Masked Redirect Url
Yapily's knowledge article about masking redirect Urls
Note: This article only applies if you have your own Open Banking AISP/PISP licences and are using your own certificates to register with each Yapily Institution.
Overview
For customers who are AISPs or PISPs, and therefore have the ability to control the redirectUrl, you can take advantage of Yapily's auth service at https://auth.yapily.com/ while masking that URL with one on a domain of your own choice.
What is the trade-off for using this solution?
The main reason for doing this is to offload to Yapily the responsibility of handling the response from each Institution. Yapily's auth service automatically exchanges the state and code returned by the Institution for the consentToken or a oneTimeToken, or provides the failure message and its categorisation if there was an issue, as described in handling the callback parameters.
Furthermore, Yapily logs every redirect at https://auth.yapily.com/, which alleviates the need for the TPP to do so.
This of course comes at a cost: the TPP forgoes the ability to control the UI elements at https://auth.yapily.com/, which belongs to Yapily.
How it works
In order to do this, in step 8 of Configuring the redirect url, you will need to add a redirectUrl that is a CNAME record mapping the URL you want your customers to see to https://auth-callback.yapily.com.
This is usually something your DevOps team will be able to configure quite easily by going to your domain provider's DNS settings and adding a new DNS record, e.g.
auth.tpp-domain.com CNAME auth-callback.yapily.com
Validating your CNAME record
To validate that the CNAME is configured correctly, you can run the nslookup utility using the Terminal application on Mac or PowerShell on Windows:
Unsuccessful configuration
> nslookup auth.tpp-domain.com
Server: 123.123.123.123
Address: 111.111.111.111#53
** server can't find auth.tpp-domain.com: NXDOMAIN
Successful configuration
> nslookup auth.tpp-domain.com
Server: 123.123.123.123
Address: 111.111.111.111#53
Non-authoritative answer:
auth.tpp-domain.com canonical name = auth-callback.yapily.com.
auth-callback.yapily.com canonical name = production-nginx.yapily.com.
Name: production-nginx.yapily.com
Address: 35.189.115.193
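As an added example (not part of Yapily's article or tooling), the following script checks nslookup output of the Unix format shown above: it follows the CNAME chain from your hostname and accepts it only if the chain reaches auth-callback.yapily.com, so a missing record or a CNAME pointing at some other host is flagged before any authorisation callback is routed through it. The two outputs from the article are embedded as samples, together with a constructed misconfiguration; the "callback.example-cdn.test" host is a made-up placeholder.

```python
import re

# CNAME target the article requires; the chain from your hostname must reach it.
EXPECTED_TARGET = "auth-callback.yapily.com"
CNAME_RE = re.compile(r"^(\S+)\s+canonical name = (\S+)$")


def parse_cname_chain(output):
    """Map alias -> target for each 'canonical name =' line of Unix nslookup output."""
    chain = {}
    for line in output.splitlines():
        m = CNAME_RE.match(line.strip())
        if m:
            chain[m.group(1).rstrip(".")] = m.group(2).rstrip(".")
    return chain


def validate_redirect_cname(hostname, output, expected=EXPECTED_TARGET):
    """Follow the CNAME chain from hostname and report whether it reaches expected."""
    if "NXDOMAIN" in output:
        return False, "NXDOMAIN: no record exists for " + hostname
    chain = parse_cname_chain(output)
    if hostname not in chain:
        return False, hostname + " has no CNAME (A record or wrong name?)"
    current, seen = hostname, set()
    while current in chain and current not in seen:
        seen.add(current)
        current = chain[current]
        if current == expected:
            return True, hostname + " -> " + expected
    if current in seen:
        return False, "CNAME loop detected at " + current
    return False, "chain ends at " + current + ", not " + expected


# Sample nslookup output: the two cases from the article plus a constructed
# misconfiguration where the CNAME points at an unrelated (placeholder) host.
NXDOMAIN_OUTPUT = "** server can't find auth.tpp-domain.com: NXDOMAIN\n"
GOOD_OUTPUT = """Non-authoritative answer:
auth.tpp-domain.com canonical name = auth-callback.yapily.com.
auth-callback.yapily.com canonical name = production-nginx.yapily.com.
Name: production-nginx.yapily.com
Address: 35.189.115.193
"""
WRONG_TARGET_OUTPUT = """Non-authoritative answer:
auth.tpp-domain.com canonical name = callback.example-cdn.test.
Name: callback.example-cdn.test
"""

if __name__ == "__main__":
    for out in (NXDOMAIN_OUTPUT, GOOD_OUTPUT, WRONG_TARGET_OUTPUT):
        print(validate_redirect_cname("auth.tpp-domain.com", out))
```

To check a live record, pipe `nslookup auth.tpp-domain.com` into the script's input instead of the embedded samples.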
Once successfully configured, you will then need to get in contact with our Support Team, requesting that Yapily finalise the configuration on our server and ensure that your application is configured to use the CNAME. You can verify with the Support Team that this has been set up correctly.
Implications for Institution registrations
You should be aware that adding a new CNAME record to your software statement is the equivalent of changing or adding redirects. If you are modifying an existing registration, be warned of the risk of losing consent when re-registering each Institution.