Dynamic Client Registration

Application Registration

Metro Bank only accepts registrations from organisations that are authorised by the Financial Conduct Authority (FCA).

To register an app with Metro Bank, please follow the steps below:

  1. Obtain a Qualified Website Authentication Certificate (QWAC) - As a first step towards registering your client app with Metro Bank, please obtain a valid QWAC from a recognised Qualified Trust Service Provider (QTSP).
  2. Obtain a Software Statement Assertion (SSA) from the Open Banking Implementation Entity - Please enrol with Open Banking in the UK and follow their guidelines for generating an SSA.
  3. Register your client application - When you have both the QWAC and the SSA, use our Dynamic Client Registration (DCR) API, designed in accordance with OBIE's DCR specification V3.1, to onboard your client app with us.
  4. Retrieve your registered app details - Metro Bank's DCR API provides a resource for retrieving the details of a registered app.

Dynamic Client Registration API

Metro Bank requires that API requests are made over a connection secured with mutual TLS. Please use the QWAC as the client certificate when establishing the mutual TLS connection with our APIs, available at the host https://api.metrobankonline.co.uk.

Registering a new application

To register a new app, please use the /register API resource on the DCR API.

If you already use Metro Bank’s APIs, please ensure that you use a different app name for DCR.

Sample DCR API request and response

API Request:

HOST https://api.metrobankonline.co.uk
POST /open-banking/v3.1/dcr/register HTTP/1.1
Content-Type: application/jwt
Accept: application/json

eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IllvdXIgUVdBQyBLaWQifQ.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.QqTNqogHly26ezazaNvbwVPny1A5uIL6hzp8uOdcv0Esl-R4yI4BUDiyOnlsHlB9hqAEhGu8cP0JiA1_tIy7Hef8j-OxCAiCXHNm5eb0dvWDdI1UJQ-CXaOK8dIfvKa1ie6n-puI3iCdEJu0GYMYn10IUEx6eXbImrz_1noCfhMigLhR7D8ti2qYbV05AyLH-5niV_wGOQETf7JX-hXO5hbAchsOhoNT4S9qoiXzDlp09o9n1lfY-d8heDtgW4_3GfuWcVzU3SjduGxOxoQg9T2BkNNGJorfdZ7phrmgiUXlBLcPZ4T5TClo7xY_VDjIJEzocRw3S3B112YXarCNtw

The table below provides guidance on the claims in the request JWT (M = mandatory, O = optional).

Parameter Name | Description | M/O
iss | Identifier for the TPP. | M
iat | The time at which the request was issued by the TPP, expressed as seconds since the epoch. | M
exp | The time at which the request expires, expressed as seconds since the epoch. | M
aud | The unique identifier for the ASPSP issued by the issuer of the software statement. | M
jti | A unique identifier for the JWT. | M
redirect_uris | Registered URIs the TPP will use to interact with the ASPSP Authorization Server. Metro Bank currently accepts only one redirect URI, and it must be present in the SSA. | M
token_endpoint_auth_method | Specifies which token endpoint authentication method the TPP wants to use. Metro Bank accepts tls_client_auth. | M
grant_types | A JSON array specifying what the TPP can request to be supplied to the token endpoint in exchange for an access token. Metro Bank supports and requires the grant types client_credentials, authorization_code and refresh_token. | M
response_types | A JSON array specifying what the TPP can request to be returned from the ASPSP authorisation endpoint. Metro Bank accepts and requires code id_token. Defaults to code id_token if not specified or specified as an empty array. | O
software_id | If specified, the software_id in the request MUST match the software_id specified in the SSA. | O
scope | Scopes the client is asking for. Metro Bank accepts any combination of the values openid, accounts and payments, where openid is mandatory. Default value: openid accounts payments. | O
software_statement | Software statement assertion issued by Open Banking. It is advisable to have the app name differ from any existing app registered with us through developer portal registration. | M
application_type | Type of application. Metro Bank accepts web and mobile. | M
id_token_signed_response_alg | Algorithm with which the TPP expects the id_token to be signed, if an id_token is returned. Metro Bank accepts PS256 only. | M
request_object_signing_alg | Algorithm with which the TPP expects the request object to be signed, if a request object will be part of the authorization request sent to the ASPSP. Metro Bank accepts PS256 only. | M
token_endpoint_auth_signing_alg | Algorithm the TPP uses to authenticate with the token endpoint if using private_key_jwt or client_id_jwt. Metro Bank accepts PS256 only. | O
tls_client_auth_dn | This value must be set if token_endpoint_auth_method is set to tls_client_auth. | M

Please use the QWAC to sign the JWT payload.
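As an added example (not Metro Bank's code), the following Python assembles a DCR request claim set with the fixed values from the table above and checks a claim set against the same constraints before it is signed and posted as application/jwt. The 300-second lifetime, the scope default, the sample values in the test and the function names are assumptions; the PS256 signing step itself is not shown.

```python
import time
import uuid

# Checklist distilled from the table above; these constants are an assumption, not Metro Bank's code.
GRANTS = {"client_credentials", "authorization_code", "refresh_token"}
SCOPES = {"openid", "accounts", "payments"}
ALGS = ("id_token_signed_response_alg", "request_object_signing_alg", "token_endpoint_auth_signing_alg")
MANDATORY = ("iss", "iat", "exp", "aud", "jti", "redirect_uris", "token_endpoint_auth_method",
             "grant_types", "software_statement", "application_type", "tls_client_auth_dn") + ALGS[:2]

def build_claims(iss, aud, redirect_uri, ssa, tls_dn, software_id=None,
                 scope="openid accounts payments", app_type="web", now=None, ttl=300):
    """Assemble the DCR request claims with Metro Bank's fixed values; ttl (seconds) is an assumption."""
    now = int(time.time() if now is None else now)
    claims = {"iss": iss, "iat": now, "exp": now + ttl, "aud": aud, "jti": str(uuid.uuid4()),
              "redirect_uris": [redirect_uri], "token_endpoint_auth_method": "tls_client_auth",
              "grant_types": sorted(GRANTS), "response_types": ["code id_token"], "scope": scope,
              "software_statement": ssa, "application_type": app_type, "tls_client_auth_dn": tls_dn,
              **{k: "PS256" for k in ALGS}}
    if software_id:
        claims["software_id"] = software_id
    return claims

def check_claims(claims, ssa_redirect_uris, ssa_software_id=None, now=None):
    """Check a claim set against the table; returns a list of problems (empty means acceptable)."""
    now = int(time.time() if now is None else now)
    problems = [f"missing mandatory claim {k}" for k in MANDATORY if k not in claims]
    if problems:
        return problems
    if not claims["iat"] <= now < claims["exp"]:
        problems.append("request is outside its iat/exp window")
    uris = claims["redirect_uris"]
    if len(uris) != 1 or uris[0] not in ssa_redirect_uris:
        problems.append("exactly one redirect_uri is accepted and it must appear in the SSA")
    if claims["token_endpoint_auth_method"] != "tls_client_auth":
        problems.append("token_endpoint_auth_method must be tls_client_auth")
    if set(claims["grant_types"]) != GRANTS:
        problems.append("grant_types must be exactly client_credentials, authorization_code, refresh_token")
    if claims.get("response_types") not in (None, [], ["code id_token"]):
        problems.append("response_types must be 'code id_token'")
    scope = claims.get("scope", "openid accounts payments")
    scopes = set(scope.split() if isinstance(scope, str) else scope)
    if "openid" not in scopes or not scopes <= SCOPES:
        problems.append("scope must include openid and use only openid, accounts, payments")
    if claims["application_type"] not in ("web", "mobile"):
        problems.append("application_type must be web or mobile")
    problems += [f"{k} must be PS256" for k in ALGS if claims.get(k, "PS256") != "PS256"]
    if ssa_software_id and claims.get("software_id", ssa_software_id) != ssa_software_id:
        problems.append("software_id does not match the SSA")
    return problems
```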


API Response:

HTTP/1.1 201 Created
Content-Type: application/json

{
  "client_id": "Some Value",
  "client_secret": "Some Value",
  "client_id_issued_at": 2893256800,
  "client_secret_expires_at": 0,
  "redirect_uris": [
    "Your Specified Redirect URI"
  ],
  "token_endpoint_auth_method": "tls_client_auth",
  "grant_types": [
    "refresh_token",
    "client_credentials",
    "authorization_code"
  ],
  "software_id": "Your Specified Software Id",
  "scope": [
    "openid",
    "accounts",
    "payments"
  ],
  "software_statement": "Your specified software statement",
  "application_type": "web",
  "id_token_signed_response_alg": "PS256",
  "request_object_signing_alg": "PS256",
  "token_endpoint_auth_signing_alg": "PS256",
  "tls_client_auth_dn": "Your Specified Certificate Auth DN"
}

Please keep a note of the client credentials of the newly generated app.

Retrieve information about your registered application

To retrieve the details of a registered app, an access token is required.

Please use the app credentials from the registration response to request an access token.

When you have an access token, provide it as a bearer token to receive the information about your registered app.

Sample access token request and response

API Request:

HOST https://api.metrobankonline.co.uk
POST /identity/v1/token HTTP/1.1
Authorization: Basic {base64 encoded value of {client_id}:{client_secret}}
Content-Type: application/x-www-form-urlencoded

scope=read&grant_type=client_credentials


API Response:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "Some Value",
  "token_type": "Bearer",
  "expires_in": 32399
}

The following is a sample request and response for the app information retrieval API.

Sample client app registration retrieval request and response

API Request:

HOST https://api.metrobankonline.co.uk
GET /open-banking/v3.1/dcr/register/{client_id} HTTP/1.1
Accept: application/json
Authorization: Bearer {Generated access token}

API Response:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "client_id": "Some Value",
  "client_secret": "Some Value",
  "client_id_issued_at": 2893256800,
  "client_secret_expires_at": 0,
  "redirect_uris": [ 
    "Your Specified Redirect URI"
  ],
  "token_endpoint_auth_method": "tls_client_auth",
  "grant_types": [
    "refresh_token",
    "client_credentials",
    "authorization_code"
  ],
  "software_id": "Your Specified Software Id",
  "scope": [
    "openid",
    "accounts",
    "payments"
  ],
  "software_statement": "Your specified software statement",
  "application_type": "web",
  "id_token_signed_response_alg": "PS256",
  "request_object_signing_alg": "PS256",
  "token_endpoint_auth_signing_alg": "PS256",
  "tls_client_auth_dn": "Your Specified Certificate Auth DN"
}

For additional information on the API, please refer to the Open Banking DCR specification.