Masked Redirect Url

Yapily's knowledge article about masking redirect URLs

Note: This article only applies if you have your own Open Banking AISP/PISP licenses and are using your own certificates to register with each Yapily Institution

Overview

For customers who are AISPs or PISPs and therefore control the redirectUrl, you can take advantage of Yapily's auth service https://auth.yapily.com/ while masking that URL behind a URL on a domain of your own choice.

What is the trade-off for using this solution?

The main reason for doing this is to offload to Yapily the responsibility of handling the response from each Institution. Yapily's auth service automatically exchanges the state and code returned by the Institution for a consentToken or a oneTimeToken, or, if there was an issue, provides the failure message and its categorisation as described in handling the callback parameters. Furthermore, Yapily logs every redirect at https://auth.yapily.com/, which removes the need for the TPP to do so.

This of course comes at a cost: the TPP forgoes the ability to control the UI elements at https://auth.yapily.com/, which belongs to Yapily.

How it works

In order to do this, in step 8 of Configuring the redirect url, you will need to add a redirectUrl that is a CNAME record mapping the URL you want your customers to see to https://auth-callback.yapily.com.

This is usually something your DevOps team will be able to configure quite easily by going to your domain provider's DNS settings and adding a new DNS record, e.g.

auth.tpp-domain.com CNAME auth-callback.yapily.com

Validating your CNAME record

To validate that the CNAME is configured correctly, you can run the nslookup utility using the Terminal application on Mac or PowerShell on Windows:

Unsuccessful configuration

> nslookup auth.tpp-domain.com
Server:     123.123.123.123
Address:    111.111.111.111#53

** server can't find auth.tpp-domain.com: NXDOMAIN

Successful configuration

> nslookup auth.tpp-domain.com
Server:     123.123.123.123
Address:    111.111.111.111#53

Non-authoritative answer:
auth.tpp-domain.com canonical name = auth-callback.yapily.com.
auth-callback.yapily.com    canonical name = production-nginx.yapily.com.
Name:   production-nginx.yapily.com
Address: 35.189.115.193
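The following is an added example, not Yapily's own tooling: a small Python script that parses nslookup output of the shape shown above and checks that the masked hostname's CNAME chain actually reaches auth-callback.yapily.com. It distinguishes the three outcomes a practitioner cares about: the record does not exist (NXDOMAIN), the record exists but points at the wrong target (a typo or a stale record), and the record is correct. The hostname auth.tpp-domain.com is the article's placeholder; the embedded nslookup transcripts are constructed samples modelled on the ones above.

```python
import re
import subprocess

# Target documented in the article for the masked redirect URL.
EXPECTED_TARGET = "auth-callback.yapily.com"

# Constructed sample: record not published yet (mirrors the "Unsuccessful configuration" transcript).
NXDOMAIN_OUTPUT = """Server:     123.123.123.123
Address:    111.111.111.111#53

** server can't find auth.tpp-domain.com: NXDOMAIN
"""

# Constructed sample: correct chain (mirrors the "Successful configuration" transcript).
GOOD_OUTPUT = """Server:     123.123.123.123
Address:    111.111.111.111#53

Non-authoritative answer:
auth.tpp-domain.com canonical name = auth-callback.yapily.com.
auth-callback.yapily.com    canonical name = production-nginx.yapily.com.
Name:   production-nginx.yapily.com
Address: 35.189.115.193
"""

# Constructed sample: a CNAME exists but points at the wrong place (hypothetical target).
WRONG_TARGET_OUTPUT = """Server:     123.123.123.123
Address:    111.111.111.111#53

Non-authoritative answer:
auth.tpp-domain.com canonical name = auth-callback.example.net.
Name:   auth-callback.example.net
Address: 192.0.2.10
"""

# Matches lines such as "alias    canonical name = target." as printed by nslookup.
CNAME_RE = re.compile(r"^\s*(\S+)\s+canonical name\s*=\s*(\S+)\s*$", re.MULTILINE)


def normalise(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def parse_cname_chain(output):
    """Return a mapping alias -> canonical name from nslookup output."""
    return {normalise(alias): normalise(target) for alias, target in CNAME_RE.findall(output)}


def resolve_chain(hostname, chain, max_hops=10):
    """Follow CNAME hops from hostname; stops on a loop or when no further alias exists."""
    path = [normalise(hostname)]
    while path[-1] in chain and len(path) <= max_hops:
        nxt = chain[path[-1]]
        if nxt in path:  # defensive: a CNAME loop would otherwise spin forever
            break
        path.append(nxt)
    return path


def check_masked_redirect(hostname, output, target=EXPECTED_TARGET):
    """Return (ok, message). ok is True only if the CNAME chain includes the expected target."""
    if "NXDOMAIN" in output:
        return False, f"{hostname}: NXDOMAIN, no record has been published"
    path = resolve_chain(hostname, parse_cname_chain(output))
    if len(path) == 1:
        return False, f"{hostname}: no CNAME found; expected a CNAME to {target}"
    if normalise(target) not in path:
        return False, f"{hostname}: chain {' -> '.join(path)} never reaches {target}"
    return True, " -> ".join(path)


def run_nslookup(hostname):
    """Live lookup for interactive use; the checks above work on any saved output too."""
    result = subprocess.run(["nslookup", hostname], capture_output=True, text=True)
    return result.stdout + result.stderr


if __name__ == "__main__":
    ok, message = check_masked_redirect("auth.tpp-domain.com", run_nslookup("auth.tpp-domain.com"))
    print("OK" if ok else "NOT OK", message)
```

Run it as a script to check a live hostname, or call check_masked_redirect with saved nslookup output. A CNAME that resolves but points at a different target is treated as a failure, since the redirect would not be handled by Yapily's auth service in that case.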

Once the CNAME is successfully configured, you will then need to contact our Support Team requesting that Yapily finalise the configuration on our server and ensure that your application is configured to use the CNAME. You can verify with the Support Team that this has been set up correctly.

Implications for Institution registrations

You should be aware that adding a new CNAME record to your software statement is the equivalent of changing or adding redirects. If you are modifying an existing registration, be warned of the risk of losing consents when re-registering with each Institution.