review)

home

Introduction

This specification defines the automated mechanism for a Third Party Provider (TPP) to register one or more clients with Bank of Ireland UK. The Dynamic Client Registration APIs allows a TPP to register one or more clients with the bank. This automated mechanism is compliant with Open Banking’s Dynamic Client Registration specification v3.3. Dynamic Client Registration v3.3 is not currently supported for Bank of Ireland (ROI). Dynamic Client Registration v1.2 is supported for Bank of Ireland (ROI).

APIs supported:

Bank of Ireland UK supports POST and PUT v3.3 API endpoints. Bank of Ireland UK does not support GET or DELETE v3.3 API endpoints.

Please refer to the BOI API list for full details of what APIs are available in the Sandbox or in production, and on which brand.

Software Statement Assertion (SSA)

The SSA is a JSON Web Token (JWT) containing client metadata about an instance of TPP client software. The JWT must be issued and signed by Open Banking for Production. For our Sandbox a TPP can use an unsigned SSA.

SSA Payload

The payload of an SSA MUST be a compliant software statement according to [RFC7591]. The SSA MUST also be a compliant JWT according to [RFC7519]. The table below describes the metadata profiles.

MetadataDescriptionSource Specification
software_idUnique Identifier for TPP Client Software[RFC7591]
issSSA Issuer[RFC7519]
iatTime SSA is issued[RFC7519]
jtiJWT ID[RFC7519]

The following software metadata is additionally defined for this profile:

MetadataDescription
software_client_idThe client ID registered at OB used to access OB resources for non-OB SSA, client id is used as an input by BOI to generate the unique client_id for a TPP.
software_client_descriptionHuman-readable detailed description of the client
software_client_nameHuman-readable Software Name
software_client_uriThe website or resource root uri
software_versionThe version number of the software should a TPP choose to register and / or maintain it
software_environmentRequested additional field to avoid certificate check
software_jwks_endpointContains all active signing and network certificates for the software
software_jwks_revoked_endpointContains all revoked signing and network certificates for the software
software_logo_uriLink to the TPP logo. Note, ASPSPs are not obliged to display images hosted by third parties
software_modeASPSP requested additional field to indicate that this software is "Test" or "Live" the default is "Live". Impact and support for "Test" software is up to the ASPSP.
software_on_behalf_of_orgA reference to fourth party organsiation resource on the OB Directory if the registering TPP is acting on behalf of another.
software_policy_uriA link to the software's policy page
software_redirect_urisRegistered client callback endpoints as registered with Open Banking
software_rolesA multi value list of PSD2 roles that this software is authorized to perform.
software_tos_uriA link to the software's terms of service page

The following organisational metadata is defined for this profile:

MetadataDescription
organisation_competent_authority_claimsAuthorisations granted to the organisation by an NCA
org_statusIncluded to cater for voluntary withdrawal from OB scenarios default values: Active, Revoked or Withdrawn
org_idThe unique TPP or ASPSP ID held by Open Banking. In Sandbox, for non-OB SSA this field should contain the NCA ID as per the eIDAS certificate.
org_nameLegal entity identifier or other known organisation name
org_contactsJSON array of objects containing a triplet of name, email, and phone number
org_jwks_endpointContains all active signing and network certificates for the organisation
org_jwks_revoked_endpointContains all revoked signing and network certificates for the organisation
SSA Header

The SSA header MUST comply with [RFC7519].

MetadataDescription
typMUST be set to JWT
algMUST be set to PS256. For Sandbox, non-OB SSA this field should be set to "NONE".
kidThe kid will be kept the same as the "x5t" parameter. (X.509 Certificate SHA-1 Thumbprint) of the signing certificate.
OB SSA Example

The elements defined in the software statement will consist of the following values.

HEADER:ALGORITHM & TOKEN TYPE

{
  "alg": "PS256",
  "kid": "j_OPXe8tchWuhQ3gVN-SOOOTyDY",
  "typ": "JWT"
}

PAYLOAD:DATA

{
  "iat": 1537249394,
  "iss": "OpenBanking Ltd",
  "jti": "3SjuymQ2BSNmSFljZIV32H",

  "org_contacts": [
    {
      "email": "OBTechnicalQueries@BOI.COM",
      "name": "Technical",
      "phone": "0860681762",
      "type": "Technical"
    },
    {
      "email": "OBBusinessQueries@BOI.COM",
      "name": "Business",
      "phone": "07584 214830",
      "type": "Business"
    }
  ],
  "org_id": "0015800000jfQ9aAAE",
  "org_jwks_endpoint": "https://keystore.openbankingtest.org.uk/0015800000jfQ9aAAE/0015800000jfQ9aAAE.jwks",
  "org_jwks_revoked_endpoint": "https://keystore.openbankingtest.org.uk/0015800000jfQ9aAAE/revoked/0015800000jfQ9aAAE.jwks",
  "org_name": "Bank of Ireland (UK) Plc",
  "org_status": "Active",
  "organisation_competent_authority_claims": {
    "authorisations": [
      {
        "member_state": "GB",
        "roles": [
          "AISP",
          "PISP"
        ]
      }
    ],
    "authority_id": "FCAGBR",
    "registration_id": "512956",
    "status": "Active"
  },
  "software_client_description": "CMA2_DeV_18_9",
  "software_client_id": "53ZcZkjLM1sXLOAHkwG6DB",
  "software_client_name": "CMA2_DeV_18_9",
  "software_client_uri": "https://www.getpostman.com/oauth2/callback",
  "software_environment": "sandbox",
  "software_id": "53ZcZkjLM1sXLOAHkwG6DB",
  "software_jwks_endpoint": "https://keystore.openbankingtest.org.uk/0015800000jfQ9aAAE/53ZcZkjLM1sXLOAHkwG6DB.jwks",
  "software_jwks_revoked_endpoint": "https://keystore.openbankingtest.org.uk/0015800000jfQ9aAAE/revoked/53ZcZkjLM1sXLOAHkwG6DB.jwks",
  "software_logo_uri": "https://www.getpostman.com/oauth2/callback",
  "software_mode": "Live",
  "software_on_behalf_of_org": "CG",
  "software_policy_uri": "https://www.getpostman.com/oauth2/callback",
  "software_redirect_uris": [
    "https://www.getpostman.com/oauth2/callback"
  ],
  "software_roles": [
    "AISP",
    "PISP"
  ],
  "software_tos_uri": "https://www.getpostman.com/oauth2/callback",
  "software_version": 1.1
}
NON-OB SSA Example

The elements defined in the software statement will consist of the following values.


HEADER:ALGORITHM & TOKEN TYPE

{
  "alg": "NONE"
}

PAYLOAD:DATA

{
  "iss": "PSDIE-CBI-123456",
  "software_client_description": "Non OB SSA Client",
  "software_id": "1OEwYAKNONOBSSAClient",
  "software_roles": [
    "AISP",
    "PISP",
    "CBPII"
  ],
  "exp": 1590776620,
  "iat": 1550774820,
  "jti": "51a15308-3193-4702-a1e0-5bc421e0d88a",
  "software_client_name": "NON_OB_SSA_CLIENT",
  "software_client_id": "1OEwYAKNONOBSSAClient",
  "software_redirect_uris": [
    "https://google.com"
  ],
  "org_id": "PSDIE-CBI-123456",
  "org_name": "Test TPP for Non OB SSA",
  "organisation_competent_authority_claims": {
    "authorisations": [
      {
        "roles": [
          "AISP",
          "PISP",
          "CBPII"
        ]
      }
    ]
  }
}
Client Registration Endpoint

Bank of Ireland UK supports automated client registration endpoint protected by mutually authenticated transport-layer security using either Open Banking ETSI (OBWAC) or eIDAS (QWAC) certificates.

Client Registration Request

To register as a client at BOI, the TPP sends an HTTP POST to the registration endpoint. The request MUST be presented in the format of a [RFC7519] compliant JWT. The request MUST use the HTTP POST method, using the application/JWT method. The JWT MUST be signed using algorithms specified in Open Banking documentation.

Header Claims

MetadataDescription
typMUST be set to JWT
algMUST be set to PS256.
kidThe kid will be kept the same as the "x5t" parameter. (X.509 Certificate SHA-1 Thumbprint) of the signing certificate.
x5cPublic certificate of the QSealC. Only to be populated when non-OB SSA is used in request claims.

Request Claims

ClaimDescriptionSource SpecificationOptionalComments
issRequest Issuer (The TPP)[RFC7519]NO 
iatTime of issuance of request[RFC7519]NO 
expRequest expiration time[RFC7519]NO 
audRequest audience (The ASPSP)[RFC7519]NO 
jtiJWT ID[RFC7519]NO 
redirect_urisRegistered URIs the TPP will use to interact with BOI[OIDC-R]NOMUST match or be a subset of the software_redirect_uris claim in the SSA
token_endpoint_auth_methodSpecifies which token endpoint authentication method the TPP wants to use[RFC7591]NOMust be set to tls_client_auth
grant_typesA JSON array specifying what the TPP can request to be supplied to the token endpoint as exchange for an access token[RFC7591]NO 
response_typesA JSON array specifying what the TPP can request to be returned from the ASPSP authorisation endpoint.[RFC7591]YES 
software_idThe software_id in the request MUST match the software_id specified in the SSA[RFC7591]YES 
scopescopes the client is asking for (if not specified, default scopes are assigned by the AS)[RFC7591]NOMinimum scope should be openid + whatever scopes are appropriate for the softwares PSD2 Role.
software_statementSSA issued by Open Banking identifier or non-OB SSA generated by TPP[RFC7519]NO 
application_typeWeb or Mobile[OIDC-R]NOMUST be web if specified.
id_token_signed_response_algAlgorithm which the TPP expects to sign the id_token, if an id_token is returned.[OIDC-R]NO 
request_object_signing_algAlgorithm which the TPP expects to sign the request object if a request object will be part of the authorization request sent to the ASPSP.[OIDC-R]NO
token_endpoint_auth_signing_algAlgorithm which the TPP uses to authenticate with the token endpoint if using private_key_jwt or client_secret_jwt. Must be specified if token_endpoint_auth_method is private_key_jwt or client_secret_jwt. YESNot supported by Bank of Ireland.
tls_client_auth_subject_dnThis value must be set iff token_endpoint_auth_method is set to tls_client_auth. The tls_client_auth_subject_dn claim MUST contain the DN of the certificate that the TPP will present to the ASPSP token endpoint.The ASPSP may decide to match only a part of the DN so that the match is based only on the part of the DN that will be immutable for the TPP across all EIDAS certificates issued to it. YES 
client_idThe client identifier generated by the ASPSP YESRequest: Optional; Response: Mandatory
client_id_issued_atTime at which the client identifier was issued expressed as "seconds since the epoch". YES 
backchannel_token_delivery_modeAs defined in CIBA - Registration and Discovery Metadata. This value MUST be specified iff the grant_types includes urn:openid:params:grant-type:ciba YESNot supported by Bank of Ireland.
backchannel_client_notification_endpointAs defined in CIBA - Registration and Discovery Metadata. This value MUST be specified iff the grant_types includes urn:openid:params:grant-type:ciba and backchannel_token_delivery_mode is not poll. This must be a valid HTTPS URL YESNot supported by Bank of Ireland.
backchannel_authentication_request_signing_algAs defined in CIBA - Registration and Discovery Metadata. This value MUST be specified iff the grant_types includes urn:openid:params:grant-type:ciba YESNot supported by Bank of Ireland.
backchannel_user_code_parameter_supportedAs defined in CIBA - Registration and Discovery Metadata. This value MUST be specified only if the grant_types YESNot supported by Bank of Ireland.

Example Dynamic Client Registration Request

curl -X POST \

  https://api-sandbox.bankofireland.com/1/api/open-banking/v3.3/register \

  -H 'Cache-Control: no-cache' \

  -H 'Content-Type: application/jwt' \

  -H 'Postman-Token: 4d718d91-6005-459e-903c-7053ea06aa87' \

  -d eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjZwSXp3bDBILWF6X2g5Y0VPejQ4UXdfT0tuOCJ9.eyJncmFudF90eXBlcyI6WyJhdXRob3JpemF0aW9uX2NvZGUiLCJyZWZyZXNoX3Rva2VuIiwiY2xpZW50X2NyZWRlbnRpYWxzIl0sImFwcGxpY2F0aW9uX3R5cGUiOiJXRUIiLCJpc3MiOiIxT0V3WUFLSWdNdGVmdk9LZlNFZEFTIiwicmVkaXJlY3RfdXJpcyI6WyJodHRwczovL3d3dy5nZXRwb3N0bWFuLmNvbS9vYXV0aDIvY2FsbGJhY2siXSwidG9rZW5fZW5kcG9pbnRfYXV0aF9tZXRob2QiOiJ0bHNfY2xpZW50X2F1dGgiLCJ0bHNfY2xpZW50X2F1dGhfZG4iOiJDTj0xT0V3WUFLSWdNdGVmdk9LZlNFZEFTLCBPVT0wMDE1ODAwMDAwamZROWFBQUUsIE89T3BlbkJhbmtpbmcsIEM9R0IiLCJzb2Z0d2FyZV9pZCI6IjFPRXdZQUtJZ010ZWZ2T0tmU0VkQVMiLCJzb2Z0d2FyZV9zdGF0ZW1lbnQiOiJleUpoYkdjaU9pSlNVekkxTmlJc0ltdHBaQ0k2SW1SVE0waEZlbk41VmtwUFRIcFJWa2hKVld0UFNrVXlTWEZyYlRONVNHSTBRbGxmVUdKQ1JWUlhhbGs5SWl3aWRIbHdJam9pU2xkVUluMC5leUpwWVhRaU9qRTFORFEzTnpNNE1EQXNJbWx6Y3lJNklrOXdaVzVDWVc1cmFXNW5JRXgwWkNJc0ltcDBhU0k2SWpJelNteEhSVEZwTjAxTlprcEZkWFY0ZDBsNVJHb2lMQ0p2Y21kZlkyOXVkR0ZqZEhNaU9sdDdJbVZ0WVdsc0lqb2lUMEpDZFhOcGJtVnpjMUYxWlhKcFpYTkFRazlKTGtOUFRTSXNJbTVoYldVaU9pSkNkWE5wYm1WemN5SXNJbkJvYjI1bElqb2lNRGMxT0RRZ01qRTBPRE13SWl3aWRIbHdaU0k2SWtKMWMybHVaWE56SW4wc2V5SmxiV0ZwYkNJNklrOUNWR1ZqYUc1cFkyRnNVWFZsY21sbGMwQkNUMGt1UTA5Tklpd2libUZ0WlNJNklsUmxZMmh1YVdOaGJDSXNJbkJvYjI1bElqb2lNRGcyTURZNE1UYzJNaUlzSW5SNWNHVWlPaUpVWldOb2JtbGpZV3dpZlYwc0ltOXlaMTlwWkNJNklqQXdNVFU0TURBd01EQnFabEU1WVVGQlJTSXNJbTl5WjE5cWQydHpYMlZ1WkhCdmFXNTBJam9pYUhSMGNITTZMeTlyWlhsemRHOXlaUzV2Y0dWdVltRnVhMmx1WjNSbGMzUXViM0puTG5Wckx6QXdNVFU0TURBd01EQnFabEU1WVVGQlJTOHdNREUxT0RBd01EQXdhbVpST1dGQlFVVXVhbmRyY3lJc0ltOXlaMTlxZDJ0elgzSmxkbTlyWldSZlpXNWtjRzlwYm5RaU9pSm9kSFJ3Y3pvdkwydGxlWE4wYjNKbExtOXdaVzVpWVc1cmFXNW5kR1Z6ZEM1dmNtY3VkV3N2TURBeE5UZ3dNREF3TUdwbVVUbGhRVUZGTDNKbGRtOXJaV1F2TURBeE5UZ3dNREF3TUdwbVVUbGhRVUZGTG1wM2EzTWlMQ0p2Y21kZmJtRnRaU0k2SWtKaGJtc2diMllnU1hKbGJHRnVaQ0FvVlVzcElGQnNZeUlzSW05eVoxOXpkR0YwZFhNaU9pSkJZM1JwZG1VaUxDSnZjbWRoYm1sellYUnBiMjVmWTI5dGNHVjBaVzUwWDJGMWRHaHZjbWwwZVY5amJHRnBiWE1pT25zaVlYVjBhRzl5YVhOaGRHbHZibk1pT2x0N0ltMWxiV0psY2w5emRHRjBaU0k2SWtkQ0lpd2ljbTlzWlhNaU9sc2lRVWxUVUNJc0lsQkpVMUFpWFgwc2V5SnRaVzFpWlhKZmMzUmhkR1VpT2lKSlJTSXNJbkp2YkdWeklqcGJJa0ZKVTFBaUxDSlFTVk5RSWwxOUxIc2liV1Z0WW1WeVgzTjBZWFJsSWpvaVRrd2lMQ0p5YjJ4bGN5STZXeUpCU1ZOUUlpd2lVRWxUVUNKZGZWMHNJbUYxZEdodmNtbDBlVjlwWkNJNklrWkRRVWRDVWlJc0luSmxaMmx6ZEhKaGRHbHZibDlwWkNJNklqVXhNamsxTmlJc0luTjBZWFIxY3lJNklrRmpkR2wyWlNKOUxDSnpiMlowZDJGeVpWOWpiR2xsYm5SZlpHVnpZM0pwY0hScGIyNGlPaUpFUTFKZlUyRnVaR0p2ZUY4eE1qRTBYekF4SWl3aWMyOW1kSGRoY21WZlkyeHBaVzUwWDJsa0lqb2lNVTlGZDFsQlMwbG5UWFJsWm5aUFMyWlRSV1JCVXlJc0luTnZablIzWVhKbFgyTnNhV1Z1ZEY5dVlXMWxJam9pUkVOU1gxTmhibVJpYjNoZk1USXhORjh3TVNJc0luTnZablIzWVhKbFgyTnNhV1Z1ZEY5MWNta2lPaUpvZEhSd2N6b3ZMM2QzZHk1blpYUndiM04wYldGdUxtTnZiUzl2WVhWMGFESXZZMkZzYkdKaFkyc2lMQ0p6YjJaMGQyRnlaVjlsYm5acGNtOXViV1Z1ZENJNkluTmhibVJpYjNnaUxDSnpiMlowZDJGeVpWOXBaQ0k2SWpGUFJYZFpRVXRKWjAxMFpXWjJUMHRtVTBWa1FWTWlMQ0p6YjJaMGQyRnlaVjlxZDJ0elgyVnVaSEJ2YVc1MElqb2lhSFIwY0hNNkx5OXJaWGx6ZEc5eVpTNXZjR1Z1WW1GdWEybHVaM1JsYzNRdWIzSm5MblZyTHpBd01UVTRNREF3TURCcVpsRTVZVUZCUlM4eFQwVjNXVUZMU1dkTmRHVm1kazlMWmxORlpFRlRMbXAzYTNNaUxDSnpiMlowZDJGeVpWOXFkMnR6WDNKbGRtOXJaV1JmWlc1a2NHOXBiblFpT2lKb2RIUndjem92TDJ0bGVYTjBiM0psTG05d1pXNWlZVzVyYVc1bmRHVnpkQzV2Y21jdWRXc3ZNREF4TlRnd01EQXdNR3BtVVRsaFFVRkZMM0psZG05clpXUXZNVTlGZDFsQlMwbG5UWFJsWm5aUFMyWlRSV1JCVXk1cWQydHpJaXdpYzI5bWRIZGhjbVZmYkc5bmIxOTFjbWtpT2lKb2RIUndjem92TDNkM2R5NW5aWFJ3YjNOMGJXRnVMbU52YlM5dllYVjBhREl2WTJGc2JHSmhZMnNpTENKemIyWjBkMkZ5WlY5dGIyUmxJam9pVEdsMlpTSXNJbk52Wm5SM1lYSmxYMjl1WDJKbGFHRnNabDl2Wmw5dmNtY2lPaUlpTENKemIyWjBkMkZ5WlY5d2IyeHBZM2xmZFhKcElqb2lhSFIwY0hNNkx5OTNkM2N1WjJWMGNHOXpkRzFoYmk1amIyMHZiMkYxZEdneUwyTmhiR3hpWVdOcklpd2ljMjltZEhkaGNtVmZjbVZrYVhKbFkzUmZkWEpwY3lJNld5Sm9kSFJ3Y3pvdkwzZDNkeTVuWlhSd2IzTjBiV0Z1TG1OdmJTOXZZWFYwYURJdlkyRnNiR0poWTJzaVhTd2ljMjltZEhkaGNtVmZjbTlzWlhNaU9sc2lRVWxUVUNJc0lsQkpVMUFpWFN3aWMyOW1kSGRoY21WZmRHOXpYM1Z5YVNJNkltaDBkSEJ6T2k4dmQzZDNMbWRsZEhCdmMzUnRZVzR1WTI5dEwyOWhkWFJvTWk5allXeHNZbUZqYXlJc0luTnZablIzWVhKbFgzWmxjbk5wYjI0aU9qRXVNWDAuVzJ3Z3RvY1p4UXhwM2lhSnF6RFpaM2Raa2R2TEVKcEZxZmw4ZHJtbzRRVXFfVi1mc1Vjenh6c084d3dQYUFFQ0JNVzBvelh3U0t1NG5IODhVYUNIVFI4NE5VdWh5RHcxNFRvT3dSelU0TVVTaVZlRWdqZ0FtamUwQlRmZXM3ZDJaQ19IUmJjTHFzYWh1MWEyQzctdFh4Vk0wS2Nudk9yYkZlbllydV9IazY2blFWd2RZTkxNbXdXaVBnNjN0VFM4dkVITkh2ZDYzcnVpXzNTbEJPMlZ3VFFzS01YYnhpWEVrMWo2QUdRUzRENEYtTV9HS05KLVVabnFxSk1RbW5XQjBleXJraFl6dFE0U01VOG9fenJvWDFxRVhlQ1JhQ3BELW9LXy16eTBjYW4tNzBGcGEwLXB4bWMtQVBzaUtZQkt3VEwtTERhTEVtVDhjZ0VkX0RscndnIiwiYXVkIjoiaHR0cHM6Ly9hdXRoLXNhbmRib3guYXBpYm9pdGVzdC5jb20iLCJzY29wZSI6Im9wZW5pZCBhY2NvdW50cyBwYXltZW50cyIsInJlcXVlc3Rfb2JqZWN0X3NpZ25pbmdfYWxnIjoiUlMyNTYiLCJleHAiOjE1OTkzNTc4NDMsImlhdCI6MTUxOTM1Nzg0MywianRpIjoiN2FhYzkxNjQtZWVhYy00N2Q2LTgwNDItOWEyNDYxMGE5ODRlIiwiaWRfdG9rZW5fc2lnbmVkX3Jlc3BvbnNlX2FsZyI6IlJTMjU2In0.EqDCfo53egwkdc1hDH1aUcLbp3rUPpkOvmqqOzOHun_IZ0D5PkgI80Ir9vKSxqDLBL0q6TKVh_P4lKd8zUtLuZF2HMPN1G3eeRLnRsccAZQQeEAekk9aTX9_GCgV2VnURMBFbThlgmSlX7-vB4GSJOdw1yuMR2pfdSfTp_S7Hs1BSg_60jd7ExvkOvSk9GzGyoUsz8-5RMKViXxFAdy3wkEon_t62VlJWmWiPWdNt1FYNeQrUGbTAUGs4Wd-eQjklBgaepJPfPcM957k_ZparyExrU-WCUIkpUaujJEu5EV4dzNQOgfP83w_x91d45r6jJBWTIQO6CyK4mzePlkGGQ

Example Decoded Dynamic Client Registration Request Body

HEADER: ALGORITHM & TOKEN TYPE


{
  "alg": "PS256",
  "typ": "JWT",
  "kid": "6pIzwl0H-az_h9cEOz48Qw_OKn8"
}

PAYLOAD: DATA

{
  "grant_types": [
    "authorization_code",
    "refresh_token",
    "client_credentials"
  ],
  "application_type": "web",
  "iss": "1OEwYAKIgMtefvOKfSEdAS",
  "redirect_uris": [
    "https://www.getpostman.com/oauth2/callback"
  ],
  "token_endpoint_auth_method": "tls_client_auth",
      “tls_client_auth_subject_dn: "CN = tpp-test.com,OU = BOI PSD2 OU,2.5.4.97 = PSDIE-CBI-123456,O = BOI PSD2 Test Org,L = Dublin,C = IE",
  "software_id": "1OEwYAKIgMtefvOKfSEdAS",
  "software_statement": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRTM0hFenN5VkpPTHpRVkhJVWtPSkUySXFrbTN5SGI0QllfUGJCRVRXalk9IiwidHlwIjoiSldUIn0.eyJpYXQiOjE1NDQ3NzM4MDAsImlzcyI6Ik9wZW5CYW5raW5nIEx0ZCIsImp0aSI6IjIzSmxHRTFpN01NZkpFdXV4d0l5RGoiLCJvcmdfY29udGFjdHMiOlt7ImVtYWlsIjoiT0JCdXNpbmVzc1F1ZXJpZXNAQk9JLkNPTSIsIm5hbWUiOiJCdXNpbmVzcyIsInBob25lIjoiMDc1ODQgMjE0ODMwIiwidHlwZSI6IkJ1c2luZXNzIn0seyJlbWFpbCI6Ik9CVGVjaG5pY2FsUXVlcmllc0BCT0kuQ09NIiwibmFtZSI6IlRlY2huaWNhbCIsInBob25lIjoiMDg2MDY4MTc2MiIsInR5cGUiOiJUZWNobmljYWwifV0sIm9yZ19pZCI6IjAwMTU4MDAwMDBqZlE5YUFBRSIsIm9yZ19qd2tzX2VuZHBvaW50IjoiaHR0cHM6Ly9rZXlzdG9yZS5vcGVuYmFua2luZ3Rlc3Qub3JnLnVrLzAwMTU4MDAwMDBqZlE5YUFBRS8wMDE1ODAwMDAwamZROWFBQUUuandrcyIsIm9yZ19qd2tzX3Jldm9rZWRfZW5kcG9pbnQiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMGpmUTlhQUFFL3Jldm9rZWQvMDAxNTgwMDAwMGpmUTlhQUFFLmp3a3MiLCJvcmdfbmFtZSI6IkJhbmsgb2YgSXJlbGFuZCAoVUspIFBsYyIsIm9yZ19zdGF0dXMiOiJBY3RpdmUiLCJvcmdhbmlzYXRpb25fY29tcGV0ZW50X2F1dGhvcml0eV9jbGFpbXMiOnsiYXV0aG9yaXNhdGlvbnMiOlt7Im1lbWJlcl9zdGF0ZSI6IkdCIiwicm9sZXMiOlsiQUlTUCIsIlBJU1AiXX0seyJtZW1iZXJfc3RhdGUiOiJJRSIsInJvbGVzIjpbIkFJU1AiLCJQSVNQIl19LHsibWVtYmVyX3N0YXRlIjoiTkwiLCJyb2xlcyI6WyJBSVNQIiwiUElTUCJdfV0sImF1dGhvcml0eV9pZCI6IkZDQUdCUiIsInJlZ2lzdHJhdGlvbl9pZCI6IjUxMjk1NiIsInN0YXR1cyI6IkFjdGl2ZSJ9LCJzb2Z0d2FyZV9jbGllbnRfZGVzY3JpcHRpb24iOiJEQ1JfU2FuZGJveF8xMjE0XzAxIiwic29mdHdhcmVfY2xpZW50X2lkIjoiMU9Fd1lBS0lnTXRlZnZPS2ZTRWRBUyIsInNvZnR3YXJlX2NsaWVudF9uYW1lIjoiRENSX1NhbmRib3hfMTIxNF8wMSIsInNvZnR3YXJlX2NsaWVudF91cmkiOiJodHRwczovL3d3dy5nZXRwb3N0bWFuLmNvbS9vYXV0aDIvY2FsbGJhY2siLCJzb2Z0d2FyZV9lbnZpcm9ubWVudCI6InNhbmRib3giLCJzb2Z0d2FyZV9pZCI6IjFPRXdZQUtJZ010ZWZ2T0tmU0VkQVMiLCJzb2Z0d2FyZV9qd2tzX2VuZHBvaW50IjoiaHR0cHM6Ly9rZXlzdG9yZS5vcGVuYmFua2luZ3Rlc3Qub3JnLnVrLzAwMTU4MDAwMDBqZlE5YUFBRS8xT0V3WUFLSWdNdGVmdk9LZlNFZEFTLmp3a3MiLCJzb2Z0d2FyZV9qd2tzX3Jldm9rZWRfZW5kcG9pbnQiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMGpmUTlhQUFFL3Jldm9rZWQvMU9Fd1lBS0lnTXRlZnZPS2ZTRWRBUy5qd2tzIiwic29mdHdhcmVfbG9nb191cmkiOiJodHRwczovL3d3dy5nZXRwb3N0bWFuLmNvbS9vYXV0aDIvY2FsbGJhY2siLCJzb2Z0d2FyZV9tb2RlIjoiTGl2ZSIsInNvZnR3YXJlX29uX2JlaGFsZl9vZl9vcmciOiIiLCJzb2Z0d2FyZV9wb2xpY3lfdXJpIjoiaHR0cHM6Ly93d3cuZ2V0cG9zdG1hbi5jb20vb2F1dGgyL2NhbGxiYWNrIiwic29mdHdhcmVfcmVkaXJlY3RfdXJpcyI6WyJodHRwczovL3d3dy5nZXRwb3N0bWFuLmNvbS9vYXV0aDIvY2FsbGJhY2siXSwic29mdHdhcmVfcm9sZXMiOlsiQUlTUCIsIlBJU1AiXSwic29mdHdhcmVfdG9zX3VyaSI6Imh0dHBzOi8vd3d3LmdldHBvc3RtYW4uY29tL29hdXRoMi9jYWxsYmFjayIsInNvZnR3YXJlX3ZlcnNpb24iOjEuMX0.W2wgtocZxQxp3iaJqzDZZ3dZkdvLEJpFqfl8drmo4QUq_V-fsUczxzsO8wwPaAECBMW0ozXwSKu4nH88UaCHTR84NUuhyDw14ToOwRzU4MUSiVeEgjgAmje0BTfes7d2ZC_HRbcLqsahu1a2C7-tXxVM0KcnvOrbFenYru_Hk66nQVwdYNLMmwWiPg63tTS8vEHNHvd63rui_3SlBO2VwTQsKMXbxiXEk1j6AGQS4D4F-M_GKNJ-UZnqqJMQmnWB0eyrkhYztQ4SMU8o_zroX1qEXeCRaCpD-oK_-zy0can-70Fpa0-pxmc-APsiKYBKwTL-LDaLEmT8cgEd_Dlrwg",
  "aud": "https://auth-sandbox.bankofireland.com",
  "scope": "openid accounts payments",
  "request_object_signing_alg": "PS256",
  "exp": 1599357843,
  "iat": 1519357843,
  "jti": "7aac9164-eeac-47d6-8042-9a24610a984e",
  "id_token_signed_response_alg": "PS256"
}

Dynamic Client Registration Response

Example Successful Client Registration Response

{

    "client_id": "G77EHo37piaf5OrRkK5HpV",
        "redirect_uris": [
            "https://www.getpostman.com/oauth2/callback"
        ],
        "token_endpoint_auth_method": "tls_client_auth",
        "grant_types": [
            "authorization_code",
            "refresh_token",
            "client_credentials"
        ],
        "response_types": [
            "code id_token"
        ],
        "software_id": "1OEwYAKIgMtefvOKfSEdAS",
        "scope": "openid accounts payments fundsconfirmations",
        "software_statement": "eyJhbGciOiJQUzI1NiIsImtpZCI6Imo4SFdZMDBhSUJtS0ExT1c3WW50dnRLVU0ycnVueDdvQWdiS2hJRE1IM0k9IiwidHlwIjoiSldUIn0.eyJpc3MiOiJPcGVuQmFua2luZyBMdGQiLCJpYXQiOjE2MjAxMjE4MDYsImp0aSI6IjFlNWVkZWRlYzEwNzRkNWYiLCJzb2Z0d2FyZV9lbnZpcm9ubWVudCI6InNhbmRib3giLCJzb2Z0d2FyZV9tb2RlIjoiVGVzdCIsInNvZnR3YXJlX2lkIjoiRzc3RUhvMzdwaWFmNU9yUmtLNUhwViIsInNvZnR3YXJlX2NsaWVudF9pZCI6Ikc3N0VIbzM3cGlhZjVPclJrSzVIcFYiLCJzb2Z0d2FyZV9jbGllbnRfbmFtZSI6IkNsaWVudF80dGhfTWF5Iiwic29mdHdhcmVfY2xpZW50X2Rlc2NyaXB0aW9uIjoiQ2xpZW50XzR0aF9NYXkiLCJzb2Z0d2FyZV92ZXJzaW9uIjoxLjEsInNvZnR3YXJlX2NsaWVudF91cmkiOiJodHRwczovL2dvb2dsZS5jb20iLCJzb2Z0d2FyZV9yZWRpcmVjdF91cmlzIjpbImh0dHBzOi8vZ29vZ2xlLmNvbSJdLCJzb2Z0d2FyZV9yb2xlcyI6WyJQSVNQIiwiQ0JQSUkiLCJBSVNQIl0sIm9yZ2FuaXNhdGlvbl9jb21wZXRlbnRfYXV0aG9yaXR5X2NsYWltcyI6eyJhdXRob3JpdHlfaWQiOiJGQ0FHQlIiLCJyZWdpc3RyYXRpb25faWQiOiI1MTI5NTYiLCJzdGF0dXMiOiJBY3RpdmUiLCJhdXRob3Jpc2F0aW9ucyI6W3sibWVtYmVyX3N0YXRlIjoiR0IiLCJyb2xlcyI6WyJQSVNQIiwiQ0JQSUkiLCJBSVNQIiwiQVNQU1AiXX0seyJtZW1iZXJfc3RhdGUiOiJJRSIsInJvbGVzIjpbIkNCUElJIiwiQUlTUCIsIkFTUFNQIiwiUElTUCJdfSx7Im1lbWJlcl9zdGF0ZSI6Ik5MIiwicm9sZXMiOlsiUElTUCIsIkNCUElJIiwiQUlTUCIsIkFTUFNQIl19XX0sInNvZnR3YXJlX2xvZ29fdXJpIjoiaHR0cHM6Ly9nb29nbGUuY29tIiwib3JnX3N0YXR1cyI6IkFjdGl2ZSIsIm9yZ19pZCI6IjAwMTU4MDAwMDBqZlE5YUFBRSIsIm9yZ19uYW1lIjoiQmFuayBvZiBJcmVsYW5kIChVSykgUGxjIiwib3JnX2NvbnRhY3RzIjpbeyJuYW1lIjoiVGVjaG5pY2FsIiwiZW1haWwiOiJPQlRlY2huaWNhbFF1ZXJpZXNAQk9JLkNPTSIsInBob25lIjoiKzM1MyA4NjA2ODE3NjIiLCJ0eXBlIjoiVGVjaG5pY2FsIn0seyJuYW1lIjoiQnVzaW5lc3MiLCJlbWFpbCI6Ik9CQnVzaW5lc3NRdWVyaWVzQEJPSS5DT00iLCJwaG9uZSI6Iis0NCA3NTg0IDIxNDgzMCIsInR5cGUiOiJCdXNpbmVzcyJ9XSwib3JnX2p3a3NfZW5kcG9pbnQiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMGpmUTlhQUFFLzAwMTU4MDAwMDBqZlE5YUFBRS5qd2tzIiwib3JnX2p3a3NfcmV2b2tlZF9lbmRwb2ludCI6Imh0dHBzOi8va2V5c3RvcmUub3BlbmJhbmtpbmd0ZXN0Lm9yZy51ay8wMDE1ODAwMDAwamZROWFBQUUvcmV2b2tlZC8wMDE1ODAwMDAwamZROWFBQUUuandrcyIsInNvZnR3YXJlX2p3a3NfZW5kcG9pbnQiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMGpmUTlhQUFFL0c3N0VIbzM3cGlhZjVPclJrSzVIcFYuandrcyIsInNvZnR3YXJlX2p3a3NfcmV2b2tlZF9lbmRwb2ludCI6Imh0dHBzOi8va2V5c3RvcmUub3BlbmJhbmtpbmd0ZXN0Lm9yZy51ay8wMDE1ODAwMDAwamZROWFBQUUvcmV2b2tlZC9HNzdFSG8zN3BpYWY1T3JSa0s1SHBWLmp3a3MiLCJzb2Z0d2FyZV9wb2xpY3lfdXJpIjoiaHR0cHM6Ly9nb29nbGUuY29tIiwic29mdHdhcmVfdG9zX3VyaSI6Imh0dHBzOi8vZ29vZ2xlLmNvbSIsInNvZnR3YXJlX29uX2JlaGFsZl9vZl9vcmciOiIifQ.d_2sfHAA8jGYQMhc1vSayEgz--x0ZpZL6-wAYpEfbdcVAPK5w3HF94A1oPSKathrgjPaLbhplfe8EOFtKQDqRvhat7ZsVON0-Jzv9gXFzL6FJ_1LMyCw099jcUQt1PUuYs61Sj3yFZn9fY0bO2FbBVBj8Didmk8aMXFZ7v95ZOq7xZXBjBH5lTivwsfZoX4Y9dychZYYWEW-VWkLQZKpzJH3fkAEOvp8bwlwjI21cVAQvEcMJJfeGGo8QfcPcOWyz38MPlk-PTZ4JI__XkidpfOEmY0OuaC1NV-E3fvfwjrHWb3AsOANuqciWu-3X-PcQPguoivCJ5WqgE45gcgL3w",
        "application_type": "web",
        "id_token_signed_response_alg": "PS256",
        "request_object_signing_alg": "PS256",
        "tls_client_auth_subject_dn": "CN = tpp-test.com,OU = BOI PSD2 OU,2.5.4.97 = PSDIE-CBI-123456,O = BOI PSD2 Test Org,L = Dublin,C = IE"
    }
}

Example Unsuccessful Client Registration Response

HTTP/1.1 400

{
    "errorCode": "9005",
    "errorMessage": "invalid_jwt.",
    "error_desciprtion": "Registration JWT token is invalid."
}
Client Modification Endpoint

Bank of Ireland UK supports automated client PUT endpoint protected by mutually authenticated transport-layer security using either Open Banking ETSI (OBWAC) or eIDAS (QWAC) certificates.

The DCR Update Endpoint in production supports the following changes in certificates:
1. Legacy Certificates (Client ID-Secret) to OBWAC Certificates
2. Legacy Certificates (MATLS) to OBWAC Certificates
3. Legacy Certificates (MATLS) to QWAC Certificates
4. QWAC Certificates to OBWAC Certificates
5. OBWAC to QWAC
6. QWAC to QWAC (subjectDN changes)
7. OBWAC to OBWAC (SubjectDN changes)

Additionally in Sandbox, we support the following change in certificates:
1. Self-Signed Certificates to eIDAS QWAC

Client Modification Request

To modify the client at BOI, the TPP sends a HTTP PUT to the modification endpoint. The request MUST be presented in the format of a [RFC7519] compliant JWT. The request MUST use the HTTP PUT method, using the application/JWT method. The JWT MUST be signed using algorithms specified in Open Banking documentation.

  1. Dynamic Client Registration PUT endpoint requires client credential grant token for authentication. Generate a new client credential token using existing certificate which can be:
    1. OB Legacy (Client ID-Secret / MATLS)
    2. OBWAC (MATLS)
    3. QWAC (MATLS)
  2. Invoke the DCR PUT endpoint using existing certificate as transport certificates and the access token generated in step 1 with the following updates in client metadata:
    1. TPPs using MATLS would need to update the below field:
      • tls_client_auth_subject_dn :- Subject DN of the new certificate that TPP is migrating to, which can be:
        1. OBWAC (MATLS) Subject DN
        2. QWAC (MATLS) Subject DN
    2. TPPs using Client ID/ Secret would need to update the following fields:
      • token_endpoint_auth_method :- ‘tls_client_auth'
      • tls_client_auth_subject_dn :- Subject DN of the new certificate that TPP is migrating to, which can be:
        1. OBWAC (MATLS) Subject DN
        2. QWAC (MATLS) Subject DN
      • id_token_signed_response_alg :- PS256
      • request_object_signing_alg :- PS256
    Additionally TPPs can also modify their Redirect URIs by updating the field ‘redirect_uris’.
  3. Once the updates are successful, an HTTP status code 200 would be returned with client metadata.
  4. On successful updates using the PUT endpoint as per step 3, ready OBWAC / QWAC certificates should be used as the transport certificates including for MATLS with token endpoint.

Header Claims

Metadata

Description

typ

MUST be set to JWT

alg

MUST be set to PS256 if onboarded via TPP portal

MUST be set to PS256 if onboarded via DCR

kid

The kid will be kept the same as the "x5t" parameter. (X.509 Certificate SHA-1 Thumbprint) of the signing certificate.

x5c

Public certificate of the QSealC. Only to be populated when non-OB SSA is used in request claims.

 

Request Claims

Claim

Description

Source Specification

Optional

Comments

iss

Request Issuer (The TPP)

[RFC7519]

NO

 

iat

Time of issuance of request

[RFC7519]

NO

 

exp

Request expiration time

[RFC7519]

NO

 

aud

Request audience (The ASPSP)

[RFC7519]

NO

 

jti

JWT ID

[RFC7519]

NO

 

redirect_uris

Registered URIs the TPP will use to interact with BOI

[OIDC-R]

NO

MUST match or be a subset of the software_redirect_uris claim in the SSA

token_endpoint_auth_method

Specifies which token endpoint authentication method the TPP wants to use

[RFC7591]

NO

 

grant_types

A JSON array specifying what the TPP can request to be supplied to the token endpoint as exchange for an access token

[RFC7591]

NO

 

response_types

A JSON array specifying what the TPP can request to be returned from the ASPSP authorisation endpoint.

[RFC7591]

YES

 

software_id

The software_id in the request MUST match the software_id specified in the SSA

[RFC7591]

YES

 

scope

scopes the client is asking for (if not specified, default scopes are assigned by the AS)

[RFC7591]

NO

Minimum scope should be openid + whatever scopes are appropriate for the softwares PSD2 Role.

software_statement

SSA issued by Open Banking identifier or non-OB SSA generated by TPP

[RFC7519]

NO

 

application_type

Web or Mobile

[OIDC-R]

NO

MUST be web if specified.

id_token_signed_response_alg

Algorithm which the TPP expects to sign the id_token, if an id_token is returned.

[OIDC-R]

NO

 

request_object_signing_alg

Algorithm which the TPP expects to sign the request object if a request object will be part of the authorization request sent to the ASPSP.

[OIDC-R]

NO


token_endpoint_auth_signing_alg

Algorithm which the TPP uses to authenticate with the token endpoint if using private_key_jwt or client_secret_jwt. Must be specified if token_endpoint_auth_method is private_key_jwt or client_secret_jwt

 

YES

Not supported by Bank of Ireland.

tls_client_auth_subject_dn

This value must be set iff token_endpoint_auth_method is set to tls_client_auth. The tls_client_auth_subject_dn claim MUST contain the DN of the certificate that the TPP will present to the ASPSP token endpoint.The ASPSP may decide to match only a part of the DN so that the match is based only on the part of the DN that will be immutable for the TPP across all EIDAS certificates issued to it.

 

YES

 

client_id

 

The client identifier generated by the ASPSP

 

YES

Request: Optional

Response: Mandatory

client_secret

A shared secret generated by the ASPSP.

 

YES

 

client_id_issued_at

 

Time at which the client identifier was issued expressed as "seconds since the epoch".

 

YES

 

client_secret_expires_at

 

Time at which the client secret will expire expressed as "seconds since the epoch".

 

YES

 

backchannel_token_delivery_mode

As defined in CIBA - Registration and Discovery Metadata. This value MUST be specified iff the grant_types includes urn:openid:params:grant-type:ciba

 

YES

Not supported by Bank of Ireland.

backchannel_client_notification_endpoint

As defined in CIBA - Registration and Discovery Metadata. This value MUST be specified iff the grant_types includes urn:openid:params:grant-type:ciba and backchannel_token_delivery_mode is not poll. This must be a valid HTTPS URL

 

YES

Not supported by Bank of Ireland.

backchannel_authentication_request_signing_alg

As defined in CIBA - Registration and Discovery Metadata. This value MUST be specified iff the grant_types includes urn:openid:params:grant-type:ciba.

 

YES

Not supported by Bank of Ireland.

backchannel_user_code_parameter_supported

As defined in CIBA - Registration and Discovery Metadata. This value MUST be specified only if the grant_types

 

YES

Not supported by Bank of Ireland.

Example Dynamic Client Modification Request

curl -X PUT \

  https://api-sandbox.bankofireland.com/1/api/open-banking/v3.3/register \ VP5WDT1gbyjUjxzJnFGmPB
  -H 'Cache-Control: no-cache' \

  -H 'Content-Type: application/jwt' \

  -H 'Postman-Token: 4d718d91-6005-459e-903c-7053ea06aa87' \
-d eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ilh6c3lVQ2hZWmMwdkhXNGp0TWVr STZTTTVJZyJ9.eyJncmFudF90eXBlcyI6WyJhdXRob3JpemF0aW9uX2NvZGUiLCJyZWZyZXNoX3Rva2VuIiwiY2xpZW50X2NyZWRlbnRpYWxzIl0sImFwcGxpY2F0aW9uX3R5cGUiOiJ3ZWIiLCJpc3MiOiJWUDVXRFQxZ2J5alVqeHpKbkZHbVBCIiwicmVkaXJlY3RfdXJpcyI6WyJodHRwczovL2RlbW8uY29tIl0sInRva2VuX2VuZHBvaW50X2F1dGhfbWV0aG9kIjoidGxzX2NsaWVudF9hdXRoIiwidGxzX2NsaWVudF9hdXRoX3N1YmplY3RfZG4iOiJDTiA9IDAwMTU4MDAwMDBqZlE5YUFBRSwgMi41LjQuOTcgPSBQU0RHQi1GQ0EtNTEyOTU2LCBPID0gQmFuayBvZiBJcmVsYW5kIChVSykgUGxjLCBDID0gR0IiLCJzb2Z0d2FyZV9pZCI6IlZQNVdEVDFnYnlqVWp4ekpuRkdtUEIiLCJzb2Z0d2FyZV9zdGF0ZW1lbnQiOiJleUpoYkdjaU9pSlFVekkxTmlJc0ltdHBaQ0k2SW1vNFNGZFpNREJoU1VKdFMwRXhUMWMzV1c1MGRuUkxWVTB5Y25WdWVEZHZRV2RpUzJoSlJFMUlNMGs5SWl3aWRIbHdJam9pU2xkVUluMC5leUpwYzNNaU9pSlBjR1Z1UW1GdWEybHVaeUJNZEdRaUxDSnBZWFFpT2pFMk1UZzVNVEV5TURFc0ltcDBhU0k2SWpZME1EQmlNalprTXpCbFpEUTFNbVlpTENKemIyWjBkMkZ5WlY5bGJuWnBjbTl1YldWdWRDSTZJbk5oYm1SaWIzZ2lMQ0p6YjJaMGQyRnlaVjl0YjJSbElqb2lWR1Z6ZENJc0luTnZablIzWVhKbFgybGtJam9pVmxBMVYwUlVNV2RpZVdwVmFuaDZTbTVHUjIxUVFpSXNJbk52Wm5SM1lYSmxYMk5zYVdWdWRGOXBaQ0k2SWxaUU5WZEVWREZuWW5scVZXcDRla3B1UmtkdFVFSWlMQ0p6YjJaMGQyRnlaVjlqYkdsbGJuUmZibUZ0WlNJNklrTkhYMVJsYzNSZk1qQXdOREl3TWpFaUxDSnpiMlowZDJGeVpWOWpiR2xsYm5SZlpHVnpZM0pwY0hScGIyNGlPaUpEUjE5VVpYTjBYekl3TURReU1ESXhJaXdpYzI5bWRIZGhjbVZmZG1WeWMybHZiaUk2TVM0eExDSnpiMlowZDJGeVpWOWpiR2xsYm5SZmRYSnBJam9pYUhSMGNITTZMeTlrWlcxdkxtTnZiU0lzSW5OdlpuUjNZWEpsWDNKbFpHbHlaV04wWDNWeWFYTWlPbHNpYUhSMGNITTZMeTlrWlcxdkxtTnZiU0pkTENKemIyWjBkMkZ5WlY5eWIyeGxjeUk2V3lKUVNWTlFJaXdpUTBKUVNVa2lMQ0pCU1ZOUUlsMHNJbTl5WjJGdWFYTmhkR2x2Ymw5amIyMXdaWFJsYm5SZllYVjBhRzl5YVhSNVgyTnNZV2x0Y3lJNmV5SmhkWFJvYjNKcGRIbGZhV1FpT2lKR1EwRkhRbElpTENKeVpXZHBjM1J5WVhScGIyNWZhV1FpT2lJMU1USTVOVFlpTENKemRHRjBkWE1pT2lKQlkzUnBkbVVpTENKaGRYUm9iM0pwYzJGMGFXOXVjeUk2VzNzaWJXVnRZbVZ5WDNOMFlYUmxJam9pUjBJaUxDSnliMnhsY3lJNld5SlFTVk5RSWl3aVEwSlFTVWtpTENKQlNWTlFJaXdpUVZOUVUxQWlYWDBzZXlKdFpXMWlaWEpmYzNSaGRHVWlPaUpKUlNJc0luSnZiR1Z6SWpwYklrTkNVRWxKSWl3aVFVbFRVQ0lzSWtGVFVGTlFJaXdpVUVsVFVDSmRmU3g3SW0xbGJXSmxjbDl6ZEdGMFpTSTZJazVNSWl3aWNtOXNaWE1pT2xzaVVFbFRVQ0lzSWtOQ1VFbEpJaXdpUVVsVFVDSXNJa0ZUVUZOUUlsMTlYWDBzSW5OdlpuUjNZWEpsWDJ4dloyOWZkWEpwSWpvaWFIUjBjSE02THk5a1pXMXZMbU52YlNJc0ltOXlaMTl6ZEdGMGRYTWlPaUpCWTNScGRtVWlMQ0p2Y21kZmFXUWlPaUl3TURFMU9EQXdNREF3YW1aUk9XRkJRVVVpTENKdmNtZGZibUZ0WlNJNklrSmhibXNnYjJZZ1NYSmxiR0Z1WkNBb1ZVc3BJRkJzWXlJc0ltOXlaMTlqYjI1MFlXTjBjeUk2VzNzaWJtRnRaU0k2SWxSbFkyaHVhV05oYkNJc0ltVnRZV2xzSWpvaVQwSlVaV05vYm1sallXeFJkV1Z5YVdWelFFSlBTUzVEVDAwaUxDSndhRzl1WlNJNklpc3pOVE1nT0RZd05qZ3hOell5SWl3aWRIbHdaU0k2SWxSbFkyaHVhV05oYkNKOUxIc2libUZ0WlNJNklrSjFjMmx1WlhOeklpd2laVzFoYVd3aU9pSlBRa0oxYzJsdVpYTnpVWFZsY21sbGMwQkNUMGt1UTA5Tklpd2ljR2h2Ym1VaU9pSXJORFFnTnpVNE5DQXlNVFE0TXpBaUxDSjBlWEJsSWpvaVFuVnphVzVsYzNNaWZWMHNJbTl5WjE5cWQydHpYMlZ1WkhCdmFXNTBJam9pYUhSMGNITTZMeTlyWlhsemRHOXlaUzV2Y0dWdVltRnVhMmx1WjNSbGMzUXViM0puTG5Wckx6QXdNVFU0TURBd01EQnFabEU1WVVGQlJTOHdNREUxT0RBd01EQXdhbVpST1dGQlFVVXVhbmRyY3lJc0ltOXlaMTlxZDJ0elgzSmxkbTlyWldSZlpXNWtjRzlwYm5RaU9pSm9kSFJ3Y3pvdkwydGxlWE4wYjNKbExtOXdaVzVpWVc1cmFXNW5kR1Z6ZEM1dmNtY3VkV3N2TURBeE5UZ3dNREF3TUdwbVVUbGhRVUZGTDNKbGRtOXJaV1F2TURBeE5UZ3dNREF3TUdwbVVUbGhRVUZGTG1wM2EzTWlMQ0p6YjJaMGQyRnlaVjlxZDJ0elgyVnVaSEJ2YVc1MElqb2lhSFIwY0hNNkx5OXJaWGx6ZEc5eVpTNXZjR1Z1WW1GdWEybHVaM1JsYzNRdWIzSm5MblZyTHpBd01UVTRNREF3TURCcVpsRTVZVUZCUlM5V1VEVlhSRlF4WjJKNWFsVnFlSHBLYmtaSGJWQkNMbXAzYTNNaUxDSnpiMlowZDJGeVpWOXFkMnR6WDNKbGRtOXJaV1JmWlc1a2NHOXBiblFpT2lKb2RIUndjem92TDJ0bGVYTjBiM0psTG05d1pXNWlZVzVyYVc1bmRHVnpkQzV2Y21jdWRXc3ZNREF4TlRnd01EQXdNR3BtVVRsaFFVRkZMM0psZG05clpXUXZWbEExVjBSVU1XZGllV3BWYW5oNlNtNUdSMjFRUWk1cWQydHpJaXdpYzI5bWRIZGhjbVZmY0c5c2FXTjVYM1Z5YVNJNkltaDBkSEJ6T2k4dlpHVnRieTVqYjIwaUxDSnpiMlowZDJGeVpWOTBiM05mZFhKcElqb2lhSFIwY0hNNkx5OWtaVzF2TG1OdmJTSXNJbk52Wm5SM1lYSmxYMjl1WDJKbGFHRnNabDl2Wmw5dmNtY2lPaUlpZlEuRDBfZGEtaDZjZzNseDlmTU4yS2hVb1NSZnk5SnhwaHVmWXBWNThBbUhudThtNVMtY1dGdVJLWDY0Q0JBcGRWYmcxOEd1U255OHJrZUNHLWQ5S0RtRkZpSGI4LWRCQU02S19FdldPd1dodFVSd1UzRDlZOXZiZDlHYkZYalk3cTNUSW5lRVpRdXFwZHVBZkd4RlBQTUQxdHVqdTB6cmlvdHVwRVNOQjNPcVJmZEpyUU04SXQ5dXJfLUpFQlc5VENHZ19VdGRabVJuRmJfUW9nZk5wb0VGRmtXZW5zTW52aGltYTNKUEZRNE5MRDdpRnJKRlBIQUpXUUxIQ2pMTjZhMzJLcUFmQ2hYdXpuaExzRkNjZXYyMjQwenE1MU9ySkdqaHRWcFh1VjJ6Ri1wMHMwd1lBUnNqWUVLR2pqek5DV0FmdkEyaFAwMVluOEFHOHRwWlljWkZ3IiwiYXVkIjoiaHR0cHM6Ly9hdXRoLmJvaS1zYW5kYm94LmFwaWJvaXRlc3QuY29tIiwic2NvcGUiOiJvcGVuaWQgYWNjb3VudHMgcGF5bWVudHMgZnVuZHNjb25maXJtYXRpb25zIiwicmVxdWVzdF9vYmplY3Rfc2lnbmluZ19hbGciOiJQUzI1NiIsImV4cCI6MTY1MzE5ODc4OSwiaWF0IjoxNjE4OTExMjAxLCJqdGkiOiI2NDAwYjI2ZDMwZWQ0NTJmIiwiaWRfdG9rZW5fc2lnbmVkX3Jlc3BvbnNlX2FsZyI6IlBTMjU2IiwicmVzcG9uc2VfdHlwZXMiOlsiY29kZSBpZF90b2tlbiJdfQ.Zt5u3z7UcYKvo10P_XU-CLefN4nTmRKPNaQmdJ6_erbOq_kWC_gzD2pvL2LyWD5OrEadaUmwxN8usYv4k8FnJtOVAeo2evxUhK0yQSunwGJ6uz4nB7gJfGSCJ2IdYwOOX9isMkWZ-CrbWyWDgPqMrEaDFZU_9rG_D6b6-YJF-TIF7M0-vxNnGDasoVev5mT-YmhBDMxWF3THzNF0lwtXRySts_-XN13kWvuk9lebAAeRjcvgaTZscrxtWg5eWzOyvxp3lo6IC7nawsm7OYCJ4lXFoC72shI_FNjLek1hnl1yPRRGjR1YQzAFtoIMlX3_-Ev1tXF0agEYaoVRUiqv0w

Example Decoded Dynamic Client Modification Request Body

HEADER:ALGORITHM & TOKEN TYPE

{
  "alg": "PS256",
  "typ": "JWT",
  "kid": "XzsyUChYZc0vHW4jtMekI6SM5Ig"
}
PAYLOAD:DATA

{
  "grant_types": [
    "authorization_code",
    "refresh_token",
    "client_credentials"
  ],
  "application_type": "web",
  "iss": "VP5WDT1gbyjUjxzJnFGmPB",
  "redirect_uris": [
   "https://www.getpostman.com/oauth2/callback"
  ],
  "token_endpoint_auth_method": "tls_client_auth",
  "tls_client_auth_subject_dn": "CN = 0015800000jfQ9aAAE, 2.5.4.97 = PSDGB-FCA-512956, O = Bank of Ireland (UK) Plc, C = GB",
  "software_id"
{
  "grant_types": [
    "authorization_code",
    "refresh_token",
    "client_credentials"
  ],
  "application_type": "web",
  "iss": "VP5WDT1gbyjUjxzJnFGmPB",
  "redirect_uris": [
    "https://www.getpostman.com/oauth2/callback"
  ],
  "token_endpoint_auth_method": "tls_client_auth",
  "tls_client_auth_subject_dn": "CN = 0015800000jfQ9aAAE, 2.5.4.97 = PSDGB-FCA-512956, O = Bank of Ireland (UK) Plc, C = GB",
  "software_id": "VP5WDT1gbyjUjxzJnFGmPB",
  "software_statement": "eyJhbGciOiJQUzI1NiIsImtpZCI6Imo4SFdZMDBhSUJtS0ExT1c3WW50dnRLVU0ycnVueDdvQWdiS2hJRE1IM0k9IiwidHlwIjoiSldUIn0.eyJpc3MiOiJPcGVuQmFua2luZyBMdGQiLCJpYXQiOjE2MTg5MTEyMDEsImp0aSI6IjY0MDBiMjZkMzBlZDQ1MmYiLCJzb2Z0d2FyZV9lbnZpcm9ubWVudCI6InNhbmRib3giLCJzb2Z0d2FyZV9tb2RlIjoiVGVzdCIsInNvZnR3YXJlX2lkIjoiVlA1V0RUMWdieWpVanh6Sm5GR21QQiIsInNvZnR3YXJlX2NsaWVudF9pZCI6IlZQNVdEVDFnYnlqVWp4ekpuRkdtUEIiLCJzb2Z0d2FyZV9jbGllbnRfbmFtZSI6IkNHX1Rlc3RfMjAwNDIwMjEiLCJzb2Z0d2FyZV9jbGllbnRfZGVzY3JpcHRpb24iOiJDR19UZXN0XzIwMDQyMDIxIiwic29mdHdhcmVfdmVyc2lvbiI6MS4xLCJzb2Z0d2FyZV9jbGllbnRfdXJpIjoiaHR0cHM6Ly9kZW1vLmNvbSIsInNvZnR3YXJlX3JlZGlyZWN0X3VyaXMiOlsiaHR0cHM6Ly9kZW1vLmNvbSJdLCJzb2Z0d2FyZV9yb2xlcyI6WyJQSVNQIiwiQ0JQSUkiLCJBSVNQIl0sIm9yZ2FuaXNhdGlvbl9jb21wZXRlbnRfYXV0aG9yaXR5X2NsYWltcyI6eyJhdXRob3JpdHlfaWQiOiJGQ0FHQlIiLCJyZWdpc3RyYXRpb25faWQiOiI1MTI5NTYiLCJzdGF0dXMiOiJBY3RpdmUiLCJhdXRob3Jpc2F0aW9ucyI6W3sibWVtYmVyX3N0YXRlIjoiR0IiLCJyb2xlcyI6WyJQSVNQIiwiQ0JQSUkiLCJBSVNQIiwiQVNQU1AiXX0seyJtZW1iZXJfc3RhdGUiOiJJRSIsInJvbGVzIjpbIkNCUElJIiwiQUlTUCIsIkFTUFNQIiwiUElTUCJdfSx7Im1lbWJlcl9zdGF0ZSI6Ik5MIiwicm9sZXMiOlsiUElTUCIsIkNCUElJIiwiQUlTUCIsIkFTUFNQIl19XX0sInNvZnR3YXJlX2xvZ29fdXJpIjoiaHR0cHM6Ly9kZW1vLmNvbSIsIm9yZ19zdGF0dXMiOiJBY3RpdmUiLCJvcmdfaWQiOiIwMDE1ODAwMDAwamZROWFBQUUiLCJvcmdfbmFtZSI6IkJhbmsgb2YgSXJlbGFuZCAoVUspIFBsYyIsIm9yZ19jb250YWN0cyI6W3sibmFtZSI6IlRlY2huaWNhbCIsImVtYWlsIjoiT0JUZWNobmljYWxRdWVyaWVzQEJPSS5DT00iLCJwaG9uZSI6IiszNTMgODYwNjgxNzYyIiwidHlwZSI6IlRlY2huaWNhbCJ9LHsibmFtZSI6IkJ1c2luZXNzIiwiZW1haWwiOiJPQkJ1c2luZXNzUXVlcmllc0BCT0kuQ09NIiwicGhvbmUiOiIrNDQgNzU4NCAyMTQ4MzAiLCJ0eXBlIjoiQnVzaW5lc3MifV0sIm9yZ19qd2tzX2VuZHBvaW50IjoiaHR0cHM6Ly9rZXlzdG9yZS5vcGVuYmFua2luZ3Rlc3Qub3JnLnVrLzAwMTU4MDAwMDBqZlE5YUFBRS8wMDE1ODAwMDAwamZROWFBQUUuandrcyIsIm9yZ19qd2tzX3Jldm9rZWRfZW5kcG9pbnQiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMGpmUTlhQUFFL3Jldm9rZWQvMDAxNTgwMDAwMGpmUTlhQUFFLmp3a3MiLCJzb2Z0d2FyZV9qd2tzX2VuZHBvaW50IjoiaHR0cHM6Ly9rZXlzdG9yZS5vcGVuYmFua2luZ3Rlc3Qub3JnLnVrLzAwMTU4MDAwMDBqZlE5YUFBRS9WUDVXRFQxZ2J5alVqeHpKbkZHbVBCLmp3a3MiLCJzb2Z0d2FyZV9qd2tzX3Jldm9rZWRfZW5kcG9pbnQiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMGpmUTlhQUFFL3Jldm9rZWQvVlA1V0RUMWdieWpVanh6Sm5GR21QQi5qd2tzIiwic29mdHdhcmVfcG9saWN5X3VyaSI6Imh0dHBzOi8vZGVtby5jb20iLCJzb2Z0d2FyZV90b3NfdXJpIjoiaHR0cHM6Ly9kZW1vLmNvbSIsInNvZnR3YXJlX29uX2JlaGFsZl9vZl9vcmciOiIifQ.D0_da-h6cg3lx9fMN2KhUoSRfy9JxphufYpV58AmHnu8m5S-cWFuRKX64CBApdVbg18GuSny8rkeCG-d9KDmFFiHb8-dBAM6K_EvWOwWhtURwU3D9Y9vbd9GbFXjY7q3TIneEZQuqpduAfGxFPPMD1tuju0zriotupESNB3OqRfdJrQM8It9ur_-JEBW9TCGg_UtdZmRnFb_QogfNpoEFFkWensMnvhima3JPFQ4NLD7iFrJFPHAJWQLHCjLN6a32KqAfChXuznhLsFCcev2240zq51OrJGjhtVpXuV2zF-p0s0wYARsjYEKGjjzNCWAfvA2hP01Yn8AG8tpZYcZFw",
  "aud": "https://auth-sandbox.bankofireland.com",
  "scope": "openid accounts payments fundsconfirmations",
  "request_object_signing_alg": "PS256",
  "exp": 1653198789,
  "iat": 1618911201,
  "jti": "6400b26d30ed452f",
  "id_token_signed_response_alg": "PS256",
  "response_types": [
    "code id_token"
  ]
}

Dynamic Client Modification Response

{
   "client_id": "VP5WDT1gbyjUjxzJnFGmPB",
    "redirect_uris": [
            "https://www.getpostman.com/oauth2/callback"
        ],
        "token_endpoint_auth_method": "tls_client_auth",
        "grant_types": [
            "authorization_code",
            "refresh_token",
            "client_credentials"
        ],
        "response_types": [
            "code id_token"
        ],
        "software_id": "VP5WDT1gbyjUjxzJnFGmPB",
        "scope": "openid accounts payments fundsconfirmations",
        "software_statement": "eyJhbGciOiJQUzI1NiIsImtpZCI6Imo4SFdZMDBhSUJtS0ExT1c3WW50dnRLVU0ycnVueDdvQWdiS2hJRE1IM0k9IiwidHlwIjoiSldUIn0.eyJpc3MiOiJPcGVuQmFua2luZyBMdGQiLCJpYXQiOjE2MTg5MTEyMDEsImp0aSI6IjY0MDBiMjZkMzBlZDQ1MmYiLCJzb2Z0d2FyZV9lbnZpcm9ubWVudCI6InNhbmRib3giLCJzb2Z0d2FyZV9tb2RlIjoiVGVzdCIsInNvZnR3YXJlX2lkIjoiVlA1V0RUMWdieWpVanh6Sm5GR21QQiIsInNvZnR3YXJlX2NsaWVudF9pZCI6IlZQNVdEVDFnYnlqVWp4ekpuRkdtUEIiLCJzb2Z0d2FyZV9jbGllbnRfbmFtZSI6IkNHX1Rlc3RfMjAwNDIwMjEiLCJzb2Z0d2FyZV9jbGllbnRfZGVzY3JpcHRpb24iOiJDR19UZXN0XzIwMDQyMDIxIiwic29mdHdhcmVfdmVyc2lvbiI6MS4xLCJzb2Z0d2FyZV9jbGllbnRfdXJpIjoiaHR0cHM6Ly9kZW1vLmNvbSIsInNvZnR3YXJlX3JlZGlyZWN0X3VyaXMiOlsiaHR0cHM6Ly9kZW1vLmNvbSJdLCJzb2Z0d2FyZV9yb2xlcyI6WyJQSVNQIiwiQ0JQSUkiLCJBSVNQIl0sIm9yZ2FuaXNhdGlvbl9jb21wZXRlbnRfYXV0aG9yaXR5X2NsYWltcyI6eyJhdXRob3JpdHlfaWQiOiJGQ0FHQlIiLCJyZWdpc3RyYXRpb25faWQiOiI1MTI5NTYiLCJzdGF0dXMiOiJBY3RpdmUiLCJhdXRob3Jpc2F0aW9ucyI6W3sibWVtYmVyX3N0YXRlIjoiR0IiLCJyb2xlcyI6WyJQSVNQIiwiQ0JQSUkiLCJBSVNQIiwiQVNQU1AiXX0seyJtZW1iZXJfc3RhdGUiOiJJRSIsInJvbGVzIjpbIkNCUElJIiwiQUlTUCIsIkFTUFNQIiwiUElTUCJdfSx7Im1lbWJlcl9zdGF0ZSI6Ik5MIiwicm9sZXMiOlsiUElTUCIsIkNCUElJIiwiQUlTUCIsIkFTUFNQIl19XX0sInNvZnR3YXJlX2xvZ29fdXJpIjoiaHR0cHM6Ly9kZW1vLmNvbSIsIm9yZ19zdGF0dXMiOiJBY3RpdmUiLCJvcmdfaWQiOiIwMDE1ODAwMDAwamZROWFBQUUiLCJvcmdfbmFtZSI6IkJhbmsgb2YgSXJlbGFuZCAoVUspIFBsYyIsIm9yZ19jb250YWN0cyI6W3sibmFtZSI6IlRlY2huaWNhbCIsImVtYWlsIjoiT0JUZWNobmljYWxRdWVyaWVzQEJPSS5DT00iLCJwaG9uZSI6IiszNTMgODYwNjgxNzYyIiwidHlwZSI6IlRlY2huaWNhbCJ9LHsibmFtZSI6IkJ1c2luZXNzIiwiZW1haWwiOiJPQkJ1c2luZXNzUXVlcmllc0BCT0kuQ09NIiwicGhvbmUiOiIrNDQgNzU4NCAyMTQ4MzAiLCJ0eXBlIjoiQnVzaW5lc3MifV0sIm9yZ19qd2tzX2VuZHBvaW50IjoiaHR0cHM6Ly9rZXlzdG9yZS5vcGVuYmFua2luZ3Rlc3Qub3JnLnVrLzAwMTU4MDAwMDBqZlE5YUFBRS8wMDE1ODAwMDAwamZROWFBQUUuandrcyIsIm9yZ19qd2tzX3Jldm9rZWRfZW5kcG9pbnQiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMGpmUTlhQUFFL3Jldm9rZWQvMDAxNTgwMDAwMGpmUTlhQUFFLmp3a3MiLCJzb2Z0d2FyZV9qd2tzX2VuZHBvaW50IjoiaHR0cHM6Ly9rZXlzdG9yZS5vcGVuYmFua2luZ3Rlc3Qub3JnLnVrLzAwMTU4MDAwMDBqZlE5YUFBRS9WUDVXRFQxZ2J5alVqeHpKbkZHbVBCLmp3a3MiLCJzb2Z0d2FyZV9qd2tzX3Jldm9rZWRfZW5kcG9pbnQiOiJodHRwczovL2tleXN0b3JlLm9wZW5iYW5raW5ndGVzdC5vcmcudWsvMDAxNTgwMDAwMGpmUTlhQUFFL3Jldm9rZWQvVlA1V0RUMWdieWpVanh6Sm5GR21QQi5qd2tzIiwic29mdHdhcmVfcG9saWN5X3VyaSI6Imh0dHBzOi8vZGVtby5jb20iLCJzb2Z0d2FyZV90b3NfdXJpIjoiaHR0cHM6Ly9kZW1vLmNvbSIsInNvZnR3YXJlX29uX2JlaGFsZl9vZl9vcmciOiIifQ.D0_da-h6cg3lx9fMN2KhUoSRfy9JxphufYpV58AmHnu8m5S-cWFuRKX64CBApdVbg18GuSny8rkeCG-d9KDmFFiHb8-dBAM6K_EvWOwWhtURwU3D9Y9vbd9GbFXjY7q3TIneEZQuqpduAfGxFPPMD1tuju0zriotupESNB3OqRfdJrQM8It9ur_-JEBW9TCGg_UtdZmRnFb_QogfNpoEFFkWensMnvhima3JPFQ4NLD7iFrJFPHAJWQLHCjLN6a32KqAfChXuznhLsFCcev2240zq51OrJGjhtVpXuV2zF-p0s0wYARsjYEKGjjzNCWAfvA2hP01Yn8AG8tpZYcZFw",
        "application_type": "web",
        "id_token_signed_response_alg": "PS256",
        "request_object_signing_alg": "PS256",
        "tls_client_auth_subject_dn": "CN=0015800000jfQ9aAAE, OID.2.5.4.97=PSDGB-FCA-512956, O=Bank of Ireland (UK) Plc, C=GB"
    }
}

Example Unsuccessful Client Modification Response

HTTP/1.1 400

{
    "errorMessage": "INVALID_SOFTWARE_STATEMENT",
    "error_desciprtion": "Registration JWT token is invalid."
}

Reviews