Lina Abu Nuwar
OAuth API: GET /authorize, for redirect to Arab Bank's login and consent app.
I received this error; please help me figure out what the reason could be:

  {"fault":{"faultstring":"Invalid Claim: policy(Verify-Request-JWT)","detail":{"errorcode":"steps.jwt.InvalidClaim"}}}


The Authorization Request parameter enables OpenID Connect requests to be passed in a single, self-contained parameter and to be optionally signed and/or encrypted. It represents the request as a JWT whose Claims are the request parameters. This JWT is called a Request Object.

This error means that either one of the request claims is missing or a claim in the request object does not match the request parameters.

Please provide us with your request so we can help you with that.

Lina Abu Nuwar
This is the payload:

  {
    "iss": "DTqC7GmPOl49wApTyIA1AktNlGhZjkDb",
    "response_type": "code id_token",
    "client_id": "DTqC7GmPOl49wApTyIA1AktNlGhZjkDb",
    "redirect_uri": "http://localhost/",
    "scope": "openid accounts payments",
    "state": "99999",
    "nonce": "99999",
    "x-idempotency-key": "987654321",
    "claims": {
      "id_token": {
        "openbanking_intent_id": {
          "value": "urn:arabbank:intent:accounts:eb2bfaa3-d1eb-43d7-aa47-e345d2620f29",
          "essential": true
        },
        "acr": {
          "essential": true
        }
      }
    }
  }

I encrypted it with our private key and sent it in the request header. This is the header:

  • client_id (required) TPPs MUST provide this value and set it to the client id issued to them.
  • redirect_uri (required) Callback URL defined with your registered App. This MUST be a valid, absolute URL that was registered during Client App Registration.
  • nonce (required) A nonce value, random string.
  • response_type (required) One of: code id_token, code, token, token id_token. OAuth 2.0 requires that this parameter is provided. Value is set to 'code id_token' or 'code'. The values for these parameters MUST match those in the Request Object, if present.
  • state (required) TPPs MAY provide a state parameter. A Unique ID to maintain state between asynchronous requests at the Client.
  • scope (required) One of: openid accounts, openid payments, openid. The scopes MUST be a subset of the scopes that were registered during Client app registration. At a minimum the scope parameter MUST contain openid. Other valid scopes are: accounts, payments.
  • request (required) The parameter MUST contain a JWS that is signed by the TPP. The JWS payload MUST consist of a JSON object containing a request object as per OpenID Connect Core 6.1 (see Example Payload). The request object MUST contain a claims section that includes as a minimum an openbanking_intent_id that identifies the intent id for which this authorisation is requested.

Request parameter

Hi Lina, there is a difference between the request header and the JWT header. The /authorize request does not require any header parameter, however, the JWT (always) does.

As per the API doc, the /authorize request only requires query parameters (client_id, redirect_uri, nonce, response_type, state, scope, x-idempotency-key and request). The request query parameter is simply a signed JWT of the /authorize query params. Below is a sample successful request that redirects the user to Arab Bank's login page.


 https://tapi.arabbank.com/sandbox/oauth/v1/authorize?client_id=GSBGuuWPRmIe0mkG4YAmHLh0SNUkJglJ&redirect_uri=http://localhost/&nonce=99999&response_type=code id_token&state=99999&scope=openid accounts&request=eyJhbGdvcml0aG0iOiJSUzI1NiIsImV4cGlyZXNJbiI6IjFoIiwiYWxnIjoiUlMyNTYifQ.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.NhfCiAbOL4EorpLZKlA3xAP9-mdIhkV4XWd5F7dMZwLv2N6OXit9Z1YCmj1QHMPZqhQfmF9Gq1Ig9aJ8Y700fLDO5Rk0sjzpajIeyXCfK8KjO0RTDyHqIV--FIYh7kTHz1_altynDQL0wka7FN2muxXSbvvByEOouqqusl5B0cy_NqFf0F3uXJXH3ddjEkNRBOPlZ7RFrV81rrGupRykc0tuQyJ9x9UVYkiIRZh2A2JjWxPBgWolhSY2cOzOVoa-4IUWaL0WK_9VIn7DjyrX9vGR_66cUzova19hKS1IS8tmIXuQ0mMbx-F15MTkOo6_gm2mCrIYjAJBBBQ0G5s8Kys0S70jSYVGqvl4KyT3EnFJl2-iW5HVYtXvuuCTwEc52tn1Ij1K_JeXOZ7i9ZC67omSUmYYFeuXltleG_RvtnXvBlSxHKZPciMSTt0D2YvpeeTtRFrO72v7aqzXU3q7h0ibXkdV7JuRvgVw_yNtudPxWcZji6UC-ps0pW8Dq19HlVb23usehTteu7BClwdZaWrVknS1LATuxZrGInjT9kHRS7ujdinSISQbXyB5yJJPW0vysA8tnziQKuwoUg-SqMdwbvOtFigAcIO7VuvpokrzBi8Z5emes1p9T7yXyguoRu5WGQ3ef0sw7IPUJF0e5N99dxen89dJ2Qp6KXwOIfo&x-idempotency-key=99999


Just modify the above query params as per your application's needs and make sure the request is signed and appended in the 'request' query parameter.

The 'Example Payload' is meant to complement the /authorize required parameter and its purpose is to illustrate what info is needed to be signed using JWT.

You are nearly done! Once the user is redirected and authenticated, Arab Bank will redirect back to your callback URL containing a 'code' parameter that will be used again in /token to retrieve an access token that authorizes at the USER LEVEL. (This request is identical to the first /token request; just add the code and modify the grant_type parameter.)
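The two replies above describe the same requirement from both sides: the claims inside the signed request object must be present and must equal the /authorize query parameters, otherwise the Verify-Request-JWT step answers "Invalid Claim". The example below (added here; it is not Arab Bank's code nor code from anyone in this thread) builds the /authorize URL by copying every query parameter out of the request object, so the two cannot drift apart, and then runs a pre-flight check over a finished URL that reports exactly the mismatch or missing-claim conditions the thread describes. The request object is a constructed one modelled on the posted payload with placeholder identifiers; `rs256_signer` assumes the `cryptography` package and a real RSA private key, while `demo_signer` is a labelled stand-in that lets the block run without a key (its output is a hash, not a signature, and the bank would reject it). The checker only parses the JWS payload and does not verify the signature or reproduce the bank's policy beyond what the thread states.

```python
"""Compose an OIDC /authorize request whose query parameters are copied from the
request object, then pre-check the finished URL for the conditions behind the
thread's "Invalid Claim" error: a required claim missing from the request object,
or a claim that does not match its query parameter.  Added example, not Arab
Bank's or any TPP's code.  Signing is delegated to a callable so the RSA private
key stays with the caller."""
import base64
import hashlib
import json
from typing import Callable, Dict, List
from urllib.parse import parse_qs, urlencode, urlsplit

# Query parameters the API doc quoted in the thread marks as required; the sample
# URL in the thread also carries x-idempotency-key, so it is copied when present.
REQUIRED_PARAMS = ("client_id", "redirect_uri", "nonce", "response_type", "state", "scope")
OPTIONAL_PARAMS = ("x-idempotency-key",)
ALLOWED_RESPONSE_TYPES = {"code", "code id_token"}
ALLOWED_SCOPES = {"openid", "accounts", "payments"}
BASE_URL = "https://tapi.arabbank.com/sandbox/oauth/v1/authorize"

# Constructed request object modelled on the one posted in the thread; the client
# id, intent id and idempotency key are placeholders, not real registrations.
REQUEST_OBJECT = {
    "iss": "CLIENT_ID_FROM_REGISTRATION",
    "client_id": "CLIENT_ID_FROM_REGISTRATION",
    "response_type": "code id_token",
    "redirect_uri": "http://localhost/",
    "scope": "openid accounts payments",
    "state": "99999",
    "nonce": "99999",
    "x-idempotency-key": "987654321",
    "claims": {"id_token": {
        "openbanking_intent_id": {"value": "urn:arabbank:intent:accounts:PLACEHOLDER", "essential": True},
        "acr": {"essential": True},
    }},
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rs256_signer(private_key_pem: bytes) -> Callable[[bytes], bytes]:
    """RS256 (RSASSA-PKCS1-v1_5 over SHA-256) via the 'cryptography' package,
    assumed installed wherever real requests are built."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def demo_signer(data: bytes) -> bytes:
    """Stand-in so the example runs without a key: a plain hash, NOT a signature.
    The bank's Verify-Request-JWT step would reject a token built with it."""
    return hashlib.sha256(data).digest()


def build_authorize_url(base_url: str, request_object: Dict,
                        signer: Callable[[bytes], bytes]) -> str:
    """Serialise request_object as a compact JWS in 'request' and copy every other
    query parameter from the same dict, so the two can never disagree."""
    missing = [name for name in REQUIRED_PARAMS if name not in request_object]
    if missing:
        raise ValueError(f"request object lacks required parameters: {missing}")

    def compact(obj: Dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = compact({"alg": "RS256", "typ": "JWT"}) + "." + compact(request_object)
    jws = signing_input + "." + b64url_encode(signer(signing_input.encode("ascii")))
    params = {name: request_object[name] for name in REQUIRED_PARAMS}
    params.update({name: request_object[name] for name in OPTIONAL_PARAMS if name in request_object})
    params["request"] = jws
    return base_url + "?" + urlencode(params)


def find_claim_problems(authorize_url: str) -> List[str]:
    """Mirror the checks behind the thread's error on an already-built URL.  Only the
    JWS payload is parsed; the signature is NOT verified (that is the bank's job)."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(authorize_url).query).items()}
    if "request" not in query:
        return ["missing query parameter: request"]
    parts = query["request"].split(".")
    if len(parts) != 3:
        return ["request is not a compact JWS (header.payload.signature)"]
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:
        return ["request payload is not base64url-encoded JSON"]
    problems = []
    for name in REQUIRED_PARAMS:
        if name not in claims:
            problems.append(f"{name}: missing from request object")
        elif name not in query:
            problems.append(f"{name}: missing from query string")
        elif str(claims[name]) != query[name]:
            problems.append(f"{name}: request object has {claims[name]!r}, query has {query[name]!r}")
    for name in OPTIONAL_PARAMS:
        if name in claims and name in query and str(claims[name]) != query[name]:
            problems.append(f"{name}: request object has {claims[name]!r}, query has {query[name]!r}")
    if claims.get("response_type") not in ALLOWED_RESPONSE_TYPES:
        problems.append("response_type: must be 'code' or 'code id_token'")
    scopes = set(str(claims.get("scope", "")).split())
    if "openid" not in scopes or not scopes <= ALLOWED_SCOPES:
        problems.append("scope: must include openid and only openid/accounts/payments")
    intent = claims.get("claims", {}).get("id_token", {}).get("openbanking_intent_id", {})
    if not isinstance(intent, dict) or not intent.get("value"):
        problems.append("claims.id_token.openbanking_intent_id.value: missing")
    return problems


def demo():
    """A consistently built URL yields no problems; hand-editing one query parameter
    afterwards (the mismatch the thread describes) is reported."""
    url = build_authorize_url(BASE_URL, REQUEST_OBJECT, demo_signer)
    tampered = url.replace("state=99999", "state=12345")
    return find_claim_problems(url), find_claim_problems(tampered)


if __name__ == "__main__":
    print(demo())
```

Run `find_claim_problems` on the exact URL you are about to send (after any hand edits, encoding, or copy-paste) rather than on the payload you think you signed; the mismatch usually creeps in between the two. For real requests use fresh, unpredictable `state` and `nonce` values per authorization (the constructed object reuses the fixed values from the thread purely so the demo is deterministic), and sign with `rs256_signer` and the private key whose public half was registered with the bank.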
