...

1. Introduction

This release includes additional endpoints and all API endpoints in version 1.1 of the standards, together with a number of fixes as outlined in https://openfinanceuae.atlassian.net/wiki/spaces/OF/pages/277446657/Copy+of+API+Hub+Sandbox+v1.1+2024.12.17#4.-Release-Notes

...

Notes

Base URL

Code Block
https://rs1.altareq1.sandbox.apihub.openfinance.ae

OIDC Discovery Endpoint

Code Block
https://auth1.altareq1.sandbox.apihub.openfinance.ae/.well-known/openid-configuration

Postman Collection

API Hub Sandbox v1.1 2024.12.17.postman_collection.json

n/a

2.3 Supported Endpoints

2.3.1 Trust Framework

...

2.3.2 Service Initiation

Single Instant Payments

  • POST /par

  • GET /payments

  • GET /payments/{PaymentId}

  • GET /payment-consents

  • GET /payment-consents/{ConsentId}

  • PATCH /payment-consents/{ConsentId}

  • POST /payments

Future Dated Payments

  • POST /par

  • GET /payments

  • GET /payments/{PaymentId}

  • GET /payment-consents

  • GET /payment-consents/{ConsentId}

  • PATCH /payment-consents/{ConsentId}

  • POST /payments

Recurring Payments

  • POST /par

  • GET /payments

  • GET /payments/{PaymentId}

  • GET /payment-consents

  • GET /payment-consents/{ConsentId}

  • PATCH /payment-consents/{ConsentId}

  • POST /payments

Variable Recurring Payments

  • POST /par

  • GET /payments

  • GET /payments/{PaymentId}

  • GET /payment-consents

  • GET /payment-consents/{ConsentId}

  • PATCH /payment-consents/{ConsentId}

  • POST /payments

International Payments

  • POST /par

  • GET /payments

  • GET /payments/{PaymentId}

  • GET /payment-consents

  • GET /payment-consents/{ConsentId}

  • PATCH /payment-consents/{ConsentId}

  • POST /payments

Bulk / Batch Payments

  • POST /par

  • GET /payments

  • GET /payments/{PaymentId}

  • GET /payment-consents

  • GET /payment-consents/{ConsentId}

  • PATCH /payment-consents/{ConsentId}

  • POST /payments

2.3.3 Bank Data Sharing

Accounts

  • POST /par

  • GET /accounts/{AccountId}

  • GET /accounts

  • GET /account-access-consents

  • GET /account-access-consents/{ConsentId}

  • GET /accounts/{AccountId}/consents

  • PATCH /account-access-consents/{ConsentId}

Balances

  • POST /par

  • GET /accounts/{AccountId}/balances

  • GET /account-access-consents

  • GET /account-access-consents/{ConsentId}

  • GET /accounts/{AccountId}/consents

  • PATCH /account-access-consents/{ConsentId}

Transactions

  • POST /par

  • GET /accounts/{AccountId}/transactions

  • GET /account-access-consents

  • GET /account-access-consents/{ConsentId}

  • GET /accounts/{AccountId}/consents

  • PATCH /account-access-consents/{ConsentId}

Parties

  • POST /par

  • GET /accounts/{AccountId}/parties

  • GET /parties

  • GET /account-access-consents

  • GET /account-access-consents/{ConsentId}

  • GET /accounts/{AccountId}/consents

  • PATCH /account-access-consents/{ConsentId}

Product Data

  • POST /par

  • GET /accounts/{AccountId}/product

  • GET /account-access-consents

  • GET /account-access-consents/{ConsentId}

  • GET /accounts/{AccountId}/consents

  • PATCH /account-access-consents/{ConsentId}

...

  • POST /par

  • GET /accounts/{AccountId}/standing-orders

  • GET /account-access-consents

  • GET /account-access-consents/{ConsentId}

  • GET /accounts/{AccountId}/consents

  • PATCH /account-access-consents/{ConsentId}

2.3.4 Confirmation of Payee

  • POST /confirmation

  • POST /discovery

2.3.5 Balance Check

  • POST /par

  • GET /accounts/{AccountId}/balances

2.3.6 Refunds

  • POST /par

  • GET /payment-consents/{ConsentId}/refund

3. Insurance Sandbox (AlTareq2)

This Sandbox will be included in the next release due on

4. Release Notes

4.1 Extended Features and Enhancements

  • Standards and Spec Updates (v1.1):

    • Updates for the Ozone API Hub and Consent Manager APIs, including GET/POST requests and response format changes.

    • Integration of new data-sharing, consent management, and service initiation functionalities.

  • FAPI:

    • Enhancements made to ensure compliance with CBUAE FAPI standards.

  • Payment Consent:

    • Additional updates for sequential user authorisations in payment consent workflows.

  • PAR and Consent Updates:

    • Changes to PAR authorisation details, JWT payload validation, and common claim checks.

    • Expanded support for consent event tracking and new consent data requirements.

  • API Validation & Error Handling:

    • Validation checks added for Single Instant Payment, Future-Dated Payment, and Data Sharing endpoints.

    • Error handling improvements for ‘x-idempotency-key’, JSON, and JWT flows across several endpoints, including Payments, Accounts, and Direct Debits.

  • Schema Validation Updates:

    • Schema validation fixes for endpoints such as Scheduled Payments, Standing Orders, Direct Debits, and Beneficiaries.

4.2 Fixes

  • Resolved issue with receiving /par URL in the Link.self field for the consent endpoint.

  • Fixed issue where transaction responses were returned despite invalid fromBookingDateTime or toBookingDateTime values.

  • Addressed the problem of receiving response_type as undefined in auth during the headless-Heimdall flow.

4.3 Known Issues

...

While creating a PAR, the parameters "nonce" and "aud" are optional. However, removing them from the request body results in an error.

...

When the "ReadTransactionsDebits" permission is granted, credit transactions are also reflected in the response.

...

When creating consent with varying values, the payment is successfully processed.

...

Payments may still be initiated even when the Personally Identifiable Information (PII) provided during the consent request differs from the PII used during the actual payment initiation.

...

Roles are displayed as "undefined" for the Ozone API Test 1 TPP on the admin portal.

...

Patching the consent with IsSingleAuthorisation: false results in an error.

...

In the PATCH /consent API call, setting the status to "Suspended" results in an error.

...

The endpoint processes requests even when invalid values are provided for optional headers.

...

The authorisation request without a nonce fails when using the FAPI 2.0 Security Profile.

...

The fapi2-security-profile-id2 requires that an unsigned request to the PAR (Pushed Authorization Request) endpoint fails, but currently unsigned requests may not trigger a failure as expected.

...

3.1 TPP Client Registration

To register a client on the API Hub Sandbox, the following command can be used:

Code Block
curl --location --request POST 'https://rs1.altareq2.sandbox.apihub.openfinance.ae/tpp-registration' \
--header 'x-fapi-interaction-id: {UUIDv4}' \
--cert /path/to/your_certificate.pem \
--key /path/to/your_private_key.pem \
--cacert /path/to/your_ca_certificate.pem

| Parameters | Description |
|---|---|
| x-fapi-interaction-id | A UUIDv4 used for traceability. Each request should have a unique id. |
| --cert | Your OFTF Application Transport certificate |
| --key | Your OFTF Application Transport private key |
| --cacert | The OFTF CA Certificate |
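
A wrapper around the registration command above, added here as an example (it is not part of the original page or of the API Hub tooling): it generates a fresh UUIDv4 for every call and checks the transport certificate against its private key and expiry date before connecting. The function names are illustrative, and the certificate, key and CA paths are whatever the caller passes in.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are illustrative;
# certificate, key and CA paths are supplied by the caller.
BASE_URL='https://rs1.altareq2.sandbox.apihub.openfinance.ae'

# Build a random (version 4) UUID from 16 bytes of /dev/urandom.
new_interaction_id() {
  hex=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
  nib=$(printf '%s' "$hex" | cut -c17)
  # The variant nibble must be 8, 9, a or b: keep two random bits, force the top bits to 10.
  variant=$(printf '%x' $(( (0x$nib & 3) | 8 )))
  printf '%s-%s-4%s-%s%s-%s\n' \
    "$(printf '%s' "$hex" | cut -c1-8)" "$(printf '%s' "$hex" | cut -c9-12)" \
    "$(printf '%s' "$hex" | cut -c14-16)" "$variant" \
    "$(printf '%s' "$hex" | cut -c18-20)" "$(printf '%s' "$hex" | cut -c21-32)"
}

# True only for a lower-case, canonical version 4 UUID.
is_uuid_v4() {
  printf '%s\n' "$1" | grep -Eq \
    '^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'
}

# Succeeds only if the certificate and the private key carry the same public key.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: register_tpp /path/to/cert.pem /path/to/key.pem /path/to/ca.pem
register_tpp() {
  cert_matches_key "$1" "$2" || { echo 'certificate and key do not match' >&2; return 1; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null \
    || { echo 'transport certificate has expired' >&2; return 1; }
  id=$(new_interaction_id)
  is_uuid_v4 "$id" || { echo 'could not generate an interaction id' >&2; return 1; }
  echo "x-fapi-interaction-id: $id" >&2   # keep the id so the call can be traced later
  curl --location --request POST "$BASE_URL/tpp-registration" \
    --header "x-fapi-interaction-id: $id" \
    --cert "$1" --key "$2" --cacert "$3"
}
```

Source the file and call `register_tpp` with the three PEM paths; nothing is sent unless both local checks pass.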

3.2 Environment Variables

Base URL

Code Block
https://rs1.altareq2.sandbox.apihub.openfinance.ae

OIDC Discovery Endpoint

Code Block
https://auth1.altareq2.sandbox.apihub.openfinance.ae/.well-known/openid-configuration

Postman Collection

API Hub Sandbox Insurance v1.1 2024.12.17.postman_collection.json

3.3 Supported Endpoints

3.3.1 Trust Framework

  • POST /tpp-registration

3.3.2 Motor Insurance

  • POST /par

  • GET /insurance-policies/{InsurancePolicyId}/customer-payment-details

  • GET /insurance-policies

  • GET /insurance-policies/{InsurancePolicyId}

  • GET /insurance-consents

  • GET /insurance-consents/{ConsentId}

  • PATCH /insurance-consents/{ConsentId}

4. Release Notes

This release supports all endpoints in v1.1 of the standards.

It also introduces several enhancements, including improved payment consent screens, AIS APIs that support PIS consents, and upgraded event notification reporting. Additionally, this update addresses various issues within insurance APIs, currency validation, and file payments. Resolved defects include those in CBUAE APIs and payment consent flows.

However, there are some known issues; please see below.

4.1 Enhancements

  1. Creditor Account on Consent Screen:
    The creditor account details are now prominently displayed on the payment consent screen.

  2. Payment Consent Permissions:
    Specific permissions have been added to the payment consent response schema, enhancing access control.

  3. AIS APIs with PIS Consent Support:
    The AIS APIs have been updated to include support for Payment Initiation Service (PIS) consents.

  4. Event Notification Report:
    We have introduced event notification reporting to improve tracking and management.

  5. CBUAE Insurance APIs:
    The insurance APIs have been refactored, and the cbuae-api-spec-insurance.yaml specification has been updated.

  6. New Payment Schema Enhancements:
    Schema issues in the file have been resolved, and combined payments have been optimised for better compatibility.

  7. Standardised Error Messages:
    Error messages have been standardised for Data Sharing and Payment Initiation.

  8. Insurance Module:

    • Updated insurance schema paths for efficient data loading.

    • Corrected hardcoded paths in the mock server configuration for CBUAE.

    • Added the previously missing Dynamic Client Registration (DCR) configurations.

    • Streamlined the data load process for non-insurance RS scenarios.

    • Revised LFI notification paths for CBUAE insurance.

    • The change logs for the cbuae-api-spec-insurance provide essential updates and modifications.

      Code Block
       ### Changes in Version 2024.48.0
      
          * Revised API Paths Get /motor-insurance-policies
          * Revised API Paths Get /motor-insurance-policies/{InsurancePolicyId}
          * Revised API Paths Get /motor-insurance-policies/{InsurancePolicyId}/customer-payment-details endpoint.

4.2 Fixes

  1. PAR Parameter Error:
    Fixed issue where excluding optional parameters "nonce" and "aud" from the PAR creation request body caused an error.

  2. Transaction Permission Misbehaviour:
    Resolved issue where granting "ReadTransactionsDebits" permission caused credit transactions to appear in the response.

  3. Consent Variation:
    Addressed issue where payments were processed successfully even with varying values during consent creation.

  4. PII Mismatch in Payment Initiation:
    Fixed issue allowing payment initiation when Personally Identifiable Information (PII) in the consent request differed from the PII provided during payment initiation.

  5. Admin Portal Roles Issue:
    Corrected display issue where roles appeared as "undefined" for the "Ozone API Test 1 TPP" on the admin portal.

  6. IsSingleAuthorisation Patch Error:
    Fixed error occurring when patching the consent with IsSingleAuthorisation: false.

  7. PATCH Consent Status Error:
    Resolved error triggered when setting the consent status to "Suspended" via the PATCH /consent API.

  8. Invalid Optional Header Values:
    Addressed issue where the endpoint processed requests with invalid values for optional headers.

  9. Links Object Format:
    Corrected the format of the "Related" field in the Links object for the "Get Payment Consents" endpoint.

  10. Path-to-RegExp Vulnerability:
    Mitigated a ReDoS vulnerability found in the path-to-regexp library.

4.3 Known Issues

  1. Error Propagation:
    The system does not currently process or honor errors sent by the LFI.

  2. PAR Request Support:
    The system only supports the creditor object within PII data for PAR requests (Consent creation).

  3. Insurance Augmentation API:
    The insurance augmentation API has been enabled.

  4. Consent Revocation:
    After consent revocation, the Data Sharing and Service Initiation API responses do not return the correct error codes to the TPP.

  5. Regulatory Error Codes:
    Some regulatory-specific error codes may be missing in certain scenarios.

  6. Insurance Permissions Display:
    Permissions related to insurance are not displayed in the Heimdall UI.

  7. Confirmation of Payee POST /discovery:
    The response for this endpoint will return an empty payload with status code 204. This is the expected behavior as LFI data has not been mapped.

4.4 Next Release

The next release will include the resolution of all known issues.