Consent Manager

After a certain period, bank customers may need to view, update, or revoke consents they have granted to API consumer applications to access account data. Consent Manager is an application in WSO2 Open Banking that supports all these requirements and manages consents.

Note

  • Bank officers with the CustomerCareOfficerRole role and bank customers can access the Consent Manager.
  • Customer Care Officers have privileges such as Advanced Search options and the ability to view the consents of all bank customers.

Configuring servers

  1. Open the <IS_HOME>/repository/conf/deployment.toml file and update access control configurations for the consentmgr resource as follows:

    [[resource.access_control]]
    context = "(.*)/consentmgr(.*)"
    secure="false"
    http_method="GET,DELETE"
  2. Open the <API_HOME>/repository/conf/deployment.toml file and add the following gateway executor configurations for the Consent flow:

    [[open_banking.gateway.openbanking_gateway_executors.type]]
    name = "Consent"
    [[open_banking.gateway.openbanking_gateway_executors.type.executors]]
    name = "com.wso2.openbanking.accelerator.gateway.executor.impl.selfcare.portal.UserPermissionValidationExecutor"
    priority = 1
  3. Restart the Identity Server and API Manager servers respectively.

Creating users and roles

Follow Configuring users and roles and do the following:

  1. Create a user and assign the CustomerCareOfficerRole role.

  2. Create 2 other users and assign them only the Internal/subscriber role.

Publishing Self-Care Portal API

  1. Sign in to the API Publisher Portal at https://<APIM_HOST>:9443/publisher with creator/publisher privileges.

  2. On the homepage, go to REST API and select Import Open API. import_API

  3. Select OpenAPI File/Archive.

  4. Download the scp-swagger.yaml file available here .

  5. Click Browse File to Upload and use the scp-swagger.yaml file.

  6. Click Next.

  7. Set the value for Endpoint as follows:

    https://<IS_HOST>:9446/api/openbanking/consent
    • Replace the placeholder with the hostname of Identity Server.
  8. Click Create.

  9. Go to Develop > API Configurations > Runtime using the left menu pane.

    select_runtime

  10. Click the edit button under Request > Message Mediation.

    message_mediation

  11. Now, select the Custom Policy option.

  12. Download the scp-insequence.xml file available here and use it as the Mediation Policy.

  13. Upload the scp-insequence.xml file and click SELECT.

  14. Scroll down and click SAVE.

  15. Go to Overview using the left menu pane.

  16. Click Deploy.

  17. Set the API Gateways configurations and deploy the API.

  18. Go back to Overview.

  19. Click Publish.

Subscribing to Self-Care Portal API

  1. Sign in to the Developer Portal at https://<APIM_HOST>:9443/devportal with Internal/subscriber privileges.

  2. Go to the Applications tab and click ADD NEW APPLICATION. create_new_application

  3. Enter consentmgr as the name of the application and click Save. consent_manager_application

  4. Go to the left menu pane and select Production Keys or Sandbox Keys to generate keys.

  5. Set the Grant Types to Refresh Token and Code.

    If these grant types are not visible in the Developer Portal, click here to see how to configure them.

    Follow the steps below and configure the Grant Types for the Key Manager according to your Open Banking specification:

    1. Sign in to the Admin Portal of API Manager at https://<APIM_HOST>:9443/admin.

    2. Go to the Key Managers tab using the left menu pane.

    3. Select the OBKM key manager. obkm_keymanager

    4. Enter the required grant types and press enter. configure_grant_types

    5. Scroll down and click Update.

    For more information see, Configure Identity Server as the Key Manager.

  6. Set the Callback URL to https://<IS_HOST>:9446/consentmgr/scp_oauth2_callback.

    • Replace the placeholder with the hostname of the Identity Server.
  7. Leave their default values for other configurations.

  8. Scroll down and click GENERATE KEYS.

  9. A message box will display the access token.

  10. You can see that the consumer key and consumer secret are generated for the consentmgr application.

  11. Now, go to the left menu pane and select Subscriptions.

  12. Click SUBSCRIBE APIS. subscribe_to_apis

  13. Find the SelfCarePortalAPI from the list and click the Subscribe button corresponding to it.

  1. Open the <IS_HOME>/repository/deployment/server/webapps/consentmgr/runtime-config.js file.

    • Update the SERVER_URL parameter with a URL to the Identity Server. For example:

      window.env = {
          // This option can be retrieved in "src/index.js" with "window.env.API_URL".
          SERVER_URL: 'https://localhost:9446',
          TENANT_DOMAIN: 'carbon.super',
          NUMBER_OF_CONSENTS: 25,
          VERSION: '3.0.0'
        };
  2. Open the <IS_HOME>/repository/deployment/server/webapps/consentmgr/WEB-INF/web.xml file.

    Configuration Description
    identityServerBaseUrl The hostname of the Identity Server.
    apiManagerServerUrl The hostname of the API Manager.
    scpClientKey The Consumer Key of the application created.
    scpClientSecret The Consumer Secret of the application created.

    For example,

    <context-param>
        <param-name>identityServerBaseUrl</param-name>
        <param-value>https://localhost:9446</param-value>
    </context-param>
    <context-param>
        <param-name>apiManagerServerUrl</param-name>
        <param-value>https://localhost:8243</param-value>
    </context-param>
    <context-param>
        <param-name>scpClientKey</param-name>
        <param-value>2zB5s9wGHWVwmlrvHdWa6Mwc4vsa</param-value>
    </context-param>
    <context-param>
        <param-name>scpClientSecret</param-name>
        <param-value>cqblprasAniVfi02IXGFvp8VREAa</param-value>
    </context-param>
  1. Go to the Consent Manager application at https://<IS_HOST>:9446/consentmgr

  2. Sign in with the credentials provided by the bank.

  3. The consentmgr application requests access to your profile. To grant access, click Continue.

    consentmgr request access

  4. You are redirected to the homepage of the Consent Manager portal.

    consent manger homepage

The three tabs are as follows:

  • Active: Lists active consents that can access your account/payment information.
  • Expired: Lists expired consent that cannot access your account/payment information anymore.
  • Withdrawn: Lists the consents that you have revoked.

Tip

Use the Search button to search consents.

  • To view consent details, click the respective Action button.

    view consent

  • You can view the details such as the associated API consumer application, consent granted date, consent expiry date, account numbers, and permissions that you have granted.

    consent details

  • To revoke a consent, review the details and click Stop Sharing.

    consent details

  • Revoking a consent consists of 2 steps:

    • Step 1: The first step shows the impact of withdrawing the consent.

      stop sharing step 1

    • Step 2: Displays the information the consent has access to.

      stop sharing step 2

  • Once you click Stop Sharing, the status of the consent changes to withdrawn. You can find this consent in the Withdrawn tab now.

Top