6.3 One-factor Redirect Authentication technical details

The authentication URI is returned when a one-factor authentication is needed in order to identify the PSU. The whole URL is built by CBI Globe by concatenating the base URL for the specific ASPSP, configured into the system during provisioning process, with query parameters related to the consent or payment resource.

In detail:

  • Payment:<aspsp_authentication_configuration.REDIRECT_URL>?paymentId=<paymentid>&tppAuthenticationRedirectUri<tpp-authentication-redirect-uri>&tppName=<tppName>&aspspCode=<aspspCode>&aspspProductCode=aspspProductCode&tppRegistrationNumber=&<tppRegistrationNumber>&hash=<control parameter value>
  • Consent:<aspsp_authentication_configuration.REDIRECT_URL>?consentId=<consent-id>&tppAuthenticationRedirectUri<tpp-authentication-redirect-uri>&tppName=<tppName>&aspspCode=<aspspCode>&aspspProductCode=aspspProductCode&tppRegistrationNumber=<tppRegistrationNumber>&hash=<control parameter value>


  • paymentId/consentId is the resource in process;
  • tppAuthenticationRedirectUri is the URL of the TPP where the ASPSP has to redirect the PSU after the authentication execution. The value is sent by the TPP as input parameter of the paymentInitiationRequest and establishConsent APIs;
  • tppName is name of the TPP as defined into eIDAS certificate;
  • aspspCode is the unique identifier of the ASPSP configured into CBI Globe during the ASPSP provisioning;
  • aspspProductCode is the unique identifier of the product into ASPSP scope;
  • tppRegistrationNumber is registration number of the TPP as defined into eIDAS certificate;
  • hash is a control check value.

The TPP can receive the authentication redirect URI as output of the paymentInitiationRequest, establishConsent, updatePaymentresource, updateConsent and getPaymentStatus APIs. When the ASPSP receives the GET command from the client of the PSU, it has to check the control value, perform the authentication and the it has to redirect the client to the tppAuthenticationRedirectUri.